refactor: 后台服务间调用区分sso token

This commit is contained in:
CaptainB 2023-01-09 19:58:14 +08:00 committed by 刘瑞斌
parent 28f67180b3
commit 468e06dcd4
4 changed files with 13 additions and 5 deletions

View File

@ -7,6 +7,7 @@ public class SessionConstants {
public final static String HEADER_TOKEN = "X-AUTH-TOKEN"; public final static String HEADER_TOKEN = "X-AUTH-TOKEN";
public final static String CSRF_TOKEN = "CSRF-TOKEN"; public final static String CSRF_TOKEN = "CSRF-TOKEN";
public final static String SSO_TOKEN = "SSO-TOKEN";
public final static String CURRENT_PROJECT = "PROJECT"; public final static String CURRENT_PROJECT = "PROJECT";
public final static String CURRENT_WORKSPACE = "WORKSPACE"; public final static String CURRENT_WORKSPACE = "WORKSPACE";
public final static String ACCESS_KEY = "accessKey"; public final static String ACCESS_KEY = "accessKey";

View File

@ -60,6 +60,7 @@ public class HttpHeaderUtils {
headers.add(SessionConstants.HEADER_TOKEN, sessionUser.getSessionId()); headers.add(SessionConstants.HEADER_TOKEN, sessionUser.getSessionId());
headers.add(SessionConstants.CSRF_TOKEN, sessionUser.getCsrfToken()); headers.add(SessionConstants.CSRF_TOKEN, sessionUser.getCsrfToken());
headers.add(SessionConstants.SSO_TOKEN, sessionUser.getId());
headers.add(SessionConstants.CURRENT_PROJECT, sessionUser.getLastProjectId()); headers.add(SessionConstants.CURRENT_PROJECT, sessionUser.getLastProjectId());
headers.add(SessionConstants.CURRENT_WORKSPACE, sessionUser.getLastWorkspaceId()); headers.add(SessionConstants.CURRENT_WORKSPACE, sessionUser.getLastWorkspaceId());
} }

View File

@ -1,7 +1,6 @@
package io.metersphere.security; package io.metersphere.security;
import io.metersphere.commons.constants.SessionConstants; import io.metersphere.commons.constants.SessionConstants;
import io.metersphere.commons.utils.LogUtil;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils; import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authc.UsernamePasswordToken;
@ -21,9 +20,9 @@ public class ApiKeyFilter extends AnonymousFilter {
// 不是apikey的通过 // 不是apikey的通过
if (!ApiKeyHandler.isApiKeyCall(httpRequest) && !SecurityUtils.getSubject().isAuthenticated()) { if (!ApiKeyHandler.isApiKeyCall(httpRequest) && !SecurityUtils.getSubject().isAuthenticated()) {
// sso 带了token的 // sso 带了token的
String userId = ApiKeySessionHandler.validate(httpRequest); String userId = SSOSessionHandler.validate(httpRequest);
if (StringUtils.isNotBlank(userId)) { if (StringUtils.isNotBlank(userId)) {
SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random)); SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
} }
return true; return true;
} }
@ -32,7 +31,7 @@ public class ApiKeyFilter extends AnonymousFilter {
if (!SecurityUtils.getSubject().isAuthenticated()) { if (!SecurityUtils.getSubject().isAuthenticated()) {
String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request)); String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
if (StringUtils.isNotBlank(userId)) { if (StringUtils.isNotBlank(userId)) {
SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random)); SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
} }
} }
@ -45,6 +44,13 @@ public class ApiKeyFilter extends AnonymousFilter {
@Override @Override
protected void postHandle(ServletRequest request, ServletResponse response) throws Exception { protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest httpRequest = WebUtils.toHttp(request);
// sso 带了token的 退出
String userId = httpRequest.getHeader(SessionConstants.SSO_TOKEN);
if (StringUtils.isNotBlank(userId) && SecurityUtils.getSubject().isAuthenticated()) {
SecurityUtils.getSubject().logout();
}
// apikey 退出
if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request)) && SecurityUtils.getSubject().isAuthenticated()) { if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request)) && SecurityUtils.getSubject().isAuthenticated()) {
SecurityUtils.getSubject().logout(); SecurityUtils.getSubject().logout();
} }

View File

@ -9,7 +9,7 @@ import org.apache.commons.lang3.StringUtils;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.util.UUID; import java.util.UUID;
public class ApiKeySessionHandler { public class SSOSessionHandler {
public static String random = UUID.randomUUID() + UUID.randomUUID().toString(); public static String random = UUID.randomUUID() + UUID.randomUUID().toString();