Spring Gateway + Oauth2 + Jwt网关统一鉴权_oauth2.1鉴权

之前文章里说过，分布式系统的鉴权有两种方式，一是在网关进行统一的鉴权操作，二是在各个微服务里单独鉴权。

第二种方式比较常见，代码网上也是很多。今天主要是说第一种方式。

1.网关鉴权的流程

重要前提：需要收集各个接口的uri路径和所需权限列表的对应关系，并存入缓存。

2.收集uri路径和对应权限

服务启动的时候，执行缓存数据的初始化操作：扫描服务内的所有controller接口方法，利用反射，获取方法的完整uri路径，方法上指定注解中的权限值，再存入Redis缓存。

服务启动时做一些操作，方法有很多，可以继承CommandLineRunner或者其他方式。不熟悉的可以去查一下有关资料。

因为后续可能会有很多微服务，因此将该缓存数据的初始化的操作放在common模块中，微服务依赖该模块完成。

1.1.初始化方法

import cn.hutool.core.collection.CollectionUtil;
import cn.hutool.core.text.StrPool;
import cn.hutool.core.util.ArrayUtil;
import com.eden4cloud.common.core.contant.CacheConstants;
import com.eden4cloud.common.security.anno.Perms;
import com.eden4cloud.common.security.constant.MethodTypeConstant;
import com.eden4cloud.common.security.utils.RequestUriUtils;
import com.eden4cloud.common.util.StringUtils;
import lombok.extern.slf4j.Slf4j;
import org.apache.poi.util.StringUtil;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Controller;
 
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
 
/**
 * @Param:
 * @Return:
 * @Date: 2022/12/3 15:31
 * @Author: Yan
 * @Description: 接口权限初始化采集，获取数据库中的权限标识，没有权限标识的其它接口使用**表示
 */
@Slf4j
public class ApiPermsInit implements ApplicationContextAware {
 
    /**
     * 接口路径及权限列表
     * 比如：/user/list<br>
     * 不支持@PathVariable格式的URI
     */
    public static List<Map<String, String>> oauthUrls = new ArrayList<>();
    Map<String, String> uriAuthMap = new HashMap<>();
 
    /**
     * Url参数需要解密的配置
     * 比如：/user/list?name=加密内容<br>
     * 格式：Key API路径  Value 需要解密的字段
     * 示列：/user/list  [name,age]
     */
    public static Map<String, List<String>> requestDecryptParamMap = new HashMap<>();
 
    private String applicationPath;
 
    @Autowired
    private RedisTemplate redisTemplate;
 
    @Override
    public void setApplicationContext(ApplicationContext ctx) throws BeansException {
        this.applicationPath = ctx.getEnvironment().getProperty("spring.application.name");
        Map<String, Object> beanMap = ctx.getBeansWithAnnotation(Controller.class);
        initData(beanMap);
        if (CollectionUtil.isNotEmpty(uriAuthMap)) {
            redisTemplate.boundHashOps(CacheConstants.OAUTH_URLS).putAll(uriAuthMap);
        }
    }
 
    /**
     * 初始化，获取所有接口的加解密配置状态并保存
     *
     * @param beanMap
     */
    private void initData(Map<String, Object> beanMap) {
        if (beanMap != null) {
            beanMap.values().parallelStream().map(Object::getClass).forEach(clz -> {
                for (Method method : clz.getDeclaredMethods()) {
                    String uriKey = RequestUriUtils.getApiUri(clz, method, applicationPath);
                    //收集带有Perms注解的api接口的uri路径
                    Perms perms = AnnotationUtils.findAnnotation(method, Perms.class);
                    if (StringUtils.isNotEmpty(uriKey) && perms != null && ArrayUtil.isNotEmpty(perms.value())) {
                        //解析权限标识
                        String authValue = StringUtil.join(perms.value(), StrPool.COMMA);
                        uriAuthMap.put(uriKey, authValue);
                    } else if (uriKey.startsWith(MethodTypeConstant.GET)) {
                        /* 屏蔽没有请求方式的api接口 */
                        //没有权限标识的，直接使用**表示
                        uriAuthMap.put(uriKey, "**");
                    } else if (uriKey.startsWith(MethodTypeConstant.POST)) {
                        //没有权限标识的，直接使用**表示
                        uriAuthMap.put(uriKey, "**");
                    } else if (uriKey.startsWith(MethodTypeConstant.PUT)) {
                        //没有权限标识的，直接使用**表示
                        uriAuthMap.put(uriKey, "**");
                    } else if (uriKey.startsWith(MethodTypeConstant.DELETE)) {
                        //没有权限标识的，直接使用**表示
                        uriAuthMap.put(uriKey, "**");
                    } else {
                        //不在上述情况中的，一般为框架提供的api接口
                        log.info(uriKey);
                    }
                }
            });
        }
    }
}

1.2.对应的工具类

import com.eden4cloud.common.security.constant.MethodTypeConstant;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.web.bind.annotation.*;
 
import java.lang.reflect.Method;
 
public class RequestUriUtils {
 
    private static final String SEPARATOR = "/";
 
    /**
     * 获取接口的uri路径
     *
     * @param clz
     * @param method
     * @param applicationPath
     * @return
     */
    public static String getApiUri(Class<?> clz, Method method, String applicationPath) {
        String methodType = "";
        StringBuilder uri = new StringBuilder();
 
        // 处理类路径
        RequestMapping reqMapping = AnnotationUtils.findAnnotation(clz, RequestMapping.class);
        if (reqMapping != null && reqMapping.value().length > 0) {
            uri.append(formatUri(reqMapping.value()[0]));
        }
 
        //处理方法上的路径
        GetMapping getMapping = AnnotationUtils.findAnnotation(method, GetMapping.class);
        PostMapping postMapping = AnnotationUtils.findAnnotation(method, PostMapping.class);
        RequestMapping requestMapping = AnnotationUtils.findAnnotation(method, RequestMapping.class);
        PutMapping putMapping = AnnotationUtils.findAnnotation(method, PutMapping.class);
        DeleteMapping deleteMapping = AnnotationUtils.findAnnotation(method, DeleteMapping.class);
 
        if (getMapping != null && getMapping.value().length > 0) {
            methodType = MethodTypeConstant.GET;
            uri.append(formatUri(getMapping.value()[0]));
        } else if (postMapping != null && postMapping.value().length > 0) {
            methodType = MethodTypeConstant.POST;
            uri.append(formatUri(postMapping.value()[0]));
        } else if (putMapping != null && putMapping.value().length > 0) {
            methodType = MethodTypeConstant.PUT;
            uri.append(formatUri(putMapping.value()[0]));
        } else if (deleteMapping != null && deleteMapping.value().length > 0) {
            methodType = MethodTypeConstant.DELETE;
            uri.append(formatUri(deleteMapping.value()[0]));
        } else if (requestMapping != null && requestMapping.value().length > 0) {
            RequestMethod requestMethod = RequestMethod.GET;
            if (requestMapping.method().length > 0) {
                requestMethod = requestMapping.method()[0];
            }
            methodType = requestMethod.name().toLowerCase() + ":";
            uri.append(formatUri(requestMapping.value()[0]));
        }
 
        // 框架自带的接口，返回null后，直接忽略处理
        if (uri.indexOf("${") > 0) {
            return "";
        }
 
        // 针对Rest请求，路径上的请求参数进行处理，以**代替
        int idx = uri.indexOf("{");
        if (idx > 0) {
            uri = new StringBuilder(uri.substring(0, idx)).append("**");
        }
 
        return methodType + SEPARATOR + applicationPath + uri;
    }
 
    private static String formatUri(String uri) {
        if (uri.startsWith(SEPARATOR)) {
            return uri;
        }
        return SEPARATOR + uri;
    }
}

收集结果：

 说明：

1. 要求一个请求的完整路径格式为：请求方式:/服务名/类路径/方法路径；
2. 请求方式必须要有，防止路径处理后，会出现重复，加上请求方式可以极大避免；
3. 服务名是为了做网关路由使用，在配置网关的路由规则时，断言的路由规则即为/服务名；代码里获取服务路径的方式是：ctx.getEnvironment().getProperty("spring.application.name");如果觉得不安全可以在yml文件中自定义一个路径名，改一下此处的获取值即可。只需要记得一定要和网关的路由断言规则匹配就行！！！！
4. 类路径必须有。
5. 方法路径必须有。方法上的第一个路径必须是固定路径，而不能是请求参数，另外不同方法上的第一个固定路径避免设置成相同的；也是为了防止最终出现请求方式相同、路径也相同的情况。
6. 对Rest风格，且方法路径上带有路径参数的路径必须做特殊处理，即将路径参数替换成**。举例如下：原完整路径为/user-Service/user/queryUser/{username}/{age}，方法上的路径为/queryUser/{username}/{age}，不论有多少个路径参数，从第一个路径参数开始，全部替换掉，处理为/queryUser/**，最终存入缓存所使用的完整路径为：GET:/user-Service/user/queryUser/**。否则当请求到达网关，你想要根据路径去缓存中匹配对应的路径时，你会发现没办法处理，因为从请求的uri路径上你是看不出来哪是固定路径，哪是路径参数的。例如：/user-Service/user/queryUser/zhangsan/18，这个例子你虽然你看都知道哪个是路径参数，但毕竟是框架，万一路径上有很多的/../../..，还怎么猜？有些规则该定死，还是要定死的。
7. 真实请求到达网关后，我们对真实请求也做了一些处理，即：只保留/服务名/类路径/方法路径的第一个，后续的路径均使用一个/**替换掉。举例：真实请求为/user-Service/user/queryUser/zhangsan/18，我们处理后为/user-Service/user/queryUser/**。

经过上述的规定和路径处理后，在下面的代码中进行匹配操作：

•  methodValue + uri + CacheConstants.FUZZY_PATH即为/user-Service/user/queryUser/**；
• k.toString()即为/user-Service/user/queryUser/**；
• 判断结果为true。

2.网关整合Security Oauth2

Gateway网关是基于webFlux实现的，所以和一般微服务整合方式不太一样。

2.1.认证管理器

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
 
/**
 * @Since: 2023/4/13
 * @Author: Yan
 * @Description Jwt认证管理器，对token的真实性、有效性进行校验
 */
@Component
@Slf4j
public class JwtAuthenticationManager implements ReactiveAuthenticationManager {
 
    @Autowired
    private TokenStore tokenStore;
 
 
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.justOrEmpty(authentication)
                .filter(a -> a instanceof BearerTokenAuthenticationToken)
                .cast(BearerTokenAuthenticationToken.class)
                .map(BearerTokenAuthenticationToken::getToken)
                .flatMap((accessToken -> {
                    //解析令牌
                    OAuth2AccessToken oAuth2AccessToken = this.tokenStore.readAccessToken(accessToken);
                    if (oAuth2AccessToken == null) {
                        return Mono.error(new InvalidBearerTokenException("无效的token"));
                    } else if (oAuth2AccessToken.isExpired()) {
                        return Mono.error(new InvalidBearerTokenException("token已过期"));
                    }
                    OAuth2Authentication oAuth2Authentication = this.tokenStore.readAuthentication(accessToken);
                    if (oAuth2Authentication == null) {
                        return Mono.error(new InvalidBearerTokenException("无效的token"));
                    } else {
                        return Mono.just(oAuth2Authentication);
                    }
                }))
                .cast(Authentication.class);
    }
}

2.2..鉴权管理器

import cn.hutool.core.text.AntPathMatcher;
import cn.hutool.core.text.StrPool;
import com.eden4cloud.common.core.contant.CacheConstants;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
 
import java.util.*;
import java.util.concurrent.atomic.AtomicBoolean;
 
/**
 * @Since: 2023/4/13
 * @Author: Yan
 * @Description Jwt鉴权管理器：从Redis中获取所请求的Url所需要的权限，和用户token中所携带的权限进行比对
 */
@Slf4j
@Component
public class JwtAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
 
    @Autowired
    private RedisTemplate<String, Object> redisTemplate;
    private AntPathMatcher matcher = new AntPathMatcher();
 
    /**
     * *****当前匹配方法要求一个API接口方法上必须要有路径*****
     *
     * @param mono
     * @param authorizationContext
     * @return
     */
    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
        // 处理当前请求的uri路径，最终格式为：/服务路径/类路径/方法上的路径 /eden-system/user/add
        StringBuilder builder = new StringBuilder();
        String[] split = authorizationContext.getExchange().getRequest().getURI().getPath().split(StrPool.SLASH);
        String uri = builder.append(StrPool.SLASH).append(split[1])//服务路径
                .append(StrPool.SLASH).append(split[2])//类路径
                .append(StrPool.SLASH).append(split[3])//方法路径
                .toString();
        // 请求方式拼接处理 ，格式为 GET:
        String methodValue = authorizationContext.getExchange().getRequest().getMethodValue() + StrPool.COLON;
        // 获取所有路径的权限列表
        Map<Object, Object> entries = redisTemplate.opsForHash().entries(CacheConstants.OAUTH_PERMS);
        List<String> authorities = new ArrayList<>();
        AtomicBoolean authFlag = new AtomicBoolean(false);
        entries.forEach((k, v) -> {
            // 根据请求uri路径，获取到匹配的缓存权限数据
            if (k.equals(methodValue + uri)
                    || matcher.match(methodValue + uri + CacheConstants.FUZZY_PATH, k.toString())) {
                if (CacheConstants.ANONYMOUS.equals(v.toString())) {
                    // 权限为**,表示允许匿名访问
                    authFlag.set(true);
                } else {
                    // 收集当前路径所需的权限列表
                    authorities.addAll(Arrays.asList((v.toString()).split(StrPool.COMMA)));
                }
            }
        });
        // Collection<? extends GrantedAuthority> authorities1 = mono.block().getAuthorities();
 
 
        List<String> finalAuthorities = authorities;
        return mono
                //判断是否认证成功
                .filter(Authentication::isAuthenticated)
                //获取认证后的全部权限列表
                .flatMapIterable(Authentication::getAuthorities)
                .map(GrantedAuthority::getAuthority)
                //如果包含在url要求的权限内，则返回true
                .any(auth -> authFlag.get() || finalAuthorities.contains(auth))
                .map(AuthorizationDecision::new)
                .defaultIfEmpty(new AuthorizationDecision(false))
                ;
    }
 
}

2.3.security安全配置

import com.eden4cloud.gateway.component.JwtAuthorizationManager;
import com.eden4cloud.gateway.handler.RequestAccessDeniedHandler;
import com.eden4cloud.gateway.handler.RequestAuthenticationEntrypoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.web.cors.reactive.CorsWebFilter;
 
/**
 * @Since: 2023/4/2
 * @Author: Yan
 * @Description security安全配置
 */
@Configuration
@EnableWebFluxSecurity
public class EdenGatewayWebSecurityConfig {
 
    @Autowired
    private JwtAuthorizationManager jwtAuthorizationManager;
 
    @Autowired
    private ReactiveAuthenticationManager authenticationManager;
 
    @Autowired
    private RequestAuthenticationEntrypoint requestAuthenticationEntrypoint;
 
    @Autowired
    private RequestAccessDeniedHandler requestAccessDeniedHandler;
 
    @Autowired
    private CorsWebFilter corsWebFilter;
 
    // @Autowired
    // private GlobalAuthenticationFilter authenticationFilter;
 
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(authenticationManager);
        authenticationWebFilter.setServerAuthenticationConverter(new ServerBearerTokenAuthenticationConverter());
 
        http
                .csrf().disable()
                .authorizeExchange()
                //对oauth的端点进行放行
                .pathMatchers("/eden-oauth/oauth/**").permitAll()
                //其他请求必须鉴权，使用鉴权管理器
                .anyExchange().access(jwtAuthorizationManager)
                .and()
                //鉴权异常处理
                .exceptionHandling()
                .authenticationEntryPoint(requestAuthenticationEntrypoint)
                .accessDeniedHandler(requestAccessDeniedHandler)
                .and()
                //跨域过滤器
                .addFilterAt(corsWebFilter, SecurityWebFiltersOrder.CORS)
                //token认证过滤器
                .addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                // .addFilterAfter(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
        ;
        return http.build();
    }
}

2.4.将网关作为资源服务

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
 
/**
 * @Author: Yan
 * @Since: 2023/2/4
 * @Description: 资源服务器解析鉴权配置类
 */
@Configuration
public class EdenGatewayResourceServerConfig extends ResourceServerConfigurerAdapter {
 
    @Autowired
    private TokenStore tokenStore;
 
    //公钥
    private static final String RESOURCE_ID = "eden-gateway";
 
    /**
     * Http安全配置，对每个到达系统的http请求链接进行校验
     *
     * @param http
     * @throws Exception
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/**").permitAll();
    }
 
    /**
     * 资源服务的安全配置
     *
     * @param resources
     * @throws Exception
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore)
                .stateless(true);
    }
}

2.5.其他配置

import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.cloud.gateway.config.GatewayAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
import org.springframework.web.util.pattern.PathPatternParser;
 
/**
 * @CreateTime: 2023-01-2023/1/11 15:09
 * @Author: Yan
 * @Description  注册网关过滤器示例
 */
@Configuration
@AutoConfigureAfter(GatewayAutoConfiguration.class)
public class GatewayRoutesConfiguration {
 
    /**
     * 跨域配置
     *
     * @return
     */
    @Bean
    public CorsWebFilter corsWebFilter() {
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedMethod("*");
        config.addAllowedOrigin("*");
        config.addAllowedHeader("*");
 
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());
        source.registerCorsConfiguration("/**", config);
 
        return new CorsWebFilter(source);
    }
 
    // @Bean(name = "ipKeyResolver")
    // public KeyResolver userIpKeyResolver() {
    //     return new IpKeyResolver();
    // }
    //
    // @Bean
    // public RouteLocator routeLocator(RouteLocatorBuilder builder) {
    //     StripPrefixGatewayFilterFactory filterFactory = new StripPrefixGatewayFilterFactory();
    //     StripPrefixGatewayFilterFactory.Config partsConfig = filterFactory.newConfig();
    //     partsConfig.setParts(1);
    //
    //     MyGatewayFilterFactory factory = new MyGatewayFilterFactory();
    //     MyGatewayFilterFactory.PathsConfig pathsConfig = factory.newConfig();
    //     pathsConfig.setPaths(Arrays.asList("/AAA", "/BBB"));
    //
    //     return builder.routes()
    //             .route(r -> r.path("/life/**")
    //                     .uri("lb://eden-life")
    //                     .filters(factory.apply(pathsConfig), filterFactory.apply(partsConfig))
    //                     .id("eden-life"))
    //             .build();
    // }
}

2.6.自定义鉴权过滤器工厂

import cn.hutool.core.util.StrUtil;
import com.alibaba.fastjson2.JSONObject;
import com.eden4cloud.common.security.exception.InvalidTokenException;
import com.eden4cloud.common.security.utils.JwtUtils;
import com.eden4cloud.common.util.sign.Base64;
import lombok.Data;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
 
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.Map;
 
/**
 * @CreateTime: 2023-01-2023/1/11 9:34
 * @Author: Yan
 * @Description 自定义鉴权过滤器工厂：设置访问白名单；重新封装鉴权认证通过的请求头；
 */
//1. 编写实现类继承AbstractGatewayFilterFactory抽象类
@Component
public class AuthGatewayFilterFactory extends AbstractGatewayFilterFactory<AuthGatewayFilterFactory.IgnoreUrlsConfig> {//4. 指定泛型,静态的内部实体类
 
    @Autowired
    private TokenStore tokenStore;
 
    //5. 重写无参构造方法,指定内部实体类接收参数
    public AuthGatewayFilterFactory() {
        super(IgnoreUrlsConfig.class);
    }
 
    @Override
    public GatewayFilter apply(IgnoreUrlsConfig config) {
        return (exchange, chain) -> {
            ServerHttpRequest request = exchange.getRequest();
            //直接放行部分请求路径，如登录、退出等  需要排除的路径弄成可yaml配置的
            boolean flag = config.ignoreUrls.contains(request.getURI().getPath())
                    || config.ignoreUrls.stream().filter(i -> i.endsWith("/**"))
                    .anyMatch(i -> exchange.getRequest().getURI().getPath().startsWith(i.replace("**", "")));
            if (flag) {
                return chain.filter(exchange);
            }
            //重新封装新的请求中数据
            ServerWebExchange webExchange = rebuildRequestHeaders(exchange, request);
            if (webExchange == null) {
                return Mono.error(new InvalidTokenException());
            }
            return chain.filter(webExchange);
        };
    }
 
    /**
     * 重新封装新的请求数据
     *
     * @param exchange
     * @param request
     * @return
     */
    private ServerWebExchange rebuildRequestHeaders(ServerWebExchange exchange, ServerHttpRequest request) {
        //获取请求头中的令牌
        String token = JwtUtils.getToken(request);
        if (StrUtil.isBlank(token)) {
            return null;
        }
 
        OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(token);
        Map<String, Object> additionalInformation = oAuth2AccessToken.getAdditionalInformation();
        List<String> authorities = (List<String>) additionalInformation.get("authorities");
        //获取用户名
        String username = additionalInformation.get("user_name").toString();
        //获取用户权限
        JSONObject jsonObject = new JSONObject();
        jsonObject.put("username", username);
        jsonObject.put("authorities", authorities);
        //将解析后的token加密后重新放入请求头，方便后续微服务解析获取用户信息
        String base64 = Base64.encode(jsonObject.toJSONString().getBytes(StandardCharsets.UTF_8));
        request = exchange.getRequest().mutate().header("token", base64).build();
        exchange.mutate().request(request);
        return exchange;
    }
 
    /**
     * 6. 重写shortcutFieldOrder()指定接收参数的字段顺序
     * Returns hints about the number of args and the order for shortcut parsing.
     *
     * @return the list of hints
     */
    @Override
    public List<String> shortcutFieldOrder() {
        return Collections.singletonList("ignoreUrls");
    }
 
    /**
     * 7. 重写shortcutType()指定接收参数的字段类型
     */
    @Override
    public ShortcutType shortcutType() {
        return ShortcutType.GATHER_LIST;
    }
 
    /**
     * 3. 定义匿名内部实体类,定义接收参数的字段
     */
    @Data
    public static class IgnoreUrlsConfig {
        //传递多个参数
        private List<String> ignoreUrls;
    }
}

2.7.网关路由规则

#路由配置
spring:
  cloud:
    gateway:
      routes:
        - id: eden-life
          uri: lb://eden-life
          predicates:
            - Path=/eden-life/**
          filters:
            - StripPrefix=1
            - name: Auth
              args:
                ignoreUrls:
                  - /auth-server/login
                  - /oauth/**
                  - /life/**

2.6和2.7主要是展示配置了动态的请求白名单功能。基于nacos的配置中心功能，可以实现动态刷新，白名单设置实时生效。

2.8.异常处理

import cn.hutool.json.JSONUtil;
import com.eden4cloud.common.core.entity.R;
import com.eden4cloud.common.security.exception.SecurityExceptionEnum;
import org.apache.http.HttpHeaders;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
 
import java.nio.charset.StandardCharsets;
 
/**
 * @Since: 2023/4/17
 * @Author: Yan
 * @Description TODO
 */
@Component
public class RequestAccessDeniedHandler implements ServerAccessDeniedHandler {
 
    @Override
    public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException e) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
        DataBuffer buffer = response.bufferFactory()
                .wrap(JSONUtil.toJsonStr(R.error(SecurityExceptionEnum.NO_PERMISSION.getMsg())).getBytes(StandardCharsets.UTF_8));
        return response.writeWith(Mono.just(buffer));
    }
}

import cn.hutool.json.JSONUtil;
import com.eden4cloud.common.core.entity.R;
import com.eden4cloud.common.security.exception.SecurityExceptionEnum;
import org.apache.http.HttpHeaders;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
 
import java.nio.charset.StandardCharsets;
 
/**
 * @Since: 2023/4/17
 * @Author: Yan
 * @Description TODO
 */
@Component
public class RequestAuthenticationEntrypoint implements ServerAuthenticationEntryPoint {
 
    @Override
    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
        ServerHttpResponse response = exchange.getResponse();
        response.setStatusCode(HttpStatus.OK);
        response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
        DataBuffer buffer = response.bufferFactory()
                .wrap(JSONUtil.toJsonStr(R.error(SecurityExceptionEnum.INVALID_TOKEN.getMsg())).getBytes(StandardCharsets.UTF_8));
        return response.writeWith(Mono.just(buffer));
    }
}