refactor: 去掉已经废弃的类和方法

framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/ShiroUtils.java

@@ -1,14 +1,5 @@
 package io.metersphere.commons.utils;
 
-import io.metersphere.security.CustomSessionIdGenerator;
-import io.metersphere.security.CustomSessionManager;
-import org.apache.shiro.cache.CacheManager;
-import org.apache.shiro.session.mgt.SessionManager;
-import org.apache.shiro.session.mgt.eis.AbstractSessionDAO;
-import org.apache.shiro.web.servlet.Cookie;
-import org.apache.shiro.web.servlet.SimpleCookie;
-import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
-
 import java.util.Map;
 
 public class ShiroUtils {
@@ -94,26 +85,4 @@ public class ShiroUtils {
         filterChainDefinitionMap.put("/language", "apikey, authc");// 跳转到 /language 不用校验 csrf
         filterChainDefinitionMap.put("/mock", "apikey, authc"); // 跳转到 /mock接口 不用校验 csrf
     }
-
-    public static Cookie getSessionIdCookie() {
-        SimpleCookie sessionIdCookie = new SimpleCookie();
-        sessionIdCookie.setPath("/");
-        sessionIdCookie.setName("MS_SESSION_ID");
-        return sessionIdCookie;
-    }
-
-    public static SessionManager getSessionManager(Long sessionTimeout, CacheManager cacheManager) {
-        DefaultWebSessionManager sessionManager = new CustomSessionManager();
-        sessionManager.setSessionIdUrlRewritingEnabled(false);
-        sessionManager.setDeleteInvalidSessions(true);
-        sessionManager.setSessionValidationSchedulerEnabled(true);
-        sessionManager.setSessionIdCookie(ShiroUtils.getSessionIdCookie());
-        sessionManager.setGlobalSessionTimeout(sessionTimeout * 1000);// 超时时间ms
-        sessionManager.setCacheManager(cacheManager);
-        AbstractSessionDAO sessionDAO = (AbstractSessionDAO) sessionManager.getSessionDAO();
-        sessionDAO.setSessionIdGenerator(new CustomSessionIdGenerator());
-
-        //sessionManager.setSessionIdCookieEnabled(true);
-        return sessionManager;
-    }
 }

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java

@@ -4,6 +4,7 @@ import io.metersphere.commons.constants.SessionConstants;
 import io.metersphere.commons.utils.LogUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.web.filter.authc.AnonymousFilter;
 import org.apache.shiro.web.util.WebUtils;
 
@@ -22,7 +23,7 @@ public class ApiKeyFilter extends AnonymousFilter {
             // sso 带了token的
             String userId = ApiKeySessionHandler.validate(httpRequest);
             if (StringUtils.isNotBlank(userId)) {
-                SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
+                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
             }
             return true;
         }
@@ -31,7 +32,7 @@ public class ApiKeyFilter extends AnonymousFilter {
         if (!SecurityUtils.getSubject().isAuthenticated()) {
             String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
             if (StringUtils.isNotBlank(userId)) {
-                SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
+                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
             }
         }
 

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionIdGenerator.java

@@ -1,19 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.shiro.session.Session;
-import org.apache.shiro.session.mgt.eis.SessionIdGenerator;
-
-import java.io.Serializable;
-import java.util.UUID;
-
-public class CustomSessionIdGenerator implements SessionIdGenerator {
-    @Override
-    public Serializable generateId(Session session) {
-        String threadSessionId = CustomSessionManager.threadSessionId.get();
-        if (StringUtils.isNotBlank(threadSessionId)) {
-            return threadSessionId;
-        }
-        return UUID.randomUUID().toString();
-    }
-}

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CustomSessionManager.java

@@ -1,31 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
-import org.apache.shiro.web.util.WebUtils;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.Serializable;
-
-public class CustomSessionManager extends DefaultWebSessionManager {
-
-    static final ThreadLocal<String> threadSessionId = new ThreadLocal<>();
-
-    @Override
-    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
-        String id = null;
-        HttpServletRequest httpRequest = WebUtils.toHttp(request);
-        if (ApiKeyHandler.isApiKeyCall(httpRequest)) {
-            // API调用同一个ak使用同一个session，避免调用频繁，导致session过多，内存泄漏
-            id = httpRequest.getHeader(ApiKeyHandler.API_ACCESS_KEY);
-            setSessionIdCookieEnabled(false);
-            threadSessionId.set(id);
-            return id;
-        }
-        // 线程池中线程可能会复用，非api删除
-        threadSessionId.remove();
-        setSessionIdCookieEnabled(true);
-        return super.getSessionId(request, response);
-    }
-}

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/MsUserToken.java

@@ -1,24 +0,0 @@
-package io.metersphere.security;
-
-import org.apache.shiro.authc.UsernamePasswordToken;
-
-public class MsUserToken extends UsernamePasswordToken {
-    private String loginType;
-
-    public MsUserToken() {
-    }
-
-    public MsUserToken(final String username, final String password, final String loginType) {
-        super(username, password);
-        this.loginType = loginType;
-    }
-
-    public String getLoginType() {
-        return loginType;
-    }
-
-    public void setLoginType(String loginType) {
-        this.loginType = loginType;
-    }
-
-}

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/BaseRealm.java

@@ -1,43 +0,0 @@
-package io.metersphere.security.realm;
-
-import io.metersphere.commons.user.SessionUser;
-import io.metersphere.commons.utils.SessionUtils;
-import io.metersphere.dto.UserDTO;
-import io.metersphere.i18n.Translator;
-import io.metersphere.service.BaseUserService;
-import org.apache.shiro.authc.*;
-import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.realm.AuthorizingRealm;
-import org.apache.shiro.subject.PrincipalCollection;
-
-import javax.annotation.Resource;
-
-public abstract class BaseRealm extends AuthorizingRealm {
-    @Resource
-    private BaseUserService baseUserService;
-
-    @Override
-    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-        return null;
-    }
-
-    @Override
-    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
-        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
-
-        String userId = token.getUsername();
-        String password = String.valueOf(token.getPassword());
-        UserDTO user = baseUserService.getUserDTO(userId);
-        if (user == null) {
-            throw new UnknownAccountException(Translator.get("user_not_exist"));
-        }
-        SessionUser sessionUser = SessionUser.fromUser(user, SessionUtils.getSessionId());
-        SessionUtils.putUser(sessionUser);
-        return new SimpleAuthenticationInfo(userId, password, getName());
-    }
-
-    @Override
-    public boolean isPermitted(PrincipalCollection principals, String permission) {
-        return SessionUtils.hasPermission(SessionUtils.getCurrentWorkspaceId(), SessionUtils.getCurrentProjectId(), permission);
-    }
-}

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/realm/LocalRealm.java

@@ -12,6 +12,7 @@ import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.*;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -30,7 +31,7 @@ import java.util.Set;
  * set realm
  * </p>
  */
-public class LocalRealm extends BaseRealm {
+public class LocalRealm extends AuthorizingRealm {
 
     private Logger logger = LoggerFactory.getLogger(LocalRealm.class);
     @Resource
@@ -79,6 +80,11 @@ public class LocalRealm extends BaseRealm {
 
     }
 
+    @Override
+    public boolean isPermitted(PrincipalCollection principals, String permission) {
+        return SessionUtils.hasPermission(SessionUtils.getCurrentWorkspaceId(), SessionUtils.getCurrentProjectId(), permission);
+    }
+
     private UserDTO getUserWithOutAuthenticate(String userId) {
         UserDTO user = baseUserService.getUserDTO(userId);
         String msg;

framework/sdk-parent/sdk/src/main/java/io/metersphere/service/BaseUserService.java

@@ -26,7 +26,6 @@ import io.metersphere.request.LoginRequest;
 import io.metersphere.request.member.EditPassWordRequest;
 import io.metersphere.request.member.EditSeleniumServerRequest;
 import io.metersphere.request.member.QueryMemberRequest;
-import io.metersphere.security.MsUserToken;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
@@ -357,7 +356,7 @@ public class BaseUserService {
             }
         }
 
-        MsUserToken token = new MsUserToken(username, password, login);
+        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
         Subject subject = SecurityUtils.getSubject();
         try {
             subject.login(token);