创建 mall-spring-boot-starter-security-user 模块，用于用户的认证拦截器

2020-07-04 23:25:22 +08:00
parent d89e5bad98
commit 93c646890d
27 changed files with 345 additions and 186 deletions
--- a/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/config/UserSecurityAutoConfiguration.java
+++ b/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/config/UserSecurityAutoConfiguration.java
@@ -0,0 +1,35 @@
+package cn.iocoder.mall.security.user.config;
+
+import cn.iocoder.mall.security.user.core.interceptor.UserSecurityInterceptor;
+import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+@AutoConfigureAfter(CommonWebAutoConfiguration.class) // 在 CommonWebAutoConfiguration 之后自动配置，保证过滤器的顺序
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+public class UserSecurityAutoConfiguration implements WebMvcConfigurer {
+
+    private Logger logger = LoggerFactory.getLogger(getClass());
+
+    // ========== 拦截器相关 ==========
+
+    @Bean
+    public UserSecurityInterceptor userSecurityInterceptor() {
+        return new UserSecurityInterceptor();
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        // UserSecurityInterceptor 拦截器
+        registry.addInterceptor(this.userSecurityInterceptor());
+        logger.info("[addInterceptors][加载 UserSecurityInterceptor 拦截器完成]");
+    }
+
+}
--- a/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/context/UserSecurityContext.java
+++ b/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/context/UserSecurityContext.java
@@ -0,0 +1,18 @@
+package cn.iocoder.mall.security.user.core.context;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * User Security 上下文
+ */
+@Data
+@Accessors(chain = true)
+public class UserSecurityContext {
+
+    /**
+     * 用户编号
+     */
+    private Integer userId;
+
+}
--- a/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/context/UserSecurityContextHolder.java
+++ b/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/context/UserSecurityContextHolder.java
@@ -0,0 +1,35 @@
+package cn.iocoder.mall.security.user.core.context;
+
+/**
+ * {@link UserSecurityContext} Holder
+ *
+ * 参考 spring security 的 ThreadLocalSecurityContextHolderStrategy 类，简单实现。
+ */
+public class UserSecurityContextHolder {
+
+    private static final ThreadLocal<UserSecurityContext> SECURITY_CONTEXT = new ThreadLocal<UserSecurityContext>();
+
+    public static void setContext(UserSecurityContext context) {
+        SECURITY_CONTEXT.set(context);
+    }
+
+    public static UserSecurityContext getContext() {
+        UserSecurityContext ctx = SECURITY_CONTEXT.get();
+        // 为空时，设置一个空的进去
+        if (ctx == null) {
+            ctx = new UserSecurityContext();
+            SECURITY_CONTEXT.set(ctx);
+        }
+        return ctx;
+    }
+
+    public static Integer getUserId() {
+        UserSecurityContext ctx = SECURITY_CONTEXT.get();
+        return ctx != null ? ctx.getUserId() : null;
+    }
+
+    public static void clear() {
+        SECURITY_CONTEXT.remove();
+    }
+
+}
--- a/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/interceptor/UserSecurityInterceptor.java
+++ b/common/mall-spring-boot-starter-security-user/src/main/java/cn/iocoder/mall/security/user/core/interceptor/UserSecurityInterceptor.java
@@ -0,0 +1,72 @@
+package cn.iocoder.mall.security.user.core.interceptor;
+
+import cn.iocoder.common.framework.enums.UserTypeEnum;
+import cn.iocoder.common.framework.util.HttpUtil;
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.user.core.context.UserSecurityContext;
+import cn.iocoder.mall.security.user.core.context.UserSecurityContextHolder;
+import cn.iocoder.mall.systemservice.enums.SystemErrorCodeEnum;
+import cn.iocoder.mall.systemservice.rpc.oauth.OAuth2Rpc;
+import cn.iocoder.mall.systemservice.rpc.oauth.vo.OAuth2AccessTokenVO;
+import cn.iocoder.mall.web.core.util.CommonWebUtil;
+import cn.iocoder.security.annotations.RequiresAuthenticate;
+import cn.iocoder.security.annotations.RequiresPermissions;
+import org.apache.dubbo.config.annotation.Reference;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static cn.iocoder.mall.systemservice.enums.SystemErrorCodeEnum.OAUTH_USER_TYPE_ERROR;
+
+public class UserSecurityInterceptor extends HandlerInterceptorAdapter {
+
+    @Reference(validation = "true", version = "${dubbo.consumer.OAuth2Rpc.version}")
+    private OAuth2Rpc oauth2Rpc;
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        // 获得访问令牌
+        String accessToken = HttpUtil.obtainAuthorization(request);
+        Integer userId = null;
+        if (accessToken != null) {
+            CommonResult<OAuth2AccessTokenVO> checkAccessTokenResult = oauth2Rpc.checkAccessToken(accessToken);
+            checkAccessTokenResult.checkError();
+            // 校验用户类型正确
+            if (!UserTypeEnum.USER.getValue().equals(checkAccessTokenResult.getData().getUserType())) {
+                throw ServiceExceptionUtil.exception(OAUTH_USER_TYPE_ERROR);
+            }
+            // 获得用户编号
+            userId = checkAccessTokenResult.getData().getUserId();
+            // 设置到 Request 中
+            CommonWebUtil.setUserId(request, userId);
+            CommonWebUtil.setUserType(request, UserTypeEnum.USER.getValue());
+            // 设置到
+            UserSecurityContext userSecurityContext = new UserSecurityContext().setUserId(userId);
+            UserSecurityContextHolder.setContext(userSecurityContext);
+        }
+        // 校验认证
+        this.checkAuthentication((HandlerMethod) handler, userId);
+        return true;
+    }
+
+    private void checkAuthentication(HandlerMethod handlerMethod, Integer userId) {
+        boolean requiresAuthenticate = false; // 对于 USER 来说，默认无需登录
+        if (handlerMethod.hasMethodAnnotation(RequiresAuthenticate.class)
+                || handlerMethod.hasMethodAnnotation(RequiresPermissions.class)) { // 如果需要权限验证，也认为需要认证
+            requiresAuthenticate = true;
+        }
+        if (requiresAuthenticate && userId == null) {
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_NOT_AUTHENTICATION);
+        }
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
+        // 清空 SecurityContext
+        UserSecurityContextHolder.clear();
+    }
+
+}
--- a/common/mall-spring-boot-starter-security-user/src/main/resources/META-INF/spring.factories
+++ b/common/mall-spring-boot-starter-security-user/src/main/resources/META-INF/spring.factories
@@ -0,0 +1,2 @@
+org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
+  cn.iocoder.mall.security.user.config.UserSecurityAutoConfiguration