wsy182/RuoYi-Cloud
1
1
Fork 0
mirror of https://gitee.com/y_project/RuoYi-Cloud.git synced 2026-01-31 05:51:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

Pre Merge pull request !291 from 天天向上/gateway-auth

Browse Source
This commit is contained in:
天天向上
2024-07-09 04:13:16 +00:00
committed by Gitee
parent 8984ecba86 a5d5787735
commit 6af48adade
5 changed files with 234 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
ruoyi-gateway/src/main/java/com/ruoyi/gateway/filter/AuthFilter.java
View File

@@ -1,14 +1,6 @@
package com.ruoyi.gateway.filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import com.alibaba.fastjson2.JSONObject;
import com.ruoyi.common.core.constant.CacheConstants;
import com.ruoyi.common.core.constant.HttpStatus;
import com.ruoyi.common.core.constant.SecurityConstants;
@@ -19,11 +11,27 @@ import com.ruoyi.common.core.utils.StringUtils;
import com.ruoyi.common.redis.service.RedisService;
import com.ruoyi.gateway.config.properties.IgnoreWhiteProperties;
import io.jsonwebtoken.Claims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import javax.annotation.Resource;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
/**
* 网关鉴权
*
*
* @author ruoyi
*/
@Component
@@ -35,9 +43,13 @@ public class AuthFilter implements GlobalFilter, Ordered
@Autowired
private IgnoreWhiteProperties ignoreWhite;
@Autowired
@Resource
private RedisService redisService;
@Value("${security.gateway.enabled:false}")
private boolean gatewayAuth;
private AntPathMatcher antPathMatcher = new AntPathMatcher();
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain)
@@ -73,16 +85,91 @@ public class AuthFilter implements GlobalFilter, Ordered
{
return unauthorizedResponse(exchange, "令牌验证失败");
}
// 设置用户信息到请求
addHeader(mutate, SecurityConstants.USER_KEY, userkey);
addHeader(mutate, SecurityConstants.DETAILS_USER_ID, userid);
addHeader(mutate, SecurityConstants.DETAILS_USERNAME, username);
// 内部请求来源参数清除
removeHeader(mutate, SecurityConstants.FROM_SOURCE);
// 通过网关鉴权
if (gatewayAuth)
{
// admin不需要鉴权
if (isAdmin(userid))
{
return chain.filter(exchange.mutate().request(mutate.build()).build());
}
// 网关验证权限
String api = url + "_" + request.getMethod().name();
if (!hasPermission(api, userkey))
{
log.warn("无权访问:{}", api);
return ServletUtils.webFluxResponseWriter(exchange.getResponse(), "无权访问", HttpStatus.FORBIDDEN);
}
}
return chain.filter(exchange.mutate().request(mutate.build()).build());
}
private boolean isAdmin(String userid)
{
return "1".equals(userid);
}
private boolean hasPermission(String api, String token)
{
// 使用JSONObject接收避免导入依赖
JSONObject loginUser = redisService.getCacheObject(CacheConstants.LOGIN_TOKEN_KEY + token);
// 获取登录用户的资源列表
Set<String> permissions = (Set<String>) loginUser.get("permissions");
// 获取登录用的角色列表
Set<String> roles = (Set<String>) loginUser.get("roles");
// 获取系统所有控制器路径与权限对应的map
Map<String, String> pathPermsMap = redisService.getCacheMap(SecurityConstants.PATH_PERMISSION_MAP);
Set<String> matchedPerms = pathPermsMap.entrySet().stream()
.filter(entry -> match(entry.getKey(), api))
.map(entry -> entry.getValue())
.collect(Collectors.toSet());
if (!matchedPerms.isEmpty())
{
// 所有角色权限
Set<String> rolePerms = matchedPerms.stream().filter(item -> item.startsWith("ROLE_")).collect(Collectors.toSet());
// 所有资源权限
matchedPerms.removeAll(rolePerms);
if (!rolePerms.isEmpty())
{
if (rolePerms.contains(SecurityConstants.ROLE_ANON))
{
log.debug("允许访问公共权限:{}{}", api, rolePerms);
return true;
}
rolePerms = rolePerms.stream().map(item -> item.substring(SecurityConstants.ROLE_PREFIX.length())).collect(Collectors.toSet());
// 求交集
rolePerms.retainAll(roles);
if (!rolePerms.isEmpty())
{
log.debug("允许访问角色权限:{} {}", api, rolePerms);
return true;
}
}
// 求交集
matchedPerms.retainAll(permissions);
if (!matchedPerms.isEmpty())
{
log.debug("允许访问资源权限:{}{}", api, matchedPerms);
return true;
}
}
log.info("没有找到匹配的权限:{}, {}", api, matchedPerms);
return false;
}
private boolean match(String pattern, String api)
{
return antPathMatcher.match(pattern, api);
}
private void addHeader(ServerHttpRequest.Builder mutate, String name, Object value)
{
if (value == null)
@@ -101,7 +188,7 @@ public class AuthFilter implements GlobalFilter, Ordered
private Mono<Void> unauthorizedResponse(ServerWebExchange exchange, String msg)
{
log.error("[鉴权异常处理]请求路径:{}", exchange.getRequest().getPath());
log.error("[鉴权异常处理]请求路径:{}, {}", exchange.getRequest().getPath(), msg);
return ServletUtils.webFluxResponseWriter(exchange.getResponse(), msg, HttpStatus.UNAUTHORIZED);
}