From 4017ec94ec2f511f8fa33d86c254c8479dc5a8da Mon Sep 17 00:00:00 2001
From: CaptainB
Date: Fri, 4 Nov 2022 14:47:25 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E5=8E=BB=E6=8E=89=E5=B7=B2?= =?UTF-8?q?=E7=BB=8F=E5=BA=9F=E5=BC=83=E7=9A=84=E7=B1=BB=E5=92=8C=E6=96=B9?= =?UTF-8?q?=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../metersphere/commons/utils/ShiroUtils.java | 31 -------------
 .../io/metersphere/security/ApiKeyFilter.java | 5 ++-
 .../security/CustomSessionIdGenerator.java | 19 --------
 .../security/CustomSessionManager.java | 31 -------------
 .../io/metersphere/security/MsUserToken.java | 24 -----------
 .../metersphere/security/realm/BaseRealm.java | 43 -------------------
 .../security/realm/LocalRealm.java | 8 +++-
 .../metersphere/service/BaseUserService.java | 3 +-
 8 files changed, 11 insertions(+), 153 deletions(-)
 delete mode 100644 framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionIdGenerator.java
 delete mode 100644 framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionManager.java
 delete mode 100644 framework/sdk-parent/sdk/src/main/java/io/metersphere/security/MsUserToken.java
 delete mode 100644 framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/BaseRealm.java
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/ShiroUtils.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
index c5ad6e3464..5ee72d6d77 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/ShiroUtils.java
@@ -1,14 +1,5 @@
 package io.metersphere.commons.utils;
-import io.metersphere.security.CustomSessionIdGenerator;
-import io.metersphere.security.CustomSessionManager;
-import org.apache.shiro.cache.CacheManager;
-import org.apache.shiro.session.mgt.SessionManager;
-import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
-import org.apache.shiro.web.servlet.Cookie;
-import org.apache.shiro.web.servlet.SimpleCookie;
-import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
-
 import java.util.Map;
 public class ShiroUtils {
@@ -94,26 +85,4 @@ public class ShiroUtils {
 filterChainDefinitionMap.put("/language", "apikey, authc");// 跳转到 /language 不用校验 csrf
 filterChainDefinitionMap.put("/mock", "apikey, authc"); // 跳转到 /mock接口 不用校验 csrf
 }
-
- public static Cookie getSessionIdCookie() {
- SimpleCookie sessionIdCookie = new SimpleCookie();
- sessionIdCookie.setPath("/");
- sessionIdCookie.setName("MS_SESSION_ID");
- return sessionIdCookie;
- }
-
- public static SessionManager getSessionManager(Long sessionTimeout, CacheManager cacheManager) {
- DefaultWebSessionManager sessionManager = new CustomSessionManager();
- sessionManager.setSessionIdUrlRewritingEnabled(false);
- sessionManager.setDeleteInvalidSessions(true);
- sessionManager.setSessionValidationSchedulerEnabled(true);
- sessionManager.setSessionIdCookie(ShiroUtils.getSessionIdCookie());
- sessionManager.setGlobalSessionTimeout(sessionTimeout * 1000);// 超时时间ms
- sessionManager.setCacheManager(cacheManager);
- AbstractSessionDAO sessionDAO = (AbstractSessionDAO) sessionManager.getSessionDAO();
- sessionDAO.setSessionIdGenerator(new CustomSessionIdGenerator());
- //sessionManager.setSessionIdCookieEnabled(true);
- return sessionManager;
- }
 }
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
index c9b6c217bd..2bf9ed8242 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
@@ -4,6 +4,7 @@ import io.metersphere.commons.constants.SessionConstants;
 import io.metersphere.commons.utils.LogUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.web.filter.authc.AnonymousFilter;
 import org.apache.shiro.web.util.WebUtils;
@@ -22,7 +23,7 @@ public class ApiKeyFilter extends AnonymousFilter {
 // sso 带了token的
 String userId = ApiKeySessionHandler.validate(httpRequest);
 if (StringUtils.isNotBlank(userId)) {
- SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
+ SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
 }
 return true;
 }
@@ -31,7 +32,7 @@ public class ApiKeyFilter extends AnonymousFilter {
 if (!SecurityUtils.getSubject().isAuthenticated()) {
 String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
 if (StringUtils.isNotBlank(userId)) {
- SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
+ SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
 }
 }
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionIdGenerator.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionIdGenerator.java
deleted file mode 100644
index 769dd8ab42..0000000000
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionIdGenerator.java
+++ /dev/null
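Review bot: Both new `login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random))` calls authenticate the subject with a static, process-wide value as the credential, and because this commit also deletes `CustomSessionManager` (which keyed API-key requests to one session per access key and disabled the session cookie for them), each API-key request that reaches this branch now appears to get a fresh server-side session from Shiro's default login flow — the session growth the deleted manager's comment was guarding against. Unless the replacement session manager (not in this patch) still derives the session id from `ApiKeyHandler.API_ACCESS_KEY`, consider building the subject for API-key calls with session creation disabled, or logging the subject out when the request completes. The realm that consumes this token (`LocalRealm.doGetAuthenticationInfo`) is outside the diff, so it cannot be checked here whether `random` is verified or only the user id is; a comment on each `login` line such as `// credential is a placeholder: the API key was already verified by validate()/getUser() above` would make that contract explicit for the next reader.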
@@ -1,19 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.shiro.session.Session;
-import org.apache.shiro.session.mgt.eis.SessionIdGenerator;
-
-import java.io.Serializable;
-import java.util.UUID;
-
-public class CustomSessionIdGenerator implements SessionIdGenerator {
- @Override
- public Serializable generateId(Session session) {
- String threadSessionId = CustomSessionManager.threadSessionId.get();
- if (StringUtils.isNotBlank(threadSessionId)) {
- return threadSessionId;
- }
- return UUID.randomUUID().toString();
- }
-}
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionManager.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionManager.java
deleted file mode 100644
index e9d9b3be3b..0000000000
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionManager.java
+++ /dev/null
@@ -1,31 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
-import org.apache.shiro.web.util.WebUtils;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.Serializable;
-
-public class CustomSessionManager extends DefaultWebSessionManager {
-
- static final ThreadLocal threadSessionId = new ThreadLocal<>();
-
- @Override
- protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
- String id = null;
- HttpServletRequest httpRequest = WebUtils.toHttp(request);
- if (ApiKeyHandler.isApiKeyCall(httpRequest)) {
- // API调用同一个ak使用同一个session,避免调用频繁,导致session过多,内存泄漏
- id = httpRequest.getHeader(ApiKeyHandler.API_ACCESS_KEY);
- setSessionIdCookieEnabled(false);
- threadSessionId.set(id);
- return id;
- }
- // 线程池中线程可能会复用,非api删除
- threadSessionId.remove();
- setSessionIdCookieEnabled(true);
- return super.getSessionId(request, response);
- }
-}
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/MsUserToken.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/MsUserToken.java
deleted file mode 100644
index f72326ec18..0000000000
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/MsUserToken.java
+++ /dev/null
@@ -1,24 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.shiro.authc.UsernamePasswordToken;
-
-public class MsUserToken extends UsernamePasswordToken {
- private String loginType;
-
- public MsUserToken() {
- }
-
- public MsUserToken(final String username, final String password, final String loginType) {
- super(username, password);
- this.loginType = loginType;
- }
-
- public String getLoginType() {
- return loginType;
- }
-
- public void setLoginType(String loginType) {
- this.loginType = loginType;
- }
-
-}
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/BaseRealm.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/BaseRealm.java
deleted file mode 100644
index 7c3fce73a7..0000000000
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/BaseRealm.java
+++ /dev/null
@@ -1,43 +0,0 @@
-package io.metersphere.security.realm;
-
-import io.metersphere.commons.user.SessionUser;
-import io.metersphere.commons.utils.SessionUtils;
-import io.metersphere.dto.UserDTO;
-import io.metersphere.i18n.Translator;
-import io.metersphere.service.BaseUserService;
-import org.apache.shiro.authc.*;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-
-import javax.annotation.Resource;
-
-public abstract class BaseRealm extends AuthorizingRealm {
- @Resource
- private BaseUserService baseUserService;
-
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- return null;
- }
-
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
- UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
-
- String userId = token.getUsername();
- String password = String.valueOf(token.getPassword());
- UserDTO user = baseUserService.getUserDTO(userId);
- if (user == null) {
- throw new UnknownAccountException(Translator.get("user_not_exist"));
- }
- SessionUser sessionUser = SessionUser.fromUser(user, SessionUtils.getSessionId());
- SessionUtils.putUser(sessionUser);
- return new SimpleAuthenticationInfo(userId, password, getName());
- }
-
- @Override
- public boolean isPermitted(PrincipalCollection principals, String permission) {
- return SessionUtils.hasPermission(SessionUtils.getCurrentWorkspaceId(), SessionUtils.getCurrentProjectId(), permission);
- }
-}
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/LocalRealm.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/LocalRealm.java
index 09c0d8d9f2..c1b0c5285a 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/LocalRealm.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/LocalRealm.java
@@ -12,6 +12,7 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.*;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -30,7 +31,7 @@ import java.util.Set;
 * set realm
 *
 */
-public class LocalRealm extends BaseRealm {
+public class LocalRealm extends AuthorizingRealm {
 private Logger logger = LoggerFactory.getLogger(LocalRealm.class);
 @Resource
@@ -79,6 +80,11 @@ public class LocalRealm extends BaseRealm {
 }
+ @Override
+ public boolean isPermitted(PrincipalCollection principals, String permission) {
+ return SessionUtils.hasPermission(SessionUtils.getCurrentWorkspaceId(), SessionUtils.getCurrentProjectId(), permission);
+ }
+
 private UserDTO getUserWithOutAuthenticate(String userId) {
 UserDTO user = baseUserService.getUserDTO(userId);
 String msg;
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/service/BaseUserService.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/service/BaseUserService.java
index c36a8e19fd..025f02b079 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/service/BaseUserService.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/service/BaseUserService.java
@@ -26,7 +26,6 @@ import io.metersphere.request.LoginRequest;
 import io.metersphere.request.member.EditPassWordRequest;
 import io.metersphere.request.member.EditSeleniumServerRequest;
 import io.metersphere.request.member.QueryMemberRequest;
-import io.metersphere.security.MsUserToken;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
@@ -357,7 +356,7 @@ public class BaseUserService {
 }
 }
- MsUserToken token = new MsUserToken(username, password, login);
+ UsernamePasswordToken token = new UsernamePasswordToken(username, password);
 Subject subject = SecurityUtils.getSubject();
 try {
 subject.login(token);
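Review bot: The `isPermitted(PrincipalCollection principals, String permission)` override added to `LocalRealm` never reads `principals`; it answers from the thread-bound session via `SessionUtils.getCurrentWorkspaceId()`/`getCurrentProjectId()`, so a check made for any other principal collection (a run-as subject, or a subject executed on a thread whose session holds a different user) is evaluated against the current session user instead. The body is copied verbatim from the deleted `BaseRealm`, so behaviour does not change, but now that it sits in a concrete realm it should say so: `// Authorization is session-scoped: 'principals' is intentionally ignored and the permission is resolved against the current session user's workspace/project roles.` Only the String overload is overridden; `AuthorizingRealm`'s `Permission`-object overloads are, as far as I recall, not routed through this method and still go via `doGetAuthorizationInfo`, so any caller passing `Permission` instances would take a different path — worth either a second comment or an override of that overload as well. The `LocalRealm` class body begins and ends outside this hunk.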
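Review bot: The new `UsernamePasswordToken token = new UsernamePasswordToken(username, password);` keeps the cleartext password in the token's `char[]` for as long as the token is referenced, and nothing in the hunk clears it after `subject.login(token)`; Shiro provides `token.clear()` for this, so a `finally { token.clear(); }` on the surrounding try (which continues past the hunk) would shorten that window, with the caveat that `password` already arrives as an immutable `String` so the gain is limited to the copy. Dropping the third constructor argument also leaves the `login` local, defined above the hunk, unused unless something else reads it, in which case it can be removed. If any realm previously branched on `MsUserToken.getLoginType()`, that signal is gone with this change; no such use is visible in the patch, so this is only worth confirming.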