first commit

2023-05-28 16:33:27 +08:00
parent b01b6df882
commit d35ea18db8
22 changed files with 465 additions and 266 deletions


@ -3,12 +3,13 @@ package com.qiaoba.auth.config;
import cn.hutool.core.util.RandomUtil;
import cn.hutool.crypto.SecureUtil;
import com.qiaoba.auth.constants.SecurityConstant;
import com.qiaoba.auth.filters.JwtAuthenticationTokenFilter;
import com.qiaoba.auth.filters.AuthenticationCoreFilter;
import com.qiaoba.auth.handler.AccessDeniedHandler;
import com.qiaoba.auth.handler.LogoutHandler;
import com.qiaoba.auth.properties.AuthConfigProperties;
import com.qiaoba.auth.utils.TokenUtil;
import com.qiaoba.common.base.constants.BaseConstant;
import com.qiaoba.common.base.constants.ConfigConstant;
import com.qiaoba.common.redis.service.RedisService;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
@ -42,7 +43,7 @@ public class SpringSecurityConfig {
private final AuthConfigProperties authConfigProperties;
private final AccessDeniedHandler accessDeniedHandler;
private final JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
private final AuthenticationCoreFilter authenticationCoreFilter;
private final RedisService redisService;
private final LogoutHandler logoutHandler;
@ -52,8 +53,8 @@ public class SpringSecurityConfig {
@PostConstruct
public void init() {
if (redisService.hasKey(SecurityConstant.TOKEN_EXPIRE_TIME_KEY)) {
TokenUtil.expireTime = Integer.parseInt(redisService.get(SecurityConstant.TOKEN_EXPIRE_TIME_KEY).toString());
if (redisService.hasKey(ConfigConstant.TOKEN_EXPIRE_TIME_KEY)) {
TokenUtil.expireTime = Integer.parseInt(redisService.get(ConfigConstant.TOKEN_EXPIRE_TIME_KEY).toString());
}
if (redisService.hasKey(SecurityConstant.REDIS_SECRET_KEY)) {
@ -95,10 +96,10 @@ public class SpringSecurityConfig {
// 禁用缓存
httpSecurity.headers().cacheControl();
// 退出处理
httpSecurity.logout().logoutUrl(SecurityConstant.LOGOUT_URL).logoutSuccessHandler(logoutHandler);
httpSecurity.logout().logoutUrl(SecurityConstant.LOGOUT_URI).logoutSuccessHandler(logoutHandler);
// 添加JWT filter
httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
httpSecurity.addFilterBefore(jwtAuthenticationTokenFilter, LogoutFilter.class);
httpSecurity.addFilterBefore(authenticationCoreFilter, UsernamePasswordAuthenticationFilter.class);
httpSecurity.addFilterBefore(authenticationCoreFilter, LogoutFilter.class);
return httpSecurity.build();
}
}
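Review bot: The `init()` hunk parses the Redis-held expiry with `Integer.parseInt(redisService.get(ConfigConstant.TOKEN_EXPIRE_TIME_KEY).toString())` and no guard, so a non-numeric or blank value stored under that key aborts application startup instead of falling back to the default `72` that `TokenUtil.expireTime` already carries. Wrapping that one assignment in a `try { ... } catch (NumberFormatException e) { log.warn("invalid token expire time in config cache, keeping default", e); }` keeps the default and makes the bad value visible (the class imports `@Slf4j`, so `log` is presumably available). The `REDIS_SECRET_KEY` branch that follows continues outside the hunk, and `TokenUtil.expireTime` is a public static written here, so any other writer of that field should follow the same validation.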


@ -21,34 +21,23 @@ public class SecurityConstant {
public static final int HTTP_SQUEEZED_OFFLINE = 4011;
public static final int MAX_ERROR_COUNT = 5;
public static final String LOGOUT_URL = "/logout";
public static final String LOGOUT_URI = "/logout";
public static final String HAS_BEEN_PULLED_BLACK = "您的IP已经被系统拉黑";
public static final String ACCESS_DENIED = "暂无权限访问, 请重新登录";
public static final String BLACKLIST_KEY = "login:blacklist";
public static final String LOGIN_ERROR_COUNT = "login:errorCount:";
public static final String BLACKLIST_ON = "true";
public static final String BLACKLIST_ON_OFF_KEY = ConfigConstant.SYS_CONFIG_KEY_PREFIX + "sys.account.blacklistOnOff";
public static final String CAPTCHA_KEY = "login:captcha:";
public static final String CAPTCHA_ON_OFF_KEY = ConfigConstant.SYS_CONFIG_KEY_PREFIX + "sys.account.captchaOnOff";
public static final String CAPTCHA_ON = "true";
public static final String REGISTER_ON_OFF_KEY = ConfigConstant.SYS_CONFIG_KEY_PREFIX + "sys.account.registerUser";
public static final String REGISTER_ON = "true";
public static final String REDIS_SECRET_KEY = "sys:secret:secret";
public static final String USER_DETAILS_REDIS_KEY = "user_details:";
public static final String ONLINE_USER_REDIS_KEY = "online_user:";
public static final String LOGGED_USER_REDIS_KEY = "logged_user:";
public static final String TOKEN_EXPIRE_TIME_KEY = ConfigConstant.SYS_CONFIG_KEY_PREFIX + "sys.token.expireTime";
/**
* 登录成功
*/
public static final String LOGIN_SUCCESS = "登录成功";
/**
* 登录失败
*/
public static final String LOGIN_FAIL = "登录失败";
/**
* 密码错误
*/
@ -65,33 +54,4 @@ public class SecurityConstant {
public static final String TOKEN_HEAD = "Bearer ";
/**
* Xss过滤白名单
*/
public final static List<String> XSS_WHITELIST = Arrays.asList(
"/captchaImage",
"/login",
"/workflow/process/start",
"/workflow/model/save"
);
/**
* 需要限流的接口
*/
public final static List<String> LIMIT_URI = Arrays.asList(
"/captchaImage",
"/login",
"/register"
);
/**
* 限流的RedisKey
*/
public final static String RATE_LIMIT_KEY = "rateLimit:";
/**
* 同IP每秒最大允许访问次数
*/
public final static Integer MAX_RATE_LIMIT_TOTAL = 5;
}


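--- /dev/null
+++ b/[module-root-not-shown]/com/qiaoba/auth/entity/dto/OnlineUserDto.java
@@ -0,0 +1,33 @@
+package com.qiaoba.auth.entity.dto;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import java.io.Serializable;
+/**
+* 在线用户
+*
+* @author ailanyin
+* @version 1.0
+* @since 2023/5/22 17:08
+*/
+@Data
+@AllArgsConstructor
+@NoArgsConstructor
+public class OnlineUserDto implements Serializable {
+private static final long serialVersionUID = 1L;
+/**
+* 登录账号
+*/
+private String username;
+/**
+* 设备号 暂用UUID
+*/
+private String deviceSn;
+}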
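Review bot: The Javadoc on `deviceSn` only says it is a UUID for now; because `TokenUtil.getUsernameAndDeviceSn` rebuilds this object from the bearer token and the username half is public, the device half is the only part of the credential a caller cannot know in advance, and the field comment should say so. Suggested wording: `Device identifier; currently a random UUID. Forms the non-public part of the bearer token, so it must come from a cryptographically secure generator and never be derived from the username.` How the value is generated at login is not visible in this commit, so the source of the UUID is worth confirming.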


@ -2,6 +2,8 @@ package com.qiaoba.auth.entity.dto;
import lombok.Data;
import java.io.Serializable;
/**
* 角色
*
@ -10,7 +12,9 @@ import lombok.Data;
* @since 2023/5/22 17:08
*/
@Data
public class RoleDto {
public class RoleDto implements Serializable {
private static final long serialVersionUID = 1L;
private String roleId;
private String roleKey;


@ -1,8 +1,8 @@
package com.qiaoba.auth.filters;
import cn.hutool.core.util.StrUtil;
import com.qiaoba.api.auth.service.AuthConfigApiService;
import com.qiaoba.auth.constants.SecurityConstant;
import com.qiaoba.auth.entity.OnlineUser;
import com.qiaoba.auth.entity.dto.OnlineUserDto;
import com.qiaoba.auth.properties.AuthConfigProperties;
import com.qiaoba.auth.service.OnlineUserService;
import com.qiaoba.auth.utils.TokenUtil;
@ -24,20 +24,20 @@ import java.io.IOException;
import java.util.Objects;
/**
* JwtAuthenticationTokenFilter
* 为了保证 SecurityContext 上下文中 userInfo 是最新的
* 鉴权核心过滤器
*
* @author ailanyin
* @version 1.0
* @since 2021/10/21 0021 下午 14:13
* @since 2023-05-28 15:31:55
*/
@RequiredArgsConstructor
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
public class AuthenticationCoreFilter extends OncePerRequestFilter {
private final RedisService redisService;
private final UserDetailsService userDetailsService;
private final OnlineUserService onlineUserService;
private final AuthConfigProperties authConfigProperties;
private final AuthConfigApiService authConfigApiService;
@Override
protected void doFilterInternal(HttpServletRequest request,
@ -49,18 +49,21 @@ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
return;
}
// 取Header中的Token
String authHeader = request.getHeader(SecurityConstant.TOKEN_HEADER);
if (StrUtil.isNotBlank(authHeader) && authHeader.startsWith(SecurityConstant.TOKEN_HEAD)) {
String authToken = authHeader.substring(SecurityConstant.TOKEN_HEAD.length());
String username = authToken.split(":")[0];
String deviceSn = authToken.split(":")[1];
String authToken = TokenUtil.getToken(request, false);
if (!"/logout".equals(request.getRequestURI())) {
OnlineUserDto onlineUserDto = TokenUtil.getUsernameAndDeviceSn(authToken);
String username = onlineUserDto.getUsername();
String deviceSn = onlineUserDto.getDeviceSn();
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
// 不是退出请求
if (!SecurityConstant.LOGOUT_URI.equals(request.getRequestURI())) {
// 不允许同时在线
if (!authConfigApiService.checkAllowBothOnline()) {
if (redisService.hasKey(SecurityConstant.LOGGED_USER_REDIS_KEY + username)) {
if (!onlineUserService.checkIsLastLogged(username, deviceSn)) {
onlineUserService.deleteOne(username, deviceSn, true);
ResponseUtil.errorAuth(response, 4012, "被挤下线");
onlineUserService.deleteOne(username, deviceSn);
return;
}
} else {
@ -68,15 +71,22 @@ public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
return;
}
}
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
// 允许同时在线
else {
if (Objects.isNull(userDetails)) {
ResponseUtil.errorAuth(response, 4011, "登陆过期");
return;
}
}
}
// 更新 SecurityContextHolder Authentication, 为了保证 SecurityContext 上下文中 userDetails 是最新的
if (Objects.isNull(SecurityContextHolder.getContext().getAuthentication())) {
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
chain.doFilter(request, response);
}
}
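Review bot: On the allow-both-online path (the `else` branch in the last hunk) the only check before the principal is trusted is `Objects.isNull(userDetails)`; the `deviceSn` parsed from the token is never compared with anything on that path, so the device half of a `username:deviceSn` token has no bearing on whether the request is authenticated there. Since `TokenUtil.getUsernameAndDeviceSn` now only splits the string with no signature check, this filter is the only place the session is verified, and the branch should also require the online-user record for that username/device to exist (the key shape is `ONLINE_USER_REDIS_KEY + username + ":" + deviceSn`, per `OnlineUserServiceImpl.handleKey`) and answer 4011 otherwise, e.g. `if (Objects.isNull(userDetails) || !redisService.hasKey(SecurityConstant.ONLINE_USER_REDIS_KEY + username + ":" + deviceSn)) {`. The same `userDetails` reaches `userDetails.getAuthorities()` on the logout path and on the not-allow-both path without any null check, so a user missing from the details store ends in a NullPointerException there instead of a clean 4011. `doFilterInternal` starts before the visible hunk, so the early-return whitelist above it is not reviewed here.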


@ -2,7 +2,6 @@ package com.qiaoba.auth.handler;
import com.qiaoba.auth.entity.LoginUser;
import com.qiaoba.auth.service.OnlineUserService;
import com.qiaoba.common.redis.service.RedisService;
import lombok.RequiredArgsConstructor;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@ -24,13 +23,12 @@ import java.io.IOException;
@RequiredArgsConstructor
public class LogoutHandler implements LogoutSuccessHandler {
private final RedisService redisService;
private final OnlineUserService onlineUserService;
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
// 删除缓存中的用户信息
LoginUser user = (LoginUser) authentication.getPrincipal();
onlineUserService.deleteOne(user.getUsername(), user.getDeviceSn());
onlineUserService.deleteOne(user.getUsername(), user.getDeviceSn(), true);
}
}
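Review bot: The cast `(LoginUser) authentication.getPrincipal()` on the line above the changed `deleteOne` call assumes a non-null `authentication` holding a `LoginUser`; a logout request that reaches this handler without an authenticated principal fails with a NullPointerException or ClassCastException rather than a clean no-op. A guard such as `if (authentication == null || !(authentication.getPrincipal() instanceof LoginUser)) { return; }` before the cast keeps logout idempotent. Whether `AuthenticationCoreFilter` already guarantees a principal here depends on its early-return whitelist, which starts outside the visible hunks.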


@ -25,8 +25,9 @@ public interface OnlineUserService {
*
* @param username 登录账号
* @param deviceSn 设备号
* @param deleteOwn 是否是删除自己
*/
void deleteOne(String username, String deviceSn);
void deleteOne(String username, String deviceSn, Boolean deleteOwn);
/**
* 删除(强退)
@ -60,4 +61,5 @@ public interface OnlineUserService {
* @return 结果
*/
Boolean checkIsLastLogged(String username, String deviceSn);
}
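Review bot: The new `deleteOwn` parameter is declared as boxed `Boolean`, while the implementation evaluates `!deleteOwn`, so a caller passing `null` fails with a NullPointerException at the unboxing; a primitive makes the contract explicit at compile time: `void deleteOne(String username, String deviceSn, boolean deleteOwn);`. The `@param deleteOwn` Javadoc should also state the consequence of `false`, namely that the call is rejected with a `ServiceException` when the target device is the caller's own session, so callers can decide which value they mean.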


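--- /dev/null
+++ b/[module-root-not-shown]/com/qiaoba/auth/service/impl/AuthConfigServiceImpl.java
@@ -0,0 +1,60 @@
+package com.qiaoba.auth.service.impl;
+import cn.hutool.core.util.StrUtil;
+import com.qiaoba.api.auth.service.AuthConfigApiService;
+import com.qiaoba.auth.constants.SecurityConstant;
+import com.qiaoba.common.base.constants.ConfigConstant;
+import com.qiaoba.common.base.exceptions.ServiceException;
+import com.qiaoba.common.redis.service.RedisService;
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+/**
+* 安全配置 服务层实现
+*
+* @author ailanyin
+* @version 1.0
+* @since 2023-05-28 15:09:34
+*/
+@Service
+@RequiredArgsConstructor
+public class AuthConfigServiceImpl implements AuthConfigApiService {
+private final RedisService redisService;
+@Override
+public Boolean checkAllowBothOnline() {
+return ConfigConstant.COMMON_ON_VALUE.equals(redisService.get(ConfigConstant.ALLOW_BOTH_ONLINE_KEY));
+}
+@Override
+public Boolean getCaptchaConfig() {
+return ConfigConstant.COMMON_ON_VALUE.equals(redisService.get(ConfigConstant.CAPTCHA_ON_OFF_KEY));
+}
+@Override
+public Boolean getRegisterConfig() {
+return ConfigConstant.COMMON_ON_VALUE.equals(redisService.get(ConfigConstant.REGISTER_ON_OFF_KEY));
+}
+@Override
+public void validateCaptcha(String code, String uuid) {
+if (getCaptchaConfig()) {
+if (StrUtil.isBlank(code) || StrUtil.isBlank(uuid)) {
+throw new ServiceException("验证码或uuid获取失败");
+}
+try {
+if (!redisService.hasKey(SecurityConstant.CAPTCHA_KEY + uuid)) {
+throw new ServiceException("验证码已经过期失效!");
+} else {
+if (!code.equalsIgnoreCase(redisService.get(SecurityConstant.CAPTCHA_KEY + uuid).toString())) {
+throw new ServiceException("验证码输入错误!");
+}
+}
+} finally {
+redisService.del(SecurityConstant.CAPTCHA_KEY + uuid);
+}
+}
+}
+}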
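Review bot: `getCaptchaConfig()` returns `false` whenever `ConfigConstant.CAPTCHA_ON_OFF_KEY` is absent from Redis (or holds anything other than `COMMON_ON_VALUE`), which makes `validateCaptcha` skip verification entirely if the config cache was never populated or was evicted — the toggle fails open, unlike `getRegisterConfig()` where an absent key fails closed. Consider treating a missing key as "on" for the captcha, e.g. `Object v = redisService.get(ConfigConstant.CAPTCHA_ON_OFF_KEY); return v == null || ConfigConstant.COMMON_ON_VALUE.equals(v);`, and logging when any toggle is read from an absent key so a missing cache is noticed; if the front end reads the same toggle to decide whether to show a captcha, the two stay consistent. In `validateCaptcha`, deleting the key in `finally` makes every captcha single-use whether the check passed or failed, which is worth stating in a method Javadoc since callers may otherwise retry with the same `uuid`.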


@ -4,13 +4,16 @@ import cn.hutool.core.util.StrUtil;
import com.qiaoba.api.auth.service.SysUserDetailsApiService;
import com.qiaoba.auth.constants.SecurityConstant;
import com.qiaoba.auth.entity.OnlineUser;
import com.qiaoba.auth.entity.dto.OnlineUserDto;
import com.qiaoba.auth.service.OnlineUserService;
import com.qiaoba.auth.utils.TokenUtil;
import com.qiaoba.common.base.constants.BaseConstant;
import com.qiaoba.common.base.exceptions.ServiceException;
import com.qiaoba.common.redis.service.RedisService;
import lombok.RequiredArgsConstructor;
import org.springframework.stereotype.Service;
import javax.servlet.http.HttpServletRequest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
@ -28,16 +31,21 @@ public class OnlineUserServiceImpl implements OnlineUserService {
private final RedisService redisService;
private final SysUserDetailsApiService sysUserDetailsApiService;
private final HttpServletRequest request;
@Override
public void insert(OnlineUser onlineUser) {
// key: username:deviceSn
// value: onlineUser
redisService.set(handleKey(onlineUser.getUsername(), onlineUser.getDeviceSn()), onlineUser, TokenUtil.expireTime * 3600);
}
@Override
public void deleteOne(String username, String deviceSn) {
public void deleteOne(String username, String deviceSn, Boolean deleteOwn) {
if (!deleteOwn && isOwn(deviceSn)) {
throw new ServiceException("禁止踢出自己!");
}
if (deviceSn.equals(redisService.get(SecurityConstant.LOGGED_USER_REDIS_KEY + username))) {
redisService.del(SecurityConstant.LOGGED_USER_REDIS_KEY + username);
}
@ -69,8 +77,7 @@ public class OnlineUserServiceImpl implements OnlineUserService {
List<OnlineUser> users = new ArrayList<>();
Collection<String> keys = redisService.getKeys(key);
for (String temp : keys) {
temp = temp.replace("tenant_1:", "");
users.add(redisService.getObject(temp, OnlineUser.class));
users.add(redisService.getObject(redisService.removeTenantPrefix(temp), OnlineUser.class));
}
return users;
}
@ -84,4 +91,10 @@ public class OnlineUserServiceImpl implements OnlineUserService {
private String handleKey(String key, String deviceSn) {
return SecurityConstant.ONLINE_USER_REDIS_KEY + key + BaseConstant.COLON_JOIN_STR + deviceSn;
}
private Boolean isOwn(String deviceSn) {
String token = TokenUtil.getToken(request, false);
OnlineUserDto dto = TokenUtil.getUsernameAndDeviceSn(token);
return deviceSn.equals(dto.getDeviceSn());
}
}
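Review bot: `isOwn` decides "this is the caller's own session" by comparing only the device half of the caller's token, ignoring the username, and it calls `TokenUtil.getToken(request, false)`, which throws `ServiceException("Token不存在")` when no `Authorization` header is present; a caller of `deleteOne(..., false)` outside a request (a scheduled cleanup, for instance) would therefore fail before reaching the delete. Pass the target username in and tolerate a missing token: `String token = TokenUtil.getToken(request, true); if (token == null) { return false; }` followed by `return username.equals(dto.getUsername()) && deviceSn.equals(dto.getDeviceSn());`. The `deleteOne` body continues past the hunk, and since `deleteOwn` is unboxed in `!deleteOwn`, a `null` argument raises a NullPointerException on that first line.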


@ -1,12 +1,12 @@
package com.qiaoba.auth.utils;
import cn.hutool.core.date.DateField;
import cn.hutool.core.date.DateTime;
import cn.hutool.jwt.JWTPayload;
import cn.hutool.jwt.JWTUtil;
import cn.hutool.core.util.StrUtil;
import com.qiaoba.auth.constants.SecurityConstant;
import com.qiaoba.auth.entity.dto.OnlineUserDto;
import com.qiaoba.common.base.constants.BaseConstant;
import com.qiaoba.common.base.exceptions.ServiceException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
/**
* TokenUtil
@ -23,47 +23,32 @@ public class TokenUtil {
*/
public static String secret;
public static Integer expireTime = 72;
private static final String TOKEN_TEMPLATE = "{}:{}";
public static String generateToken(String username) {
DateTime now = DateTime.now();
DateTime newTime = now.offsetNew(DateField.HOUR, expireTime);
Map<String, Object> payload = new HashMap<String, Object>(4);
//签发时间
payload.put(JWTPayload.ISSUED_AT, now);
//过期时间
payload.put(JWTPayload.EXPIRES_AT, newTime);
//生效时间
payload.put(JWTPayload.NOT_BEFORE, now);
//载荷
payload.put(JWTPayload.SUBJECT, username);
return JWTUtil.createToken(payload, secret.getBytes());
public static String generateToken(String username, String deviceSn) {
return StrUtil.format(TOKEN_TEMPLATE, username, deviceSn);
}
public static String getUserNameFromToken(String token) {
try {
return JWTUtil.parseToken(token).getPayload(JWTPayload.SUBJECT).toString();
} catch (Exception e) {
public static String getToken(HttpServletRequest request, boolean allowNull) {
// 取Header中的Token
String authHeader = request.getHeader(SecurityConstant.TOKEN_HEADER);
if (StrUtil.isNotBlank(authHeader) && authHeader.startsWith(SecurityConstant.TOKEN_HEAD)) {
return authHeader.substring(SecurityConstant.TOKEN_HEAD.length());
}
if (allowNull) {
return null;
}
throw new ServiceException("Token不存在");
}
/**
* 验证Token是否有效
*
* @param token token
* @return 是/否
*/
public static boolean validateToken(String token) {
public static OnlineUserDto getUsernameAndDeviceSn(String token) {
try {
if (!JWTUtil.verify(token, secret.getBytes())) {
return false;
}
long expireTime = Long.parseLong(JWTUtil.parseToken(token).getPayload(JWTPayload.EXPIRES_AT).toString() + "000");
return new DateTime(expireTime).after(DateTime.now());
String[] split = token.split(BaseConstant.COLON_JOIN_STR);
return new OnlineUserDto(split[0], split[1]);
} catch (Exception e) {
return false;
throw new ServiceException("Token解析失败");
}
}
}
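Review bot: `generateToken` now emits the bare `username:deviceSn` pair and `getUsernameAndDeviceSn` only splits it, so the token carries no integrity protection: the `JWTUtil.verify(token, secret.getBytes())` step that previously bound the token to the server-side `secret` is gone, and `secret` (still declared above) is no longer consulted by any visible code. The credential's authenticity now rests entirely on `deviceSn` being unguessable and on every consumer cross-checking it against the online-user store, which `TokenUtil` cannot guarantee on its own; either restore a MAC over the pair using `secret` and verify it in `getUsernameAndDeviceSn`, or state this contract in the class Javadoc so that filter code validates the device against Redis on every path. Independently, `token.split(BaseConstant.COLON_JOIN_STR)` shifts the device part if a username ever contains `:`; since the device part is a UUID, splitting at `token.lastIndexOf(BaseConstant.COLON_JOIN_STR)` is the robust boundary. The catch-all `catch (Exception e)` also discards the cause when it throws `ServiceException("Token解析失败")`; passing `e` through (if the exception type supports a cause) keeps the parse failure diagnosable.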


@ -2,8 +2,9 @@ org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
com.qiaoba.auth.properties.AuthConfigProperties,\
com.qiaoba.auth.handler.AccessDeniedHandler,\
com.qiaoba.auth.handler.LogoutHandler,\
com.qiaoba.auth.filters.JwtAuthenticationTokenFilter,\
com.qiaoba.auth.filters.AuthenticationCoreFilter,\
com.qiaoba.auth.advice.SecurityExceptionAdvice,\
com.qiaoba.auth.aspectj.DataScopeAspect,\
com.qiaoba.auth.service.impl.OnlineUserServiceImpl,\
com.qiaoba.auth.service.impl.AuthConfigServiceImpl,\
com.qiaoba.auth.config.SpringSecurityConfig