网关增加权限验证

beiyoufx · Oct 29, 2018 · 30f3c37 · 30f3c37
1 parent 0de3182
commit 30f3c37
Show file tree

Hide file tree

Showing 9 changed files with 137 additions and 124 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -1,14 +1,18 @@
-# EditorConfig: http://editorconfig.org/
-
-root = true
-
-[*]
-indent_style = space
-indent_size = 4
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-[*.md]
-trim_trailing_whitespace = false
+# EditorConfig: http://editorconfig.org/
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.yml]
+indent_style = space
+indent_size = 2
diff --git a/soraka-gateway/pom.xml b/soraka-gateway/pom.xml
@@ -41,7 +41,10 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-oauth2</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-feign</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

diff --git a/soraka-gateway/src/main/java/com/soraka/gateway/SorakaGatewayApplication.java b/soraka-gateway/src/main/java/com/soraka/gateway/SorakaGatewayApplication.java
@@ -3,6 +3,7 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.cloud.netflix.eureka.EnableEurekaClient;
+import org.springframework.cloud.netflix.feign.EnableFeignClients;
 import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
 
 /**
@@ -14,6 +15,7 @@
  */
 @EnableZuulProxy
 @EnableEurekaClient
+@EnableFeignClients
 @SpringBootApplication
 public class SorakaGatewayApplication {
 

diff --git a/soraka-gateway/src/main/java/com/soraka/gateway/config/SorakaResourceConfigurerAdapter.java b/soraka-gateway/src/main/java/com/soraka/gateway/config/SorakaResourceConfigurerAdapter.java
@@ -33,7 +33,7 @@ public void configure(HttpSecurity http) throws Exception {
         http.headers().frameOptions().disable();
         http
             .authorizeRequests()
-            .antMatchers("/auth/oauth/token/**").permitAll()
+            .antMatchers("/auth/**").permitAll()
             .anyRequest()
             .access("@permissionService.hasPermission(request, authentication)");
     }
@@ -57,16 +57,4 @@ public OAuth2WebSecurityExpressionHandler oAuth2WebSecurityExpressionHandler(App
         expressionHandler.setApplicationContext(applicationContext);
         return expressionHandler;
     }
-
-    @Bean
-    public TokenStore jwtTokenStore() {
-        return new JwtTokenStore(jwtAccessTokenConverter());
-    }
-
-    @Bean
-    public JwtAccessTokenConverter jwtAccessTokenConverter() {
-        JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
-        jwtAccessTokenConverter.setSigningKey(Constants.JWT_SIGN_KEY);
-        return jwtAccessTokenConverter;
-    }
 }
diff --git a/soraka-gateway/src/main/java/com/soraka/gateway/service/feign/MenuService.java b/soraka-gateway/src/main/java/com/soraka/gateway/service/feign/MenuService.java
@@ -0,0 +1,26 @@
+package com.soraka.gateway.service.feign;
+
+import com.soraka.common.model.domain.MenuDO;
+import com.soraka.gateway.service.feign.fallback.MenuServiceFallbackImpl;
+import org.springframework.cloud.netflix.feign.FeignClient;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+import java.util.List;
+
+/**
+ * @author yongjie.teng
+ * @date 2018/10/29
+ * @package com.soraka.gateway.service.feign
+ */
+@FeignClient(name = "soraka-admin", fallback = MenuServiceFallbackImpl.class)
+public interface MenuService {
+    /**
+     * 查询角色菜单
+     *
+     * @param roleKeys 角色Key
+     * @return 菜单列表
+     */
+    @GetMapping("menu/roleMenu")
+    List<MenuDO> findRoleMenu(@RequestParam("roleKeys") List<String> roleKeys);
+}
diff --git a/...eway/src/main/java/com/soraka/gateway/service/feign/fallback/MenuServiceFallbackImpl.java b/...eway/src/main/java/com/soraka/gateway/service/feign/fallback/MenuServiceFallbackImpl.java
@@ -0,0 +1,30 @@
+package com.soraka.gateway.service.feign.fallback;
+
+import com.soraka.common.model.domain.MenuDO;
+import com.soraka.gateway.service.feign.MenuService;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author yongjie.teng
+ * @date 2018/10/29
+ * @package com.soraka.gateway.service.feign.fallback
+ */
+@Slf4j
+@Service
+public class MenuServiceFallbackImpl implements MenuService {
+    /**
+     * 查询角色菜单
+     *
+     * @param roleKeys 角色Key
+     * @return 菜单列表
+     */
+    @Override
+    public List<MenuDO> findRoleMenu(List<String> roleKeys) {
+        log.error("调用{}异常{}","findRoleMenu",roleKeys);
+        return new ArrayList<>();
+    }
+}
diff --git a/soraka-gateway/src/main/java/com/soraka/gateway/service/impl/PermissionServiceImpl.java b/soraka-gateway/src/main/java/com/soraka/gateway/service/impl/PermissionServiceImpl.java
@@ -1,18 +1,32 @@
 package com.soraka.gateway.service.impl;
 
+import com.soraka.common.model.domain.MenuDO;
 import com.soraka.gateway.service.PermissionService;
+import com.soraka.gateway.service.feign.MenuService;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.stereotype.Service;
+import org.springframework.util.AntPathMatcher;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * @author yongjie.teng
  * @date 2018/10/25
  * @package com.soraka.gateway.service.impl
  */
+@Slf4j
 @Service("permissionService")
 public class PermissionServiceImpl implements PermissionService {
+    @Autowired
+    private MenuService menuService;
+    private AntPathMatcher antPathMatcher = new AntPathMatcher();
+
     /**
      * 判断请求是否有权限
      *
@@ -22,6 +36,31 @@ public class PermissionServiceImpl implements PermissionService {
      */
     @Override
     public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
-        return true;
+        Object principal = authentication.getPrincipal();
+        List<SimpleGrantedAuthority> grantedAuthorityList = (List<SimpleGrantedAuthority>) authentication.getAuthorities();
+
+        if (principal == null) {
+            return false;
+        }
+        if (grantedAuthorityList == null || grantedAuthorityList.isEmpty()) {
+            log.warn("角色列表为空：{}", authentication.getPrincipal());
+            return false;
+        }
+
+        // 获取角色权限
+        List<String> roleKeys = new ArrayList<>();
+        for (SimpleGrantedAuthority authority : grantedAuthorityList) {
+            roleKeys.add(authority.getAuthority());
+        }
+        List<MenuDO> menus = menuService.findRoleMenu(roleKeys);
+        // 权限校验
+        for (MenuDO menu : menus) {
+            if (StringUtils.isNotBlank(menu.getUrl())
+                && antPathMatcher.match(menu.getUrl(), request.getRequestURI())
+                && request.getMethod().equalsIgnoreCase(menu.getMethod())) {
+                return true;
+            }
+        }
+        return false;
     }
 }
diff --git a/soraka-gateway/src/main/java/com/soraka/gateway/userdetails/UserDetailsImpl.java b/soraka-gateway/src/main/java/com/soraka/gateway/userdetails/UserDetailsImpl.java
diff --git a/soraka-gateway/src/main/resources/application.yml b/soraka-gateway/src/main/resources/application.yml
@@ -3,6 +3,7 @@ spring:
     name: soraka-gateway
 server:
   port: 8002
+#注册中心
 eureka:
   instance:
     hostname: localhost
@@ -12,19 +13,34 @@ eureka:
     fetch-registry: true
     service-url:
       defaultZone: http://localhost:8001/eureka/
+#路由
 zuul:
   ignored-services: '**'
   routes:
     soraka-weixin: 'mp/**'
     soraka-admin: 'admin/**'
     soraka-auth: 'auth/**'
   sensitiveHeaders: Cookie,Set-Cookie
+#负载均衡
 ribbon:
   ReadTimeout: 3000
+##熔断
+feign:
+  hystrix:
+      enabled: true
 #认证服务器地址
 security:
   auth:
     server: http://localhost:8005
+  sessions: stateless
+  oauth2:
+    client:
+      client-id: soraka
+      client-secret: soraka
+    resource:
+      jwt:
+        key-uri: ${security.auth.server}/oauth/token_key #解析jwt令牌所需要密钥的地址
+#日志
 logging:
   level:
     com.soraka.auth: DEBUG