1.加入资源验证过滤一个Module多个资源

王通
1 parent 617a41f8
Showing 12 changed files with 155 additions and 35 deletions
src/main/java/com/bsth/common/Constants.java
src/main/java/com/bsth/common/Setting.java
src/main/java/com/bsth/controller/realcontrol/AdminUtilsController.java
src/main/java/com/bsth/controller/sys/UserController.java
src/main/java/com/bsth/entity/sys/SysUser.java
src/main/java/com/bsth/filter/AuthorityFilter.java
src/main/java/com/bsth/filter/WhiteIpFilter.java
src/main/java/com/bsth/security/WebSecurityConfig.java
src/main/java/com/bsth/service/sys/impl/ModuleServiceImpl.java
src/main/resources/application-cloud.properties
src/main/resources/application-dev.properties
src/main/resources/application-test.properties
@@ -68,4 +68,6 @@ public class Constants {
 	public static final String SSO_TOKEN = "ssoToken";
  
 	public static final String SPECIAL_ROLES = "special.roles";
+
+	public static final String RESOURCE_AUTHORITYS = "resourceAuthoritys";
 }
@@ -6,14 +6,26 @@ import org.springframework.stereotype.Component;
 @Component
 public class Setting {
  
-    @Value("${enabled.whiteip}")
-    private boolean whiteipEnabled;
  
-    public boolean isWhiteipEnabled() {
+    private static boolean whiteipEnabled;
+
+    private static boolean authorityEnabled;
+
+    public static boolean isWhiteipEnabled() {
         return whiteipEnabled;
     }
  
+    @Value("${enabled.whiteip}")
     public void setWhiteipEnabled(boolean whiteipEnabled) {
-        this.whiteipEnabled = whiteipEnabled;
+        Setting.whiteipEnabled = whiteipEnabled;
+    }
+
+    public static boolean isAuthorityEnabled() {
+        return authorityEnabled;
+    }
+
+    @Value("${enabled.authority}")
+    public void setAuthorityEnabled(boolean authorityEnabled) {
+        Setting.authorityEnabled = authorityEnabled;
     }
 }
@@ -356,4 +356,17 @@ public class AdminUtilsController {
  
         return "error";
     }
+
+    @RequestMapping("/authoritySwitch")
+    public String authoritySwitch(boolean authorityEnabled) {
+        Map<String, Object> result = new HashMap<>();
+        try {
+            setting.setAuthorityEnabled(authorityEnabled);
+            return "success";
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return "error";
+    }
 }
 \ No newline at end of file
@@ -126,6 +126,7 @@ public class UserController extends BaseController&lt;SysUser, Integer&gt; {
             //session里写入用户名，webSocket连接时标识身份用
             session.setAttribute(Constants.SSO_TOKEN, token);
             session.setAttribute(Constants.SESSION_USERNAME, sysUser.getUserName());
+            session.setAttribute(Constants.RESOURCE_AUTHORITYS, sysUser.getLinks());
             //获取公司权限数据
             List<CompanyAuthority> cmyAuths = companyAuthorityService.findByUser(sysUser);
             session.setAttribute(Constants.COMPANY_AUTHORITYS, cmyAuths);
@@ -204,6 +205,7 @@ public class UserController extends BaseController&lt;SysUser, Integer&gt; {
             sysUserService.recordLoginDate(userName);
             //session里写入用户名，webSocket连接时标识身份用
             session.setAttribute(Constants.SESSION_USERNAME, user.getUserName());
+            session.setAttribute(Constants.RESOURCE_AUTHORITYS, user.getLinks());
  
             //获取公司权限数据
             List<CompanyAuthority> cmyAuths = companyAuthorityService.findByUser(user);
@@ -259,6 +261,7 @@ public class UserController extends BaseController&lt;SysUser, Integer&gt; {
             SecurityUtils.login(user, request);
             //session里写入用户名，webSocket连接时标识身份用
             session.setAttribute(Constants.SESSION_USERNAME, user.getUserName());
+            session.setAttribute(Constants.RESOURCE_AUTHORITYS, user.getLinks());
  
             //获取公司权限数据
             List<CompanyAuthority> cmyAuths = companyAuthorityService.findByUser(user);
@@ -2,10 +2,12 @@ package com.bsth.entity.sys;
  
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.springframework.util.StringUtils;
  
 import javax.persistence.*;
 import java.io.Serializable;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.Set;
  
@@ -144,4 +146,25 @@ public class SysUser implements Serializable {
 	public void setRealName(String realName) {
 		this.realName = realName;
 	}
+
+	public Set<String> getLinks() {
+		Set<String> links = new HashSet<>();
+		if (links.size() == 0) {
+			for (Role role : roles) {
+				for (Module module : role.getModules()) {
+					String symbol = module.getMappSymbol();
+					if (!StringUtils.isEmpty(symbol)) {
+						String[] symbols = symbol.split(";");
+						for (String temp : symbols) {
+							if (!StringUtils.isEmpty(temp)) {
+								links.add(temp);
+							}
+						}
+					}
+				}
+			}
+		}
+
+		return links;
+	}
 }
+package com.bsth.filter;
+
+import com.bsth.common.Constants;
+import com.bsth.common.ResponseCode;
+import com.bsth.common.Setting;
+import com.bsth.entity.sys.SysUser;
+import com.bsth.security.util.SecurityUtils;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * 权限过滤器
+ * @author Hill
+ */
+public class AuthorityFilter extends BaseFilter {
+
+	Logger logger = LoggerFactory.getLogger(this.getClass());
+
+	private ObjectMapper mapper = new ObjectMapper();
+
+	private final String rootUri = "/";
+
+	private final String scheduleReferer = "/real_control/v2";
+
+	private String[] pubUrls = new String[]{ "/sockjs/", "/pages/", "/error", "/dictionary/all", "/user/isWeakCipher", "/user/isRealName", "/user/currentUser", "/user/companyData", "/module/findByCurrentUser", "/eci/validate_get_destroy_info", "/business", "/personnel/all_py", "/companyAuthority/all", "/line/all", "/basic/refresh_person_data", "/downloadFile", "/report/lineList" };
+
+	@Override
+	public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+		if (!Setting.isAuthorityEnabled()) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		String uri = request.getRequestURI(), referer = request.getHeader("Referer");
+		Set<String> links = (Set<String>) request.getSession().getAttribute(Constants.RESOURCE_AUTHORITYS);
+		if (rootUri.equals(uri) || (referer != null && referer.indexOf(scheduleReferer) > 0) || isPubURL(uri)) {
+			chain.doFilter(request, response);
+			return;
+		}
+		if (links != null) {
+			boolean matched = false;
+			for (String link : links) {
+				if (uri.startsWith(link)) {
+					matched = true;
+					break;
+				}
+			}
+			if (!matched) {
+				Map<String, Object> result = new HashMap<>();
+				result.put("status", ResponseCode.ERROR);
+				result.put("msg", "未授权的访问");
+				response.setContentType("text/html;charset=utf-8");
+				response.getWriter().write(mapper.writeValueAsString(result));
+				return;
+			}
+		}
+
+		chain.doFilter(request, response);
+	}
+
+	protected boolean isPubURL(String url) {
+		for (String pubUrl : pubUrls) {
+			if (url.startsWith(pubUrl)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+}
 package com.bsth.filter;
  
-import com.alibaba.fastjson.JSON;
 import com.bsth.common.Setting;
 import com.bsth.data.BasicData;
 import com.bsth.entity.WhiteIp;
-import com.bsth.entity.sys.SysUser;
-import com.bsth.security.util.SecurityUtils;
 import com.bsth.util.IpUtils;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Component;
-import org.springframework.web.context.WebApplicationContext;
  
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Enumeration;
 import java.util.List;
-import java.util.Map;
  
 /**
  * IP白名单过滤器
@@ -32,18 +21,14 @@ public class WhiteIpFilter implements Filter {
  
 	Logger logger = LoggerFactory.getLogger(this.getClass());
  
-	private Setting setting;
-
-	public Setting getSetting() {
-		return setting;
-	}
-
-	public void setSetting(Setting setting) {
-		this.setting = setting;
-	}
-
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+		if (!Setting.isWhiteipEnabled()) {
+			chain.doFilter(request, response);
+			return;
+		}
+
 		HttpServletRequest req = (HttpServletRequest)request;
 		HttpServletResponse res = (HttpServletResponse)response;
  
@@ -58,12 +43,11 @@ public class WhiteIpFilter implements Filter {
 				}
 			}
 		}
-		if (isMatch || !setting.isWhiteipEnabled()) {
+		if (isMatch) {
 			chain.doFilter(request, response);
 		} else {
 			logger.info(ip + "未在白名单中，不予访问");
 			res.setStatus(404);
-			return;
 		}
 	}
 }
 package com.bsth.security;
  
+import com.bsth.common.Constants;
 import com.bsth.common.Setting;
+import com.bsth.filter.AuthorityFilter;
 import com.bsth.filter.WhiteIpFilter;
-import com.bsth.security.handler.CustomLogoutSuccessHandler;
+import com.bsth.security.filter.LoginInterceptor;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -21,9 +22,6 @@ import org.springframework.security.web.firewall.DefaultHttpFirewall;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
  
-import com.bsth.common.Constants;
-import com.bsth.security.filter.LoginInterceptor;
-
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@@ -78,9 +76,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                 .sessionRegistry(sessionRegistry());
  
         WhiteIpFilter whiteIpFilter = new WhiteIpFilter();
-        whiteIpFilter.setSetting(setting);
         http.addFilterBefore(whiteIpFilter, FilterSecurityInterceptor.class);
         http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
+        http.addFilterBefore(new AuthorityFilter(), FilterSecurityInterceptor.class);
         http.addFilter(filterSecurityInterceptor());
     }
  
@@ -74,7 +74,7 @@ public class ModuleServiceImpl extends BaseServiceImpl&lt;Module, Integer&gt; implemen
 		Map<Integer, Module> map = new HashMap<>();
 		for(Module m : all){
 			map.put(m.getId(), m);
-			if(m.getGroupType().equals("3"))
+			if(m.getGroupType().equals("3") && m.isEnable())
 				rs.add(m);
 		}
  
@@ -63,6 +63,7 @@ cp.ack.url= https://58.247.254.118:4003/prod-api/serverApi/instructionsIssue/con
 admin.mail= 3090342880@qq.com
 ## enabled
 enabled.whiteip= true
+enabled.authority= false
  
 sso.enabled= true
 sso.systemcode = SYS0023
@@ -64,7 +64,8 @@ cp.ack.url= http://114.80.178.12:8778/prod-api/serverApi/instructionsIssue/confi
 ## admin mail
 admin.mail= 3090342880@qq.com
 ## enabled
-enabled.whiteip= true
+enabled.whiteip= false
+enabled.authority= false
  
 sso.enabled= false
 sso.systemcode = SYS0019
@@ -63,6 +63,7 @@ cp.ack.url= http://114.80.178.12:8778/prod-api/serverApi/instructionsIssue/confi
 admin.mail= 3090342880@qq.com
 ## enabled
 enabled.whiteip= false
+enabled.authority= false
  
 sso.enabled= true
 sso.systemcode = SYS0023