root/ludu-cloud
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

禁止网关直接传输 login-user

Browse Source
This commit is contained in:
YunaiV 2022-06-25 22:50:33 +08:00
parent 97b931f782
commit d79514d821
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
View File

@ -12,14 +12,11 @@ import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalance
import org.springframework.cloud.gateway.filter.GatewayFilterChain; import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter; import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered; import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.client.WebClient; import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import javax.annotation.Resource;
import java.util.function.Consumer;
import java.util.function.Function; import java.util.function.Function;
/** /**
@ -47,8 +44,11 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
@Override @Override
public Mono<Void> filter(final ServerWebExchange exchange, GatewayFilterChain chain) { public Mono<Void> filter(final ServerWebExchange exchange, GatewayFilterChain chain) {
String token = SecurityFrameworkUtils.obtainAuthorization(exchange); // 移除 login-user 的请求头避免伪造模拟
SecurityFrameworkUtils.removeLoginUser(exchange);
// 情况一如果没有 Token 令牌则直接继续 filter // 情况一如果没有 Token 令牌则直接继续 filter
String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
if (StrUtil.isEmpty(token)) { if (StrUtil.isEmpty(token)) {
return chain.filter(exchange); return chain.filter(exchange);
} }

11
yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
View File

@ -58,6 +58,17 @@ public class SecurityFrameworkUtils {
exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, token.getUserType()); exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, token.getUserType());
} }
public static ServerWebExchange removeLoginUser(ServerWebExchange exchange) {
// 如果不包含直接返回
if (!exchange.getRequest().getHeaders().containsKey(LOGIN_USER_HEADER)) {
return exchange;
}
// 如果包含则移除参考 RemoveRequestHeaderGatewayFilterFactory 实现
ServerHttpRequest request = exchange.getRequest().mutate()
.headers(httpHeaders -> httpHeaders.remove(LOGIN_USER_HEADER)).build();
return exchange.mutate().request(request).build();
}
/** /**
* 获得登录用户的编号 * 获得登录用户的编号
* *