diff --git a/console/src/main/java/com/alibaba/nacos/console/filter/JwtAuthenticationTokenFilter.java b/console/src/main/java/com/alibaba/nacos/console/filter/JwtAuthenticationTokenFilter.java
index 4e8be4910..ddd171ffb 100644
--- a/console/src/main/java/com/alibaba/nacos/console/filter/JwtAuthenticationTokenFilter.java
+++ b/console/src/main/java/com/alibaba/nacos/console/filter/JwtAuthenticationTokenFilter.java
@@ -65,7 +65,7 @@ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
private String resolveToken(HttpServletRequest request) {
String bearerToken = request.getHeader(NacosAuthConfig.AUTHORIZATION_HEADER);
if (StringUtils.isNotBlank(bearerToken) && bearerToken.startsWith(TOKEN_PREFIX)) {
- return bearerToken.substring(7);
+ return bearerToken.substring(TOKEN_PREFIX.length());
}
String jwt = request.getParameter(Constants.ACCESS_TOKEN);
if (StringUtils.isNotBlank(jwt)) {
diff --git a/console/src/main/java/com/alibaba/nacos/console/security/nacos/LdapAuthenticationProvider.java b/console/src/main/java/com/alibaba/nacos/console/security/nacos/LdapAuthenticationProvider.java
index 1627d4589..1749dc395 100644
--- a/console/src/main/java/com/alibaba/nacos/console/security/nacos/LdapAuthenticationProvider.java
+++ b/console/src/main/java/com/alibaba/nacos/console/security/nacos/LdapAuthenticationProvider.java
@@ -63,6 +63,8 @@ public class LdapAuthenticationProvider implements AuthenticationProvider {
private static final String LDAP_PREFIX = "LDAP_";
+ private static final String DEFAULT_SECURITY_AUTH = "simple";
+
@Autowired
private NacosUserDetailsServiceImpl userDetailsService;
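Review bot: `TOKEN_PREFIX` is declared privately both in this filter and in NacosAuthManager (whose hunk in this diff shows `private static final String TOKEN_PREFIX = "Bearer ";`), so the two bearer-prefix checks can still drift apart even though this hunk now ties the substring length to the constant; one shared constant, for instance next to `NacosAuthConfig.AUTHORIZATION_HEADER` which this method already reads, would close that gap. The method also has no Javadoc stating its resolution order — header first, then the `Constants.ACCESS_TOKEN` request parameter — which matters because a token supplied in the query string can end up in access logs and browser history; suggest `/** Resolves the JWT from the Authorization header, falling back to the access-token request parameter; clients should prefer the header. */`. resolveToken continues past the end of the hunk.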
@@ -112,11 +114,12 @@ public class LdapAuthenticationProvider implements AuthenticationProvider {
private boolean isAdmin(String username) {
List roleInfos = nacosRoleService.getRoles(username);
- if (CollectionUtils.isNotEmpty(roleInfos)) {
- for (RoleInfo roleinfo : roleInfos) {
- if (GLOBAL_ADMIN_ROLE.equals(roleinfo.getRole())) {
- return true;
- }
+ if (CollectionUtils.isEmpty(roleInfos)) {
+ return false;
+ }
+ for (RoleInfo roleinfo : roleInfos) {
+ if (GLOBAL_ADMIN_ROLE.equals(roleinfo.getRole())) {
+ return true;
}
}
return false;
@@ -126,7 +129,7 @@ public class LdapAuthenticationProvider implements AuthenticationProvider {
Hashtable env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
env.put(Context.PROVIDER_URL, ldapUrl);
- env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_AUTHENTICATION, DEFAULT_SECURITY_AUTH);
env.put(Context.SECURITY_PRINCIPAL, userNamePattern.replace("{0}", username));
env.put(Context.SECURITY_CREDENTIALS, password);
diff --git a/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthConfig.java b/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthConfig.java
index ce6ba48dd..74f066c8b 100644
--- a/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthConfig.java
+++ b/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthConfig.java
@@ -58,6 +58,10 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
public static final String CONSOLE_RESOURCE_NAME_PREFIX = "console/";
public static final String UPDATE_PASSWORD_ENTRY_POINT = CONSOLE_RESOURCE_NAME_PREFIX + "user/password";
+
+ private static final String DEFAULT_ALL_PATH_PATTERN = "/**";
+
+ private static final String PROPERTY_IGNORE_URLS = "nacos.security.ignore.urls";
@Autowired
private Environment env;
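Review bot: With `Context.SECURITY_AUTHENTICATION` fixed to `DEFAULT_SECURITY_AUTH` (`"simple"`), an empty `password` reaching `env.put(Context.SECURITY_CREDENTIALS, password)` is commonly accepted by directory servers as an anonymous (unauthenticated) bind that succeeds without checking any credential; unless that case is rejected outside this hunk, the method should fail fast when `password` is null or empty before `env` is built. A simple bind also sends the password in clear unless `ldapUrl` is an `ldaps://` URL or StartTLS is negotiated, so a comment on the new constant such as `// simple bind: the credential is protected only by TLS on the LDAP URL` would record that assumption. The name `DEFAULT_SECURITY_AUTH` suggests a configurable default, but nothing in the diff reads an override, so either drop "DEFAULT" or document where it can be changed. The enclosing method starts before this hunk.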
@@ -85,12 +89,12 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
String ignoreUrls = null;
if (AuthSystemTypes.NACOS.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
- ignoreUrls = "/**";
+ ignoreUrls = DEFAULT_ALL_PATH_PATTERN;
} else if (AuthSystemTypes.LDAP.name().equalsIgnoreCase(authConfigs.getNacosAuthSystemType())) {
- ignoreUrls = "/**";
+ ignoreUrls = DEFAULT_ALL_PATH_PATTERN;
}
if (StringUtils.isBlank(authConfigs.getNacosAuthSystemType())) {
- ignoreUrls = env.getProperty("nacos.security.ignore.urls", "/**");
+ ignoreUrls = env.getProperty(PROPERTY_IGNORE_URLS, DEFAULT_ALL_PATH_PATTERN);
}
if (StringUtils.isNotBlank(ignoreUrls)) {
for (String each : ignoreUrls.trim().split(SECURITY_IGNORE_URLS_SPILT_CHAR)) {
@@ -112,19 +116,12 @@ public class NacosAuthConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
if (StringUtils.isBlank(authConfigs.getNacosAuthSystemType())) {
- http
-
- .csrf().disable().cors() // We don't need CSRF for JWT based authentication
-
+ http.csrf().disable().cors()// We don't need CSRF for JWT based authentication
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-
.and().authorizeRequests().requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
.antMatchers(LOGIN_ENTRY_POINT).permitAll()
-
.and().authorizeRequests().antMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()
-
.and().exceptionHandling().authenticationEntryPoint(new JwtAuthenticationEntryPoint());
-
// disable cache
http.headers().cacheControl();
diff --git a/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthManager.java b/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthManager.java
index d753e40eb..f6a70dbe0 100644
--- a/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthManager.java
+++ b/console/src/main/java/com/alibaba/nacos/console/security/nacos/NacosAuthManager.java
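Review bot: The NACOS and LDAP branches both assign `DEFAULT_ALL_PATH_PATTERN`, so the `if`/`else if` pair should be merged into one `||` condition, and the following `if (StringUtils.isBlank(...))` is really the `else if` of that same chain rather than a separate test; reading `authConfigs.getNacosAuthSystemType()` once into a local would also remove the four repeated calls. Because `"/**"` means every path is ignored whenever an auth system type is configured, the constant deserves a why-comment, e.g. `// "/**": every path is excluded here; authorization for NACOS/LDAP is presumably enforced by the Nacos auth filter — confirm`, so a reader does not expect it to tighten access. It is also worth noting in Javadoc that `PROPERTY_IGNORE_URLS` is honoured only when no auth system type is set, which the property name does not convey. The enclosing configure method starts and ends outside the hunk.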
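Review bot: The collapsed line `http.csrf().disable().cors()// We don't need CSRF for JWT based authentication` drops the space before `//`, which google-java-format and Checkstyle both flag; write `http.csrf().disable().cors() // We don't need CSRF for JWT based authentication`. The rationale would also sit better on the `.sessionCreationPolicy(SessionCreationPolicy.STATELESS)` line, since the absence of a session cookie, not the JWT as such, is what makes CSRF protection unnecessary here. configure(HttpSecurity) continues past the end of the hunk.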
@@ -51,6 +51,10 @@ public class NacosAuthManager implements AuthManager {
private static final String TOKEN_PREFIX = "Bearer ";
+ private static final String PARAM_USERNAME = "username";
+
+ private static final String PARAM_PASSWORD = "password";
+
@Autowired
private JwtTokenManager tokenManager;
@@ -152,8 +156,8 @@ public class NacosAuthManager implements AuthManager {
}
bearerToken = request.getParameter(Constants.ACCESS_TOKEN);
if (StringUtils.isBlank(bearerToken)) {
- String userName = request.getParameter("username");
- String password = request.getParameter("password");
+ String userName = request.getParameter(PARAM_USERNAME);
+ String password = request.getParameter(PARAM_PASSWORD);
bearerToken = resolveTokenFromUser(userName, password);
}
@@ -170,8 +174,8 @@ public class NacosAuthManager implements AuthManager {
}
bearerToken = request.getHeader(Constants.ACCESS_TOKEN);
if (StringUtils.isBlank(bearerToken)) {
- String userName = request.getHeader("username");
- String password = request.getHeader("password");
+ String userName = request.getHeader(PARAM_USERNAME);
+ String password = request.getHeader(PARAM_PASSWORD);
bearerToken = resolveTokenFromUser(userName, password);
}
diff --git a/console/src/main/java/com/alibaba/nacos/console/security/nacos/roles/NacosRoleServiceImpl.java b/console/src/main/java/com/alibaba/nacos/console/security/nacos/roles/NacosRoleServiceImpl.java
index 8f4a5fe0c..6fc1f6850 100644
--- a/console/src/main/java/com/alibaba/nacos/console/security/nacos/roles/NacosRoleServiceImpl.java
+++ b/console/src/main/java/com/alibaba/nacos/console/security/nacos/roles/NacosRoleServiceImpl.java
@@ -52,6 +52,8 @@ public class NacosRoleServiceImpl {
public static final String GLOBAL_ADMIN_ROLE = "ROLE_ADMIN";
+ private static final int DEFAULT_PAGE_NO = 1;
+
@Autowired
private AuthConfigs authConfigs;
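Review bot: `PARAM_USERNAME` and `PARAM_PASSWORD` are used for `request.getParameter(...)` in the hunk at `@@ -152,8 +156,8 @@` and for `request.getHeader(...)` in the hunk at `@@ -170,8 +174,8 @@`, so the `PARAM_` prefix misdescribes half of their uses; naming them by content (`USERNAME_KEY`, `PASSWORD_KEY`) or adding `// also used as HTTP header names` on the declarations keeps the next reader from assuming they are parameter-only. Since `getParameter` also reads the query string, a password sent that way may be captured in server access logs or by intermediaries; a Javadoc sentence on the resolving method, e.g. `Credentials are accepted as request parameters or headers; clients must not place them in the query string.`, documents that caveat without changing behaviour. Both resolving methods start and end outside their hunks.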
@@ -74,7 +76,7 @@ public class NacosRoleServiceImpl {
private void reload() {
try {
Page roleInfoPage = rolePersistService
- .getRolesByUserName(StringUtils.EMPTY, 1, Integer.MAX_VALUE);
+ .getRolesByUserName(StringUtils.EMPTY, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
if (roleInfoPage == null) {
return;
}
@@ -91,7 +93,7 @@ public class NacosRoleServiceImpl {
Map> tmpPermissionInfoMap = new ConcurrentHashMap<>(16);
for (String role : tmpRoleSet) {
Page permissionInfoPage = permissionPersistService
- .getPermissions(role, 1, Integer.MAX_VALUE);
+ .getPermissions(role, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
tmpPermissionInfoMap.put(role, permissionInfoPage.getPageItems());
}
@@ -157,7 +159,7 @@ public class NacosRoleServiceImpl {
public List getRoles(String username) {
List roleInfoList = roleInfoMap.get(username);
if (!authConfigs.isCachingEnabled()) {
- Page roleInfoPage = getRolesFromDatabase(username, 1, Integer.MAX_VALUE);
+ Page roleInfoPage = getRolesFromDatabase(username, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
if (roleInfoPage != null) {
roleInfoList = roleInfoPage.getPageItems();
}
@@ -176,7 +178,7 @@ public class NacosRoleServiceImpl {
public List getPermissions(String role) {
List permissionInfoList = permissionInfoMap.get(role);
if (!authConfigs.isCachingEnabled()) {
- Page permissionInfoPage = getPermissionsFromDatabase(role, 1, Integer.MAX_VALUE);
+ Page permissionInfoPage = getPermissionsFromDatabase(role, DEFAULT_PAGE_NO, Integer.MAX_VALUE);
if (permissionInfoPage != null) {
permissionInfoList = permissionInfoPage.getPageItems();
}
diff --git a/console/src/main/resources/META-INF/nacos-default.properties b/console/src/main/resources/META-INF/nacos-default.properties
index 96157a6cb..04aa6500e 100644
--- a/console/src/main/resources/META-INF/nacos-default.properties
+++ b/console/src/main/resources/META-INF/nacos-default.properties
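Review bot: `DEFAULT_PAGE_NO` replaces the `1`, but its companion `Integer.MAX_VALUE` — the "fetch every row" page size — is left as a magic number in this hunk and in the hunks at `@@ -91,7 +93,7 @@`, `@@ -157,7 +159,7 @@` and `@@ -176,7 +178,7 @@`; a paired `private static final int ALL_ITEMS_PAGE_SIZE = Integer.MAX_VALUE;` used in all four calls would finish the extraction and name the intent. A one-line comment on the pair, e.g. `// page 1 with MAX_VALUE items: every role/permission row is loaded in one query`, would make the unbounded fetch explicit for whoever later adds paging. reload() continues past the end of this hunk.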
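Review bot: `permissionInfoPage.getPageItems()` is dereferenced right after `getPermissions(role, DEFAULT_PAGE_NO, Integer.MAX_VALUE)` with no null check, whereas the page returned for roles is null-checked in the hunk above and `getPermissions(String role)` at `@@ -176,7 +178,7 @@` checks `permissionInfoPage != null` for the same kind of value; if the persist service can return null, as those sibling checks suggest, the loop aborts on the first such role and the remaining roles are never refreshed, whatever the surrounding catch does with the exception. Guarding the put the same way, `if (permissionInfoPage != null) { tmpPermissionInfoMap.put(role, permissionInfoPage.getPageItems()); }`, keeps reload() consistent with its siblings. reload() begins in the previous hunk and continues past this one.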
@@ -17,7 +17,7 @@
# Console Default Properties
spring.mvc.view.prefix=/jsp/
-# 响应页面默认后缀
+# the default suffix of page
spring.mvc.view.suffix=.jsp
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration
#logging.level.root=DEBUG