【7.1.5】ThreadLocal使用加强，在Filter清空ThreadLocal

kernel-a-rule/src/main/java/cn/stylefeng/roses/kernel/rule/threadlocal/RemoveThreadLocalApi.java

@@ -0,0 +1,19 @@
+package cn.stylefeng.roses.kernel.rule.threadlocal;
+
+/**
+ * 对程序进行拓展，方便清除ThreadLocal
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:14
+ */
+public interface RemoveThreadLocalApi {
+
+    /**
+     * 具体删除ThreadLocal的逻辑
+     *
+     * @author fengshuonan
+     * @date 2021/10/29 11:19
+     */
+    void removeThreadLocalAction();
+
+}

kernel-d-auth/auth-api/src/main/java/cn/stylefeng/roses/kernel/auth/api/context/LoginUserRemoveThreadLocalHolder.java

@@ -0,0 +1,20 @@
+package cn.stylefeng.roses.kernel.auth.api.context;
+
+import cn.stylefeng.roses.kernel.rule.threadlocal.RemoveThreadLocalApi;
+import org.springframework.stereotype.Component;
+
+/**
+ * 清除当前登录用户相关的ThreadLocalHolder
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:41
+ */
+@Component
+public class LoginUserRemoveThreadLocalHolder implements RemoveThreadLocalApi {
+
+    @Override
+    public void removeThreadLocalAction() {
+        LoginUserHolder.remove();
+    }
+
+}

kernel-d-scanner/scanner-api/src/main/java/cn/stylefeng/roses/kernel/scanner/api/holder/IpAddrRemoveThreadLocalHolder.java

@@ -0,0 +1,20 @@
+package cn.stylefeng.roses.kernel.scanner.api.holder;
+
+import cn.stylefeng.roses.kernel.rule.threadlocal.RemoveThreadLocalApi;
+import org.springframework.stereotype.Component;
+
+/**
+ * 清除ip地址相关的ThreadLocalHolder
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:42
+ */
+@Component
+public class IpAddrRemoveThreadLocalHolder implements RemoveThreadLocalApi {
+
+    @Override
+    public void removeThreadLocalAction() {
+        IpAddrHolder.clear();
+    }
+
+}

kernel-d-security/pom.xml

@@ -19,6 +19,7 @@
         <module>security-api</module>
         <module>security-sdk-black-white</module>
         <module>security-sdk-captcha</module>
+        <module>security-sdk-clear-threadlocal</module>
         <module>security-sdk-cors</module>
         <module>security-sdk-count</module>
         <module>security-sdk-xss</module>

kernel-d-security/security-sdk-clear-threadlocal/README.md

@@ -0,0 +1 @@
+清空web请求中的ThreadLocal中的变量值

kernel-d-security/security-sdk-clear-threadlocal/pom.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>cn.stylefeng.roses</groupId>
+        <artifactId>kernel-d-security</artifactId>
+        <version>7.1.5</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>security-sdk-clear-threadlocal</artifactId>
+
+    <packaging>jar</packaging>
+
+    <dependencies>
+
+        <!--安全模块的api-->
+        <dependency>
+            <groupId>cn.stylefeng.roses</groupId>
+            <artifactId>security-api</artifactId>
+            <version>${roses.version}</version>
+        </dependency>
+
+        <!--web模块-->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+    </dependencies>
+
+</project>

kernel-d-security/security-sdk-clear-threadlocal/src/main/java/cn/stylefeng/roses/kernel/security/clear/ClearThreadLocalFilter.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright [2020-2030] [https://www.stylefeng.cn]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Guns采用APACHE LICENSE 2.0开源协议，您在使用过程中，需要注意以下几点：
+ *
+ * 1.请不要删除和修改根目录下的LICENSE文件。
+ * 2.请不要删除和修改Guns源码头部的版权声明。
+ * 3.请保留源码和相关描述文件的项目出处，作者声明等。
+ * 4.分发源码时候，请注明软件出处 https://gitee.com/stylefeng/guns
+ * 5.在修改包名，模块名称，项目代码等时，请注明软件出处 https://gitee.com/stylefeng/guns
+ * 6.若您的项目无法满足以上几点，可申请商业授权
+ */
+package cn.stylefeng.roses.kernel.security.clear;
+
+import cn.hutool.extra.spring.SpringUtil;
+import cn.stylefeng.roses.kernel.rule.threadlocal.RemoveThreadLocalApi;
+import lombok.extern.slf4j.Slf4j;
+
+import javax.servlet.*;
+import java.io.IOException;
+import java.util.Map;
+
+
+/**
+ * 清空程序中的ThreadLocal
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:11
+ */
+@Slf4j
+public class ClearThreadLocalFilter implements Filter {
+
+    public static final String NAME = "ClearThreadLocalFilter";
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
+        try {
+            chain.doFilter(request, response);
+        } finally {
+
+            try {
+                Map<String, RemoveThreadLocalApi> beansOfType = SpringUtil.getBeansOfType(RemoveThreadLocalApi.class);
+                if (beansOfType != null) {
+                    for (Map.Entry<String, RemoveThreadLocalApi> entry : beansOfType.entrySet()) {
+                        RemoveThreadLocalApi removeThreadLocalApi = entry.getValue();
+                        removeThreadLocalApi.removeThreadLocalAction();
+                    }
+                }
+            } catch (Exception e) {
+                // 清空失败
+                log.error("清空threadLocal失败！", e);
+            }
+        }
+    }
+
+}

kernel-d-security/security-sdk-request-encrypt-and-decode/src/main/java/cn/stylefeng/roses/kernel/security/request/encrypt/advice/EncryptionRequestBodyAdvice.java

@@ -46,6 +46,7 @@ import java.util.Date;
  */
 @Slf4j
 @ControllerAdvice
+@SuppressWarnings("all")
 public class EncryptionRequestBodyAdvice implements RequestBodyAdvice {
 
     static {

kernel-d-security/security-sdk-request-encrypt-and-decode/src/main/java/cn/stylefeng/roses/kernel/security/request/encrypt/advice/EncryptionResponseBodyAdvice.java

@@ -31,6 +31,7 @@ import java.util.Date;
  */
 @Slf4j
 @ControllerAdvice
+@SuppressWarnings("all")
 public class EncryptionResponseBodyAdvice implements ResponseBodyAdvice {
 
     static {
@@ -66,6 +67,7 @@ public class EncryptionResponseBodyAdvice implements ResponseBodyAdvice {
 
                         // 从 ThreadLocal 中获取 aes key
                         String aesKey = EncryptionHolder.getAesKey();
+
                         // 偏移
                         byte[] iv = HexUtil.decodeHex(SecureUtil.md5(StrUtil.format("{}{}", aesKey, DateUtil.format(new Date(), "yyyyMMdd"))));
 

kernel-d-security/security-sdk-request-encrypt-and-decode/src/main/java/cn/stylefeng/roses/kernel/security/request/encrypt/holder/EncryptRemoveThreadLocalHolder.java

@@ -0,0 +1,20 @@
+package cn.stylefeng.roses.kernel.security.request.encrypt.holder;
+
+import cn.stylefeng.roses.kernel.rule.threadlocal.RemoveThreadLocalApi;
+import org.springframework.stereotype.Component;
+
+/**
+ * 清除加解密的相关ThreadLocal
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:37
+ */
+@Component
+public class EncryptRemoveThreadLocalHolder implements RemoveThreadLocalApi {
+
+    @Override
+    public void removeThreadLocalAction() {
+        EncryptionHolder.clearAesKey();
+    }
+
+}

kernel-d-security/security-spring-boot-starter/pom.xml

@@ -24,6 +24,13 @@
             <version>${roses.version}</version>
         </dependency>
 
+        <!--threadLocal清除器-->
+        <dependency>
+            <groupId>cn.stylefeng.roses</groupId>
+            <artifactId>security-sdk-clear-threadlocal</artifactId>
+            <version>${roses.version}</version>
+        </dependency>
+
         <!--图形验证码模块-->
         <dependency>
             <groupId>cn.stylefeng.roses</groupId>

kernel-d-security/security-spring-boot-starter/src/main/java/cn/stylefeng/roses/kernel/security/starter/GunsSecurityAutoConfiguration.java

@@ -24,8 +24,14 @@
  */
 package cn.stylefeng.roses.kernel.security.starter;
 
+import cn.stylefeng.roses.kernel.security.api.constants.SecurityConstants;
+import cn.stylefeng.roses.kernel.security.clear.ClearThreadLocalFilter;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
+import static org.springframework.core.Ordered.HIGHEST_PRECEDENCE;
+
 /**
  * 安全模块自动配置
  *
@@ -35,4 +41,20 @@ import org.springframework.context.annotation.Configuration;
 @Configuration
 public class GunsSecurityAutoConfiguration {
 
+    /**
+     * ThreadLocal清除器
+     *
+     * @author fengshuonan
+     * @date 2021/10/29 11:29
+     */
+    @Bean
+    public FilterRegistrationBean<ClearThreadLocalFilter> clearThreadLocalFilterFilterRegistrationBean() {
+        FilterRegistrationBean<ClearThreadLocalFilter> bean = new FilterRegistrationBean<>();
+        bean.setFilter(new ClearThreadLocalFilter());
+        bean.addUrlPatterns(SecurityConstants.DEFAULT_XSS_PATTERN);
+        bean.setName(ClearThreadLocalFilter.NAME);
+        bean.setOrder(HIGHEST_PRECEDENCE + 1);
+        return bean;
+    }
+
 }

kernel-d-validator/validator-api/src/main/java/cn/stylefeng/roses/kernel/validator/api/context/RequestRemoveThreadLocalHolder.java

@@ -0,0 +1,21 @@
+package cn.stylefeng.roses.kernel.validator.api.context;
+
+import cn.stylefeng.roses.kernel.rule.threadlocal.RemoveThreadLocalApi;
+import org.springframework.stereotype.Component;
+
+/**
+ * 清除参数缓存相关的ThreadLocal
+ *
+ * @author fengshuonan
+ * @date 2021/10/29 11:37
+ */
+@Component
+public class RequestRemoveThreadLocalHolder implements RemoveThreadLocalApi {
+
+    @Override
+    public void removeThreadLocalAction() {
+        RequestGroupContext.clear();
+        RequestParamContext.clear();
+    }
+
+}