增加 auth 认证拦截器（未完全）

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java

@@ -1,16 +1,38 @@
 package cn.iocoder.mall.security.config;
 
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import cn.iocoder.mall.security.core.interceptor.AccountAuthInterceptor;
+import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
+import cn.iocoder.mall.web.core.constant.CommonMallConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
+@AutoConfigureAfter(CommonWebAutoConfiguration.class) // 在 CommonWebAutoConfiguration 之后自动配置，保证过滤器的顺序
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@ConditionalOnClass(name = {"cn.iocoder.mall.system.rpc.api.systemlog.SystemLogRPC", "org.apache.dubbo.config.annotation.Reference"})
 public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {
 
-    // ========== 拦截器相关 ==========
+    private Logger logger = LoggerFactory.getLogger(getClass());
 
+    // ========== 拦截器相关 ==========
+    @Bean
+    @ConditionalOnMissingBean(AccountAuthInterceptor.class)
+    public AccountAuthInterceptor accountAuthInterceptor() {
+        return new AccountAuthInterceptor();
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        // AccountAuthInterceptor 拦截器
+        registry.addInterceptor(this.accountAuthInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
+        logger.info("[addInterceptors][加载 AccountAuthInterceptor 拦截器完成]");
+    }
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresLogin.java

@@ -0,0 +1,16 @@
+package cn.iocoder.mall.security.core.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 要求用户登录注解。通过将该注解添加到 Controller 上，会自动校验用户是否登陆。
+ *
+ * 默认请求下，用户访问的 API 接口，无需登陆。主要的考虑是，
+ * 1. 需要用户登陆的接口，本身会获取在线用户的编号。如果不添加 @RequiresLogin 注解就会报错。
+ * 2. 大多数情况下，用户的 API 接口无需登陆。
+ */
+@Documented
+@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
+@Retention(RetentionPolicy.RUNTIME)
+public @interface RequiresLogin {
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java

@@ -0,0 +1,22 @@
+package cn.iocoder.mall.security.core.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 参考 Shiro @RequiresPermissions 设计 http://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html
+ *
+ * 通过将该注解添加到 Controller 的方法上，进行授权鉴定
+ */
+@Documented
+@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
+@Retention(RetentionPolicy.RUNTIME)
+public @interface RequiresPermissions {
+
+    /**
+     * 当有多个标识时，必须全部拥有权限，才可以操作
+     *
+     * @return 权限标识数组
+     */
+    String[] value();
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java

@@ -0,0 +1,28 @@
+package cn.iocoder.mall.security.core.context;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import java.util.Set;
+
+/**
+ * Security 上下文
+ */
+@Data
+@Accessors(chain = true)
+public class AdminSecurityContext {
+
+    /**
+     * 管理员编号
+     */
+    private Integer adminId;
+    /**
+     * 管理员账号
+     */
+    private String username;
+    /**
+     * 拥有的角色编号
+     */
+    private Set<Integer> roleIds;
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContextHolder.java

@@ -0,0 +1,30 @@
+package cn.iocoder.mall.security.core.context;
+
+/**
+ * {@link AdminSecurityContext} Holder
+ *
+ * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
+ */
+public class AdminSecurityContextHolder {
+
+    private static final ThreadLocal<AdminSecurityContext> SECURITY_CONTEXT = new ThreadLocal<>();
+
+    public static void setContext(AdminSecurityContext context) {
+        SECURITY_CONTEXT.set(context);
+    }
+
+    public static AdminSecurityContext getContext() {
+        AdminSecurityContext ctx = SECURITY_CONTEXT.get();
+        // 为空时，设置一个空的进去
+        if (ctx == null) {
+            ctx = new AdminSecurityContext();
+            SECURITY_CONTEXT.set(ctx);
+        }
+        return ctx;
+    }
+
+    public static void clear() {
+        SECURITY_CONTEXT.remove();
+    }
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContext.java

@@ -0,0 +1,18 @@
+package cn.iocoder.mall.security.core.context;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * User Security 上下文
+ */
+@Data
+@Accessors(chain = true)
+public class UserSecurityContext {
+
+    /**
+     * 用户编号
+     */
+    private Integer userId;
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/UserSecurityContextHolder.java

@@ -0,0 +1,30 @@
+package cn.iocoder.mall.security.core.context;
+
+/**
+ * {@link UserSecurityContext} Holder
+ *
+ * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
+ */
+public class UserSecurityContextHolder {
+
+    private static final ThreadLocal<UserSecurityContext> SECURITY_CONTEXT = new ThreadLocal<UserSecurityContext>();
+
+    public static void setContext(UserSecurityContext context) {
+        SECURITY_CONTEXT.set(context);
+    }
+
+    public static UserSecurityContext getContext() {
+        UserSecurityContext ctx = SECURITY_CONTEXT.get();
+        // 为空时，设置一个空的进去
+        if (ctx == null) {
+            ctx = new UserSecurityContext();
+            SECURITY_CONTEXT.set(ctx);
+        }
+        return ctx;
+    }
+
+    public static void clear() {
+        SECURITY_CONTEXT.remove();
+    }
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java

@@ -1,4 +1,4 @@
-package cn.iocoder.mall.security.core.account;
+package cn.iocoder.mall.security.core.interceptor;
 
 import cn.iocoder.common.framework.util.HttpUtil;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
@@ -10,6 +10,7 @@ import cn.iocoder.mall.web.core.util.CommonWebUtil;
 import org.apache.dubbo.config.annotation.Reference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.util.StringUtils;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
 import javax.servlet.http.HttpServletRequest;
@@ -24,8 +25,12 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
 
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
-        // 执行认证
+        // 获得访问令牌
         String accessToken = HttpUtil.obtainAuthorization(request);
+        if (StringUtils.hasText(accessToken)) { // 如果未传递，则不进行认证
+            return true;
+        }
+        // 执行认证
         OAuth2AccessTokenAuthenticateRequest oauth2AccessTokenAuthenticateRequest = new OAuth2AccessTokenAuthenticateRequest()
                 .setAccessToken(accessToken).setIp(HttpUtil.getIp(request));
         CommonResult<OAuth2AccessTokenResponse> oauth2AccessTokenResponseResult = oauth2RPC.authenticate(oauth2AccessTokenAuthenticateRequest);