From ef1096f56a9c46d7f3f87ae4fc921435c75691b2 Mon Sep 17 00:00:00 2001 From: YunaiV Date: Sat, 25 Jun 2022 23:55:22 +0800 Subject: [PATCH] =?UTF-8?q?TokenAuthenticationFilter=20=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E6=9C=AC=E5=9C=B0=E7=BC=93=E5=AD=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../gateway/filter/security/LoginUser.java | 34 ++++++++++ .../security/TokenAuthenticationFilter.java | 68 +++++++++++++++---- .../gateway/util/SecurityFrameworkUtils.java | 33 ++++----- .../yudao/gateway/util/WebFrameworkUtils.java | 17 ++--- .../controller/admin/auth/AuthController.http | 2 +- 5 files changed, 114 insertions(+), 40 deletions(-) create mode 100644 yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/LoginUser.java diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/LoginUser.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/LoginUser.java new file mode 100644 index 00000000..7c7fc407 --- /dev/null +++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/LoginUser.java @@ -0,0 +1,34 @@ +package cn.iocoder.yudao.gateway.filter.security; + +import lombok.Data; + +import java.util.List; + +/** + * 登录用户信息 + * + * copy from yudao-spring-boot-starter-security 的 LoginUser 类 + * + * @author 芋道源码 + */ +@Data +public class LoginUser { + + /** + * 用户编号 + */ + private Long id; + /** + * 用户类型 + */ + private Integer userType; + /** + * 租户编号 + */ + private Long tenantId; + /** + * 授权范围 + */ + private List scopes; + +} diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java index a37c262f..91d81c0a 100644 --- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java +++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java @@ -1,13 +1,17 @@ package cn.iocoder.yudao.gateway.filter.security; import cn.hutool.core.util.StrUtil; +import cn.iocoder.yudao.framework.common.core.KeyValue; import cn.iocoder.yudao.framework.common.pojo.CommonResult; +import cn.iocoder.yudao.framework.common.util.cache.CacheUtils; import cn.iocoder.yudao.framework.common.util.json.JsonUtils; import cn.iocoder.yudao.gateway.util.SecurityFrameworkUtils; import cn.iocoder.yudao.gateway.util.WebFrameworkUtils; import cn.iocoder.yudao.module.system.api.oauth2.OAuth2TokenApi; import cn.iocoder.yudao.module.system.api.oauth2.dto.OAuth2AccessTokenCheckRespDTO; import com.fasterxml.jackson.core.type.TypeReference; +import com.google.common.cache.CacheLoader; +import com.google.common.cache.LoadingCache; import org.springframework.cloud.client.loadbalancer.reactive.ReactorLoadBalancerExchangeFilterFunction; import org.springframework.cloud.gateway.filter.GatewayFilterChain; import org.springframework.cloud.gateway.filter.GlobalFilter; @@ -17,6 +21,7 @@ import org.springframework.web.reactive.function.client.WebClient; import org.springframework.web.server.ServerWebExchange; import reactor.core.publisher.Mono; +import java.time.Duration; import java.util.function.Function; /** @@ -34,6 +39,17 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered { private final WebClient webClient; + private final LoadingCache, LoginUser> loginUserCache = CacheUtils.buildAsyncReloadingCache(Duration.ofMinutes(1), + new CacheLoader, LoginUser>() { + + @Override + public LoginUser load(KeyValue keyValue) { + String body = checkAccessToken(keyValue.getKey(), keyValue.getValue()).block(); + return buildUser(body); + } + + }); + public TokenAuthenticationFilter(ReactorLoadBalancerExchangeFilterFunction lbFunction) { // Q:为什么不使用 OAuth2TokenApi 进行调用? // A1:Spring Cloud OpenFeign 官方未内置 Reactive 的支持 https://docs.spring.io/spring-cloud-openfeign/docs/current/reference/html/#reactive-support @@ -54,24 +70,50 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered { } // 情况二,如果有 Token 令牌,则解析对应 userId、userType、tenantId 等字段,并通过 通过 Header 转发给服务 - return webClient.get() - .uri(OAuth2TokenApi.URL_CHECK, uriBuilder -> uriBuilder.queryParam("accessToken", token).build()) - .headers(httpHeaders -> WebFrameworkUtils.setTenantIdHeader(exchange, httpHeaders)) // 设置租户的 Header - .retrieve().bodyToMono(String.class) // 发起请求,设置 body 为 String 结果 - .flatMap((Function>) body -> chain.filter(buildNewServerWebExchange(exchange, body))); // 处理请求的结果 + Long tenantId = WebFrameworkUtils.getTenantId(exchange); + KeyValue cacheKey = new KeyValue().setKey(tenantId).setValue(token); + LoginUser user = loginUserCache.getUnchecked(cacheKey); + if (user != null) { + SecurityFrameworkUtils.setLoginUser(exchange, user); + return chain.filter(exchange.mutate().request(builder -> SecurityFrameworkUtils.setLoginUserHeader(builder, user)).build()); + } + return checkAccessToken(cacheKey.getKey(), token) + .flatMap((Function>) body -> chain.filter(buildNewServerWebExchange(exchange, cacheKey, body))); // 处理请求的结果 } - private ServerWebExchange buildNewServerWebExchange(ServerWebExchange exchange, String body) { - // 校验 Token 令牌失败,则直接返回 - CommonResult result = JsonUtils.parseObject(body, CHECK_RESULT_TYPE_REFERENCE); - if (result == null || result.isError()) { + private Mono checkAccessToken(Long tenantId, String token) { + return webClient.get() + .uri(OAuth2TokenApi.URL_CHECK, uriBuilder -> uriBuilder.queryParam("accessToken", token).build()) + .headers(httpHeaders -> WebFrameworkUtils.setTenantIdHeader(tenantId, httpHeaders)) // 设置租户的 Header + .retrieve().bodyToMono(String.class); + } + + private ServerWebExchange buildNewServerWebExchange(ServerWebExchange exchange, KeyValue cacheKey, String body) { + // 1.1 解析 User + LoginUser user = buildUser(body); + // 1.2 校验 Token 令牌失败,则直接返回 + if (user == null) { return exchange; } - // 设置登录用户 - SecurityFrameworkUtils.setLoginUser(exchange, result.getData()); - // 将访问令牌封装成 LoginUser,并设置到 login-user 的请求头,使用 json 存储值 - return exchange.mutate().request(builder -> SecurityFrameworkUtils.setLoginUserHeader(builder, result.getData())).build(); + // 2. 设置到缓存 + loginUserCache.put(cacheKey, user); + + // 3.1 设置登录用户 + SecurityFrameworkUtils.setLoginUser(exchange, user); + // 3.2 将 user 并设置到 login-user 的请求头,使用 json 存储值 + return exchange.mutate().request(builder -> SecurityFrameworkUtils.setLoginUserHeader(builder, user)).build(); + } + + private LoginUser buildUser(String body) { + CommonResult result = JsonUtils.parseObject(body, CHECK_RESULT_TYPE_REFERENCE); + if (result == null || result.isError()) { + return null; + } + // 创建登录用户 + OAuth2AccessTokenCheckRespDTO tokenInfo = result.getData(); + return new LoginUser().setId(tokenInfo.getUserId()).setUserType(tokenInfo.getUserType()) + .setTenantId(tokenInfo.getTenantId()).setScopes(tokenInfo.getScopes()); } @Override diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java index 25896a60..c0b16635 100644 --- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java +++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/SecurityFrameworkUtils.java @@ -2,13 +2,11 @@ package cn.iocoder.yudao.gateway.util; import cn.hutool.core.map.MapUtil; import cn.iocoder.yudao.framework.common.util.json.JsonUtils; -import cn.iocoder.yudao.module.system.api.oauth2.dto.OAuth2AccessTokenCheckRespDTO; +import cn.iocoder.yudao.gateway.filter.security.LoginUser; import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.util.StringUtils; import org.springframework.web.server.ServerWebExchange; -import java.util.Map; - /** * 安全服务工具类 * @@ -51,13 +49,19 @@ public class SecurityFrameworkUtils { * 设置登录用户 * * @param exchange 请求 - * @param token 访问令牌 + * @param user 用户 */ - public static void setLoginUser(ServerWebExchange exchange, OAuth2AccessTokenCheckRespDTO token) { - exchange.getAttributes().put(LOGIN_USER_ID_ATTR, token.getUserId()); - exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, token.getUserType()); + public static void setLoginUser(ServerWebExchange exchange, LoginUser user) { + exchange.getAttributes().put(LOGIN_USER_ID_ATTR, user.getId()); + exchange.getAttributes().put(LOGIN_USER_TYPE_ATTR, user.getUserType()); } + /** + * 移除请求头的用户 + * + * @param exchange 请求 + * @return 请求 + */ public static ServerWebExchange removeLoginUser(ServerWebExchange exchange) { // 如果不包含,直接返回 if (!exchange.getRequest().getHeaders().containsKey(LOGIN_USER_HEADER)) { @@ -90,20 +94,13 @@ public class SecurityFrameworkUtils { } /** - * 将访问令牌封装成 LoginUser,并设置到 login-user 的请求头,使用 json 存储值 + * 将 user 并设置到 login-user 的请求头,使用 json 存储值 * * @param builder 请求 - * @param token 访问令牌 + * @param user 用户 */ - public static void setLoginUserHeader(ServerHttpRequest.Builder builder, OAuth2AccessTokenCheckRespDTO token) { - // 构建 LoginUser 对象。由于 Gateway 没有 loginUser 类,所以使用 Map - Map loginUser = MapUtil.newHashMap(4); - loginUser.put("id", token.getUserId()); - loginUser.put("userType", token.getUserType()); - loginUser.put("tenantId", token.getTenantId()); - loginUser.put("scopes", token.getScopes()); - // 设置到 Header 中 - builder.header(LOGIN_USER_HEADER, JsonUtils.toJsonString(loginUser)); + public static void setLoginUserHeader(ServerHttpRequest.Builder builder, LoginUser user) { + builder.header(LOGIN_USER_HEADER, JsonUtils.toJsonString(user)); } } diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/WebFrameworkUtils.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/WebFrameworkUtils.java index 0553cc3f..19e83568 100644 --- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/WebFrameworkUtils.java +++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/util/WebFrameworkUtils.java @@ -2,7 +2,6 @@ package cn.iocoder.yudao.gateway.util; import cn.hutool.core.net.NetUtil; import cn.hutool.core.util.ArrayUtil; -import cn.hutool.core.util.StrUtil; import cn.hutool.extra.servlet.ServletUtil; import cn.iocoder.yudao.framework.common.util.json.JsonUtils; import lombok.extern.slf4j.Slf4j; @@ -28,22 +27,24 @@ public class WebFrameworkUtils { private static final String HEADER_TENANT_ID = "tenant-id"; - private static final String HEADER_TAG = "tag"; - private WebFrameworkUtils() {} /** * 将 Gateway 请求中的 header,设置到 HttpHeaders 中 * - * @param exchange Gateway 请求 + * @param tenantId 租户编号 * @param httpHeaders WebClient 的请求 */ - public static void setTenantIdHeader(ServerWebExchange exchange, HttpHeaders httpHeaders) { - String tenantId = exchange.getRequest().getHeaders().getFirst(HEADER_TENANT_ID); - if (StrUtil.isNotEmpty(tenantId)) { + public static void setTenantIdHeader(Long tenantId, HttpHeaders httpHeaders) { + if (tenantId == null) { return; } - httpHeaders.set(HEADER_TENANT_ID, tenantId); + httpHeaders.set(HEADER_TENANT_ID, String.valueOf(tenantId)); + } + + public static Long getTenantId(ServerWebExchange exchange) { + String tenantId = exchange.getRequest().getHeaders().getFirst(HEADER_TENANT_ID); + return tenantId != null ? Long.parseLong(tenantId) : null; } /** diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http index a3792f1c..4a869ff3 100644 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.http @@ -29,5 +29,5 @@ tenant-id: {{adminTenentId}} ### 请求 /list-menus 接口 => 成功 GET {{systemBaseUrl}}/system/auth/list-menus #Authorization: Bearer {{token}} -Authorization: Bearer 81e64ecd759a410ca54d3f00bdeb4574 +Authorization: Bearer c347026e805e4d99b0d116eae66eda8c tenant-id: {{adminTenentId}}