|
|
|
|
@ -1,6 +1,5 @@
|
|
|
|
|
package com.anjiplus.template.gaea.business.filter;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
import com.alibaba.fastjson.JSONObject;
|
|
|
|
|
import com.anji.plus.gaea.bean.ResponseBean;
|
|
|
|
|
import com.anji.plus.gaea.cache.CacheHelper;
|
|
|
|
|
@ -16,7 +15,6 @@ import org.springframework.beans.factory.annotation.Value;
|
|
|
|
|
import org.springframework.core.annotation.Order;
|
|
|
|
|
import org.springframework.stereotype.Component;
|
|
|
|
|
import org.springframework.util.AntPathMatcher;
|
|
|
|
|
import org.springframework.util.CollectionUtils;
|
|
|
|
|
|
|
|
|
|
import javax.servlet.*;
|
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
|
|
@ -24,9 +22,9 @@ import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
import java.io.IOException;
|
|
|
|
|
import java.util.List;
|
|
|
|
|
import java.util.Map;
|
|
|
|
|
import java.util.Optional;
|
|
|
|
|
import java.util.concurrent.atomic.AtomicBoolean;
|
|
|
|
|
import java.util.regex.Pattern;
|
|
|
|
|
import java.util.stream.Collectors;
|
|
|
|
|
|
|
|
|
|
import static com.anji.plus.gaea.constant.GaeaConstant.URL_REPLACEMENT;
|
|
|
|
|
|
|
|
|
|
@ -39,23 +37,23 @@ import static com.anji.plus.gaea.constant.GaeaConstant.URL_REPLACEMENT;
|
|
|
|
|
@Order(Integer.MIN_VALUE + 99)
|
|
|
|
|
public class TokenFilter implements Filter {
|
|
|
|
|
private static final Pattern PATTERN = Pattern.compile(".*().*");
|
|
|
|
|
private static final String USER_GUEST = "guest";
|
|
|
|
|
|
|
|
|
|
@Value("${server.servlet.context-path:'/'}")
|
|
|
|
|
@Value("${server.servlet.context-path:/}")
|
|
|
|
|
private String SLASH = "/";
|
|
|
|
|
private AntPathMatcher antPathMatcher = new AntPathMatcher();
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
|
private CacheHelper cacheHelper;
|
|
|
|
|
@Autowired
|
|
|
|
|
private JwtBean jwtBean;
|
|
|
|
|
|
|
|
|
|
/** 跳过token验证和权限验证的url清单*/
|
|
|
|
|
@Value("#{'${customer.skip-authenticate-urls}'.split(',')}")
|
|
|
|
|
/**
|
|
|
|
|
* 跳过token验证和权限验证的url清单
|
|
|
|
|
*/
|
|
|
|
|
@Value("#{'${customer.skip-authenticate-urls:}'.split(',')}")
|
|
|
|
|
private List<String> skipAuthenticateUrls;
|
|
|
|
|
private Pattern skipAuthenticatePattern;
|
|
|
|
|
|
|
|
|
|
private AntPathMatcher antPathMatcher = new AntPathMatcher();
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public void init(FilterConfig filterConfig) throws ServletException {
|
|
|
|
|
// 生成匹配正则,跳过token验证和权限验证的url
|
|
|
|
|
@ -69,13 +67,25 @@ public class TokenFilter implements Filter {
|
|
|
|
|
HttpServletResponse response = (HttpServletResponse) servletResponse;
|
|
|
|
|
String uri = request.getRequestURI();
|
|
|
|
|
|
|
|
|
|
// TODO 暂时先不校验 直接放行
|
|
|
|
|
/*if (true) {
|
|
|
|
|
filterChain.doFilter(request, response);
|
|
|
|
|
return;
|
|
|
|
|
}*/
|
|
|
|
|
|
|
|
|
|
//OPTIONS直接放行
|
|
|
|
|
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
|
|
|
|
|
filterChain.doFilter(request, response);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SLASH.equals(uri) || SLASH.concat("/").equals(uri)) {
|
|
|
|
|
// swagger相关的直接放行
|
|
|
|
|
if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) {
|
|
|
|
|
filterChain.doFilter(request, response);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SLASH.equals(uri) || SLASH.concat(BusinessConstant.SLASH).equals(uri)) {
|
|
|
|
|
response.sendRedirect(SLASH + "/index.html");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
@ -125,51 +135,19 @@ public class TokenFilter implements Filter {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
String gaeaUserJsonStr = cacheHelper.stringGet(userKey);
|
|
|
|
|
// 延长有效期
|
|
|
|
|
cacheHelper.stringSetExpire(tokenKey, token, 3600);
|
|
|
|
|
cacheHelper.stringSetExpire(userKey, gaeaUserJsonStr, 3600);
|
|
|
|
|
|
|
|
|
|
//判断接口权限
|
|
|
|
|
//请求路径
|
|
|
|
|
//String requestUrl = request.getRequestURI(); requestUrl中可能会有contextpath,而底层扫描的controller是没有的
|
|
|
|
|
String servletPath = request.getServletPath();
|
|
|
|
|
String methodValue = request.getMethod();
|
|
|
|
|
//请求方法+#+请求路径
|
|
|
|
|
String urlKey = methodValue + GaeaConstant.URL_SPLIT + servletPath;
|
|
|
|
|
|
|
|
|
|
GaeaUserDto gaeaUserDto = JSONObject.parseObject(gaeaUserJsonStr, GaeaUserDto.class);
|
|
|
|
|
List<String> authorities = gaeaUserDto.getAuthorities();
|
|
|
|
|
Map<String, String> applicationNameAllAuthorities = cacheHelper.hashGet(BusinessConstant.GAEA_SECURITY_AUTHORITIES);
|
|
|
|
|
AtomicBoolean authFlag = new AtomicBoolean(false);
|
|
|
|
|
//查询当前请求是否在对应的权限里。即:先精确匹配(保证当前路由是需要精确匹配还是模糊匹配,防止精确匹配的被模糊匹配)
|
|
|
|
|
// 比如:/user/info和/user/**同时存在,/user/info,被/user/**匹配掉
|
|
|
|
|
if (applicationNameAllAuthorities.containsKey(urlKey)) {
|
|
|
|
|
String permissionCode = applicationNameAllAuthorities.get(urlKey);
|
|
|
|
|
if (authorities.contains(permissionCode)) {
|
|
|
|
|
authFlag.set(true);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
List<String> collect = applicationNameAllAuthorities.keySet().stream()
|
|
|
|
|
.filter(key -> StringUtils.isNotBlank(key) && key.contains(URL_REPLACEMENT))
|
|
|
|
|
.filter(key -> antPathMatcher.match(key, urlKey)).collect(Collectors.toList());
|
|
|
|
|
if (CollectionUtils.isEmpty(collect)) {
|
|
|
|
|
authFlag.set(true);
|
|
|
|
|
}else {
|
|
|
|
|
collect.forEach(key -> {
|
|
|
|
|
String permissionCode = applicationNameAllAuthorities.getOrDefault(key, "");
|
|
|
|
|
if (authorities.contains(permissionCode)) {
|
|
|
|
|
authFlag.set(true);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
// 判断用户是否有该url的权限
|
|
|
|
|
if (!BusinessConstant.USER_ADMIN.equals(loginName)) {
|
|
|
|
|
AtomicBoolean authorizeFlag = authorize(request, gaeaUserJsonStr);
|
|
|
|
|
if (!authorizeFlag.get()) {
|
|
|
|
|
authError(response);//无权限
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!authFlag.get()) {
|
|
|
|
|
//无权限
|
|
|
|
|
authError(response);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 延长有效期
|
|
|
|
|
cacheHelper.stringSetExpire(tokenKey, token, 3600);
|
|
|
|
|
cacheHelper.stringSetExpire(userKey, gaeaUserJsonStr, 3600);
|
|
|
|
|
|
|
|
|
|
//执行
|
|
|
|
|
filterChain.doFilter(request, response);
|
|
|
|
|
@ -205,14 +183,58 @@ public class TokenFilter implements Filter {
|
|
|
|
|
return Pattern.compile(patternString.toString());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** 判断用户是否有该接口的权限
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
private AtomicBoolean authorize(HttpServletRequest request, String gaeaUserJsonStr){
|
|
|
|
|
|
|
|
|
|
//判断接口权限
|
|
|
|
|
//请求路径
|
|
|
|
|
String requestUrl = request.getRequestURI();
|
|
|
|
|
if (!BusinessConstant.SLASH.equals(SLASH)) {
|
|
|
|
|
requestUrl = requestUrl.substring(SLASH.length());
|
|
|
|
|
}
|
|
|
|
|
String methodValue = request.getMethod();
|
|
|
|
|
//请求方法+#+请求路径
|
|
|
|
|
String path = methodValue + GaeaConstant.URL_SPLIT + requestUrl;
|
|
|
|
|
|
|
|
|
|
GaeaUserDto gaeaUserDto = JSONObject.parseObject(gaeaUserJsonStr, GaeaUserDto.class);
|
|
|
|
|
List<String> userAuthorities = gaeaUserDto.getAuthorities();
|
|
|
|
|
Map<String, String> authoritiesAllMap = cacheHelper.hashGet(BusinessConstant.GAEA_SECURITY_AUTHORITIES);
|
|
|
|
|
|
|
|
|
|
AtomicBoolean authFlag = new AtomicBoolean(false);
|
|
|
|
|
|
|
|
|
|
// 接口GET#/gaeaDictItem/pageList
|
|
|
|
|
if(authoritiesAllMap.containsKey(path)){
|
|
|
|
|
String permissionCode = authoritiesAllMap.get(path);
|
|
|
|
|
boolean flag = userAuthorities.contains(permissionCode);
|
|
|
|
|
authFlag.set(flag);
|
|
|
|
|
return authFlag;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 接口GET#/accessUser/roleTree/**
|
|
|
|
|
Optional<String> optionalMatchKey = authoritiesAllMap.keySet().stream()
|
|
|
|
|
.filter(key -> StringUtils.isNotBlank(key) && key.contains(URL_REPLACEMENT))
|
|
|
|
|
.filter(key -> antPathMatcher.match(key, path)).findFirst();
|
|
|
|
|
if(optionalMatchKey.isPresent() == false){
|
|
|
|
|
authFlag.set(true);
|
|
|
|
|
return authFlag;
|
|
|
|
|
}
|
|
|
|
|
String authoritieKey = optionalMatchKey.get();
|
|
|
|
|
String needPermission = authoritiesAllMap.get(authoritieKey);
|
|
|
|
|
boolean flag = userAuthorities.contains(needPermission);
|
|
|
|
|
authFlag.set(flag);
|
|
|
|
|
return authFlag;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private void error(HttpServletResponse response) throws IOException {
|
|
|
|
|
ResponseBean responseBean = ResponseBean.builder().code("50014").message("The Token has expired").build();
|
|
|
|
|
ResponseBean responseBean = ResponseBean.builder().code("50008").message("The Token has expired").build();
|
|
|
|
|
response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
|
|
|
|
|
response.getWriter().print(JSONObject.toJSONString(responseBean));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private void authError(HttpServletResponse response) throws IOException {
|
|
|
|
|
ResponseBean responseBean = ResponseBean.builder().code("User.no.authority").message("没有权限").build();
|
|
|
|
|
ResponseBean responseBean = ResponseBean.builder().code("User.no.authority").message("no auth").build();
|
|
|
|
|
response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
|
|
|
|
|
response.getWriter().print(JSONObject.toJSONString(responseBean));
|
|
|
|
|
}
|
|
|
|
|
|
raodeming
3 years ago