【7.6.0】更新一个综合的过滤器，合并之前的两个token和权限过滤器

2023-06-21 00:57:37 +08:00 · 2023-06-21 00:57:37 +08:00 · db927eef72
parent ee1c016d25
commit db927eef72
4 changed files with 40 additions and 126 deletions
--- a/src/main/java/cn/stylefeng/guns/config/web/SpringMvcConfiguration.java
+++ b/src/main/java/cn/stylefeng/guns/config/web/SpringMvcConfiguration.java
@ -1,8 +1,7 @@
 package cn.stylefeng.guns.config.web;

 import cn.stylefeng.guns.core.error.CustomErrorAttributes;
-import cn.stylefeng.guns.core.security.AuthJwtTokenSecurityInterceptor;
-import cn.stylefeng.guns.core.security.PermissionSecurityInterceptor;
+import cn.stylefeng.guns.core.security.TokenAndPermissionInterceptor;
 import cn.stylefeng.roses.kernel.wrapper.field.jackson.CustomJacksonIntrospector;
 import com.fasterxml.jackson.databind.ser.std.ToStringSerializer;
 import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
@ -26,10 +25,7 @@ import javax.annotation.Resource;
 public class SpringMvcConfiguration implements WebMvcConfigurer {

    @Resource
-    private AuthJwtTokenSecurityInterceptor authJwtTokenSecurityInterceptor;
-
-    @Resource
-    private PermissionSecurityInterceptor permissionSecurityInterceptor;
+    private TokenAndPermissionInterceptor tokenAndPermissionInterceptor;

    /**
     * 重写系统的默认错误提示
@ -51,7 +47,8 @@ public class SpringMvcConfiguration implements WebMvcConfigurer {
    @Bean
    public Jackson2ObjectMapperBuilderCustomizer jackson2ObjectMapperBuilderCustomizer() {
        return jacksonObjectMapperBuilder -> {
-            jacksonObjectMapperBuilder.serializerByType(Long.class, ToStringSerializer.instance).serializerByType(Long.TYPE, ToStringSerializer.instance);
+            jacksonObjectMapperBuilder.serializerByType(Long.class, ToStringSerializer.instance)
+                    .serializerByType(Long.TYPE, ToStringSerializer.instance);
            jacksonObjectMapperBuilder.annotationIntrospector(new CustomJacksonIntrospector());
        };
    }
@ -64,8 +61,7 @@ public class SpringMvcConfiguration implements WebMvcConfigurer {
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(authJwtTokenSecurityInterceptor);
-        registry.addInterceptor(permissionSecurityInterceptor);
+        registry.addInterceptor(tokenAndPermissionInterceptor);
    }

    /**
--- a/src/main/java/cn/stylefeng/guns/core/security/AuthJwtTokenSecurityInterceptor.java
+++ b/src/main/java/cn/stylefeng/guns/core/security/AuthJwtTokenSecurityInterceptor.java
@ -1,51 +0,0 @@
-package cn.stylefeng.guns.core.security;
-
-import cn.hutool.core.util.StrUtil;
-import cn.stylefeng.guns.core.security.base.BaseSecurityInterceptor;
-import cn.stylefeng.roses.kernel.auth.api.AuthServiceApi;
-import cn.stylefeng.roses.kernel.auth.api.exception.AuthException;
-import cn.stylefeng.roses.kernel.auth.api.exception.enums.AuthExceptionEnum;
-import cn.stylefeng.roses.kernel.scanner.api.pojo.resource.ResourceDefinition;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.stereotype.Component;
-
-import javax.annotation.Resource;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * 鉴权的过滤器，用来鉴权token
- *
- * @author fengshuonan
- * @since 2020/12/15 22:45
- */
-@Component
-@Slf4j
-public class AuthJwtTokenSecurityInterceptor extends BaseSecurityInterceptor {
-
-    /**
-     * 登陆服务Api
-     */
-    @Resource
-    private AuthServiceApi authServiceApi;
-
-    @Override
-    public void filterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ResourceDefinition resourceDefinition, String token) {
-
-        // 1. 获取当前请求的路径
-        String requestURI = httpServletRequest.getRequestURI();
-
-        // 2. 如果需要登录
-        if (resourceDefinition.getRequiredLoginFlag()) {
-
-            // token为空，返回用户校验失败
-            if (StrUtil.isEmpty(token)) {
-                throw new AuthException(AuthExceptionEnum.TOKEN_GET_ERROR);
-            }
-
-            // 3.校验token和用户会话信息是否正确
-            authServiceApi.checkAuth(token, requestURI);
-        }
-    }
-
-}
--- a/src/main/java/cn/stylefeng/guns/core/security/PermissionSecurityInterceptor.java
+++ b/src/main/java/cn/stylefeng/guns/core/security/PermissionSecurityInterceptor.java
@ -1,51 +0,0 @@
-package cn.stylefeng.guns.core.security;
-
-import cn.hutool.core.util.StrUtil;
-import cn.stylefeng.guns.core.security.base.BaseSecurityInterceptor;
-import cn.stylefeng.roses.kernel.auth.api.PermissionServiceApi;
-import cn.stylefeng.roses.kernel.auth.api.exception.AuthException;
-import cn.stylefeng.roses.kernel.auth.api.exception.enums.AuthExceptionEnum;
-import cn.stylefeng.roses.kernel.scanner.api.pojo.resource.ResourceDefinition;
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.stereotype.Component;
-
-import javax.annotation.Resource;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * 权限校验的过滤器，用来校验用户有没有访问接口的权限
- *
- * @author fengshuonan
- * @since 2020/12/15 22:46
- */
-@Component
-@Slf4j
-public class PermissionSecurityInterceptor extends BaseSecurityInterceptor {
-
-    /**
-     * 资源权限校验API
-     */
-    @Resource
-    private PermissionServiceApi permissionServiceApi;
-
-    @Override
-    public void filterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ResourceDefinition resourceDefinition, String token) {
-
-        // 1. 获取当前请求的路径
-        String requestURI = httpServletRequest.getRequestURI();
-
-        // 2. 如果需要鉴权
-        if (resourceDefinition.getRequiredPermissionFlag()) {
-
-            // token为空，返回用户校验失败
-            if (StrUtil.isEmpty(token)) {
-                throw new AuthException(AuthExceptionEnum.TOKEN_GET_ERROR);
-            }
-
-            // 3. 进行当前接口的权限校验
-            permissionServiceApi.checkPermission(token, requestURI);
-        }
-    }
-
-}
--- a/src/main/java/cn/stylefeng/guns/core/security/TokenAndPermissionInterceptor.java
+++ b/src/main/java/cn/stylefeng/guns/core/security/TokenAndPermissionInterceptor.java
@ -1,7 +1,8 @@
-package cn.stylefeng.guns.core.security.base;
+package cn.stylefeng.guns.core.security;

 import cn.hutool.core.util.StrUtil;
 import cn.stylefeng.roses.kernel.auth.api.AuthServiceApi;
+import cn.stylefeng.roses.kernel.auth.api.PermissionServiceApi;
 import cn.stylefeng.roses.kernel.auth.api.SessionManagerApi;
 import cn.stylefeng.roses.kernel.auth.api.context.LoginContext;
 import cn.stylefeng.roses.kernel.auth.api.exception.AuthException;
@ -13,6 +14,7 @@ import cn.stylefeng.roses.kernel.scanner.api.pojo.resource.ResourceDefinition;
 import cn.stylefeng.roses.kernel.scanner.api.pojo.resource.ResourceUrlParam;
 import cn.stylefeng.roses.kernel.sys.api.ResourceServiceApi;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.HandlerInterceptor;

 import javax.annotation.Resource;
@ -20,13 +22,14 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 /**
- * 基础的Filter，一般用在权限过滤
+ * Token和权限校验的综合过滤器
 *
 * @author fengshuonan
- * @since 2020/12/15 22:50
+ * @since 2023/6/21 0:54
 */
+@Component
@Slf4j
-public abstract class BaseSecurityInterceptor implements HandlerInterceptor {
+public class TokenAndPermissionInterceptor implements HandlerInterceptor {

    @Resource
    private ResourceServiceApi resourceServiceApi;
@ -37,6 +40,9 @@ public abstract class BaseSecurityInterceptor implements HandlerInterceptor {
    @Resource
    private SessionManagerApi sessionManagerApi;

+    @Resource
+    private PermissionServiceApi permissionServiceApi;
+
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {

@ -45,7 +51,8 @@ public abstract class BaseSecurityInterceptor implements HandlerInterceptor {
        requestURI = requestURI.replaceAll("/+", "/");

        // 2. 不需要权限过滤的资源，直接放行
-        Boolean noneSecurityFlag = AntPathMatcherUtil.getAntMatchFLag(requestURI, request.getContextPath(), AuthConfigExpander.getNoneSecurityConfig());
+        Boolean noneSecurityFlag = AntPathMatcherUtil.getAntMatchFLag(requestURI, request.getContextPath(),
+                AuthConfigExpander.getNoneSecurityConfig());
        if (noneSecurityFlag) {
            return true;
        }
@ -88,18 +95,31 @@ public abstract class BaseSecurityInterceptor implements HandlerInterceptor {
            throw new AuthException(AuthExceptionEnum.CANT_REQUEST_UN_OPEN_API, requestURI);
        }

-        // 8.执行真正过滤器业务，如果拦截器执行不成功会抛出异常
-        this.filterAction(request, response, resourceDefinition, token);
+        // 8. 执行token校验
+        if (resourceDefinition.getRequiredLoginFlag()) {
+
+            // token为空，返回用户校验失败
+            if (StrUtil.isEmpty(token)) {
+                throw new AuthException(AuthExceptionEnum.TOKEN_GET_ERROR);
+            }
+
+            // 校验token和用户会话信息是否正确
+            authServiceApi.checkAuth(token, requestURI);
+        }
+
+        // 9. 执行权限校验
+        if (resourceDefinition.getRequiredPermissionFlag()) {
+
+            // token为空，返回用户校验失败
+            if (StrUtil.isEmpty(token)) {
+                throw new AuthException(AuthExceptionEnum.TOKEN_GET_ERROR);
+            }
+
+            // 进行当前接口的权限校验
+            permissionServiceApi.checkPermission(token, requestURI);
+        }

        return true;
    }

-    /**
-     * 过滤器的具体业务执行逻辑
-     *
-     * @author fengshuonan
-     * @since 2020/12/15 22:52
-     */
-    public abstract void filterAction(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ResourceDefinition resourceDefinition, String token);
-
 }