【修复】RPC 调用时,不再进行 tenant-id 校验,内部使用,无需校验

YunaiV 2024-04-29 09:46:30 +08:00
parent e618f833fd
commit ed04f0ce5a


@ -1,8 +1,6 @@
package cn.iocoder.yudao.framework.tenant.core.security; package cn.iocoder.yudao.framework.tenant.core.security;
import cn.hutool.core.collection.CollUtil; import cn.hutool.core.collection.CollUtil;
import cn.hutool.core.util.StrUtil;
import cn.iocoder.yudao.framework.common.enums.RpcConstants;
import cn.iocoder.yudao.framework.common.exception.enums.GlobalErrorCodeConstants; import cn.iocoder.yudao.framework.common.exception.enums.GlobalErrorCodeConstants;
import cn.iocoder.yudao.framework.common.pojo.CommonResult; import cn.iocoder.yudao.framework.common.pojo.CommonResult;
import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils; import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils;
@ -15,13 +13,13 @@ import cn.iocoder.yudao.framework.web.config.WebProperties;
import cn.iocoder.yudao.framework.web.core.filter.ApiRequestFilter; import cn.iocoder.yudao.framework.web.core.filter.ApiRequestFilter;
import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler; import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
import cn.iocoder.yudao.framework.web.core.util.WebFrameworkUtils; import cn.iocoder.yudao.framework.web.core.util.WebFrameworkUtils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.AntPathMatcher;
import jakarta.servlet.FilterChain; import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException; import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.AntPathMatcher;
import java.io.IOException; import java.io.IOException;
import java.util.Objects; import java.util.Objects;
@ -56,12 +54,6 @@ public class TenantSecurityWebFilter extends ApiRequestFilter {
this.tenantFrameworkService = tenantFrameworkService; this.tenantFrameworkService = tenantFrameworkService;
} }
@Override
protected boolean shouldNotFilter(HttpServletRequest request) {
return super.shouldNotFilter(request) &&
!StrUtil.startWithAny(request.getRequestURI(), RpcConstants.RPC_API_PREFIX); // 因为 RPC API 也会透传租户编号
}
@Override @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException { throws ServletException, IOException {
@ -75,8 +67,7 @@ public class TenantSecurityWebFilter extends ApiRequestFilter {
tenantId = user.getTenantId(); tenantId = user.getTenantId();
TenantContextHolder.setTenantId(tenantId); TenantContextHolder.setTenantId(tenantId);
// 如果传递了租户编号则进行比对租户编号避免越权问题 // 如果传递了租户编号则进行比对租户编号避免越权问题
} else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId()) } else if (!Objects.equals(user.getTenantId(), TenantContextHolder.getTenantId())) {
&& !isRpcRequest) { // Cloud 特殊逻辑如果是 RPC 请求就不校验了主要考虑一些场景下会调用 TenantUtils 去切换租户
log.error("[doFilterInternal][租户({}) User({}/{}) 越权访问租户({}) URL({}/{})]", log.error("[doFilterInternal][租户({}) User({}/{}) 越权访问租户({}) URL({}/{})]",
user.getTenantId(), user.getId(), user.getUserType(), user.getTenantId(), user.getId(), user.getUserType(),
TenantContextHolder.getTenantId(), request.getRequestURI(), request.getMethod()); TenantContextHolder.getTenantId(), request.getRequestURI(), request.getMethod());
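Review bot: With the `shouldNotFilter` override removed, whether paths under `RpcConstants.RPC_API_PREFIX` still pass through this filter is decided by `ApiRequestFilter.shouldNotFilter` alone, which is not visible here. If that base method excludes the RPC prefix, the tenant checks in `doFilterInternal` no longer run for those paths, and the tenant id they pass through (per the removed comment) is accepted as sent. That is only safe while the RPC prefix is unreachable from outside the internal network, and nothing in this class records that assumption. I would state it on the class, e.g. `// RPC paths skip tenant checks: they must be denied at the gateway and reachable only from internal services`, and confirm the gateway route actually denies the prefix. The mismatch branch also drops `&& !isRpcRequest`; if an `isRpcRequest` local is still declared above this hunk (the body of `doFilterInternal` continues outside it), it is now unused and can be removed.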