package org.dromara.common.security.config;
|
|
import cn.dev33.satoken.exception.NotLoginException;
|
import cn.dev33.satoken.filter.SaServletFilter;
|
import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
|
import cn.dev33.satoken.interceptor.SaInterceptor;
|
import cn.dev33.satoken.router.SaRouter;
|
import cn.dev33.satoken.stp.StpUtil;
|
import cn.dev33.satoken.util.SaResult;
|
import jakarta.servlet.http.HttpServletRequest;
|
import lombok.RequiredArgsConstructor;
|
import lombok.extern.slf4j.Slf4j;
|
import org.dromara.common.core.constant.HttpStatus;
|
import org.dromara.common.core.exception.SseException;
|
import org.dromara.common.core.utils.ServletUtils;
|
import org.dromara.common.core.utils.SpringUtils;
|
import org.dromara.common.core.utils.StringUtils;
|
import org.dromara.common.satoken.utils.LoginHelper;
|
import org.dromara.common.security.config.properties.SecurityProperties;
|
import org.dromara.common.security.handler.AllUrlHandler;
|
import org.springframework.boot.autoconfigure.AutoConfiguration;
|
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
import org.springframework.context.annotation.Bean;
|
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
|
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
|
/**
|
* 权限安全配置
|
*
|
* @author Lion Li
|
*/
|
|
@Slf4j
|
@AutoConfiguration
|
@EnableConfigurationProperties(SecurityProperties.class)
|
@RequiredArgsConstructor
|
public class SecurityConfig implements WebMvcConfigurer {
|
|
private final SecurityProperties securityProperties;
|
|
/**
|
* 注册sa-token的拦截器
|
*/
|
@Override
|
public void addInterceptors(InterceptorRegistry registry) {
|
// 注册路由拦截器,自定义验证规则
|
registry.addInterceptor(new SaInterceptor(handler -> {
|
AllUrlHandler allUrlHandler = SpringUtils.getBean(AllUrlHandler.class);
|
// 登录验证 -- 排除多个路径
|
SaRouter
|
// 获取所有的
|
.match(allUrlHandler.getUrls())
|
// 对未排除的路径进行检查
|
.check(() -> {
|
HttpServletRequest request = ServletUtils.getRequest();
|
// 检查是否登录 是否有token
|
try {
|
StpUtil.checkLogin();
|
} catch (NotLoginException e) {
|
if (request.getRequestURI().contains("sse")) {
|
throw new SseException(e.getMessage(), e.getCode());
|
} else {
|
throw e;
|
}
|
}
|
|
// 检查 header 与 param 里的 clientid 与 token 里的是否一致
|
String headerCid = request.getHeader(LoginHelper.CLIENT_KEY);
|
String paramCid = ServletUtils.getParameter(LoginHelper.CLIENT_KEY);
|
String clientId = StpUtil.getExtra(LoginHelper.CLIENT_KEY).toString();
|
if (!StringUtils.equalsAny(clientId, headerCid, paramCid)) {
|
// token 无效
|
throw NotLoginException.newInstance(StpUtil.getLoginType(),
|
"-100", "客户端ID与Token不匹配",
|
StpUtil.getTokenValue());
|
}
|
|
// 有效率影响 用于临时测试
|
// if (log.isDebugEnabled()) {
|
// log.info("剩余有效时间: {}", StpUtil.getTokenTimeout());
|
// log.info("临时有效时间: {}", StpUtil.getTokenActivityTimeout());
|
// }
|
|
});
|
})).addPathPatterns("/**")
|
// 排除不需要拦截的路径
|
.excludePathPatterns(securityProperties.getExcludes());
|
}
|
|
/**
|
* 对 actuator 健康检查接口 做账号密码鉴权
|
*/
|
@Bean
|
public SaServletFilter getSaServletFilter() {
|
String username = SpringUtils.getProperty("spring.boot.admin.client.username");
|
String password = SpringUtils.getProperty("spring.boot.admin.client.password");
|
return new SaServletFilter()
|
.addInclude("/actuator", "/actuator/**")
|
.setAuth(obj -> {
|
SaHttpBasicUtil.check(username + ":" + password);
|
})
|
.setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
|
}
|
|
}
|
