diff --git a/framework/sdk-parent/sdk/pom.xml b/framework/sdk-parent/sdk/pom.xml
index 3d0401513f..80d23a0a20 100644
--- a/framework/sdk-parent/sdk/pom.xml
+++ b/framework/sdk-parent/sdk/pom.xml
@@ -162,10 +162,31 @@
${quartz-starter.version}
+
+ org.apache.shiro
+ shiro-spring-boot-web-starter
+ ${shiro.version}
+ jakarta
+
+
+ org.apache.shiro
+ shiro-spring-boot-starter
+
+
+ org.apache.shiro
+ shiro-web
+
+
+ org.apache.shiro
+ shiro-spring
+
+
+
org.apache.shiro
shiro-spring-boot-starter
${shiro.version}
+ jakarta
org.apache.shiro
@@ -182,6 +203,18 @@
shiro-web
${shiro.version}
jakarta
+
+
+ shiro-core
+ org.apache.shiro
+
+
+
+
+ org.apache.shiro
+ shiro-core
+ ${shiro.version}
+ jakarta
org.apache.shiro
@@ -193,6 +226,10 @@
shiro-web
org.apache.shiro
+
+ shiro-core
+ org.apache.shiro
+
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java
index 8cc67756ed..63b169ac68 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/autoconfigure/ShiroConfig.java
@@ -51,14 +51,6 @@ public class ShiroConfig {
return shiroFilterFactoryBean;
}
- @Bean(name = "shiroFilter")
- public FilterRegistrationBean shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception {
- FilterRegistrationBean registration = new FilterRegistrationBean<>();
- registration.setFilter((Filter) Objects.requireNonNull(shiroFilterFactoryBean.getObject()));
- registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
- return registration;
- }
-
@Bean
public MemoryConstrainedCacheManager memoryConstrainedCacheManager() {
return new MemoryConstrainedCacheManager();
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java
index 67220da49a..c58d9d2903 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.java
@@ -5,5 +5,5 @@ import org.apache.ibatis.annotations.Param;
import java.util.List;
public interface ExtCheckOwnerMapper {
- boolean checkoutOwner(@Param("table") String resourceType, @Param("projectId") String projectId, @Param("ids") List ids);
+ boolean checkoutOwner(@Param("table") String resourceType, @Param("userId") String userId, @Param("ids") List ids);
}
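Review bot: `checkoutOwner` now takes `userId` where it used to take `projectId`, which changes what the ownership check means for every caller, yet the interface has no Javadoc describing the new contract. I would add a short Javadoc above the method saying that it reports whether the given user may access the given `ids` of that resource type; the exact rule should be confirmed against the mapper XML, whose content is not readable on this page. The `@Param("table")` name suggests `resourceType` is used as a table identifier in that XML. If so, the Javadoc should also say that the value must come only from code-defined constants and never from request data.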
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml
index e3f65a7ab6..cac10e8745 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/base/mapper/ext/ExtCheckOwnerMapper.xml
@@ -2,12 +2,15 @@
-
\ No newline at end of file
+
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java
index ceac0e9794..45d4df0fd5 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/handler/RestControllerExceptionHandler.java
@@ -3,9 +3,9 @@ package io.metersphere.controller.handler;
import io.metersphere.commons.exception.MSException;
import io.metersphere.commons.utils.LogUtil;
-import org.apache.shiro.ShiroException;
import org.apache.shiro.authz.UnauthorizedException;
+import org.apache.shiro.lang.ShiroException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java
index 6664fe802b..d1a01b83de 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/CheckOwnerAspect.java
@@ -7,8 +7,13 @@ import io.metersphere.commons.exception.MSException;
import io.metersphere.commons.utils.SessionUtils;
import io.metersphere.i18n.Translator;
import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.web.util.WebUtils;
import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.After;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
@@ -20,9 +25,10 @@ import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestAttributes;
+import org.springframework.web.context.request.RequestContextHolder;
import java.lang.reflect.Method;
-import java.util.Arrays;
import java.util.List;
@@ -43,6 +49,16 @@ public class CheckOwnerAspect {
@Before("pointcut()")
public void before(JoinPoint joinPoint) {
+ // apikey 过来的请求
+ RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+ if (requestAttributes != null) {
+ HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(RequestAttributes.REFERENCE_REQUEST);
+ if (ApiKeyHandler.isApiKeyCall(request) && !SecurityUtils.getSubject().isAuthenticated()) {
+ String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
+ SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
+ }
+ }
+
//从切面织入点处通过反射机制获取织入点处的方法
MethodSignature signature = (MethodSignature) joinPoint.getSignature();
//获取切入点所在的方法
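Review bot: In `before()`, the result of `ApiKeyHandler.getUser(...)` is passed straight into `login(new UsernamePasswordToken(userId, SSOSessionHandler.random))` with no check that it is non-blank. What happens for an invalid or disabled API key therefore depends entirely on code outside this hunk. I would reject the request explicitly before the login call, e.g. `if (StringUtils.isBlank(userId)) { MSException.throwException(Translator.get("check_owner_case")); }`. The login also presumably relies on the realm accepting `SSOSessionHandler.random` as a credential for any user id, so a comment at this call site should say so and state that the value must never be logged or exposed. The body of `before()` continues past the end of this hunk.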
@@ -59,6 +75,7 @@ public class CheckOwnerAspect {
return;
}
+
// 操作内容
//获取方法参数名
String[] params = discoverer.getParameterNames(method);
@@ -73,14 +90,27 @@ public class CheckOwnerAspect {
Expression titleExp = parser.parseExpression(resourceId);
Object v = titleExp.getValue(context, Object.class);
if (v instanceof String id) {
- if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), List.of(id))) {
+ if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getUserId(), List.of(id))) {
MSException.throwException(Translator.get("check_owner_case"));
}
}
if (v instanceof List ids) {
- if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), ids)) {
+ if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getUserId(), ids)) {
MSException.throwException(Translator.get("check_owner_case"));
}
}
}
+
+ @After("pointcut()")
+ public void after() {
+ // apikey 过来的请求
+ RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
+ if (requestAttributes != null) {
+ HttpServletRequest request = (HttpServletRequest) requestAttributes.resolveReference(RequestAttributes.REFERENCE_REQUEST);
+ // apikey 退出
+ if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request)) && SecurityUtils.getSubject().isAuthenticated()) {
+ SecurityUtils.getSubject().logout();
+ }
+ }
+ }
}
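Review bot: `after()` logs out any authenticated subject on an API-key request, including one that `before()` did not log in: `before()` skips the login when `isAuthenticated()` is already true, but `after()` tests only `isApiKeyCall(...) && isAuthenticated()`. A request that carries both API-key credentials and an existing session would therefore have that session ended. I would mark the login in `before()`, e.g. `request.setAttribute(API_KEY_LOGIN_ATTR, Boolean.TRUE);`, and call `logout()` in `after()` only when that attribute is present (`API_KEY_LOGIN_ATTR` is a placeholder name). Separately, the ownership checks at the top of this hunk (in a method that starts outside it) run only when `v` is a `String` or a `List`. A `resourceId` expression that evaluates to null or any other type passes with no check, so a final `else` that throws would make the aspect fail closed.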
diff --git a/pom.xml b/pom.xml
index e392ad2d52..f0ee528815 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
org.springframework.boot
spring-boot-starter-parent
- 3.2.4
+ 3.2.6
@@ -23,7 +23,7 @@
2023.0.0
2.7.22
1.6.0
- 1.13.0
+ 2.0.1
1.5.3
3.1.1
2.1.4