增加 auth 认证拦截器（未完全）

2020-04-21 23:55:36 +08:00 · 2020-04-21 23:55:36 +08:00 · 6f37500f62
parent eec8f0860e
commit 6f37500f62
14 changed files with 202 additions and 20 deletions
--- a/common/mall-spring-boot-starter-security/pom.xml
+++ b/common/mall-spring-boot-starter-security/pom.xml
@ -17,7 +17,6 @@
            <groupId>cn.iocoder.mall</groupId>
            <artifactId>system-rpc-api</artifactId>
            <version>1.0-SNAPSHOT</version>
            <optional>true</optional>
        </dependency>
        <!-- Spring 核心 -->
@ -38,7 +37,6 @@
        <dependency>
            <groupId>org.apache.dubbo</groupId>
            <artifactId>dubbo</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java
@ -1,16 +1,38 @@
 package cn.iocoder.mall.security.config;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import cn.iocoder.mall.security.core.interceptor.AccountAuthInterceptor;
 import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
 import cn.iocoder.mall.web.core.constant.CommonMallConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
@AutoConfigureAfter(CommonWebAutoConfiguration.class) // 在 CommonWebAutoConfiguration 之后自动配置，保证过滤器的顺序
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
@ConditionalOnClass(name = {"cn.iocoder.mall.system.rpc.api.systemlog.SystemLogRPC", "org.apache.dubbo.config.annotation.Reference"})
 public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {
-    // ========== 拦截器相关 ==========
+    private Logger logger = LoggerFactory.getLogger(getClass());
    // ========== 拦截器相关 ==========
    @Bean
    @ConditionalOnMissingBean(AccountAuthInterceptor.class)
    public AccountAuthInterceptor accountAuthInterceptor() {
        return new AccountAuthInterceptor();
    }
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // AccountAuthInterceptor 拦截器
        registry.addInterceptor(this.accountAuthInterceptor())
                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
        logger.info("[addInterceptors][加载 AccountAuthInterceptor 拦截器完成]");
    }
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresLogin.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresLogin.java
@ -0,0 +1,16 @@
 package cn.iocoder.mall.security.core.annotation;
 import java.lang.annotation.*;
 /**
 * 要求用户登录注解。通过将该注解添加到 Controller 上，会自动校验用户是否登陆。
 *
 * 默认请求下，用户访问的 API 接口，无需登陆。主要的考虑是，
 * 1. 需要用户登陆的接口，本身会获取在线用户的编号。如果不添加 @RequiresLogin 注解就会报错。
 * 2. 大多数情况下，用户的 API 接口无需登陆。
 */
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
@Retention(RetentionPolicy.RUNTIME)
 public @interface RequiresLogin {
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java
@ -0,0 +1,22 @@
 package cn.iocoder.mall.security.core.annotation;
 import java.lang.annotation.*;
 /**
 * 参考 Shiro @RequiresPermissions 设计 http://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html
 *
 * 通过将该注解添加到 Controller 的方法上，进行授权鉴定
 */
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
@Retention(RetentionPolicy.RUNTIME)
 public @interface RequiresPermissions {
    /**
     * 当有多个标识时，必须全部拥有权限，才可以操作
     *
     * @return 权限标识数组
     */
    String[] value();
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java
@ -0,0 +1,28 @@
 package cn.iocoder.mall.security.core.context;
 import lombok.Data;
 import lombok.experimental.Accessors;
 import java.util.Set;
 /**
 * Security 上下文
 */
@Data
@Accessors(chain = true)
 public class AdminSecurityContext {
    /**
     * 管理员编号
     */
    private Integer adminId;
    /**
     * 管理员账号
     */
    private String username;
    /**
     * 拥有的角色编号
     */
    private Set<Integer> roleIds;
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContextHolder.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContextHolder.java
@ -0,0 +1,30 @@
 package cn.iocoder.mall.security.core.context;
 /**
 * {@link AdminSecurityContext} Holder
 *
 * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
 */
 public class AdminSecurityContextHolder {
    private static final ThreadLocal<AdminSecurityContext> SECURITY_CONTEXT = new ThreadLocal<>();
    public static void setContext(AdminSecurityContext context) {
        SECURITY_CONTEXT.set(context);
    }
    public static AdminSecurityContext getContext() {
        AdminSecurityContext ctx = SECURITY_CONTEXT.get();
        // 为空时，设置一个空的进去
        if (ctx == null) {
            ctx = new AdminSecurityContext();
            SECURITY_CONTEXT.set(ctx);
        }
        return ctx;
    }
    public static void clear() {
        SECURITY_CONTEXT.remove();
    }
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContext.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContext.java
@ -0,0 +1,18 @@
 package cn.iocoder.mall.security.core.context;
 import lombok.Data;
 import lombok.experimental.Accessors;
 /**
 * User Security 上下文
 */
@Data
@Accessors(chain = true)
 public class UserSecurityContext {
    /**
     * 用户编号
     */
    private Integer userId;
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContextHolder.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContextHolder.java
@ -0,0 +1,30 @@
 package cn.iocoder.mall.security.core.context;
 /**
 * {@link UserSecurityContext} Holder
 *
 * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
 */
 public class UserSecurityContextHolder {
    private static final ThreadLocal<UserSecurityContext> SECURITY_CONTEXT = new ThreadLocal<UserSecurityContext>();
    public static void setContext(UserSecurityContext context) {
        SECURITY_CONTEXT.set(context);
    }
    public static UserSecurityContext getContext() {
        UserSecurityContext ctx = SECURITY_CONTEXT.get();
        // 为空时，设置一个空的进去
        if (ctx == null) {
            ctx = new UserSecurityContext();
            SECURITY_CONTEXT.set(ctx);
        }
        return ctx;
    }
    public static void clear() {
        SECURITY_CONTEXT.remove();
    }
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java
@ -1,4 +1,4 @@
-package cn.iocoder.mall.security.core.account;
+package cn.iocoder.mall.security.core.interceptor;
 import cn.iocoder.common.framework.util.HttpUtil;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
@ -10,6 +10,7 @@ import cn.iocoder.mall.web.core.util.CommonWebUtil;
 import org.apache.dubbo.config.annotation.Reference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.StringUtils;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 import javax.servlet.http.HttpServletRequest;
@ -24,8 +25,12 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
-        // 执行认证
+        // 获得访问令牌
        String accessToken = HttpUtil.obtainAuthorization(request);
        if (StringUtils.hasText(accessToken)) { // 如果未传递，则不进行认证
            return true;
        }
        // 执行认证
        OAuth2AccessTokenAuthenticateRequest oauth2AccessTokenAuthenticateRequest = new OAuth2AccessTokenAuthenticateRequest()
                .setAccessToken(accessToken).setIp(HttpUtil.getIp(request));
        CommonResult<OAuth2AccessTokenResponse> oauth2AccessTokenResponseResult = oauth2RPC.authenticate(oauth2AccessTokenAuthenticateRequest);
--- a/common/mall-spring-boot-starter-security/src/main/resources/META-INF/spring.factories
+++ b/common/mall-spring-boot-starter-security/src/main/resources/META-INF/spring.factories
@ -0,0 +1,2 @@
 org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
  cn.iocoder.mall.security.config.CommonSecurityAutoConfiguration
--- a/common/mall-spring-boot-starter-web/src/main/java/cn/iocoder/mall/web/config/CommonWebAutoConfiguration.java
+++ b/common/mall-spring-boot-starter-web/src/main/java/cn/iocoder/mall/web/config/CommonWebAutoConfiguration.java
@ -1,5 +1,6 @@
 package cn.iocoder.mall.web.config;
 import cn.iocoder.common.framework.servlet.CorsFilter;
 import cn.iocoder.mall.web.core.constant.CommonMallConstants;
 import cn.iocoder.mall.web.core.handler.GlobalExceptionHandler;
 import cn.iocoder.mall.web.core.handler.GlobalResponseBodyHandler;
@ -10,6 +11,7 @@ import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
@ -47,14 +49,23 @@ public class CommonWebAutoConfiguration implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        try {
-            AccessLogInterceptor accessLogInterceptor = this.accessLogInterceptor();
+            registry.addInterceptor(this.accessLogInterceptor())
-            if (accessLogInterceptor != null) {
+                    .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
-                registry.addInterceptor(accessLogInterceptor)
+            logger.info("[addInterceptors][加载 AccessLogInterceptor 拦截器完成]");
                        .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
            }
        } catch (NoSuchBeanDefinitionException e) {
            logger.warn("[addInterceptors][无法获取 AccessLogInterceptor 拦截器，因此不启动 AccessLog 的记录]");
        }
    }
    // ========== 过滤器相关 ==========
    @Bean
    @ConditionalOnMissingBean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(new CorsFilter());
        registrationBean.addUrlPatterns("/*");
        return registrationBean;
    }
 }
--- a/common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/UserMVCAutoConfiguration.java
+++ b/common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/UserMVCAutoConfiguration.java
@ -53,13 +53,6 @@ public class UserMVCAutoConfiguration implements WebMvcConfigurer {
        registry.addInterceptor(userSecurityInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_USER + "/**");
    }
-    @Bean
+
    @ConditionalOnMissingBean
    public FilterRegistrationBean<CorsFilter> corsFilter() {
        FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(new CorsFilter());
        registrationBean.addUrlPatterns("/*");
        return registrationBean;
    }
 }
--- a/system/system-rest/pom.xml
+++ b/system/system-rest/pom.xml
@ -26,6 +26,11 @@
            <artifactId>mall-spring-boot-starter-web</artifactId>
            <version>1.0-SNAPSHOT</version>
        </dependency>
        <dependency>
            <groupId>cn.iocoder.mall</groupId>
            <artifactId>mall-spring-boot-starter-security</artifactId>
            <version>1.0-SNAPSHOT</version>
        </dependency>
        <dependency>
            <groupId>cn.iocoder.mall</groupId>
            <artifactId>mall-spring-boot-starter-swagger</artifactId>
--- a/system/system-rpc/src/main/resources/rpc.yaml
+++ b/system/system-rpc/src/main/resources/rpc.yaml
@ -21,3 +21,5 @@ dubbo:
  consumer:
    SystemLogRPC: # 用于 AccessLogInterceptor 等拦截器，记录 HTTP API 请求的访问日志
      version: 1.0.0
    OAuth2RPC:
      version: 1.0.0
		`@ -0,0 +1,2 @@`
							`org.springframework.boot.autoconfigure.EnableAutoConfiguration=\`
							`cn.iocoder.mall.security.config.CommonSecurityAutoConfiguration`