增加 auth 认证拦截器(未完全)

This commit is contained in:
YunaiV 2020-04-21 23:55:36 +08:00
parent eec8f0860e
commit 6f37500f62
14 changed files with 202 additions and 20 deletions

View File

@ -17,7 +17,6 @@
<groupId>cn.iocoder.mall</groupId>
<artifactId>system-rpc-api</artifactId>
<version>1.0-SNAPSHOT</version>
<optional>true</optional>
</dependency>
<!-- Spring 核心 -->
@ -38,7 +37,6 @@
<dependency>
<groupId>org.apache.dubbo</groupId>
<artifactId>dubbo</artifactId>
<optional>true</optional>
</dependency>
</dependencies>

View File

@ -1,16 +1,38 @@
package cn.iocoder.mall.security.config;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import cn.iocoder.mall.security.core.interceptor.AccountAuthInterceptor;
import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
import cn.iocoder.mall.web.core.constant.CommonMallConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
@AutoConfigureAfter(CommonWebAutoConfiguration.class) // CommonWebAutoConfiguration 之后自动配置保证过滤器的顺序
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@ConditionalOnClass(name = {"cn.iocoder.mall.system.rpc.api.systemlog.SystemLogRPC", "org.apache.dubbo.config.annotation.Reference"})
public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {
// ========== 拦截器相关 ==========
private Logger logger = LoggerFactory.getLogger(getClass());
// ========== 拦截器相关 ==========
@Bean
@ConditionalOnMissingBean(AccountAuthInterceptor.class)
public AccountAuthInterceptor accountAuthInterceptor() {
return new AccountAuthInterceptor();
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
// AccountAuthInterceptor 拦截器
registry.addInterceptor(this.accountAuthInterceptor())
.addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
logger.info("[addInterceptors][加载 AccountAuthInterceptor 拦截器完成]");
}
}

View File

@ -0,0 +1,16 @@
package cn.iocoder.mall.security.core.annotation;
import java.lang.annotation.*;
/**
* 要求用户登录注解通过将该注解添加到 Controller 会自动校验用户是否登陆
*
* 默认请求下用户访问的 API 接口无需登陆主要的考虑是
* 1. 需要用户登陆的接口本身会获取在线用户的编号如果不添加 @RequiresLogin 注解就会报错
* 2. 大多数情况下用户的 API 接口无需登陆
*/
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE 因为没有场景
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresLogin {
}

View File

@ -0,0 +1,22 @@
package cn.iocoder.mall.security.core.annotation;
import java.lang.annotation.*;
/**
* 参考 Shiro @RequiresPermissions 设计 http://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html
*
* 通过将该注解添加到 Controller 的方法上进行授权鉴定
*/
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE 因为没有场景
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresPermissions {
/**
* 当有多个标识时必须全部拥有权限才可以操作
*
* @return 权限标识数组
*/
String[] value();
}

View File

@ -0,0 +1,28 @@
package cn.iocoder.mall.security.core.context;
import lombok.Data;
import lombok.experimental.Accessors;
import java.util.Set;
/**
* Security 上下文
*/
@Data
@Accessors(chain = true)
public class AdminSecurityContext {
/**
* 管理员编号
*/
private Integer adminId;
/**
* 管理员账号
*/
private String username;
/**
* 拥有的角色编号
*/
private Set<Integer> roleIds;
}

View File

@ -0,0 +1,30 @@
package cn.iocoder.mall.security.core.context;
/**
* {@link AdminSecurityContext} Holder
*
* 参考 spring security ThreadLocalSecurityContextHolderStrategy 简单实现
*/
public class AdminSecurityContextHolder {
private static final ThreadLocal<AdminSecurityContext> SECURITY_CONTEXT = new ThreadLocal<>();
public static void setContext(AdminSecurityContext context) {
SECURITY_CONTEXT.set(context);
}
public static AdminSecurityContext getContext() {
AdminSecurityContext ctx = SECURITY_CONTEXT.get();
// 为空时设置一个空的进去
if (ctx == null) {
ctx = new AdminSecurityContext();
SECURITY_CONTEXT.set(ctx);
}
return ctx;
}
public static void clear() {
SECURITY_CONTEXT.remove();
}
}

View File

@ -0,0 +1,18 @@
package cn.iocoder.mall.security.core.context;
import lombok.Data;
import lombok.experimental.Accessors;
/**
* User Security 上下文
*/
@Data
@Accessors(chain = true)
public class UserSecurityContext {
/**
* 用户编号
*/
private Integer userId;
}

View File

@ -0,0 +1,30 @@
package cn.iocoder.mall.security.core.context;
/**
* {@link UserSecurityContext} Holder
*
* 参考 spring security ThreadLocalSecurityContextHolderStrategy 简单实现
*/
public class UserSecurityContextHolder {
private static final ThreadLocal<UserSecurityContext> SECURITY_CONTEXT = new ThreadLocal<UserSecurityContext>();
public static void setContext(UserSecurityContext context) {
SECURITY_CONTEXT.set(context);
}
public static UserSecurityContext getContext() {
UserSecurityContext ctx = SECURITY_CONTEXT.get();
// 为空时设置一个空的进去
if (ctx == null) {
ctx = new UserSecurityContext();
SECURITY_CONTEXT.set(ctx);
}
return ctx;
}
public static void clear() {
SECURITY_CONTEXT.remove();
}
}

View File

@ -1,4 +1,4 @@
package cn.iocoder.mall.security.core.account;
package cn.iocoder.mall.security.core.interceptor;
import cn.iocoder.common.framework.util.HttpUtil;
import cn.iocoder.common.framework.util.ServiceExceptionUtil;
@ -10,6 +10,7 @@ import cn.iocoder.mall.web.core.util.CommonWebUtil;
import org.apache.dubbo.config.annotation.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
@ -24,8 +25,12 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
// 执行认证
// 获得访问令牌
String accessToken = HttpUtil.obtainAuthorization(request);
if (StringUtils.hasText(accessToken)) { // 如果未传递则不进行认证
return true;
}
// 执行认证
OAuth2AccessTokenAuthenticateRequest oauth2AccessTokenAuthenticateRequest = new OAuth2AccessTokenAuthenticateRequest()
.setAccessToken(accessToken).setIp(HttpUtil.getIp(request));
CommonResult<OAuth2AccessTokenResponse> oauth2AccessTokenResponseResult = oauth2RPC.authenticate(oauth2AccessTokenAuthenticateRequest);

View File

@ -0,0 +1,2 @@
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
cn.iocoder.mall.security.config.CommonSecurityAutoConfiguration

View File

@ -1,5 +1,6 @@
package cn.iocoder.mall.web.config;
import cn.iocoder.common.framework.servlet.CorsFilter;
import cn.iocoder.mall.web.core.constant.CommonMallConstants;
import cn.iocoder.mall.web.core.handler.GlobalExceptionHandler;
import cn.iocoder.mall.web.core.handler.GlobalResponseBodyHandler;
@ -10,6 +11,7 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
@ -47,14 +49,23 @@ public class CommonWebAutoConfiguration implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
try {
AccessLogInterceptor accessLogInterceptor = this.accessLogInterceptor();
if (accessLogInterceptor != null) {
registry.addInterceptor(accessLogInterceptor)
registry.addInterceptor(this.accessLogInterceptor())
.addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
}
logger.info("[addInterceptors][加载 AccessLogInterceptor 拦截器完成]");
} catch (NoSuchBeanDefinitionException e) {
logger.warn("[addInterceptors][无法获取 AccessLogInterceptor 拦截器,因此不启动 AccessLog 的记录]");
}
}
// ========== 过滤器相关 ==========
@Bean
@ConditionalOnMissingBean
public FilterRegistrationBean<CorsFilter> corsFilter() {
FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
registrationBean.setFilter(new CorsFilter());
registrationBean.addUrlPatterns("/*");
return registrationBean;
}
}

View File

@ -53,13 +53,6 @@ public class UserMVCAutoConfiguration implements WebMvcConfigurer {
registry.addInterceptor(userSecurityInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_USER + "/**");
}
@Bean
@ConditionalOnMissingBean
public FilterRegistrationBean<CorsFilter> corsFilter() {
FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
registrationBean.setFilter(new CorsFilter());
registrationBean.addUrlPatterns("/*");
return registrationBean;
}
}

View File

@ -26,6 +26,11 @@
<artifactId>mall-spring-boot-starter-web</artifactId>
<version>1.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>cn.iocoder.mall</groupId>
<artifactId>mall-spring-boot-starter-security</artifactId>
<version>1.0-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>cn.iocoder.mall</groupId>
<artifactId>mall-spring-boot-starter-swagger</artifactId>

View File

@ -21,3 +21,5 @@ dubbo:
consumer:
SystemLogRPC: # 用于 AccessLogInterceptor 等拦截器,记录 HTTP API 请求的访问日志
version: 1.0.0
OAuth2RPC:
version: 1.0.0