JwtAuthenticationFilter
7/8/26Less than 1 minute
JwtAuthenticationFilter
Info
OncePerRequestFilter that extracts JWT from Authorization: Bearer header, validates signature/expiry/session/status, and populates Spring SecurityContext.
Overview
Parses the JWT from the Authorization header, validates the token signature and expiry, checks user existence, ban status, enabled flag, and session token consistency. On success, sets the SecurityContextHolder authentication and exposes username, role, and userId as request attributes. On failure, writes a JSON error response and short-circuits the filter chain.
Filter Flow
- Extract
Bearertoken fromAuthorizationheader - Validate token signature and expiry via
JwtUtil - Parse
usernameandrolefrom token claims - Load
Userfrom database by username - Check: user exists, not banned, enabled, session token matches
- On success: set
SecurityContext+ request attributes, continue chain - On failure: write JSON error, abort chain
Extended Business Codes
| Code | Constant | Description |
|---|---|---|
4011 | CODE_SESSION_KICKED | Session invalidated -- account logged in on another device |
4031 | CODE_USER_BANNED | User account is banned |
Error Responses
| Condition | HTTP Status | Code | Message |
|---|---|---|---|
| User deleted | 401 | 401 | 账号已被删除 |
| User banned | 403 | 4031 | 账号已被封禁 |
| User disabled | 401 | 401 | 账号已被禁用 |
| Session kicked | 401 | 4011 | 账号已在其他设备登录 |
Request Attributes Set
| Attribute | Type | Description |
|---|---|---|
username | String | Authenticated username |
role | String | Effective role (from DB, falling back to token) |
userId | Long | Authenticated user ID |
Dependencies
JwtUtil-- token parsing and validationUserService-- user lookupUserBanBloomService-- ban status check via bloom filterObjectMapper-- JSON error response serialization
Changelog
7/8/26, 5:52 AM
View All Changelog
9f290-on

