From d79514d821fa4dd1a75290f6377cab1e5077c1e8 Mon Sep 17 00:00:00 2001
From: YunaiV
Date: Sat, 25 Jun 2022 22:50:33 +0800
Subject: [PATCH] =?UTF-8?q?=E7=A6=81=E6=AD=A2=E7=BD=91=E5=85=B3=E7=9B=B4?= =?UTF-8?q?=E6=8E=A5=E4=BC=A0=E8=BE=93=20login-user?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../filter/security/TokenAuthenticationFilter.java | 8 ++++----
 .../yudao/gateway/util/SecurityFrameworkUtils.java | 11 +++++++++++
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
index fd072e48e..a37c262fa 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
@@ -12,14 +12,11 @@ import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalance
 import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
-import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.stereotype.Component;
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.server.ServerWebExchange;
 import reactor.core.publisher.Mono;
-import javax.annotation.Resource;
-import java.util.function.Consumer;
 import java.util.function.Function;
 /**
@@ -47,8 +44,11 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
 @Override
 public Mono filter(final ServerWebExchange exchange, GatewayFilterChain chain) {
- String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
+ // 移除 login-user 的请求头,避免伪造模拟
+ SecurityFrameworkUtils.removeLoginUser(exchange);
+ // 情况一,如果没有 Token 令牌,则直接继续 filter
+ String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
 if (StrUtil.isEmpty(token)) {
 return chain.filter(exchange);
 }
diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
index a8edad267..25896a60b 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java
@@ -58,6 +58,17 @@ public class SecurityFrameworkUtils {
 exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, token.getUserType());
 }
+ public static ServerWebExchange removeLoginUser(ServerWebExchange exchange) {
+ // 如果不包含,直接返回
+ if (!exchange.getRequest().getHeaders().containsKey(LOGIN_USER_HEADER)) {
+ return exchange;
+ }
+ // 如果包含,则移除。参考 RemoveRequestHeaderGatewayFilterFactory 实现
+ ServerHttpRequest request = exchange.getRequest().mutate()
+ .headers(httpHeaders -> httpHeaders.remove(LOGIN_USER_HEADER)).build();
+ return exchange.mutate().request(request).build();
+ }
+
 /**
 * 获得登录用户的编号
 *
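Review bot: The exchange returned by `SecurityFrameworkUtils.removeLoginUser(exchange)` is discarded, so `obtainAuthorization(exchange)` and `chain.filter(exchange)` on the following lines keep using the original exchange, which still carries the login-user header; the strip only takes effect if the request builder mutated the original headers in place, which nothing on this page establishes and which the helper's own comment ("参考 RemoveRequestHeaderGatewayFilterFactory") argues against, since that factory hands the mutated exchange to the chain. Because the parameter is declared `final`, keep the result in a local and route every later reference through it: `ServerWebExchange stripped = SecurityFrameworkUtils.removeLoginUser(exchange);` and `return chain.filter(stripped);`. The body of `filter` continues past the hunk, so the remaining uses of `exchange` there (including the authenticated path that forwards the request) need the same substitution. Stripping at the gateway only defends downstream services that are unreachable except through it, which this diff cannot show.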
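Review bot: `removeLoginUser` is a new public static method in a class whose neighbouring members carry Javadoc, but it has none, and its one non-obvious contract is exactly what a caller is likely to get wrong: the exchange passed in is left as it is and a new exchange is returned, so the caller must continue with the return value. Add a Javadoc along the lines of `/** Returns an exchange whose request no longer carries {@code LOGIN_USER_HEADER}. The given exchange is not modified; callers must continue with the returned one. @param exchange the current exchange @return the same exchange when the header is absent, otherwise a mutated copy without it */`, keeping the file's Javadoc style. The early `return exchange` for the absent-header case is the reason the return value can be the same object, which the doc should mention so nobody adds an identity check. `LOGIN_USER_HEADER` is declared outside the hunk.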