创建 mall-spring-boot-starter-security-admin 模块，用于管理员的认证拦截器

common/mall-spring-boot-starter-security-admin/src/main/java/cn/iocoder/mall/security/admin/config/AdminSecurityAutoConfiguration.java

@@ -0,0 +1,44 @@
+package cn.iocoder.mall.security.admin.config;
+
+import cn.iocoder.mall.security.admin.core.interceptor.AdminDemoInterceptor;
+import cn.iocoder.mall.security.admin.core.interceptor.AdminSecurityInterceptor;
+import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+@AutoConfigureAfter(CommonWebAutoConfiguration.class) // 在 CommonWebAutoConfiguration 之后自动配置，保证过滤器的顺序
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+public class AdminSecurityAutoConfiguration implements WebMvcConfigurer {
+
+    private Logger logger = LoggerFactory.getLogger(getClass());
+
+    // ========== 拦截器相关 ==========
+
+    @Bean
+    public AdminSecurityInterceptor adminSecurityInterceptor() {
+        return new AdminSecurityInterceptor();
+    }
+
+    @Bean
+    public AdminDemoInterceptor adminDemoInterceptor() {
+        return new AdminDemoInterceptor();
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        // AdminSecurityInterceptor 拦截器
+        registry.addInterceptor(this.adminSecurityInterceptor());
+        logger.info("[addInterceptors][加载 AdminSecurityInterceptor 拦截器完成]");
+        // AdminDemoInterceptor 拦截器
+        registry.addInterceptor(this.adminDemoInterceptor());
+        logger.info("[addInterceptors][加载 AdminDemoInterceptor 拦截器完成]");
+    }
+
+}

common/mall-spring-boot-starter-security-admin/src/main/java/cn/iocoder/mall/security/admin/core/context/AdminSecurityContext.java

@@ -0,0 +1,18 @@
+package cn.iocoder.mall.security.admin.core.context;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * Admin Security 上下文
+ */
+@Data
+@Accessors(chain = true)
+public class AdminSecurityContext {
+
+    /**
+     * 管理员编号
+     */
+    private Integer adminId;
+
+}

common/mall-spring-boot-starter-security-admin/src/main/java/cn/iocoder/mall/security/admin/core/context/AdminSecurityContextHolder.java

@@ -0,0 +1,34 @@
+package cn.iocoder.mall.security.admin.core.context;
+
+/**
+ * {@link AdminSecurityContext} Holder
+ *
+ * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
+ */
+public class AdminSecurityContextHolder {
+
+    private static final ThreadLocal<AdminSecurityContext> SECURITY_CONTEXT = new ThreadLocal<>();
+
+    public static void setContext(AdminSecurityContext context) {
+        SECURITY_CONTEXT.set(context);
+    }
+
+    public static AdminSecurityContext getContext() {
+        AdminSecurityContext ctx = SECURITY_CONTEXT.get();
+        // 为空时，设置一个空的进去
+        if (ctx == null) {
+            ctx = new AdminSecurityContext();
+            SECURITY_CONTEXT.set(ctx);
+        }
+        return ctx;
+    }
+
+    public static void clear() {
+        SECURITY_CONTEXT.remove();
+    }
+
+    public static Integer getAdminId() {
+        return getContext().getAdminId();
+    }
+
+}

common/mall-spring-boot-starter-security-admin/src/main/java/cn/iocoder/mall/security/admin/core/interceptor/AdminDemoInterceptor.java

@@ -0,0 +1,30 @@
+package cn.iocoder.mall.security.admin.core.interceptor;
+
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.mall.security.admin.core.context.AdminSecurityContextHolder;
+import cn.iocoder.mall.systemservice.enums.SystemErrorCodeEnum;
+import org.springframework.http.HttpMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Objects;
+
+/**
+ * Admin 演示拦截器
+ *
+ * 这是个比较“奇怪”的拦截器，用于演示的管理员账号，禁止使用 POST 请求，从而实现即达到阉割版的演示的效果，又避免影响了数据
+ */
+public class AdminDemoInterceptor extends HandlerInterceptorAdapter {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        // 当 Admin 编号等于 0 时，约定为演示账号
+        if (Objects.equals(AdminSecurityContextHolder.getAdminId(), 0)
+            && request.getMethod().equalsIgnoreCase(HttpMethod.POST.toString())) {
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.AUTHORIZATION_DEMO_PERMISSION_DENY);
+        }
+        return true;
+    }
+
+}

common/mall-spring-boot-starter-security-admin/src/main/java/cn/iocoder/mall/security/admin/core/interceptor/AdminSecurityInterceptor.java

@@ -0,0 +1,94 @@
+package cn.iocoder.mall.security.admin.core.interceptor;
+
+import cn.iocoder.common.framework.enums.UserTypeEnum;
+import cn.iocoder.common.framework.util.CollectionUtil;
+import cn.iocoder.common.framework.util.HttpUtil;
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.admin.core.context.AdminSecurityContext;
+import cn.iocoder.mall.security.admin.core.context.AdminSecurityContextHolder;
+import cn.iocoder.mall.systemservice.enums.SystemErrorCodeEnum;
+import cn.iocoder.mall.systemservice.rpc.oauth.OAuth2Rpc;
+import cn.iocoder.mall.systemservice.rpc.oauth.vo.OAuth2AccessTokenVO;
+import cn.iocoder.mall.web.core.util.CommonWebUtil;
+import cn.iocoder.security.annotations.RequiresNone;
+import cn.iocoder.security.annotations.RequiresPermissions;
+import org.apache.dubbo.config.annotation.Reference;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static cn.iocoder.mall.systemservice.enums.SystemErrorCodeEnum.OAUTH_USER_TYPE_ERROR;
+
+public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
+
+    @Reference(validation = "true", version = "${dubbo.consumer.OAuth2Rpc.version}")
+    private OAuth2Rpc oauth2Rpc;
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        // 获得访问令牌
+        Integer adminId = this.obtainAdminId(request);
+        // 校验认证
+        this.checkAuthentication((HandlerMethod) handler, adminId);
+        // 校验权限
+        this.checkPermission((HandlerMethod) handler, adminId);
+        return true;
+    }
+
+    private Integer obtainAdminId(HttpServletRequest request) {
+        String accessToken = HttpUtil.obtainAuthorization(request);
+        Integer adminId = null;
+        if (accessToken != null) {
+            CommonResult<OAuth2AccessTokenVO> checkAccessTokenResult = oauth2Rpc.checkAccessToken(accessToken);
+            checkAccessTokenResult.checkError();
+            // 校验用户类型正确
+            if (!UserTypeEnum.ADMIN.getValue().equals(checkAccessTokenResult.getData().getUserType())) {
+                throw ServiceExceptionUtil.exception(OAUTH_USER_TYPE_ERROR);
+            }
+            // 获得用户编号
+            adminId = checkAccessTokenResult.getData().getUserId();
+            // 设置到 Request 中
+            CommonWebUtil.setUserId(request, adminId);
+            CommonWebUtil.setUserType(request, UserTypeEnum.ADMIN.getValue());
+            // 设置到
+            AdminSecurityContext adminSecurityContext = new AdminSecurityContext().setAdminId(adminId);
+            AdminSecurityContextHolder.setContext(adminSecurityContext);
+        }
+        return adminId;
+    }
+
+    private void checkAuthentication(HandlerMethod handlerMethod, Integer adminId) {
+        boolean requiresAuthenticate = !handlerMethod.hasMethodAnnotation(RequiresNone.class); // 对于 ADMIN 来说，默认需登录
+        if (requiresAuthenticate && adminId == null) {
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_NOT_AUTHENTICATION);
+        }
+    }
+
+    private void checkPermission(HandlerMethod handlerMethod, Integer accountId) {
+        RequiresPermissions requiresPermissions = handlerMethod.getMethodAnnotation(RequiresPermissions.class);
+        if (requiresPermissions == null) {
+            return;
+        }
+        String[] permissions = requiresPermissions.value();
+        if (CollectionUtil.isEmpty(permissions)) {
+            return;
+        }
+        // 权限验证 TODO 待完成
+//        AuthorizationCheckPermissionsRequest authorizationCheckPermissionsRequest = new AuthorizationCheckPermissionsRequest()
+//                .setAccountId(accountId).setPermissions(Arrays.asList(permissions));
+//        CommonResult<Boolean> authorizationCheckPermissionsResult = authorizationRPC.checkPermissions(authorizationCheckPermissionsRequest);
+//        if (authorizationCheckPermissionsResult.isError()) { // TODO 有一个问题点，假设 token 认证失败，但是该 url 是无需认证的，是不是一样能够执行过去？
+//            throw ServiceExceptionUtil.exception(authorizationCheckPermissionsResult);
+//        }
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
+        // 清空 SecurityContext
+        AdminSecurityContextHolder.clear();
+    }
+
+}

common/mall-spring-boot-starter-security-admin/src/main/resources/META-INF/spring.factories

@@ -0,0 +1,2 @@
+org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
+  cn.iocoder.mall.security.admin.config.AdminSecurityAutoConfiguration