Merge remote-tracking branch 'origin/develop' into feature/I3YZQP

# Conflicts:
#	youlai-gateway/src/main/java/com/youlai/gateway/security/ResourceServerManager.java
#	youlai-gateway/src/main/java/com/youlai/gateway/security/SecurityGlobalFilter.java
This commit is contained in:
haoxr 2021-07-10 21:45:12 +08:00
commit 770def4ce3
31 changed files with 134 additions and 199 deletions

View File

@ -157,10 +157,14 @@ youlai-mall
| ------------------------------------------------------------ | ------------------------------------------------------------ | | ------------------------------------------------------------ | ------------------------------------------------------------ |
| ![image-20210622000304570](https://gitee.com/haoxr/image/raw/master/image-20210622000304570.png) | ![image-20210622000046029](https://gitee.com/haoxr/image/raw/master/image-20210622000046029.png) | | ![image-20210622000304570](https://gitee.com/haoxr/image/raw/master/image-20210622000304570.png) | ![image-20210622000046029](https://gitee.com/haoxr/image/raw/master/image-20210622000046029.png) |
## 项目文档
[项目文档地址](https://www.cnblogs.com/haoxianrui/)
## Stargazers over time ## Star趋势
- Github
[![Github](https://starchart.cc/hxrui/youlai-mall.svg)](https://starchart.cc/hxrui/youlai-mall) [![Github](https://starchart.cc/hxrui/youlai-mall.svg)](https://starchart.cc/hxrui/youlai-mall)
- Gitee
[![Gitee](https://whnb.wang/stars/youlaitech/youlai-mall)](https://whnb.wang/stars/youlaitech/youlai-mall) [![Gitee](https://whnb.wang/stars/youlaitech/youlai-mall)](https://whnb.wang/stars/youlaitech/youlai-mall)
## contributors ## contributors
@ -168,7 +172,7 @@ youlai-mall
## 联系信息 ## 联系信息
因为微信交流群超过200人了只能通过邀请进入群聊添加开发人员PS:日常上班时间建议选择没有头像的)后由其拉进群,相互交流学习,备注“**有来**”即可 因为微信交流群满200人只能通过邀请进入如果想进入交流群学习可添加以下开发人员备注“**有来**“由其拉进群
| ![](https://gitee.com/haoxr/image/raw/master/default/113__6c5ed5b1b73ea9cd4cf32848ed350c07_b9b214638a2a406e52dbf51e9bf9a2ef.png) | ![](https://gitee.com/haoxr/image/raw/master/hxr.jpg) | ![](https://gitee.com/haoxr/image/raw/master/huawei.jpg) | ![](https://gitee.com/haoxr/image/raw/master/default/1625149769(1).png) | | ![](https://gitee.com/haoxr/image/raw/master/default/113__6c5ed5b1b73ea9cd4cf32848ed350c07_b9b214638a2a406e52dbf51e9bf9a2ef.png) | ![](https://gitee.com/haoxr/image/raw/master/hxr.jpg) | ![](https://gitee.com/haoxr/image/raw/master/huawei.jpg) | ![](https://gitee.com/haoxr/image/raw/master/default/1625149769(1).png) |
| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |

Binary file not shown.

14
pom.xml
View File

@ -23,7 +23,7 @@
<parent> <parent>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.0</version> <version>2.5.2</version>
<relativePath/> <!-- lookup parent from repository --> <relativePath/> <!-- lookup parent from repository -->
</parent> </parent>
@ -247,4 +247,16 @@
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<aggregate>true</aggregate>
</configuration>
</plugin>
</plugins>
</build>
</project> </project>

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.convert.Convert; import cn.hutool.core.convert.Convert;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.collection.CollectionUtil; import cn.hutool.core.collection.CollectionUtil;
import cn.hutool.core.lang.Assert; import cn.hutool.core.lang.Assert;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.util.IdUtil; import cn.hutool.core.util.IdUtil;
import com.youlai.admin.service.impl.MinioService; import com.youlai.admin.service.impl.MinioService;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.core.metadata.IPage; import com.baomidou.mybatisplus.core.metadata.IPage;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.lang.Assert; import cn.hutool.core.lang.Assert;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
@ -91,8 +91,10 @@ public class RoleController {
public Result add(@RequestBody SysRole role) { public Result add(@RequestBody SysRole role) {
int count = iSysRoleService.count(new LambdaQueryWrapper<SysRole>() int count = iSysRoleService.count(new LambdaQueryWrapper<SysRole>()
.eq(SysRole::getCode, role.getCode() ) .eq(SysRole::getCode, role.getCode() )
.or()
.eq(SysRole::getName,role.getName())
); );
Assert.isTrue(count == 0, "角色编码已存在"); Assert.isTrue(count == 0, "角色名称或角色编码重复,请检查!");
boolean result = iSysRoleService.save(role); boolean result = iSysRoleService.save(role);
return Result.judge(result); return Result.judge(result);
} }
@ -108,9 +110,11 @@ public class RoleController {
@RequestBody SysRole role) { @RequestBody SysRole role) {
int count = iSysRoleService.count(new LambdaQueryWrapper<SysRole>() int count = iSysRoleService.count(new LambdaQueryWrapper<SysRole>()
.eq(SysRole::getCode, role.getCode()) .eq(SysRole::getCode, role.getCode())
.or()
.eq(SysRole::getName,role.getName())
.ne(SysRole::getId, id) .ne(SysRole::getId, id)
); );
Assert.isTrue(count == 0, "角色编码已存在"); Assert.isTrue(count == 0, "角色名称或角色编码重复,请检查!");
boolean result = iSysRoleService.updateById(role); boolean result = iSysRoleService.updateById(role);
if (result) { if (result) {
iSysPermissionService.refreshPermRolesRules(); iSysPermissionService.refreshPermRolesRules();

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import com.youlai.admin.pojo.vo.RouteVO; import com.youlai.admin.pojo.vo.RouteVO;
import com.youlai.admin.service.ISysMenuService; import com.youlai.admin.service.ISysMenuService;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import com.youlai.admin.service.ITokenService; import com.youlai.admin.service.ITokenService;
import com.youlai.common.result.Result; import com.youlai.common.result.Result;

View File

@ -1,4 +1,4 @@
package com.youlai.admin.controller.v1; package com.youlai.admin.controller;
import cn.hutool.core.bean.BeanUtil; import cn.hutool.core.bean.BeanUtil;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;

View File

@ -106,7 +106,7 @@ public class SysMenuServiceImpl extends ServiceImpl<SysMenuMapper, SysMenu> impl
.forEach(menu -> { .forEach(menu -> {
RouteVO routeVO = new RouteVO(); RouteVO routeVO = new RouteVO();
routeVO.setName(menu.getRouteName()); // 根据name路由跳转 this.$router.push({path:xxx}) routeVO.setName(menu.getId() + ""); // 根据name路由跳转 this.$router.push({path:xxx})
routeVO.setPath(menu.getRoutePath()); // 根据path路由跳转 this.$router.push({name:xxx}) routeVO.setPath(menu.getRoutePath()); // 根据path路由跳转 this.$router.push({name:xxx})
routeVO.setRedirect(menu.getRedirect()); routeVO.setRedirect(menu.getRedirect());
routeVO.setComponent(menu.getComponent()); routeVO.setComponent(menu.getComponent());

View File

@ -11,26 +11,3 @@ spring:
config: config:
server-addr: ${spring.cloud.nacos.discovery.server-addr} server-addr: ${spring.cloud.nacos.discovery.server-addr}
file-extension: yaml file-extension: yaml
sentinel:
enabled: true
eager: true # 取消控制台懒加载项目启动即连接Sentinel
transport:
client-ip: localhost
dashboard: localhost:8080
datasource:
# 限流规则flow为key随便定义
flow:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-flow-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: flow
# 降级规则
degrade:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-degrade-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: degrade

View File

@ -61,7 +61,7 @@ public class OAuthController {
* 方式一client_idclient_secret放在请求路径中(当前版本已废弃) * 方式一client_idclient_secret放在请求路径中(当前版本已废弃)
* 方式二放在请求头Request Headers中的Authorization字段且经过加密例如 Basic Y2xpZW50OnNlY3JldA== 明文等于 client:secret * 方式二放在请求头Request Headers中的Authorization字段且经过加密例如 Basic Y2xpZW50OnNlY3JldA== 明文等于 client:secret
*/ */
String clientId = JwtUtils.getAuthClientId(); String clientId = JwtUtils.getOAuthClientId();
OAuthClientEnum client = OAuthClientEnum.getByClientId(clientId); OAuthClientEnum client = OAuthClientEnum.getByClientId(clientId);
switch (client) { switch (client) {
case TEST: // knife4j接口测试文档使用 client_id/client_secret : client/123456 case TEST: // knife4j接口测试文档使用 client_id/client_secret : client/123456

View File

@ -124,11 +124,9 @@ public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdap
/** /**
* 密码编码器 * 密码编码器
* <p> *
* 委托方式根据密码的前缀选择对应的encoder例如{bcypt}前缀->标识BCYPT算法加密{noop}->标识不使用任何加密即明文的方式 * 委托方式根据密码的前缀选择对应的encoder例如{bcypt}前缀->标识BCYPT算法加密{noop}->标识不使用任何加密即明文的方式
* 密码判读 DaoAuthenticationProvider#additionalAuthenticationChecks * 密码判读 DaoAuthenticationProvider#additionalAuthenticationChecks
*
* @return
*/ */
@Bean @Bean
public PasswordEncoder passwordEncoder() { public PasswordEncoder passwordEncoder() {

View File

@ -34,7 +34,7 @@ public class UserDetailsServiceImpl implements UserDetailsService {
@Override @Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
String clientId = JwtUtils.getAuthClientId(); String clientId = JwtUtils.getOAuthClientId();
OAuthClientEnum client = OAuthClientEnum.getByClientId(clientId); OAuthClientEnum client = OAuthClientEnum.getByClientId(clientId);
Result result; Result result;

View File

@ -9,38 +9,8 @@ spring:
discovery: discovery:
server-addr: http://localhost:8848 server-addr: http://localhost:8848
config: config:
# docker启动nacos-server需要配置
server-addr: ${spring.cloud.nacos.discovery.server-addr} server-addr: ${spring.cloud.nacos.discovery.server-addr}
file-extension: yaml file-extension: yaml
group: DEFAULT_GROUP group: DEFAULT_GROUP
sentinel:
enabled: true
eager: true # 取消控制台懒加载项目启动即连接Sentinel
transport:
client-ip: localhost
dashboard: localhost:8080
datasource:
# 降级规则
degrade:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-degrade-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: degrade
# 开启feign对sentinel的支持
feign:
sentinel:
enabled: true
# jwt 配置
jwt:
config:
enabled: true
key-location: jwt.jks
key-alias: jwt
key-pass: 123456
iss: youlai.tech
sub: all
access-exp-days: 30

View File

@ -2,7 +2,6 @@ package com.youlai.common.constant;
public interface AuthConstants { public interface AuthConstants {
/** /**
* 认证请求头key * 认证请求头key
*/ */

View File

@ -10,26 +10,40 @@ import org.apache.logging.log4j.util.Strings;
import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes; import org.springframework.web.context.request.ServletRequestAttributes;
import sun.misc.BASE64Decoder; import sun.misc.BASE64Decoder;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.net.URLDecoder;
import java.util.List; import java.util.List;
import java.util.stream.Collectors;
/**
* JWT工具类
*
* @author xianrui
*/
@Slf4j @Slf4j
public class JwtUtils { public class JwtUtils {
@SneakyThrows
public static JSONObject getJwtPayload() { public static JSONObject getJwtPayload() {
String jwtPayload = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getHeader(AuthConstants.JWT_PAYLOAD_KEY); String payload = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getHeader(AuthConstants.JWT_PAYLOAD_KEY);
JSONObject jsonObject = JSONUtil.parseObj(jwtPayload); JSONObject jsonObject = JSONUtil.parseObj(URLDecoder.decode(payload,"UTF-8"));
return jsonObject; return jsonObject;
} }
/**
* 解析JWT获取用户ID
*
* @return
*/
public static Long getUserId() { public static Long getUserId() {
Long id = getJwtPayload().getLong(AuthConstants.USER_ID_KEY); Long id = getJwtPayload().getLong(AuthConstants.USER_ID_KEY);
return id; return id;
} }
/**
* 解析JWT获取获取用户名
*
* @return
*/
public static String getUsername() { public static String getUsername() {
String username = getJwtPayload().getStr(AuthConstants.USER_NAME_KEY); String username = getJwtPayload().getStr(AuthConstants.USER_NAME_KEY);
return username; return username;
@ -37,7 +51,7 @@ public class JwtUtils {
/** /**
* 获取登录认证的客户端ID * 获取登录认证的客户端ID
* <p> *
* 兼容两种方式获取Oauth2客户端信息client_idclient_secret * 兼容两种方式获取Oauth2客户端信息client_idclient_secret
* 方式一client_idclient_secret放在请求路径中 * 方式一client_idclient_secret放在请求路径中
* 方式二放在请求头Request Headers中的Authorization字段且经过加密例如 Basic Y2xpZW50OnNlY3JldA== 明文等于 client:secret * 方式二放在请求头Request Headers中的Authorization字段且经过加密例如 Basic Y2xpZW50OnNlY3JldA== 明文等于 client:secret
@ -45,7 +59,7 @@ public class JwtUtils {
* @return * @return
*/ */
@SneakyThrows @SneakyThrows
public static String getAuthClientId() { public static String getOAuthClientId() {
String clientId; String clientId;
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest(); HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
@ -66,15 +80,17 @@ public class JwtUtils {
return clientId; return clientId;
} }
/**
* JWT获取用户角色列表
*
* @return 角色列表
*/
public static List<String> getRoles() { public static List<String> getRoles() {
List<String> roles = null;
JSONObject payload = getJwtPayload(); JSONObject payload = getJwtPayload();
if (payload != null && payload.size() > 0) { if (payload != null && payload.containsKey(AuthConstants.JWT_AUTHORITIES_KEY)) {
List<String> list = payload.get(AuthConstants.JWT_AUTHORITIES_KEY, List.class); roles = payload.get(AuthConstants.JWT_AUTHORITIES_KEY, List.class);
List<String> roles = list.stream().collect(Collectors.toList()); }
return roles; return roles;
} }
return null;
}
} }

View File

@ -1,6 +1,5 @@
package com.youlai.gateway.component; package com.youlai.gateway.component;
import cn.hutool.core.util.StrUtil;
import com.youlai.common.constant.GlobalConstants; import com.youlai.common.constant.GlobalConstants;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.connection.Message; import org.springframework.data.redis.connection.Message;
@ -11,13 +10,13 @@ import java.nio.charset.StandardCharsets;
public class RedisChannelListener implements MessageListener { public class RedisChannelListener implements MessageListener {
@Autowired @Autowired
private AdminRoleLocalCache adminRoleLocalCache; private UrlPermRolesLocalCache urlPermRolesLocalCache;
@Override @Override
public void onMessage(Message message, byte[] bytes) { public void onMessage(Message message, byte[] bytes) {
String msg = new String(message.getBody(), StandardCharsets.UTF_8); String msg = new String(message.getBody(), StandardCharsets.UTF_8);
String channel = new String(message.getChannel(), StandardCharsets.UTF_8); String channel = new String(message.getChannel(), StandardCharsets.UTF_8);
adminRoleLocalCache.remove(GlobalConstants.URL_PERM_ROLES_KEY); urlPermRolesLocalCache.remove(GlobalConstants.URL_PERM_ROLES_KEY);
} }
} }

View File

@ -6,7 +6,6 @@ import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import javax.annotation.PostConstruct; import javax.annotation.PostConstruct;
import java.util.Map;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
/** /**
@ -17,7 +16,7 @@ import java.util.concurrent.TimeUnit;
*/ */
@Slf4j @Slf4j
@Component @Component
public class AdminRoleLocalCache<T> { public class UrlPermRolesLocalCache<T> {
private Cache<String,T> localCache = null; private Cache<String,T> localCache = null;
@PostConstruct @PostConstruct

View File

@ -5,7 +5,7 @@ import cn.hutool.core.convert.Convert;
import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.StrUtil;
import com.youlai.common.constant.AuthConstants; import com.youlai.common.constant.AuthConstants;
import com.youlai.common.constant.GlobalConstants; import com.youlai.common.constant.GlobalConstants;
import com.youlai.gateway.component.AdminRoleLocalCache; import com.youlai.gateway.component.UrlPermRolesLocalCache;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
@ -22,15 +22,14 @@ import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher; import org.springframework.util.PathMatcher;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set;
/** /**
* 网关自定义鉴权管理器 * 网关自定义鉴权管理器
* *
* @author haoxr * @author <a href="mailto:xianrui0365@163.com">xianrui</a>
* @date 2020-05-01
*/ */
@Component @Component
@RequiredArgsConstructor @RequiredArgsConstructor
@ -38,11 +37,13 @@ import java.util.Set;
public class ResourceServerManager implements ReactiveAuthorizationManager<AuthorizationContext> { public class ResourceServerManager implements ReactiveAuthorizationManager<AuthorizationContext> {
private final RedisTemplate redisTemplate; private final RedisTemplate redisTemplate;
private final AdminRoleLocalCache adminRoleLocalCache;
// 是否演示环境 // 本地缓存
@Value("${demo}") private final UrlPermRolesLocalCache urlPermRolesLocalCache;
private Boolean isDemoEnv;
// 是否开启本地缓存
@Value("${local-cache.enabled}")
private Boolean localCacheEnabled;
@Override @Override
public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) { public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
@ -51,69 +52,68 @@ public class ResourceServerManager implements ReactiveAuthorizationManager<Autho
if (request.getMethod() == HttpMethod.OPTIONS) { if (request.getMethod() == HttpMethod.OPTIONS) {
return Mono.just(new AuthorizationDecision(true)); return Mono.just(new AuthorizationDecision(true));
} }
PathMatcher pathMatcher = new AntPathMatcher(); // 声明定义Ant路径匹配模式请求路径和缓存中权限规则的URL权限标识匹配 PathMatcher pathMatcher = new AntPathMatcher(); // Ant匹配器
String method = request.getMethodValue();
String path = request.getURI().getPath(); String path = request.getURI().getPath();
String restfulPath = method + ":" + path; // Restful接口权限设计 @link https://www.cnblogs.com/haoxianrui/p/14961707.html
// 移动端请求需认证但无需鉴权判断
String token = request.getHeaders().getFirst(AuthConstants.AUTHORIZATION_KEY); String token = request.getHeaders().getFirst(AuthConstants.AUTHORIZATION_KEY);
// 移动端请求无需鉴权只需认证即JWT的验签和是否过期判断
if (pathMatcher.match(GlobalConstants.APP_API_PATTERN, path)) { if (pathMatcher.match(GlobalConstants.APP_API_PATTERN, path)) {
// 如果token以"bearer "为前缀到这一步说明是经过NimbusReactiveJwtDecoder#decode和JwtTimestampValidator#validate等解析和验证通过的即已认证 // 如果token以"bearer "为前缀到这里说明JWT有效即已认证
if (StrUtil.isNotBlank(token) && token.startsWith(AuthConstants.AUTHORIZATION_PREFIX)) { if (StrUtil.isNotBlank(token)
&& token.startsWith(AuthConstants.AUTHORIZATION_PREFIX)) {
return Mono.just(new AuthorizationDecision(true)); return Mono.just(new AuthorizationDecision(true));
} else { } else {
return Mono.just(new AuthorizationDecision(false)); return Mono.just(new AuthorizationDecision(false));
} }
} }
// Restful接口权限设计 @link https://www.cnblogs.com/haoxianrui/p/14396990.html // 缓存取 URL权限-角色集合 规则数据
String restfulPath = request.getMethodValue() + ":" + path; // urlPermRolesRules = [{'key':'GET:/api/v1/users/*','value':['ADMIN','TEST']},...]
log.info("请求方法:RESTFul请求路径{}", restfulPath); Map<String, Object> urlPermRolesRules;
Map<String, Object> permRolesRules = (Map<String, Object>) adminRoleLocalCache.getCache(GlobalConstants.URL_PERM_ROLES_KEY); if (localCacheEnabled) {
if (isDemoEnv) { urlPermRolesRules = (Map<String, Object>) urlPermRolesLocalCache.getCache(GlobalConstants.URL_PERM_ROLES_KEY);
// 缓存取URL权限标识->角色集合权限规则 if (null == urlPermRolesRules) {
if (null == permRolesRules) { urlPermRolesRules = redisTemplate.opsForHash().entries(GlobalConstants.URL_PERM_ROLES_KEY);
permRolesRules = redisTemplate.opsForHash().entries(GlobalConstants.URL_PERM_ROLES_KEY); urlPermRolesLocalCache.setLocalCache(GlobalConstants.URL_PERM_ROLES_KEY, urlPermRolesRules);
adminRoleLocalCache.setLocalCache(GlobalConstants.URL_PERM_ROLES_KEY, permRolesRules);
} }
} else {
urlPermRolesRules = redisTemplate.opsForHash().entries(GlobalConstants.URL_PERM_ROLES_KEY);
} }
// 根据 请求路径 权限规则中的URL权限标识进行Ant匹配得出拥有权限的角色集合
Set<String> hasPermissionRoles = CollectionUtil.newHashSet(); // 声明定义有权限的角色集合
boolean needToCheck = false; // 声明定义是否需要被拦截检查的请求如果缓存中权限规则中没有任何URL权限标识和此次请求的URL匹配默认不需要被鉴权
if (CollectionUtil.isNotEmpty(permRolesRules)) { // 根据请求路径判断有访问权限的角色列表
for (Map.Entry<String, Object> ruleEntry : permRolesRules.entrySet()) { List<String> authorizedRoles = new ArrayList<>(); // 拥有访问权限的角色
String perm = ruleEntry.getKey(); // 缓存权限规则的键URL权限标识 boolean requireCheck = false; // 是否需要鉴权默认没有设置权限规则不用鉴权
for (Map.Entry<String, Object> permRoles : urlPermRolesRules.entrySet()) {
String perm = permRoles.getKey();
if (pathMatcher.match(perm, restfulPath)) { if (pathMatcher.match(perm, restfulPath)) {
List<String> roles = Convert.toList(String.class, ruleEntry.getValue()); // 缓存权限规则的值有请求路径访问权限的角色集合 List<String> roles = Convert.toList(String.class, permRoles.getValue());
hasPermissionRoles.addAll(Convert.toList(String.class, roles)); authorizedRoles.addAll(Convert.toList(String.class, roles));
if (needToCheck == false) { if (requireCheck == false) {
needToCheck = true; requireCheck = true;
} }
} }
} }
} if (requireCheck == false) {
log.info("拥有接口访问权限的角色:{}", hasPermissionRoles.toString());
// 没有设置权限规则放行如果默认想拦截所有的请求请移除needToCheck变量逻辑即可根据需求定制
if (needToCheck == false) {
return Mono.just(new AuthorizationDecision(true)); return Mono.just(new AuthorizationDecision(true));
} }
// 判断用户JWT中携带的角色是否有能通过权限拦截的角色 // 判断JWT中携带的用户角色是否有权限访问
Mono<AuthorizationDecision> authorizationDecisionMono = mono Mono<AuthorizationDecision> authorizationDecisionMono = mono
.filter(Authentication::isAuthenticated) .filter(Authentication::isAuthenticated)
.flatMapIterable(Authentication::getAuthorities) .flatMapIterable(Authentication::getAuthorities)
.map(GrantedAuthority::getAuthority) .map(GrantedAuthority::getAuthority)
.any(authority -> { .any(authority -> {
log.info("用户权限 : {}", authority); // ROLE_ROOT String roleCode = authority.substring(AuthConstants.AUTHORITY_PREFIX.length()); // 用户的角色
String role = authority.substring(AuthConstants.AUTHORITY_PREFIX.length()); // 角色编码ROOT if (GlobalConstants.ROOT_ROLE_CODE.equals(roleCode)) {
if (GlobalConstants.ROOT_ROLE_CODE.equals(role)) { // 如果是超级管理员则放行 return true; // 如果是超级管理员则放行
return true;
} }
boolean hasPermission = CollectionUtil.isNotEmpty(hasPermissionRoles) && hasPermissionRoles.contains(role); // 用户角色中只要有一个满足则通过权限校验 boolean hasAuthorized = CollectionUtil.isNotEmpty(authorizedRoles) && authorizedRoles.contains(roleCode);
return hasPermission; return hasAuthorized;
}) })
.map(AuthorizationDecision::new) .map(AuthorizationDecision::new)
.defaultIfEmpty(new AuthorizationDecision(false)); .defaultIfEmpty(new AuthorizationDecision(false));

View File

@ -11,7 +11,6 @@ import lombok.RequiredArgsConstructor;
import lombok.SneakyThrows; import lombok.SneakyThrows;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.logging.log4j.util.Strings; import org.apache.logging.log4j.util.Strings;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.gateway.filter.GatewayFilterChain; import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter; import org.springframework.cloud.gateway.filter.GlobalFilter;
@ -24,22 +23,23 @@ import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import java.net.URLEncoder;
/** /**
* 安全拦截全局过滤器 * 安全拦截全局过滤器
* *
* @author haoxr * @author <a href="mailto:xianrui0365@163.com">xianrui</a>
* @date 2020-06-12
*/ */
@Component @Component
@RequiredArgsConstructor
@Slf4j @Slf4j
@RequiredArgsConstructor
public class SecurityGlobalFilter implements GlobalFilter, Ordered { public class SecurityGlobalFilter implements GlobalFilter, Ordered {
private final RedisTemplate redisTemplate; private final RedisTemplate redisTemplate;
// 是否演示环境
@Value("${demo}") @Value("${spring.profiles.active}")
private Boolean isDemoEnv; private String env;
@SneakyThrows @SneakyThrows
@Override @Override
@ -48,8 +48,8 @@ public class SecurityGlobalFilter implements GlobalFilter, Ordered {
ServerHttpRequest request = exchange.getRequest(); ServerHttpRequest request = exchange.getRequest();
ServerHttpResponse response = exchange.getResponse(); ServerHttpResponse response = exchange.getResponse();
// 演示环境禁止删除和修改 // 线上演示环境禁止修改和删除
if (isDemoEnv if (env.equals("prod")
&& (HttpMethod.DELETE.toString().equals(request.getMethodValue()) // 删除方法 && (HttpMethod.DELETE.toString().equals(request.getMethodValue()) // 删除方法
|| HttpMethod.PUT.toString().equals(request.getMethodValue())) // 修改方法 || HttpMethod.PUT.toString().equals(request.getMethodValue())) // 修改方法
) { ) {
@ -75,7 +75,7 @@ public class SecurityGlobalFilter implements GlobalFilter, Ordered {
// 存在token且不是黑名单request写入JWT的载体信息 // 存在token且不是黑名单request写入JWT的载体信息
request = exchange.getRequest().mutate() request = exchange.getRequest().mutate()
.header(AuthConstants.JWT_PAYLOAD_KEY, payload) .header(AuthConstants.JWT_PAYLOAD_KEY, URLEncoder.encode(payload,"UTF-8"))
.build(); .build();
exchange = exchange.mutate().request(request).build(); exchange = exchange.mutate().request(request).build();
return chain.filter(exchange); return chain.filter(exchange);

View File

@ -11,7 +11,7 @@ import springfox.documentation.swagger.web.*;
import java.util.Optional; import java.util.Optional;
/** /**
* @Author haoxr * @author xianrui
* @Date 2021-02-25 16:34 * @Date 2021-02-25 16:34
* @Version 1.0.0 * @Version 1.0.0
* @ https://gitee.com/xiaoym/swagger-bootstrap-ui-demo/blob/master/knife4j-spring-cloud-gateway/service-doc/src/main/java/com/xiaominfo/swagger/service/doc/handler/SwaggerHandler.java * @ https://gitee.com/xiaoym/swagger-bootstrap-ui-demo/blob/master/knife4j-spring-cloud-gateway/service-doc/src/main/java/com/xiaominfo/swagger/service/doc/handler/SwaggerHandler.java

View File

@ -8,9 +8,9 @@ import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange; import org.springframework.web.server.ServerWebExchange;
/** /**
* @auth haoxr
* @date 2021-02-25 16:29
* @link https://gitee.com/xiaoym/swagger-bootstrap-ui-demo/blob/master/knife4j-spring-cloud-gateway/service-doc/src/main/java/com/xiaominfo/swagger/service/doc/config/SwaggerHeaderFilter.java * @link https://gitee.com/xiaoym/swagger-bootstrap-ui-demo/blob/master/knife4j-spring-cloud-gateway/service-doc/src/main/java/com/xiaominfo/swagger/service/doc/config/SwaggerHeaderFilter.java
* @auth xianrui
* @date 2021-02-25 16:29
*/ */
@Component @Component
public class SwaggerHeaderFilter extends AbstractGatewayFilterFactory { public class SwaggerHeaderFilter extends AbstractGatewayFilterFactory {

View File

@ -13,29 +13,7 @@ spring:
config: config:
server-addr: ${spring.cloud.nacos.discovery.server-addr} server-addr: ${spring.cloud.nacos.discovery.server-addr}
file-extension: yaml file-extension: yaml
sentinel:
enabled: false # 网关流控开关
eager: true # 取消控制台懒加载项目启动即连接Sentinel
transport:
client-ip: localhost
dashboard: localhost:8080
datasource:
# 网关限流规则gw-flow为key随便定义
gw-flow:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-gw-flow-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: gw-flow
# 网关API自定义分组
gw-api-group:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-gw-api-group-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: gw-api-group

View File

@ -15,24 +15,3 @@ spring:
server-addr: ${spring.cloud.nacos.discovery.server-addr} server-addr: ${spring.cloud.nacos.discovery.server-addr}
file-extension: yaml file-extension: yaml
namespace: prod_namespace_id namespace: prod_namespace_id
sentinel:
eager: true
transport:
dashboard: e.youlai.tech:8858
datasource:
# 网关限流
gw-flow:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-gw-flow-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: gw-flow
# 网关API自定义分组
gw-api-group:
nacos:
server-addr: ${spring.cloud.nacos.discovery.server-addr}
dataId: ${spring.application.name}-gw-api-group-rules
groupId: SENTINEL_GROUP
data-type: json
rule-type: gw-api-group