From 380ef717d7f790a3477cac11a809b9d7443c7f53 Mon Sep 17 00:00:00 2001
From: YunaiV <zhijiantianya@gmail.com>
Date: Fri, 30 Dec 2022 12:42:20 +0800
Subject: [PATCH] =?UTF-8?q?1.=20=E4=BF=AE=E5=A4=8D=20token=20=E8=BF=87?=
 =?UTF-8?q?=E6=9C=9F=E6=97=B6=EF=BC=8C=E7=BD=91=E5=85=B3=E7=BB=A7=E7=BB=AD?=
 =?UTF-8?q?=E7=BD=91=E5=85=B3=202.=20=E4=BF=AE=E5=A4=8D=20swagger=20?=
 =?UTF-8?q?=E9=87=8D=E5=A4=8D=E5=B8=A6=E4=BA=86=E5=89=8D=E7=BC=80=203.=20?=
 =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20bpm=20=E6=A8=A1=E5=9D=97=E7=9A=84=20securi?=
 =?UTF-8?q?ty=20=E9=85=8D=E7=BD=AE=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../security/TokenAuthenticationFilter.java   | 17 ++++++++-
 .../src/main/resources/application.yaml       |  2 +
 .../config/SecurityConfiguration.java         | 38 +++++++++++++++++++
 .../framework/security/core/package-info.java |  4 ++
 4 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/config/SecurityConfiguration.java
 create mode 100644 yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/core/package-info.java

diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
index 7d366becf..c944c18fa 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
@@ -16,12 +16,14 @@ import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalance
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
 
 import java.time.Duration;
+import java.util.Objects;
 import java.util.function.Function;
 
 /**
@@ -43,7 +45,9 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
     /**
      * 空的 LoginUser 的结果
      *
-     * TODO 芋艿：用于解决 getLoginUser 返回 Mono.empty() 的时候，会导致后续的 flatMap 无法进行处理的问题。先暂时这么解决，寻找更优解 ing
+     * 用于解决如下问题：
+     * 1. {@link #getLoginUser(ServerWebExchange, String)} 返回 Mono.empty() 时，会导致后续的 flatMap 无法进行处理的问题。
+     * 2. {@link #buildUser(String)} 时，如果 Token 已经过期，返回 LOGIN_USER_EMPTY 对象，避免缓存无法刷新
      */
     private static final LoginUser LOGIN_USER_EMPTY = new LoginUser();
 
@@ -131,10 +135,19 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
     }
 
     private LoginUser buildUser(String body) {
+        // 处理结果，结果不正确
         CommonResult<OAuth2AccessTokenCheckRespDTO> result = JsonUtils.parseObject(body, CHECK_RESULT_TYPE_REFERENCE);
-        if (result == null || result.isError()) {
+        if (result == null) {
             return null;
         }
+        if (result.isError()) {
+            // 特殊情况：令牌已经过期（code = 401），需要返回 LOGIN_USER_EMPTY，避免 Token 一直因为缓存，被误判为有效
+            if (Objects.equals(result.getCode(), HttpStatus.UNAUTHORIZED.value())) {
+                return LOGIN_USER_EMPTY;
+            }
+            return null;
+        }
+
         // 创建登录用户
         OAuth2AccessTokenCheckRespDTO tokenInfo = result.getData();
         return new LoginUser().setId(tokenInfo.getUserId()).setUserType(tokenInfo.getUserType())
diff --git a/yudao-gateway/src/main/resources/application.yaml b/yudao-gateway/src/main/resources/application.yaml
index 42f9fa5e7..15735c7d9 100644
--- a/yudao-gateway/src/main/resources/application.yaml
+++ b/yudao-gateway/src/main/resources/application.yaml
@@ -37,3 +37,5 @@ spring:
             - Path=/admin-api/bpm/**
           filters:
               - RewritePath=/admin-api/bpm/v2/api-docs, /v2/api-docs
+      x-forwarded:
+        prefix-enabled: false # 避免 Swagger 重复带上额外的 /admin-api/system 前缀
diff --git a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/config/SecurityConfiguration.java b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/config/SecurityConfiguration.java
new file mode 100644
index 000000000..27195924a
--- /dev/null
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/config/SecurityConfiguration.java
@@ -0,0 +1,38 @@
+package cn.iocoder.yudao.module.bpm.framework.security.config;
+
+import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer;
+import cn.iocoder.yudao.module.system.enums.ApiConstants;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+
+/**
+ * System 模块的 Security 配置
+ */
+@Configuration(proxyBeanMethods = false, value = "systemSecurityConfiguration")
+public class SecurityConfiguration {
+
+    @Bean("systemAuthorizeRequestsCustomizer")
+    public AuthorizeRequestsCustomizer authorizeRequestsCustomizer() {
+        return new AuthorizeRequestsCustomizer() {
+
+            @Override
+            public void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry registry) {
+                // TODO 芋艿：这个每个项目都需要重复配置，得捉摸有没通用的方案
+                // Swagger 接口文档
+                registry.antMatchers("/swagger-ui.html").anonymous()
+                        .antMatchers("/swagger-resources/**").anonymous()
+                        .antMatchers("/webjars/**").anonymous()
+                        .antMatchers("/*/api-docs").anonymous();
+                // Spring Boot Actuator 的安全配置
+                registry.antMatchers("/actuator").anonymous()
+                        .antMatchers("/actuator/**").anonymous();
+                // RPC 服务的安全配置
+                registry.antMatchers(ApiConstants.PREFIX + "/**").permitAll();
+            }
+
+        };
+    }
+
+}
diff --git a/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/core/package-info.java b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/core/package-info.java
new file mode 100644
index 000000000..6d9f5a508
--- /dev/null
+++ b/yudao-module-bpm/yudao-module-bpm-biz/src/main/java/cn/iocoder/yudao/module/bpm/framework/security/core/package-info.java
@@ -0,0 +1,4 @@
+/**
+ * 占位
+ */
+package cn.iocoder.yudao.module.bpm.framework.security.core;