feat: provides authentication and authorization expression dialects (#2729)

#### What type of PR is this?
/kind feature
/milestone 2.0.0-rc.1
/area core

#### What this PR does / why we need it:
主题端支持使用表达式方言获取登录状态和判断权限，例如：

获取当前登录用户名
```html
<div th:text="${#authentication.name}">
  The value of the "name" property of the authentication object should appear here.
</div>
```
关于判断登录状态我们并不推荐调用表达式 `${#authentication.isAuthenticated()}`，因为始终返回 `true`，使用以下几种属性表达式代替：
```html
<div sec:authorize="isAuthenticated()">
如果不是匿名用户你会看到我
</div>

<div sec:authorize="isFullyAuthenticated()">
如果不是匿名用户且不是 rememberMe 你会看到我
</div>
```
其他
```html
<div sec:authorize="isAnonymous()">
如果是匿名用户你会看到我
</div>
```
```html
<div sec:authorize="isRememberMe()">
如果是 rememberMe  你会看到我
</div>
```
更多请参考：
https://github.com/thymeleaf/thymeleaf-extras-springsecurity

Console 端判断是否登录需要改一下，目前所有未登录状态都属于一个叫 anonymousUser 的用户
#### Which issue(s) this PR fixes:

Fixes #2676

#### Special notes for your reviewer:
/cc @halo-dev/sig-halo 
#### Does this PR introduce a user-facing change?
```release-note
主题端支持使用表达式方言获取登录状态和判断权限
```

build.gradle

@@ -76,6 +76,7 @@ dependencies {
     implementation "io.github.java-diff-utils:java-diff-utils:$javaDiffUtils"
     implementation "org.springframework.integration:spring-integration-core"
     implementation "com.github.java-json-tools:json-patch:$jsonPatch"
+    implementation "org.thymeleaf.extras:thymeleaf-extras-springsecurity6"
 
     compileOnly 'org.projectlombok:lombok'
     testCompileOnly 'org.projectlombok:lombok'

src/main/java/run/halo/app/config/WebServerSecurityConfig.java

@@ -1,7 +1,6 @@
 package run.halo.app.config;
 
 import static org.springframework.security.config.Customizer.withDefaults;
-import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWKSet;
@@ -56,9 +55,11 @@ public class WebServerSecurityConfig {
         RoleService roleService,
         ObjectProvider<SecurityConfigurer> securityConfigurers) {
 
-        http.securityMatcher(pathMatchers("/api/**", "/apis/**", "/login", "/logout"))
+        http.authorizeExchange()
-            .authorizeExchange(exchanges ->
+            .pathMatchers("/api/**", "/apis/**", "/login", "/logout")
-                exchanges.anyExchange().access(new RequestInfoAuthorizationManager(roleService)))
+            .access(new RequestInfoAuthorizationManager(roleService))
+            .pathMatchers("/**").permitAll()
+            .and()
             .anonymous(anonymousSpec -> {
                 anonymousSpec.authorities(AnonymousUserConst.Role);
                 anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);

src/main/resources/extensions/role-template-anonymous.yaml

@@ -5,6 +5,9 @@ metadata:
   labels:
     halo.run/role-template: "true"
     halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-own-user-info", "role-template-own-permissions"]
 rules:
   - apiGroups: [ "api.halo.run" ]
     resources: [ "comments", "comments/reply" ]

src/main/resources/extensions/user.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1alpha1
+kind: User
+metadata:
+  name: anonymousUser
+spec:
+  displayName: Anonymous User
+  email: anonymous@example.com
+  disabled: true