refactor: 后台服务间调用区分sso token

framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/constants/SessionConstants.java

@@ -7,6 +7,7 @@ public class SessionConstants {
 
     public final static String HEADER_TOKEN = "X-AUTH-TOKEN";
     public final static String CSRF_TOKEN = "CSRF-TOKEN";
+    public final static String SSO_TOKEN = "SSO-TOKEN";
     public final static String CURRENT_PROJECT = "PROJECT";
     public final static String CURRENT_WORKSPACE = "WORKSPACE";
     public final static String ACCESS_KEY = "accessKey";

framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/HttpHeaderUtils.java

@@ -60,6 +60,7 @@ public class HttpHeaderUtils {
 
             headers.add(SessionConstants.HEADER_TOKEN, sessionUser.getSessionId());
             headers.add(SessionConstants.CSRF_TOKEN, sessionUser.getCsrfToken());
+            headers.add(SessionConstants.SSO_TOKEN, sessionUser.getId());
             headers.add(SessionConstants.CURRENT_PROJECT, sessionUser.getLastProjectId());
             headers.add(SessionConstants.CURRENT_WORKSPACE, sessionUser.getLastWorkspaceId());
         }

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java

@@ -1,7 +1,6 @@
 package io.metersphere.security;
 
 import io.metersphere.commons.constants.SessionConstants;
-import io.metersphere.commons.utils.LogUtil;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authc.UsernamePasswordToken;
@@ -21,9 +20,9 @@ public class ApiKeyFilter extends AnonymousFilter {
         // 不是apikey的通过
         if (!ApiKeyHandler.isApiKeyCall(httpRequest) && !SecurityUtils.getSubject().isAuthenticated()) {
             // sso 带了token的
-            String userId = ApiKeySessionHandler.validate(httpRequest);
+            String userId = SSOSessionHandler.validate(httpRequest);
             if (StringUtils.isNotBlank(userId)) {
-                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
+                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
             }
             return true;
         }
@@ -32,7 +31,7 @@ public class ApiKeyFilter extends AnonymousFilter {
         if (!SecurityUtils.getSubject().isAuthenticated()) {
             String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
             if (StringUtils.isNotBlank(userId)) {
-                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, ApiKeySessionHandler.random));
+                SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
             }
         }
 
@@ -45,6 +44,13 @@ public class ApiKeyFilter extends AnonymousFilter {
 
     @Override
     protected void postHandle(ServletRequest request, ServletResponse response) throws Exception {
+        HttpServletRequest httpRequest = WebUtils.toHttp(request);
+        // sso 带了token的 退出
+        String userId = httpRequest.getHeader(SessionConstants.SSO_TOKEN);
+        if (StringUtils.isNotBlank(userId) && SecurityUtils.getSubject().isAuthenticated()) {
+            SecurityUtils.getSubject().logout();
+        }
+        // apikey 退出
         if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request)) && SecurityUtils.getSubject().isAuthenticated()) {
             SecurityUtils.getSubject().logout();
         }

framework/sdk-parent/sdk/src/main/java/io/metersphere/security/SSOSessionHandler.java

@@ -9,7 +9,7 @@ import org.apache.commons.lang3.StringUtils;
 import javax.servlet.http.HttpServletRequest;
 import java.util.UUID;
 
-public class ApiKeySessionHandler {
+public class SSOSessionHandler {
 
     public static String random = UUID.randomUUID() + UUID.randomUUID().toString();