refactor:AuthorizationManager的check方法移除白名单校验

mall-ums/mall-ums-api/src/main/java/com/youlai/mall/ums/api/entity/UmsMember.java

@@ -28,5 +28,7 @@ public class UmsMember {
 
     private String sessionKey;
 
+    private Integer status;
+
 
 }

youlai-auth/src/main/java/com/youlai/auth/config/WebSecurityConfig.java

@@ -19,7 +19,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
          http
             .authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
         .and()
-            .authorizeRequests().antMatchers("/rsa/publicKey").permitAll().anyRequest().authenticated()
+            .authorizeRequests().antMatchers("/rsa/publicKey","/oauth/logout").permitAll().anyRequest().authenticated()
         .and()
             .csrf().disable();
     }

youlai-auth/src/main/java/com/youlai/auth/controller/AuthController.java

@@ -21,7 +21,7 @@ import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import lombok.AllArgsConstructor;
 import me.chanjar.weixin.common.error.WxErrorException;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.apache.logging.log4j.util.Strings;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
@@ -72,8 +72,12 @@ public class AuthController {
         if (StrUtil.isBlank(clientId)) {
             throw new BizException("客户端ID不能为空");
         }
-        switch (clientId) {
-            case AuthConstants.ADMIN_CLIENT_ID: // 后台管理
+
+        // 微信小程序逻辑处理
+        if (AuthConstants.WEAPP_CLIENT_ID.equals(clientId)) {
+            this.handleParametersForWeapp(parameters);
+        }
+
         OAuth2AccessToken oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
         Oauth2Token oauth2Token = Oauth2Token.builder()
                 .token(oAuth2AccessToken.getValue())
@@ -81,7 +85,28 @@ public class AuthController {
                 .expiresIn(oAuth2AccessToken.getExpiresIn())
                 .build();
         return Result.success(oauth2Token);
-            case AuthConstants.WEAPP_CLIENT_ID: // 微信小程序
+    }
+
+    @DeleteMapping("/logout")
+    public Result logout(HttpServletRequest request) {
+        String payload = request.getHeader(AuthConstants.JWT_PAYLOAD_KEY);
+        JSONObject jsonObject = JSONUtil.parseObj(payload);
+
+        String jti = jsonObject.getStr("jti"); // JWT唯一标识
+        long exp = jsonObject.getLong("exp"); // JWT过期时间戳
+
+        long currentTimeSeconds = System.currentTimeMillis() / 1000;
+
+        if (exp < currentTimeSeconds) { // token已过期
+            return Result.custom(ResultCode.TOKEN_INVALID_OR_EXPIRED);
+        }
+        redisTemplate.opsForValue().set(AuthConstants.TOKEN_BLACKLIST_PREFIX + jti, null, (exp - currentTimeSeconds), TimeUnit.SECONDS);
+        return Result.success();
+    }
+
+
+    private void handleParametersForWeapp(Map<String, String> parameters) {
+
         try {
             String code = parameters.get("code");
             if (StrUtil.isBlank(code)) {
@@ -104,7 +129,8 @@ public class AuthController {
                 member.setGender(Integer.valueOf(userInfo.getGender()));
                 member.setOpenid(openid);
                 member.setUsername(openid);
-                        member.setPassword(passwordEncoder.encode(openid));
+                member.setPassword(passwordEncoder.encode(openid).replace(AuthConstants.BCRYPT, Strings.EMPTY)); // 加密密码移除前缀加密方式 {bcrypt}
+
                 Result result = remoteUmsMemberService.add(member);
                 if (!ResultCode.SUCCESS.getCode().equals(result.getCode())) {
                     throw new BizException("注册会员失败");
@@ -116,38 +142,12 @@ public class AuthController {
             // 微信授权登录数据模拟生成token
             parameters.put("username", member.getUsername());
             parameters.put("password", member.getUsername());
-                    oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
-                    oauth2Token = Oauth2Token.builder()
-                            .token(oAuth2AccessToken.getValue())
-                            .refreshToken(oAuth2AccessToken.getRefreshToken().getValue())
-                            .expiresIn(oAuth2AccessToken.getExpiresIn())
-                            .build();
-                    return Result.success(oauth2Token);
+
         } catch (WxErrorException e) {
             e.printStackTrace();
             throw new BizException("auth failed");
         }
+
     }
 
-        return null;
-    }
-
-    @DeleteMapping("/logout")
-    public Result logout(HttpServletRequest request) {
-        String payload = request.getHeader(AuthConstants.JWT_PAYLOAD_KEY);
-        JSONObject jsonObject = JSONUtil.parseObj(payload);
-
-        String jti = jsonObject.getStr("jti"); // JWT唯一标识
-        long exp = jsonObject.getLong("exp"); // JWT过期时间戳
-
-        long currentTimeSeconds = System.currentTimeMillis() / 1000;
-
-        if (exp < currentTimeSeconds) { // token已过期
-            return Result.custom(ResultCode.TOKEN_INVALID_OR_EXPIRED);
-        }
-        redisTemplate.opsForValue().set(AuthConstants.TOKEN_BLACKLIST_PREFIX + jti, null, (exp - currentTimeSeconds), TimeUnit.SECONDS);
-        return Result.success();
-    }
-
-
 }

youlai-auth/src/main/java/com/youlai/auth/domain/User.java

@@ -36,7 +36,7 @@ public class User implements UserDetails {
         this.setId(user.getId());
         this.setUsername(user.getUsername());
         this.setPassword(AuthConstants.BCRYPT + user.getPassword());
-        this.setEnabled(user.getStatus().equals(1));
+        this.setEnabled(Integer.valueOf(1).equals(user.getStatus()));
         this.setClientId(user.getClientId());
         if (user.getRoles() != null) {
             authorities = new ArrayList<>();
@@ -48,7 +48,7 @@ public class User implements UserDetails {
         this.setId(member.getId());
         this.setUsername(member.getUsername());
         this.setPassword(AuthConstants.BCRYPT + member.getPassword());
-        this.setEnabled(member.getStatus().equals(1));
+        this.setEnabled( Integer.valueOf(1).equals(member.getStatus()));
         this.setClientId(member.getClientId());
     }
 

youlai-gateway/src/main/java/com/youlai/gateway/component/AuthorizationManager.java

@@ -6,7 +6,6 @@ import com.youlai.common.core.constant.AuthConstants;
 import com.youlai.gateway.config.WhiteListConfig;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.logging.log4j.util.Strings;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.server.reactive.ServerHttpRequest;
@@ -39,14 +38,6 @@ public class AuthorizationManager implements ReactiveAuthorizationManager<Author
         String path = request.getURI().getPath();
         PathMatcher pathMatcher = new AntPathMatcher();
 
-        // 白名单路径直接放行
-        List<String> whiteList = whiteListConfig.getUrls();
-        for (String ignoreUrl : whiteList) {
-            if (pathMatcher.match(ignoreUrl, path)) {
-                return Mono.just(new AuthorizationDecision(true));
-            }
-        }
-
         // 对应跨域的预检请求直接放行
         if (request.getMethod() == HttpMethod.OPTIONS) {
             return Mono.just(new AuthorizationDecision(true));
@@ -58,7 +49,12 @@ public class AuthorizationManager implements ReactiveAuthorizationManager<Author
             return Mono.just(new AuthorizationDecision(false));
         }
 
-        // 缓存取资源权限角色关系列表
+        // 非管理端路径无需鉴权直接放行
+        if (!pathMatcher.match(AuthConstants.ADMIN_URL_PATTERN, path)) {
+            return Mono.just(new AuthorizationDecision(true));
+        }
+
+        // 从缓存取资源权限角色关系列表
         Map<Object, Object> resourceRolesMap = redisTemplate.opsForHash().entries(AuthConstants.RESOURCE_ROLES_KEY);
         Iterator<Object> iterator = resourceRolesMap.keySet().iterator();