From ed04f0ce5a4a7b2288eee6c507e248b71fe8a4ea Mon Sep 17 00:00:00 2001
From: YunaiV
Date: Mon, 29 Apr 2024 09:46:30 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90=E4=BF=AE=E5=A4=8D=E3=80=91RPC=20?= =?UTF-8?q?=E8=B0=83=E7=94=A8=E6=97=B6=EF=BC=8C=E4=B8=8D=E5=86=8D=E8=BF=9B?= =?UTF-8?q?=E8=A1=8C=20tenant-id=20=E6=A0=A1=E9=AA=8C=EF=BC=8C=E5=86=85?= =?UTF-8?q?=E9=83=A8=E4=BD=BF=E7=94=A8=EF=BC=8C=E6=97=A0=E9=9C=80=E6=A0=A1?= =?UTF-8?q?=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../core/security/TenantSecurityWebFilter.java | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/yudao-framework/yudao-spring-boot-starter-biz-tenant/src/main/java/cn/iocoder/yudao/framework/tenant/core/security/TenantSecurityWebFilter.java b/yudao-framework/yudao-spring-boot-starter-biz-tenant/src/main/java/cn/iocoder/yudao/framework/tenant/core/security/TenantSecurityWebFilter.java
index 784856fc1..7f57b7fb3 100644
--- a/yudao-framework/yudao-spring-boot-starter-biz-tenant/src/main/java/cn/iocoder/yudao/framework/tenant/core/security/TenantSecurityWebFilter.java
+++ b/yudao-framework/yudao-spring-boot-starter-biz-tenant/src/main/java/cn/iocoder/yudao/framework/tenant/core/security/TenantSecurityWebFilter.java
@@ -1,8 +1,6 @@
 package cn.iocoder.yudao.framework.tenant.core.security;

 import cn.hutool.core.collection.CollUtil;
-import cn.hutool.core.util.StrUtil;
-import cn.iocoder.yudao.framework.common.enums.RpcConstants;
 import cn.iocoder.yudao.framework.common.exception.enums.GlobalErrorCodeConstants;
 import cn.iocoder.yudao.framework.common.pojo.CommonResult;
 import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils;
@@ -15,13 +13,13 @@ import cn.iocoder.yudao.framework.web.config.WebProperties; import cn.iocoder.yudao.framework.web.core.filter.ApiRequestFilter; import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler; import cn.iocoder.yudao.framework.web.core.util.WebFrameworkUtils; -import lombok.extern.slf4j.Slf4j; -import org.springframework.util.AntPathMatcher; - import jakarta.servlet.FilterChain; import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; +import org.springframework.util.AntPathMatcher; + import java.io.IOException; import java.util.Objects; @@ -56,12 +54,6 @@ public class TenantSecurityWebFilter extends ApiRequestFilter { this.tenantFrameworkService = tenantFrameworkService; } - @Override - protected boolean shouldNotFilter(HttpServletRequest request) { - return super.shouldNotFilter(request) && - !StrUtil.startWithAny(request.getRequestURI(), RpcConstants.RPC_API_PREFIX); // 因为 RPC API 也会透传租户编号 - } - @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { @@ -75,8 +67,7 @@ public class TenantSecurityWebFilter extends ApiRequestFilter { tenantId = user.getTenantId(); TenantContextHolder.setTenantId(tenantId); // 如果传递了租户编号,则进行比对租户编号,避免越权问题 - } else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId()) - && !isRpcRequest) { // Cloud 特殊逻辑:如果是 RPC 请求,就不校验了。主要考虑,一些场景下,会调用 TenantUtils 去切换租户 + } else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId())) { log.error("[doFilterInternal][租户({}) User({}/{}) 越权访问租户({}) URL({}/{})]", user.getTenantId(), user.getId(), user.getUserType(), TenantContextHolder.getTenantId(), request.getRequestURI(), request.getMethod());
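Review bot: The tenant-mismatch branch `} else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId())) {` in the last hunk loses the comment that explained the RPC exemption, and nothing in the new code records why RPC traffic no longer needs this check. With the `shouldNotFilter` override deleted in the preceding hunk, whether requests under `RpcConstants.RPC_API_PREFIX` reach this filter depends on `ApiRequestFilter.shouldNotFilter`, which is not shown here. If they now skip the filter, cross-tenant protection for those paths presumably rests on the RPC prefix being unreachable from untrusted callers. I would state that assumption above the branch, e.g. `// RPC paths are not validated by this filter; they must be reachable only from trusted internal services (blocked at the gateway)`, and confirm the gateway enforces it. `doFilterInternal` starts and ends outside the hunk, so if the `isRpcRequest` local declared there was used only in this condition, it is now dead and should be removed as well.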