1. 完成 auth 鉴权逻辑

2. 完成 admin 获取 Admin 上下文
3. 完成 user 获取 User 上下文

common/common-framework/src/main/java/cn/iocoder/common/framework/util/CollectionUtil.java

@@ -28,12 +28,17 @@ public class CollectionUtil {
         return from.stream().map(func).collect(Collectors.toSet());
     }
 
+    public static <T, K> Map<K, T> convertMap(List<T> from, Function<T, K> keyFunc) {
+        return from.stream().collect(Collectors.toMap(keyFunc, item -> item));
+    }
+
     public static <T, K, V> Map<K, V> convertMap(List<T> from, Function<T, K> keyFunc, Function<T, V> valueFunc) {
         return from.stream().collect(Collectors.toMap(keyFunc, valueFunc));
     }
 
-    public static <T, K> Map<K, T> convertMap(List<T> from, Function<T, K> keyFunc) {
-        return from.stream().collect(Collectors.toMap(keyFunc, item -> item));
+    public static <T, K, V> Map<K, List<V>> convertMultiMap(List<T> from, Function<T, K> keyFunc, Function<T, V> valueFunc) {
+        return from.stream().collect(Collectors.groupingBy(keyFunc,
+                Collectors.mapping(valueFunc, Collectors.toList())));
     }
 
     public static boolean containsAny(Collection<?> source, Collection<?> candidates) {

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java

@@ -1,6 +1,9 @@
 package cn.iocoder.mall.security.config;
 
 import cn.iocoder.mall.security.core.interceptor.AccountAuthInterceptor;
+import cn.iocoder.mall.security.core.interceptor.AdminDemoInterceptor;
+import cn.iocoder.mall.security.core.interceptor.AdminSecurityInterceptor;
+import cn.iocoder.mall.security.core.interceptor.UserSecurityInterceptor;
 import cn.iocoder.mall.web.config.CommonWebAutoConfiguration;
 import cn.iocoder.mall.web.core.constant.CommonMallConstants;
 import org.slf4j.Logger;
@@ -30,6 +33,21 @@ public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {
         return new AccountAuthInterceptor(false);
     }
 
+    @Bean
+    public AdminSecurityInterceptor adminSecurityInterceptor() {
+        return new AdminSecurityInterceptor();
+    }
+
+    @Bean
+    public UserSecurityInterceptor userSecurityInterceptor() {
+        return new UserSecurityInterceptor();
+    }
+
+    @Bean
+    public AdminDemoInterceptor adminDemoInterceptor() {
+        return new AdminDemoInterceptor();
+    }
+
     @Override
     public void addInterceptors(InterceptorRegistry registry) {
         // AccountAuthInterceptor 拦截器
@@ -38,6 +56,18 @@ public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {
         registry.addInterceptor(this.adminAccountAuthInterceptor())
                 .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**");
         logger.info("[addInterceptors][加载 AccountAuthInterceptor 拦截器完成]");
+        // AdminSecurityInterceptor 拦截器
+        registry.addInterceptor(this.adminSecurityInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**");
+        logger.info("[addInterceptors][加载 AdminSecurityInterceptor 拦截器完成]");
+        // UserSecurityInterceptor 拦截器
+        registry.addInterceptor(this.userAccountAuthInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_USER + "/**");
+        logger.info("[addInterceptors][加载 UserSecurityInterceptor 拦截器完成]");
+        // AdminDemoInterceptor 拦截器
+        registry.addInterceptor(this.adminDemoInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**");
+        logger.info("[addInterceptors][加载 AdminDemoInterceptor 拦截器完成]");
     }
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java

@@ -19,6 +19,6 @@ public @interface RequiresPermissions {
      *
      * @return 权限标识数组
      */
-    String[] value();
+    String[] value() default {};
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java

@@ -14,9 +14,5 @@ public class AdminSecurityContext {
      * 管理员编号
      */
     private Integer adminId;
-    /**
-     * 管理员账号
-     */
-    private String username;
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java

@@ -8,7 +8,9 @@ import cn.iocoder.mall.security.core.annotation.RequiresAuthenticate;
 import cn.iocoder.mall.security.core.annotation.RequiresNone;
 import cn.iocoder.mall.security.core.annotation.RequiresPermissions;
 import cn.iocoder.mall.system.biz.enums.SystemErrorCodeEnum;
+import cn.iocoder.mall.system.rpc.api.authorization.AuthorizationRPC;
 import cn.iocoder.mall.system.rpc.api.oauth2.OAuth2RPC;
+import cn.iocoder.mall.system.rpc.request.authorization.AuthorizationCheckPermissionsRequest;
 import cn.iocoder.mall.system.rpc.request.oauth2.OAuth2AccessTokenAuthenticateRequest;
 import cn.iocoder.mall.system.rpc.response.oauth2.OAuth2AccessTokenResponse;
 import cn.iocoder.mall.web.core.util.CommonWebUtil;
@@ -21,6 +23,7 @@ import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 
 public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
 
@@ -28,7 +31,8 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
 
     @Reference(validation = "true", version = "${dubbo.consumer.OAuth2RPC.version}")
     private OAuth2RPC oauth2RPC;
-
+    @Reference(validation = "true", version = "${dubbo.consumer.AuthorizationRPC.version}")
+    private AuthorizationRPC authorizationRPC;
 
     /**
      * 是否默认要求认证
@@ -51,7 +55,7 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
         // 判断是否需要认证
         this.checkAuthenticate(handlerMethod, accountId);
         // 判断是否需要权限
-
+        this.checkPermission(handlerMethod, accountId);
         return true;
     }
 
@@ -63,12 +67,12 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
         // 执行认证
         OAuth2AccessTokenAuthenticateRequest oauth2AccessTokenAuthenticateRequest = new OAuth2AccessTokenAuthenticateRequest()
                 .setAccessToken(accessToken).setIp(HttpUtil.getIp(request));
-        CommonResult<OAuth2AccessTokenResponse> oauth2AccessTokenResponseResult = oauth2RPC.authenticate(oauth2AccessTokenAuthenticateRequest);
-        if (oauth2AccessTokenResponseResult.isError()) { // TODO 有一个问题点，假设 token 认证失败，但是该 url 是无需认证的，是不是一样能够执行过去？
-            throw ServiceExceptionUtil.exception(oauth2AccessTokenResponseResult);
+        CommonResult<OAuth2AccessTokenResponse> oauth2AccessTokenResult = oauth2RPC.authenticate(oauth2AccessTokenAuthenticateRequest);
+        if (oauth2AccessTokenResult.isError()) { // TODO 有一个问题点，假设 token 认证失败，但是该 url 是无需认证的，是不是一样能够执行过去？
+            throw ServiceExceptionUtil.exception(oauth2AccessTokenResult);
         }
         // 设置账号编号
-        Integer accountId = oauth2AccessTokenResponseResult.getData().getAccountId();
+        Integer accountId = oauth2AccessTokenResult.getData().getAccountId();
         CommonWebUtil.setAccountId(request, accountId);
         return accountId;
     }
@@ -96,7 +100,12 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
             return;
         }
         // 权限验证
-
+        AuthorizationCheckPermissionsRequest authorizationCheckPermissionsRequest = new AuthorizationCheckPermissionsRequest()
+                .setAccountId(accountId).setPermissions(Arrays.asList(permissions));
+        CommonResult<Boolean> authorizationCheckPermissionsResult = authorizationRPC.checkPermissions(authorizationCheckPermissionsRequest);
+        if (authorizationCheckPermissionsResult.isError()) { // TODO 有一个问题点，假设 token 认证失败，但是该 url 是无需认证的，是不是一样能够执行过去？
+            throw ServiceExceptionUtil.exception(authorizationCheckPermissionsResult);
+        }
     }
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AdminDemoInterceptor.java

@@ -0,0 +1,30 @@
+package cn.iocoder.mall.security.core.interceptor;
+
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.mall.security.core.context.AdminSecurityContextHolder;
+import cn.iocoder.mall.system.biz.enums.SystemErrorCodeEnum;
+import org.springframework.http.HttpMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Objects;
+
+/**
+ * Admin 演示拦截器
+ *
+ * 这是个比较“奇怪”的拦截器，用于演示的管理员账号，禁止使用 POST 请求，从而实现即达到阉割版的演示的效果，又避免影响了数据
+ */
+public class AdminDemoInterceptor extends HandlerInterceptorAdapter {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        // 当 Admin 编号等于 0 时，约定为演示账号
+        if (Objects.equals(AdminSecurityContextHolder.getContext().getAdminId(), 0)
+            && request.getMethod().equalsIgnoreCase(HttpMethod.POST.toString())) {
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.AUTHORIZATION_DEMO_PERMISSION_DENY.getCode());
+        }
+        return true;
+    }
+
+}

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AdminSecurityInterceptor.java

@@ -1,5 +1,12 @@
 package cn.iocoder.mall.security.core.interceptor;
 
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.core.context.AdminSecurityContext;
+import cn.iocoder.mall.security.core.context.AdminSecurityContextHolder;
+import cn.iocoder.mall.system.rpc.api.admin.AdminRPC;
+import cn.iocoder.mall.system.rpc.response.admin.AdminResponse;
+import org.apache.dubbo.config.annotation.Reference;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
 import javax.servlet.http.HttpServletRequest;
@@ -7,16 +14,30 @@ import javax.servlet.http.HttpServletResponse;
 
 public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
 
-    @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
-        // 获得 Admin 信息
+    @Reference(validation = "true", version = "${dubbo.consumer.AdminRPC.version}")
+    private AdminRPC adminRPC;
 
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        Integer accountId = AdminSecurityContextHolder.getContext().getAdminId();
+        if (accountId != null) {
+            // 获得 Admin 信息
+            CommonResult<AdminResponse> adminResult = adminRPC.getAdminByAccountId(accountId);
+            if (adminResult.isError()) {
+                throw ServiceExceptionUtil.exception(adminResult);
+            }
+            // 设置到 SecurityContext 中
+            AdminResponse adminResponse = adminResult.getData();
+            AdminSecurityContext context = new AdminSecurityContext().setAdminId(adminResponse.getId());
+            AdminSecurityContextHolder.setContext(context);
+        }
         return true;
     }
 
     @Override
-    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
-
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
+        // 清空 SecurityContext
+        AdminSecurityContextHolder.clear();
     }
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/UserSecurityInterceptor.java

@@ -1,5 +1,13 @@
 package cn.iocoder.mall.security.core.interceptor;
 
+import cn.iocoder.common.framework.util.ServiceExceptionUtil;
+import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.core.context.AdminSecurityContextHolder;
+import cn.iocoder.mall.security.core.context.UserSecurityContext;
+import cn.iocoder.mall.security.core.context.UserSecurityContextHolder;
+import cn.iocoder.mall.system.rpc.api.user.UserRPC;
+import cn.iocoder.mall.system.rpc.response.user.UserResponse;
+import org.apache.dubbo.config.annotation.Reference;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
 import javax.servlet.http.HttpServletRequest;
@@ -7,15 +15,30 @@ import javax.servlet.http.HttpServletResponse;
 
 public class UserSecurityInterceptor extends HandlerInterceptorAdapter {
 
+    @Reference(validation = "true", version = "${dubbo.consumer.UserRPC.version}")
+    private UserRPC userRPC;
+
     @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
-        // 获得用户信息
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        Integer accountId = AdminSecurityContextHolder.getContext().getAdminId();
+        if (accountId != null) {
+            // 获得 Admin 信息
+            CommonResult<UserResponse> userResult = userRPC.getUserByAccountId(accountId);
+            if (userResult.isError()) {
+                throw ServiceExceptionUtil.exception(userResult);
+            }
+            // 设置到 SecurityContext 中
+            UserResponse userResponse = userResult.getData();
+            UserSecurityContext context = new UserSecurityContext().setUserId(userResponse.getId());
+            UserSecurityContextHolder.setContext(context);
+        }
         return true;
     }
 
     @Override
-    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
-        super.afterCompletion(request, response, handler, ex);
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
+        // 清空 SecurityContext
+        UserSecurityContextHolder.clear();
     }
 
 }

common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/package-info.java

@@ -1 +0,0 @@
-package cn.iocoder.mall.security.core;

common/mall-spring-boot/pom.xml

@@ -18,18 +18,6 @@
             <artifactId>common-framework</artifactId>
             <version>1.0-SNAPSHOT</version>
         </dependency>
-        <dependency>
-            <groupId>cn.iocoder.mall</groupId>
-            <artifactId>system-sdk</artifactId>
-            <version>1.0-SNAPSHOT</version>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>cn.iocoder.mall</groupId>
-            <artifactId>user-sdk</artifactId>
-            <version>1.0-SNAPSHOT</version>
-            <optional>true</optional>
-        </dependency>
 
         <!-- Spring 核心 -->
         <dependency>
@@ -49,17 +37,6 @@
             <optional>true</optional>
         </dependency>
 
-        <dependency>
-            <groupId>io.springfox</groupId>
-            <artifactId>springfox-swagger2</artifactId>
-            <optional>true</optional>
-        </dependency>
-        <dependency>
-            <groupId>com.github.xiaoymin</groupId>
-            <artifactId>swagger-bootstrap-ui</artifactId>
-            <optional>true</optional>
-        </dependency>
-
         <!-- 监控相关 -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/AdminMVCAutoConfiguration.java

@@ -1,49 +0,0 @@
-package cn.iocoder.mall.spring.boot.web;
-
-import cn.iocoder.common.framework.constant.MallConstants;
-import cn.iocoder.common.framework.servlet.CorsFilter;
-import cn.iocoder.mall.system.sdk.interceptor.AdminDemoInterceptor;
-import cn.iocoder.mall.spring.boot.web.interceptor.AccessLogInterceptor;
-import cn.iocoder.mall.system.sdk.interceptor.AdminSecurityInterceptor;
-import cn.iocoder.mall.spring.boot.web.handler.GlobalExceptionHandler;
-import cn.iocoder.mall.spring.boot.web.handler.GlobalResponseBodyHandler;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.DispatcherServlet;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-@Configuration
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) // TODO 芋艿，未来可能考虑 REACTIVE
-@ConditionalOnClass({
-        DispatcherServlet.class,
-        WebMvcConfigurer.class, // 有 Spring MVC 容器
-        AdminSecurityInterceptor.class,
-        AccessLogInterceptor.class
-}) // 有引入 system-sdk
-public class AdminMVCAutoConfiguration implements WebMvcConfigurer {
-
-    @Bean
-    @ConditionalOnMissingBean(AdminSecurityInterceptor.class)
-    public AdminSecurityInterceptor adminSecurityInterceptor() {
-        return new AdminSecurityInterceptor();
-    }
-
-    @Bean
-    @ConditionalOnMissingBean(AdminDemoInterceptor.class)
-    public AdminDemoInterceptor adminDemoInterceptor() {
-        return new AdminDemoInterceptor();
-    }
-
-    @Override
-    public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(adminAccessLogInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_ADMIN + "/**");
-        registry.addInterceptor(adminSecurityInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_ADMIN + "/**");
-        registry.addInterceptor(adminDemoInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_ADMIN + "/**");
-    }
-
-}

common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/UserMVCAutoConfiguration.java

@@ -1,58 +0,0 @@
-package cn.iocoder.mall.spring.boot.web;
-
-import cn.iocoder.common.framework.constant.MallConstants;
-import cn.iocoder.common.framework.servlet.CorsFilter;
-import cn.iocoder.mall.spring.boot.web.interceptor.AccessLogInterceptor;
-import cn.iocoder.mall.spring.boot.web.handler.GlobalExceptionHandler;
-import cn.iocoder.mall.spring.boot.web.handler.GlobalResponseBodyHandler;
-import cn.iocoder.mall.user.sdk.interceptor.UserSecurityInterceptor;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.servlet.DispatcherServlet;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-@Configuration
-@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET) // TODO 芋艿，未来可能考虑 REACTIVE
-@ConditionalOnClass({DispatcherServlet.class, WebMvcConfigurer.class, // 有 Spring MVC 容器
-        UserSecurityInterceptor.class, // 有引入 user-sdk
-        AccessLogInterceptor.class}) // 有引入 system-sdk
-public class UserMVCAutoConfiguration implements WebMvcConfigurer {
-
-    @Bean
-//    @ConditionalOnMissingBean(AccessLogInterceptor.class)
-    public AccessLogInterceptor userAccessLogInterceptor() {
-        return new AccessLogInterceptor();
-    }
-
-    @Bean
-    @ConditionalOnMissingBean(UserSecurityInterceptor.class)
-    public UserSecurityInterceptor userSecurityInterceptor() {
-        return new UserSecurityInterceptor();
-    }
-
-    @Bean
-    @ConditionalOnMissingBean(GlobalResponseBodyHandler.class)
-    public GlobalResponseBodyHandler globalReturnValueHandler() {
-        return new GlobalResponseBodyHandler();
-    }
-
-    @Bean
-    @ConditionalOnMissingBean(GlobalExceptionHandler.class)
-    public GlobalExceptionHandler globalExceptionHandler() {
-        return new GlobalExceptionHandler();
-    }
-
-    @Override
-    public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(userAccessLogInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_USER + "/**");
-        registry.addInterceptor(userSecurityInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_USER + "/**");
-    }
-
-
-
-}

common/mall-spring-boot/src/main/resources/META-INF/spring.factories

@@ -1,4 +1,2 @@
 org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
-  cn.iocoder.mall.spring.boot.web.AdminMVCAutoConfiguration, \
-  cn.iocoder.mall.spring.boot.web.UserMVCAutoConfiguration, \
   cn.iocoder.mall.spring.boot.metrics.MetricsAutoConfiguration