tongtong/youlai-boot
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(security): 增加匿名访问控制

Browse Source 
- 新增 AnonymousAccess 注解用于标记支持匿名访问的方法
- 添加 AnonymousGetMapping、AnonymousPostMapping 等注解用于具体 HTTP 方法
- 实现 AnonymousUtils 工具类以获取所有匿名访问 URL
- 修改 SecurityConfig 配置类,支持细粒度的匿名访问控制- 更新 LogAspect 切面,增加对匿名访问的处理
This commit is contained in:
谢东
2024-12-06 23:19:47 +08:00
parent 9c77b7c1ac
commit bb32fc1fe7
11 changed files with 528 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/main/java/com/youlai/boot/common/annotation/AnonymousAccess.java Normal file
View File

@@ -0,0 +1,11 @@
package com.youlai.boot.common.annotation;
import java.lang.annotation.*;
/// 标记匿名访问
@Inherited
@Documented
@Target({ElementType.METHOD, ElementType.ANNOTATION_TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface AnonymousAccess {
}

67
src/main/java/com/youlai/boot/common/annotation/methods/AnonymousDeleteMapping.java Normal file
View File

@@ -0,0 +1,67 @@
package com.youlai.boot.common.annotation.methods;
import com.youlai.boot.common.annotation.AnonymousAccess;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.*;
/**
* Annotation for mapping HTTP {@code DELETE} requests onto specific handler
* methods.
* <p>
* 支持匿名访问 DeleteMapping
*
* @see RequestMapping
*/
@AnonymousAccess
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@RequestMapping(method = RequestMethod.DELETE)
public @interface AnonymousDeleteMapping {
/**
* Alias for {@link RequestMapping#name}.
*/
@AliasFor(annotation = RequestMapping.class)
String name() default "";
/**
* Alias for {@link RequestMapping#value}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] value() default {};
/**
* Alias for {@link RequestMapping#path}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] path() default {};
/**
* Alias for {@link RequestMapping#params}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] params() default {};
/**
* Alias for {@link RequestMapping#headers}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] headers() default {};
/**
* Alias for {@link RequestMapping#consumes}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] consumes() default {};
/**
* Alias for {@link RequestMapping#produces}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] produces() default {};
}

67
src/main/java/com/youlai/boot/common/annotation/methods/AnonymousGetMapping.java Normal file
View File

@@ -0,0 +1,67 @@
package com.youlai.boot.common.annotation.methods;
import com.youlai.boot.common.annotation.AnonymousAccess;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.*;
/**
* Annotation for mapping HTTP {@code GET} requests onto specific handler
* methods.
* <p>
* 支持匿名访问 GetMapping
*
* @see RequestMapping
*/
@AnonymousAccess
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@RequestMapping(method = RequestMethod.GET)
public @interface AnonymousGetMapping {
/**
* Alias for {@link RequestMapping#name}.
*/
@AliasFor(annotation = RequestMapping.class)
String name() default "";
/**
* Alias for {@link RequestMapping#value}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] value() default {};
/**
* Alias for {@link RequestMapping#path}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] path() default {};
/**
* Alias for {@link RequestMapping#params}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] params() default {};
/**
* Alias for {@link RequestMapping#headers}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] headers() default {};
/**
* Alias for {@link RequestMapping#consumes}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] consumes() default {};
/**
* Alias for {@link RequestMapping#produces}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] produces() default {};
}

67
src/main/java/com/youlai/boot/common/annotation/methods/AnonymousPatchMapping.java Normal file
View File

@@ -0,0 +1,67 @@
package com.youlai.boot.common.annotation.methods;
import com.youlai.boot.common.annotation.AnonymousAccess;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.*;
/**
* Annotation for mapping HTTP {@code PATCH} requests onto specific handler
* methods.
* <p>
* 支持匿名访问 PatchMapping
*
* @see RequestMapping
*/
@AnonymousAccess
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@RequestMapping(method = RequestMethod.PATCH)
public @interface AnonymousPatchMapping {
/**
* Alias for {@link RequestMapping#name}.
*/
@AliasFor(annotation = RequestMapping.class)
String name() default "";
/**
* Alias for {@link RequestMapping#value}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] value() default {};
/**
* Alias for {@link RequestMapping#path}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] path() default {};
/**
* Alias for {@link RequestMapping#params}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] params() default {};
/**
* Alias for {@link RequestMapping#headers}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] headers() default {};
/**
* Alias for {@link RequestMapping#consumes}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] consumes() default {};
/**
* Alias for {@link RequestMapping#produces}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] produces() default {};
}

67
src/main/java/com/youlai/boot/common/annotation/methods/AnonymousPostMapping.java Normal file
View File

@@ -0,0 +1,67 @@
package com.youlai.boot.common.annotation.methods;
import com.youlai.boot.common.annotation.AnonymousAccess;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.*;
/**
* Annotation for mapping HTTP {@code POST} requests onto specific handler
* methods.
* <p>
* 支持匿名访问 PostMapping
*
* @see RequestMapping
*/
@AnonymousAccess
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@RequestMapping(method = RequestMethod.POST)
public @interface AnonymousPostMapping {
/**
* Alias for {@link RequestMapping#name}.
*/
@AliasFor(annotation = RequestMapping.class)
String name() default "";
/**
* Alias for {@link RequestMapping#value}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] value() default {};
/**
* Alias for {@link RequestMapping#path}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] path() default {};
/**
* Alias for {@link RequestMapping#params}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] params() default {};
/**
* Alias for {@link RequestMapping#headers}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] headers() default {};
/**
* Alias for {@link RequestMapping#consumes}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] consumes() default {};
/**
* Alias for {@link RequestMapping#produces}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] produces() default {};
}

67
src/main/java/com/youlai/boot/common/annotation/methods/AnonymousPutMapping.java Normal file
View File

@@ -0,0 +1,67 @@
package com.youlai.boot.common.annotation.methods;
import com.youlai.boot.common.annotation.AnonymousAccess;
import org.springframework.core.annotation.AliasFor;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import java.lang.annotation.*;
/**
* Annotation for mapping HTTP {@code PUT} requests onto specific handler
* methods.
* <p>
* 支持匿名访问 PutMapping
*
* @see RequestMapping
*/
@AnonymousAccess
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@RequestMapping(method = RequestMethod.PUT)
public @interface AnonymousPutMapping {
/**
* Alias for {@link RequestMapping#name}.
*/
@AliasFor(annotation = RequestMapping.class)
String name() default "";
/**
* Alias for {@link RequestMapping#value}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] value() default {};
/**
* Alias for {@link RequestMapping#path}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] path() default {};
/**
* Alias for {@link RequestMapping#params}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] params() default {};
/**
* Alias for {@link RequestMapping#headers}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] headers() default {};
/**
* Alias for {@link RequestMapping#consumes}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] consumes() default {};
/**
* Alias for {@link RequestMapping#produces}.
*/
@AliasFor(annotation = RequestMapping.class)
String[] produces() default {};
}

52
src/main/java/com/youlai/boot/common/enums/RequestMethodEnum.java Normal file
View File

@@ -0,0 +1,52 @@
package com.youlai.boot.common.enums;
import lombok.AllArgsConstructor;
import lombok.Getter;
@Getter
@AllArgsConstructor
public enum RequestMethodEnum {
/**
* 搜寻 @AnonymousGetMapping
*/
GET("GET"),
/**
* 搜寻 @AnonymousPostMapping
*/
POST("POST"),
/**
* 搜寻 @AnonymousPutMapping
*/
PUT("PUT"),
/**
* 搜寻 @AnonymousPatchMapping
*/
PATCH("PATCH"),
/**
* 搜寻 @AnonymousDeleteMapping
*/
DELETE("DELETE"),
/**
* 否则就是所有 Request 接口都放行
*/
ALL("All");
/**
* Request 类型
*/
private final String type;
public static RequestMethodEnum find(String type) {
for (RequestMethodEnum value : RequestMethodEnum.values()) {
if (value.getType().equals(type)) {
return value;
}
}
return ALL;
}
}

91
src/main/java/com/youlai/boot/common/util/AnonymousUtils.java Normal file
View File

@@ -0,0 +1,91 @@
package com.youlai.boot.common.util;
import com.youlai.boot.common.annotation.AnonymousAccess;
import com.youlai.boot.common.enums.RequestMethodEnum;
import org.springframework.context.ApplicationContext;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import java.util.*;
import java.util.stream.Collectors;
public class AnonymousUtils {
/**
* 获取所有匿名标记URL不区分请求方式
*/
public static Set<String> getAnonymousUrls(ApplicationContext applicationContext) {
return getAllAnonymousUrls(applicationContext).values().stream().flatMap(Collection::stream).collect(Collectors.toSet());
}
/**
* 获取所有被标记的匿名类集合
*
* @return /
*/
public static Map<String, Set<String>> getAllAnonymousUrls(ApplicationContext applicationContext) {
// 搜索匿名标记
RequestMappingHandlerMapping requestMappingHandlerMapping = (RequestMappingHandlerMapping) applicationContext.getBean("requestMappingHandlerMapping");
Map<RequestMappingInfo, HandlerMethod> handlerMethodMap = requestMappingHandlerMapping.getHandlerMethods();
// 获取所以被标记的匿名类集合
return getAnonymousUrl(handlerMethodMap);
}
/**
* 获取所有被标记的匿名类集合
*
* @param handlerMethodMap 请求映射信息集合
* @return /
*/
public static Map<String, Set<String>> getAnonymousUrl(Map<RequestMappingInfo, HandlerMethod> handlerMethodMap) {
Set<String> get = new HashSet<>();
Set<String> post = new HashSet<>();
Set<String> put = new HashSet<>();
Set<String> patch = new HashSet<>();
Set<String> delete = new HashSet<>();
Set<String> all = new HashSet<>();
handlerMethodMap.forEach((key, value) -> {
AnonymousAccess anonymousAccess = value.getMethodAnnotation(AnonymousAccess.class);
if (anonymousAccess != null) {
ArrayList<RequestMethod> requestMethods = new ArrayList<>(key.getMethodsCondition().getMethods());
RequestMethodEnum request = RequestMethodEnum.find(requestMethods.isEmpty() ? RequestMethodEnum.ALL.getType() : requestMethods.get(0).name());
switch (Objects.requireNonNull(request)) {
case GET:
get.addAll(key.getDirectPaths());
break;
case POST:
post.addAll(key.getDirectPaths());
break;
case PUT:
put.addAll(key.getDirectPaths());
break;
case PATCH:
patch.addAll(key.getDirectPaths());
break;
case DELETE:
delete.addAll(key.getDirectPaths());
break;
default:
all.addAll(key.getDirectPaths());
}
}
});
return Map.ofEntries(
entry(RequestMethodEnum.GET.getType(), get),
entry(RequestMethodEnum.POST.getType(), post),
entry(RequestMethodEnum.PUT.getType(), put),
entry(RequestMethodEnum.PATCH.getType(), patch),
entry(RequestMethodEnum.DELETE.getType(), delete),
entry(RequestMethodEnum.ALL.getType(), all)
);
}
public static Map.Entry<String, Set<String>> entry(String key, Collection<String> collection) {
return Map.entry(key, collection.stream().filter(it -> !it.isEmpty()).collect(Collectors.toUnmodifiableSet()));
}
}

30
src/main/java/com/youlai/boot/config/SecurityConfig.java
View File

@@ -3,7 +3,8 @@ package com.youlai.boot.config;
import cn.binarywang.wx.miniapp.api.WxMaService;
import cn.hutool.captcha.generator.CodeGenerator;
import cn.hutool.core.collection.CollectionUtil;
import com.youlai.boot.common.constant.SecurityConstants;
import com.youlai.boot.common.enums.RequestMethodEnum;
import com.youlai.boot.common.util.AnonymousUtils;
import com.youlai.boot.config.property.SecurityProperties;
import com.youlai.boot.core.filter.RateLimiterFilter;
import com.youlai.boot.core.security.exception.MyAccessDeniedHandler;
@@ -16,9 +17,11 @@ import com.youlai.boot.shared.auth.service.impl.JwtTokenService;
import com.youlai.boot.system.service.ConfigService;
import com.youlai.boot.system.service.UserService;
import lombok.RequiredArgsConstructor;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
@@ -33,6 +36,9 @@ import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.util.Map;
import java.util.Set;
/**
* Spring Security 安全配置
*
@@ -60,16 +66,30 @@ public class SecurityConfig {
private final MyAuthenticationEntryPoint authenticationEntryPoint; // 项目内安全类
private final MyAccessDeniedHandler accessDeniedHandler;
private final ApplicationContext applicationContext;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// 获取所有匿名访问路径
Map<String, Set<String>> anonymousUrls = AnonymousUtils.getAllAnonymousUrls(applicationContext);
http
.authorizeHttpRequests(requestMatcherRegistry ->
requestMatcherRegistry
.requestMatchers(
SecurityConstants.LOGIN_PATH,
SecurityConstants.WECHAT_LOGIN_PATH)
.permitAll()
// GET
.requestMatchers(HttpMethod.GET, anonymousUrls.get(RequestMethodEnum.GET.getType()).toArray(new String[0])).permitAll()
// POST
.requestMatchers(HttpMethod.POST, anonymousUrls.get(RequestMethodEnum.POST.getType()).toArray(new String[0])).permitAll()
// PUT
.requestMatchers(HttpMethod.PUT, anonymousUrls.get(RequestMethodEnum.PUT.getType()).toArray(new String[0])).permitAll()
// PATCH
.requestMatchers(HttpMethod.PATCH, anonymousUrls.get(RequestMethodEnum.PATCH.getType()).toArray(new String[0])).permitAll()
// DELETE
.requestMatchers(HttpMethod.DELETE, anonymousUrls.get(RequestMethodEnum.DELETE.getType()).toArray(new String[0])).permitAll()
// 所有类型的接口都放行
.requestMatchers(anonymousUrls.get(RequestMethodEnum.ALL.getType()).toArray(new String[0])).permitAll()
.anyRequest().authenticated()
)
.exceptionHandling(httpSecurityExceptionHandlingConfigurer ->

17
src/main/java/com/youlai/boot/core/aspect/LogAspect.java
View File

@@ -7,13 +7,12 @@ import cn.hutool.http.useragent.UserAgent;
import cn.hutool.http.useragent.UserAgentUtil;
import cn.hutool.json.JSONUtil;
import com.aliyun.oss.HttpMethod;
import com.youlai.boot.common.constant.SecurityConstants;
import com.youlai.boot.common.enums.LogModuleEnum;
import com.youlai.boot.common.util.AnonymousUtils;
import com.youlai.boot.common.util.IPUtils;
import com.youlai.boot.core.security.util.SecurityUtils;
import com.youlai.boot.system.model.entity.Log;
import com.youlai.boot.system.service.LogService;
import groovyjarjarpicocli.CommandLine;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.RequiredArgsConstructor;
@@ -23,6 +22,7 @@ import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.AfterThrowing;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
@@ -31,6 +31,7 @@ import org.springframework.web.servlet.HandlerMapping;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
/**
* 日志切面
@@ -43,9 +44,9 @@ import java.util.Map;
@RequiredArgsConstructor
@Slf4j
public class LogAspect {
private final LogService logService;
private final HttpServletRequest request;
private final ApplicationContext applicationContext;
@Pointcut("@annotation(com.youlai.boot.core.annotation.Log)")
public void logPointcut() {
@@ -70,7 +71,7 @@ public class LogAspect {
*/
@AfterThrowing(value = "logPointcut()", throwing = "e")
public void doAfterThrowing(JoinPoint joinPoint, Exception e) {
this.saveLog(joinPoint, e, null,null);
this.saveLog(joinPoint, e, null, null);
}
/**
@@ -80,8 +81,12 @@ public class LogAspect {
String requestURI = request.getRequestURI();
Long userId = null;
// 获取所有匿名标记
Set<String> anonymousUrls = AnonymousUtils.getAnonymousUrls(applicationContext);
// 非登录请求获取用户ID登录请求在登录成功后(joinPoint.proceed())获取用户ID
if (!SecurityConstants.LOGIN_PATH.equals(requestURI)) {
if (!anonymousUrls.contains(requestURI)) {
userId = SecurityUtils.getUserId();
}
@@ -96,7 +101,7 @@ public class LogAspect {
log.setContent("系统发生异常");
this.setRequestParameters(joinPoint, log);
log.setResponseContent(JSONUtil.toJsonStr(e.getStackTrace()));
}else{
} else {
log.setModule(logAnnotation.module());
log.setContent(logAnnotation.value());
// 请求参数

5
src/main/java/com/youlai/boot/shared/auth/controller/AuthController.java
View File

@@ -1,5 +1,6 @@
package com.youlai.boot.shared.auth.controller;
import com.youlai.boot.common.annotation.methods.AnonymousPostMapping;
import com.youlai.boot.common.enums.LogModuleEnum;
import com.youlai.boot.common.result.Result;
import com.youlai.boot.shared.auth.model.RefreshTokenRequest;
@@ -30,7 +31,7 @@ public class AuthController {
private final AuthService authService;
@Operation(summary = "登录")
@PostMapping("/login")
@AnonymousPostMapping("/login")
@Log(value = "登录", module = LogModuleEnum.LOGIN)
public Result<AuthTokenResponse> login(
@Parameter(description = "用户名", example = "admin") @RequestParam String username,
@@ -63,7 +64,7 @@ public class AuthController {
}
@Operation(summary = "微信登录")
@PostMapping("/wechat-login")
@AnonymousPostMapping("/wechat-login")
@Log(value = "微信登录", module = LogModuleEnum.LOGIN)
public Result<AuthTokenResponse> wechatLogin(
@Parameter(description = "微信授权码", example = "code") @RequestParam String code