From 098d3347a0df808908aab8c554cd7c4febc5e6d9 Mon Sep 17 00:00:00 2001
From: 疯狂的狮子Li <15040126243@163.com>
Date: 星期一, 26 八月 2024 11:43:59 +0800
Subject: [PATCH] !577 发布 5.2.2 正式版 安全性提升 Merge pull request !577 from 疯狂的狮子Li/dev
---
ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java | 76 ++++++++++++++++++++++++--------------
1 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java
index 69a2e10..5fd49d1 100644
--- a/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/org/dromara/common/security/config/SecurityConfig.java
@@ -1,19 +1,24 @@
package org.dromara.common.security.config;
import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.filter.SaServletFilter;
+import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpUtil;
+import cn.dev33.satoken.util.SaResult;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.dromara.common.core.constant.HttpStatus;
import org.dromara.common.core.utils.ServletUtils;
import org.dromara.common.core.utils.SpringUtils;
import org.dromara.common.core.utils.StringUtils;
import org.dromara.common.satoken.utils.LoginHelper;
import org.dromara.common.security.config.properties.SecurityProperties;
import org.dromara.common.security.handler.AllUrlHandler;
-import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@@ -38,37 +43,52 @@
public void addInterceptors(InterceptorRegistry registry) {
// 娉ㄥ唽璺敱鎷︽埅鍣紝鑷畾涔夐獙璇佽鍒�
registry.addInterceptor(new SaInterceptor(handler -> {
- AllUrlHandler allUrlHandler = SpringUtils.getBean(AllUrlHandler.class);
- // 鐧诲綍楠岃瘉 -- 鎺掗櫎澶氫釜璺緞
- SaRouter
- // 鑾峰彇鎵�鏈夌殑
- .match(allUrlHandler.getUrls())
- // 瀵规湭鎺掗櫎鐨勮矾寰勮繘琛屾鏌�
- .check(() -> {
- // 妫�鏌ユ槸鍚︾櫥褰� 鏄惁鏈塼oken
- StpUtil.checkLogin();
+ AllUrlHandler allUrlHandler = SpringUtils.getBean(AllUrlHandler.class);
+ // 鐧诲綍楠岃瘉 -- 鎺掗櫎澶氫釜璺緞
+ SaRouter
+ // 鑾峰彇鎵�鏈夌殑
+ .match(allUrlHandler.getUrls())
+ // 瀵规湭鎺掗櫎鐨勮矾寰勮繘琛屾鏌�
+ .check(() -> {
+ // 妫�鏌ユ槸鍚︾櫥褰� 鏄惁鏈塼oken
+ StpUtil.checkLogin();
- // 妫�鏌� header 涓� param 閲岀殑 clientid 涓� token 閲岀殑鏄惁涓�鑷�
- String headerCid = ServletUtils.getRequest().getHeader(LoginHelper.CLIENT_KEY);
- String paramCid = ServletUtils.getParameter(LoginHelper.CLIENT_KEY);
- String clientId = StpUtil.getExtra(LoginHelper.CLIENT_KEY).toString();
- if (!StringUtils.equalsAny(clientId, headerCid, paramCid)) {
- // token 鏃犳晥
- throw NotLoginException.newInstance(StpUtil.getLoginType(),
- "-100", "瀹㈡埛绔疘D涓嶵oken涓嶅尮閰�",
- StpUtil.getTokenValue());
- }
+ // 妫�鏌� header 涓� param 閲岀殑 clientid 涓� token 閲岀殑鏄惁涓�鑷�
+ String headerCid = ServletUtils.getRequest().getHeader(LoginHelper.CLIENT_KEY);
+ String paramCid = ServletUtils.getParameter(LoginHelper.CLIENT_KEY);
+ String clientId = StpUtil.getExtra(LoginHelper.CLIENT_KEY).toString();
+ if (!StringUtils.equalsAny(clientId, headerCid, paramCid)) {
+ // token 鏃犳晥
+ throw NotLoginException.newInstance(StpUtil.getLoginType(),
+ "-100", "瀹㈡埛绔疘D涓嶵oken涓嶅尮閰�",
+ StpUtil.getTokenValue());
+ }
- // 鏈夋晥鐜囧奖鍝� 鐢ㄤ簬涓存椂娴嬭瘯
- // if (log.isDebugEnabled()) {
- // log.debug("鍓╀綑鏈夋晥鏃堕棿: {}", StpUtil.getTokenTimeout());
- // log.debug("涓存椂鏈夋晥鏃堕棿: {}", StpUtil.getTokenActivityTimeout());
- // }
+ // 鏈夋晥鐜囧奖鍝� 鐢ㄤ簬涓存椂娴嬭瘯
+ // if (log.isDebugEnabled()) {
+ // log.info("鍓╀綑鏈夋晥鏃堕棿: {}", StpUtil.getTokenTimeout());
+ // log.info("涓存椂鏈夋晥鏃堕棿: {}", StpUtil.getTokenActivityTimeout());
+ // }
- });
- })).addPathPatterns("/**")
+ });
+ })).addPathPatterns("/**")
// 鎺掗櫎涓嶉渶瑕佹嫤鎴殑璺緞
.excludePathPatterns(securityProperties.getExcludes());
}
+ /**
+ * 瀵� actuator 鍋ュ悍妫�鏌ユ帴鍙� 鍋氳处鍙峰瘑鐮侀壌鏉�
+ */
+ @Bean
+ public SaServletFilter getSaServletFilter() {
+ String username = SpringUtils.getProperty("spring.boot.admin.client.username");
+ String password = SpringUtils.getProperty("spring.boot.admin.client.password");
+ return new SaServletFilter()
+ .addInclude("/actuator", "/actuator/**")
+ .setAuth(obj -> {
+ SaHttpBasicUtil.check(username + ":" + password);
+ })
+ .setError(e -> SaResult.error(e.getMessage()).setCode(HttpStatus.UNAUTHORIZED));
+ }
+
}
--
Gitblit v1.9.3