devbox
人工智能uu
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Spring Gateway + Oauth2 + Jwt网关统一鉴权_网关鉴权

作者:人工智能uu | 2024-08-20 09:38:37

网关鉴权

之前文章里说过,分布式系统的鉴权有两种方式,一是在网关进行统一的鉴权操作,二是在各个微服务里单独鉴权。

第二种方式比较常见,代码网上也是很多。今天主要是说第一种方式。

1.网关鉴权的流程

重要前提:需要收集各个接口的uri路径和所需权限列表的对应关系,并存入缓存。

2.收集uri路径和对应权限

服务启动的时候,执行缓存数据的初始化操作:扫描服务内的所有controller接口方法,利用反射,获取方法的完整uri路径,方法上指定注解中的权限值,再存入Redis缓存

服务启动时做一些操作,方法有很多,可以继承CommandLineRunner或者其他方式。不熟悉的可以去查一下有关资料。

因为后续可能会有很多微服务,因此将该缓存数据的初始化的操作放在common模块中,微服务依赖该模块完成。

1.1.初始化方法

  1. import cn.hutool.core.collection.CollectionUtil;
  2. import cn.hutool.core.text.StrPool;
  3. import cn.hutool.core.util.ArrayUtil;
  4. import com.eden4cloud.common.core.contant.CacheConstants;
  5. import com.eden4cloud.common.security.anno.Perms;
  6. import com.eden4cloud.common.security.constant.MethodTypeConstant;
  7. import com.eden4cloud.common.security.utils.RequestUriUtils;
  8. import com.eden4cloud.common.util.StringUtils;
  9. import lombok.extern.slf4j.Slf4j;
  10. import org.apache.poi.util.StringUtil;
  11. import org.springframework.beans.BeansException;
  12. import org.springframework.beans.factory.annotation.Autowired;
  13. import org.springframework.context.ApplicationContext;
  14. import org.springframework.context.ApplicationContextAware;
  15. import org.springframework.core.annotation.AnnotationUtils;
  16. import org.springframework.data.redis.core.RedisTemplate;
  17. import org.springframework.stereotype.Controller;
  18.  
  19. import java.lang.reflect.Method;
  20. import java.util.ArrayList;
  21. import java.util.HashMap;
  22. import java.util.List;
  23. import java.util.Map;
  24.  
  25. /**
  26.  * @Param:
  27.  * @Return:
  28.  * @Date: 2022/12/3 15:31
  29.  * @Author: Yan
  30.  * @Description: 接口权限初始化采集,获取数据库中的权限标识,没有权限标识的其它接口使用**表示
  31.  */
  32. @Slf4j
  33. public class ApiPermsInit implements ApplicationContextAware {
  34.  
  35.     /**
  36.      * 接口路径及权限列表
  37.      * 比如:/user/list<br>
  38.      * 不支持@PathVariable格式的URI
  39.      */
  40.     public static List<Map<String, String>> oauthUrls = new ArrayList<>();
  41.     Map<String, String> uriAuthMap = new HashMap<>();
  42.  
  43.     /**
  44.      * Url参数需要解密的配置
  45.      * 比如:/user/list?name=加密内容<br>
  46.      * 格式:Key API路径  Value 需要解密的字段
  47.      * 示列:/user/list  [name,age]
  48.      */
  49.     public static Map<String, List<String>> requestDecryptParamMap = new HashMap<>();
  50.  
  51.     private String applicationPath;
  52.  
  53.     @Autowired
  54.     private RedisTemplate redisTemplate;
  55.  
  56.     @Override
  57.     public void setApplicationContext(ApplicationContext ctx) throws BeansException {
  58.         this.applicationPath = ctx.getEnvironment().getProperty("spring.application.name");
  59.         Map<String, Object> beanMap = ctx.getBeansWithAnnotation(Controller.class);
  60.         initData(beanMap);
  61.         if (CollectionUtil.isNotEmpty(uriAuthMap)) {
  62.             redisTemplate.boundHashOps(CacheConstants.OAUTH_URLS).putAll(uriAuthMap);
  63.         }
  64.     }
  65.  
  66.     /**
  67.      * 初始化,获取所有接口的加解密配置状态并保存
  68.      *
  69.      * @param beanMap
  70.      */
  71.     private void initData(Map<String, Object> beanMap) {
  72.         if (beanMap != null) {
  73.             beanMap.values().parallelStream().map(Object::getClass).forEach(clz -> {
  74.                 for (Method method : clz.getDeclaredMethods()) {
  75.                     String uriKey = RequestUriUtils.getApiUri(clz, method, applicationPath);
  76.                     //收集带有Perms注解的api接口的uri路径
  77.                     Perms perms = AnnotationUtils.findAnnotation(method, Perms.class);
  78.                     if (StringUtils.isNotEmpty(uriKey) && perms != null && ArrayUtil.isNotEmpty(perms.value())) {
  79.                         //解析权限标识
  80.                         String authValue = StringUtil.join(perms.value(), StrPool.COMMA);
  81.                         uriAuthMap.put(uriKey, authValue);
  82.                     } else if (uriKey.startsWith(MethodTypeConstant.GET)) {
  83.                         /* 屏蔽没有请求方式的api接口 */
  84.                         //没有权限标识的,直接使用**表示
  85.                         uriAuthMap.put(uriKey, "**");
  86.                     } else if (uriKey.startsWith(MethodTypeConstant.POST)) {
  87.                         //没有权限标识的,直接使用**表示
  88.                         uriAuthMap.put(uriKey, "**");
  89.                     } else if (uriKey.startsWith(MethodTypeConstant.PUT)) {
  90.                         //没有权限标识的,直接使用**表示
  91.                         uriAuthMap.put(uriKey, "**");
  92.                     } else if (uriKey.startsWith(MethodTypeConstant.DELETE)) {
  93.                         //没有权限标识的,直接使用**表示
  94.                         uriAuthMap.put(uriKey, "**");
  95.                     } else {
  96.                         //不在上述情况中的,一般为框架提供的api接口
  97.                         log.info(uriKey);
  98.                     }
  99.                 }
  100.             });
  101.         }
  102.     }
  103. }

1.2.对应的工具类

  1. import com.eden4cloud.common.security.constant.MethodTypeConstant;
  2. import org.springframework.core.annotation.AnnotationUtils;
  3. import org.springframework.web.bind.annotation.*;
  4.  
  5. import java.lang.reflect.Method;
  6.  
  7. public class RequestUriUtils {
  8.  
  9.     private static final String SEPARATOR = "/";
  10.  
  11.     /**
  12.      * 获取接口的uri路径
  13.      *
  14.      * @param clz
  15.      * @param method
  16.      * @param applicationPath
  17.      * @return
  18.      */
  19.     public static String getApiUri(Class<?> clz, Method method, String applicationPath) {
  20.         String methodType = "";
  21.         StringBuilder uri = new StringBuilder();
  22.  
  23.         // 处理类路径
  24.         RequestMapping reqMapping = AnnotationUtils.findAnnotation(clz, RequestMapping.class);
  25.         if (reqMapping != null && reqMapping.value().length > 0) {
  26.             uri.append(formatUri(reqMapping.value()[0]));
  27.         }
  28.  
  29.         //处理方法上的路径
  30.         GetMapping getMapping = AnnotationUtils.findAnnotation(method, GetMapping.class);
  31.         PostMapping postMapping = AnnotationUtils.findAnnotation(method, PostMapping.class);
  32.         RequestMapping requestMapping = AnnotationUtils.findAnnotation(method, RequestMapping.class);
  33.         PutMapping putMapping = AnnotationUtils.findAnnotation(method, PutMapping.class);
  34.         DeleteMapping deleteMapping = AnnotationUtils.findAnnotation(method, DeleteMapping.class);
  35.  
  36.         if (getMapping != null && getMapping.value().length > 0) {
  37.             methodType = MethodTypeConstant.GET;
  38.             uri.append(formatUri(getMapping.value()[0]));
  39.         } else if (postMapping != null && postMapping.value().length > 0) {
  40.             methodType = MethodTypeConstant.POST;
  41.             uri.append(formatUri(postMapping.value()[0]));
  42.         } else if (putMapping != null && putMapping.value().length > 0) {
  43.             methodType = MethodTypeConstant.PUT;
  44.             uri.append(formatUri(putMapping.value()[0]));
  45.         } else if (deleteMapping != null && deleteMapping.value().length > 0) {
  46.             methodType = MethodTypeConstant.DELETE;
  47.             uri.append(formatUri(deleteMapping.value()[0]));
  48.         } else if (requestMapping != null && requestMapping.value().length > 0) {
  49.             RequestMethod requestMethod = RequestMethod.GET;
  50.             if (requestMapping.method().length > 0) {
  51.                 requestMethod = requestMapping.method()[0];
  52.             }
  53.             methodType = requestMethod.name().toLowerCase() + ":";
  54.             uri.append(formatUri(requestMapping.value()[0]));
  55.         }
  56.  
  57.         // 框架自带的接口,返回null后,直接忽略处理
  58.         if (uri.indexOf("${") > 0) {
  59.             return "";
  60.         }
  61.  
  62.         // 针对Rest请求,路径上的请求参数进行处理,以**代替
  63.         int idx = uri.indexOf("{");
  64.         if (idx > 0) {
  65.             uri = new StringBuilder(uri.substring(0, idx)).append("**");
  66.         }
  67.  
  68.         return methodType + SEPARATOR + applicationPath + uri;
  69.     }
  70.  
  71.     private static String formatUri(String uri) {
  72.         if (uri.startsWith(SEPARATOR)) {
  73.             return uri;
  74.         }
  75.         return SEPARATOR + uri;
  76.     }
  77. }

收集结果:

 说明:

  1. 要求一个请求的完整路径格式为:请求方式:/服务名/类路径/方法路径;
  2. 请求方式必须要有,防止路径处理后,会出现重复,加上请求方式可以极大避免;
  3. 服务名是为了做网关路由使用,在配置网关的路由规则时,断言的路由规则即为/服务名;代码里获取服务路径的方式是:ctx.getEnvironment().getProperty("spring.application.name");如果觉得不安全可以在yml文件中自定义一个路径名,改一下此处的获取值即可。只需要记得一定要和网关的路由断言规则匹配就行!!!!
  4. 类路径必须有。
  5. 方法路径必须有。方法上的第一个路径必须是固定路径,而不能是请求参数,另外不同方法上的第一个固定路径避免设置成相同的;也是为了防止最终出现请求方式相同、路径也相同的情况。
  6. 对Rest风格,且方法路径上带有路径参数的路径必须做特殊处理,即将路径参数替换成**。举例如下:原完整路径为/user-Service/user/queryUser/{username}/{age},方法上的路径为/queryUser/{username}/{age}不论有多少个路径参数,从第一个路径参数开始,全部替换掉,处理为/queryUser/**,最终存入缓存所使用的完整路径为:GET:/user-Service/user/queryUser/**。否则当请求到达网关,你想要根据路径去缓存中匹配对应的路径时,你会发现没办法处理,因为从请求的uri路径上你是看不出来哪是固定路径,哪是路径参数的。例如:/user-Service/user/queryUser/zhangsan/18,这个例子你虽然你看都知道哪个是路径参数,但毕竟是框架,万一路径上有很多的/../../..,还怎么猜?有些规则该定死,还是要定死的。
  7. 真实请求到达网关后,我们对真实请求也做了一些处理,即:只保留/服务名/类路径/方法路径的第一个,后续的路径均使用一个/**替换掉。举例:真实请求为/user-Service/user/queryUser/zhangsan/18,我们处理后为/user-Service/user/queryUser/**。

经过上述的规定和路径处理后,在下面的代码中进行匹配操作:

  •  methodValue + uri + CacheConstants.FUZZY_PATH即为/user-Service/user/queryUser/**
  • k.toString()即为/user-Service/user/queryUser/**;
  • 判断结果为true

2.网关整合Security Oauth2

Gateway网关是基于webFlux实现的,所以和一般微服务整合方式不太一样。

2.1.认证管理器

  1. import lombok.extern.slf4j.Slf4j;
  2. import org.springframework.beans.factory.annotation.Autowired;
  3. import org.springframework.security.authentication.ReactiveAuthenticationManager;
  4. import org.springframework.security.core.Authentication;
  5. import org.springframework.security.oauth2.common.OAuth2AccessToken;
  6. import org.springframework.security.oauth2.provider.OAuth2Authentication;
  7. import org.springframework.security.oauth2.provider.token.TokenStore;
  8. import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
  9. import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
  10. import org.springframework.stereotype.Component;
  11. import reactor.core.publisher.Mono;
  12.  
  13. /**
  14.  * @Since: 2023/4/13
  15.  * @Author: Yan
  16.  * @Description Jwt认证管理器,对token的真实性、有效性进行校验
  17.  */
  18. @Component
  19. @Slf4j
  20. public class JwtAuthenticationManager implements ReactiveAuthenticationManager {
  21.  
  22.     @Autowired
  23.     private TokenStore tokenStore;
  24.  
  25.  
  26.     @Override
  27.     public Mono<Authentication> authenticate(Authentication authentication) {
  28.         return Mono.justOrEmpty(authentication)
  29.                 .filter(a -> a instanceof BearerTokenAuthenticationToken)
  30.                 .cast(BearerTokenAuthenticationToken.class)
  31.                 .map(BearerTokenAuthenticationToken::getToken)
  32.                 .flatMap((accessToken -> {
  33.                     //解析令牌
  34.                     OAuth2AccessToken oAuth2AccessToken = this.tokenStore.readAccessToken(accessToken);
  35.                     if (oAuth2AccessToken == null) {
  36.                         return Mono.error(new InvalidBearerTokenException("无效的token"));
  37.                     } else if (oAuth2AccessToken.isExpired()) {
  38.                         return Mono.error(new InvalidBearerTokenException("token已过期"));
  39.                     }
  40.                     OAuth2Authentication oAuth2Authentication = this.tokenStore.readAuthentication(accessToken);
  41.                     if (oAuth2Authentication == null) {
  42.                         return Mono.error(new InvalidBearerTokenException("无效的token"));
  43.                     } else {
  44.                         return Mono.just(oAuth2Authentication);
  45.                     }
  46.                 }))
  47.                 .cast(Authentication.class);
  48.     }
  49. }

2.2..鉴权管理器

  1. import cn.hutool.core.text.AntPathMatcher;
  2. import cn.hutool.core.text.StrPool;
  3. import com.eden4cloud.common.core.contant.CacheConstants;
  4. import lombok.extern.slf4j.Slf4j;
  5. import org.springframework.beans.factory.annotation.Autowired;
  6. import org.springframework.data.redis.core.RedisTemplate;
  7. import org.springframework.security.authorization.AuthorizationDecision;
  8. import org.springframework.security.authorization.ReactiveAuthorizationManager;
  9. import org.springframework.security.core.Authentication;
  10. import org.springframework.security.core.GrantedAuthority;
  11. import org.springframework.security.web.server.authorization.AuthorizationContext;
  12. import org.springframework.stereotype.Component;
  13. import reactor.core.publisher.Mono;
  14.  
  15. import java.util.*;
  16. import java.util.concurrent.atomic.AtomicBoolean;
  17.  
  18. /**
  19.  * @Since: 2023/4/13
  20.  * @Author: Yan
  21.  * @Description Jwt鉴权管理器:从Redis中获取所请求的Url所需要的权限,和用户token中所携带的权限进行比对
  22.  */
  23. @Slf4j
  24. @Component
  25. public class JwtAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
  26.  
  27.     @Autowired
  28.     private RedisTemplate<String, Object> redisTemplate;
  29.     private AntPathMatcher matcher = new AntPathMatcher();
  30.  
  31.     /**
  32.      * *****当前匹配方法要求一个API接口方法上必须要有路径*****
  33.      *
  34.      * @param mono
  35.      * @param authorizationContext
  36.      * @return
  37.      */
  38.     @Override
  39.     public Mono<AuthorizationDecision> check(Mono<Authentication> mono, AuthorizationContext authorizationContext) {
  40.         // 处理当前请求的uri路径,最终格式为:/服务路径/类路径/方法上的路径 /eden-system/user/add
  41.         StringBuilder builder = new StringBuilder();
  42.         String[] split = authorizationContext.getExchange().getRequest().getURI().getPath().split(StrPool.SLASH);
  43.         String uri = builder.append(StrPool.SLASH).append(split[1])//服务路径
  44.                 .append(StrPool.SLASH).append(split[2])//类路径
  45.                 .append(StrPool.SLASH).append(split[3])//方法路径
  46.                 .toString();
  47.         // 请求方式拼接处理 ,格式为 GET:
  48.         String methodValue = authorizationContext.getExchange().getRequest().getMethodValue() + StrPool.COLON;
  49.         // 获取所有路径的权限列表
  50.         Map<Object, Object> entries = redisTemplate.opsForHash().entries(CacheConstants.OAUTH_PERMS);
  51.         List<String> authorities = new ArrayList<>();
  52.         AtomicBoolean authFlag = new AtomicBoolean(false);
  53.         entries.forEach((k, v) -> {
  54.             // 根据请求uri路径,获取到匹配的缓存权限数据
  55.             if (k.equals(methodValue + uri)
  56.                     || matcher.match(methodValue + uri + CacheConstants.FUZZY_PATH, k.toString())) {
  57.                 if (CacheConstants.ANONYMOUS.equals(v.toString())) {
  58.                     // 权限为**,表示允许匿名访问
  59.                     authFlag.set(true);
  60.                 } else {
  61.                     // 收集当前路径所需的权限列表
  62.                     authorities.addAll(Arrays.asList((v.toString()).split(StrPool.COMMA)));
  63.                 }
  64.             }
  65.         });
  66.         // Collection<? extends GrantedAuthority> authorities1 = mono.block().getAuthorities();
  67.  
  68.  
  69.         List<String> finalAuthorities = authorities;
  70.         return mono
  71.                 //判断是否认证成功
  72.                 .filter(Authentication::isAuthenticated)
  73.                 //获取认证后的全部权限列表
  74.                 .flatMapIterable(Authentication::getAuthorities)
  75.                 .map(GrantedAuthority::getAuthority)
  76.                 //如果包含在url要求的权限内,则返回true
  77.                 .any(auth -> authFlag.get() || finalAuthorities.contains(auth))
  78.                 .map(AuthorizationDecision::new)
  79.                 .defaultIfEmpty(new AuthorizationDecision(false))
  80.                 ;
  81.     }
  82.  
  83. }

2.3.security安全配置

  1. import com.eden4cloud.gateway.component.JwtAuthorizationManager;
  2. import com.eden4cloud.gateway.handler.RequestAccessDeniedHandler;
  3. import com.eden4cloud.gateway.handler.RequestAuthenticationEntrypoint;
  4. import org.springframework.beans.factory.annotation.Autowired;
  5. import org.springframework.context.annotation.Bean;
  6. import org.springframework.context.annotation.Configuration;
  7. import org.springframework.security.authentication.ReactiveAuthenticationManager;
  8. import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
  9. import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
  10. import org.springframework.security.config.web.server.ServerHttpSecurity;
  11. import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
  12. import org.springframework.security.web.server.SecurityWebFilterChain;
  13. import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
  14. import org.springframework.web.cors.reactive.CorsWebFilter;
  15.  
  16. /**
  17.  * @Since: 2023/4/2
  18.  * @Author: Yan
  19.  * @Description security安全配置
  20.  */
  21. @Configuration
  22. @EnableWebFluxSecurity
  23. public class EdenGatewayWebSecurityConfig {
  24.  
  25.     @Autowired
  26.     private JwtAuthorizationManager jwtAuthorizationManager;
  27.  
  28.     @Autowired
  29.     private ReactiveAuthenticationManager authenticationManager;
  30.  
  31.     @Autowired
  32.     private RequestAuthenticationEntrypoint requestAuthenticationEntrypoint;
  33.  
  34.     @Autowired
  35.     private RequestAccessDeniedHandler requestAccessDeniedHandler;
  36.  
  37.     @Autowired
  38.     private CorsWebFilter corsWebFilter;
  39.  
  40.     // @Autowired
  41.     // private GlobalAuthenticationFilter authenticationFilter;
  42.  
  43.     @Bean
  44.     public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
  45.         AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(authenticationManager);
  46.         authenticationWebFilter.setServerAuthenticationConverter(new ServerBearerTokenAuthenticationConverter());
  47.  
  48.         http
  49.                 .csrf().disable()
  50.                 .authorizeExchange()
  51.                 //对oauth的端点进行放行
  52.                 .pathMatchers("/eden-oauth/oauth/**").permitAll()
  53.                 //其他请求必须鉴权,使用鉴权管理器
  54.                 .anyExchange().access(jwtAuthorizationManager)
  55.                 .and()
  56.                 //鉴权异常处理
  57.                 .exceptionHandling()
  58.                 .authenticationEntryPoint(requestAuthenticationEntrypoint)
  59.                 .accessDeniedHandler(requestAccessDeniedHandler)
  60.                 .and()
  61.                 //跨域过滤器
  62.                 .addFilterAt(corsWebFilter, SecurityWebFiltersOrder.CORS)
  63.                 //token认证过滤器
  64.                 .addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
  65.                 // .addFilterAfter(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
  66.         ;
  67.         return http.build();
  68.     }
  69. }

2.4.将网关作为资源服务

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.context.annotation.Configuration;
  3. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  4. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  5. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
  6. import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
  7. import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
  8. import org.springframework.security.oauth2.provider.token.TokenStore;
  9. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  10.  
  11. /**
  12.  * @Author: Yan
  13.  * @Since: 2023/2/4
  14.  * @Description: 资源服务器解析鉴权配置类
  15.  */
  16. @Configuration
  17. public class EdenGatewayResourceServerConfig extends ResourceServerConfigurerAdapter {
  18.  
  19.     @Autowired
  20.     private TokenStore tokenStore;
  21.  
  22.     //公钥
  23.     private static final String RESOURCE_ID = "eden-gateway";
  24.  
  25.     /**
  26.      * Http安全配置,对每个到达系统的http请求链接进行校验
  27.      *
  28.      * @param http
  29.      * @throws Exception
  30.      */
  31.     @Override
  32.     public void configure(HttpSecurity http) throws Exception {
  33.         http
  34.                 .authorizeRequests()
  35.                 .antMatchers("/**").permitAll();
  36.     }
  37.  
  38.     /**
  39.      * 资源服务的安全配置
  40.      *
  41.      * @param resources
  42.      * @throws Exception
  43.      */
  44.     @Override
  45.     public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
  46.         resources
  47.                 .resourceId(RESOURCE_ID)
  48.                 .tokenStore(tokenStore)
  49.                 .stateless(true);
  50.     }
  51. }

2.5.其他配置

  1. import org.springframework.boot.autoconfigure.AutoConfigureAfter;
  2. import org.springframework.cloud.gateway.config.GatewayAutoConfiguration;
  3. import org.springframework.context.annotation.Bean;
  4. import org.springframework.context.annotation.Configuration;
  5. import org.springframework.web.cors.CorsConfiguration;
  6. import org.springframework.web.cors.reactive.CorsWebFilter;
  7. import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
  8. import org.springframework.web.util.pattern.PathPatternParser;
  9.  
  10. /**
  11.  * @CreateTime: 2023-01-2023/1/11 15:09
  12.  * @Author: Yan
  13.  * @Description  注册网关过滤器示例
  14.  */
  15. @Configuration
  16. @AutoConfigureAfter(GatewayAutoConfiguration.class)
  17. public class GatewayRoutesConfiguration {
  18.  
  19.     /**
  20.      * 跨域配置
  21.      *
  22.      * @return
  23.      */
  24.     @Bean
  25.     public CorsWebFilter corsWebFilter() {
  26.         CorsConfiguration config = new CorsConfiguration();
  27.         config.addAllowedMethod("*");
  28.         config.addAllowedOrigin("*");
  29.         config.addAllowedHeader("*");
  30.  
  31.         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(new PathPatternParser());
  32.         source.registerCorsConfiguration("/**", config);
  33.  
  34.         return new CorsWebFilter(source);
  35.     }
  36.  
  37.     // @Bean(name = "ipKeyResolver")
  38.     // public KeyResolver userIpKeyResolver() {
  39.     //     return new IpKeyResolver();
  40.     // }
  41.     //
  42.     // @Bean
  43.     // public RouteLocator routeLocator(RouteLocatorBuilder builder) {
  44.     //     StripPrefixGatewayFilterFactory filterFactory = new StripPrefixGatewayFilterFactory();
  45.     //     StripPrefixGatewayFilterFactory.Config partsConfig = filterFactory.newConfig();
  46.     //     partsConfig.setParts(1);
  47.     //
  48.     //     MyGatewayFilterFactory factory = new MyGatewayFilterFactory();
  49.     //     MyGatewayFilterFactory.PathsConfig pathsConfig = factory.newConfig();
  50.     //     pathsConfig.setPaths(Arrays.asList("/AAA", "/BBB"));
  51.     //
  52.     //     return builder.routes()
  53.     //             .route(r -> r.path("/life/**")
  54.     //                     .uri("lb://eden-life")
  55.     //                     .filters(factory.apply(pathsConfig), filterFactory.apply(partsConfig))
  56.     //                     .id("eden-life"))
  57.     //             .build();
  58.     // }
  59. }

2.6.自定义鉴权过滤器工厂

  1. import cn.hutool.core.util.StrUtil;
  2. import com.alibaba.fastjson2.JSONObject;
  3. import com.eden4cloud.common.security.exception.InvalidTokenException;
  4. import com.eden4cloud.common.security.utils.JwtUtils;
  5. import com.eden4cloud.common.util.sign.Base64;
  6. import lombok.Data;
  7. import org.springframework.beans.factory.annotation.Autowired;
  8. import org.springframework.cloud.gateway.filter.GatewayFilter;
  9. import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
  10. import org.springframework.http.server.reactive.ServerHttpRequest;
  11. import org.springframework.security.oauth2.common.OAuth2AccessToken;
  12. import org.springframework.security.oauth2.provider.token.TokenStore;
  13. import org.springframework.stereotype.Component;
  14. import org.springframework.web.server.ServerWebExchange;
  15. import reactor.core.publisher.Mono;
  16.  
  17. import java.nio.charset.StandardCharsets;
  18. import java.util.Collections;
  19. import java.util.List;
  20. import java.util.Map;
  21.  
  22. /**
  23.  * @CreateTime: 2023-01-2023/1/11 9:34
  24.  * @Author: Yan
  25.  * @Description 自定义鉴权过滤器工厂:设置访问白名单;重新封装鉴权认证通过的请求头;
  26.  */
  27. //1. 编写实现类继承AbstractGatewayFilterFactory抽象类
  28. @Component
  29. public class AuthGatewayFilterFactory extends AbstractGatewayFilterFactory<AuthGatewayFilterFactory.IgnoreUrlsConfig> {//4. 指定泛型,静态的内部实体类
  30.  
  31.     @Autowired
  32.     private TokenStore tokenStore;
  33.  
  34.     //5. 重写无参构造方法,指定内部实体类接收参数
  35.     public AuthGatewayFilterFactory() {
  36.         super(IgnoreUrlsConfig.class);
  37.     }
  38.  
  39.     @Override
  40.     public GatewayFilter apply(IgnoreUrlsConfig config) {
  41.         return (exchange, chain) -> {
  42.             ServerHttpRequest request = exchange.getRequest();
  43.             //直接放行部分请求路径,如登录、退出等  需要排除的路径弄成可yaml配置的
  44.             boolean flag = config.ignoreUrls.contains(request.getURI().getPath())
  45.                     || config.ignoreUrls.stream().filter(i -> i.endsWith("/**"))
  46.                     .anyMatch(i -> exchange.getRequest().getURI().getPath().startsWith(i.replace("**", "")));
  47.             if (flag) {
  48.                 return chain.filter(exchange);
  49.             }
  50.             //重新封装新的请求中数据
  51.             ServerWebExchange webExchange = rebuildRequestHeaders(exchange, request);
  52.             if (webExchange == null) {
  53.                 return Mono.error(new InvalidTokenException());
  54.             }
  55.             return chain.filter(webExchange);
  56.         };
  57.     }
  58.  
  59.     /**
  60.      * 重新封装新的请求数据
  61.      *
  62.      * @param exchange
  63.      * @param request
  64.      * @return
  65.      */
  66.     private ServerWebExchange rebuildRequestHeaders(ServerWebExchange exchange, ServerHttpRequest request) {
  67.         //获取请求头中的令牌
  68.         String token = JwtUtils.getToken(request);
  69.         if (StrUtil.isBlank(token)) {
  70.             return null;
  71.         }
  72.  
  73.         OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(token);
  74.         Map<String, Object> additionalInformation = oAuth2AccessToken.getAdditionalInformation();
  75.         List<String> authorities = (List<String>) additionalInformation.get("authorities");
  76.         //获取用户名
  77.         String username = additionalInformation.get("user_name").toString();
  78.         //获取用户权限
  79.         JSONObject jsonObject = new JSONObject();
  80.         jsonObject.put("username", username);
  81.         jsonObject.put("authorities", authorities);
  82.         //将解析后的token加密后重新放入请求头,方便后续微服务解析获取用户信息
  83.         String base64 = Base64.encode(jsonObject.toJSONString().getBytes(StandardCharsets.UTF_8));
  84.         request = exchange.getRequest().mutate().header("token", base64).build();
  85.         exchange.mutate().request(request);
  86.         return exchange;
  87.     }
  88.  
  89.     /**
  90.      * 6. 重写shortcutFieldOrder()指定接收参数的字段顺序
  91.      * Returns hints about the number of args and the order for shortcut parsing.
  92.      *
  93.      * @return the list of hints
  94.      */
  95.     @Override
  96.     public List<String> shortcutFieldOrder() {
  97.         return Collections.singletonList("ignoreUrls");
  98.     }
  99.  
  100.     /**
  101.      * 7. 重写shortcutType()指定接收参数的字段类型
  102.      */
  103.     @Override
  104.     public ShortcutType shortcutType() {
  105.         return ShortcutType.GATHER_LIST;
  106.     }
  107.  
  108.     /**
  109.      * 3. 定义匿名内部实体类,定义接收参数的字段
  110.      */
  111.     @Data
  112.     public static class IgnoreUrlsConfig {
  113.         //传递多个参数
  114.         private List<String> ignoreUrls;
  115.     }
  116. }

2.7.网关路由规则

  1. #路由配置
  2. spring:
  3.   cloud:
  4.     gateway:
  5.       routes:
  6.         - id: eden-life
  7.           uri: lb://eden-life
  8.           predicates:
  9.             - Path=/eden-life/**
  10.           filters:
  11.             - StripPrefix=1
  12.             - name: Auth
  13.               args:
  14.                 ignoreUrls:
  15.                   - /auth-server/login
  16.                   - /oauth/**
  17.                   - /life/**

2.6和2.7主要是展示配置了动态的请求白名单功能。基于nacos的配置中心功能,可以实现动态刷新,白名单设置实时生效。

2.8.异常处理

  1. import cn.hutool.json.JSONUtil;
  2. import com.eden4cloud.common.core.entity.R;
  3. import com.eden4cloud.common.security.exception.SecurityExceptionEnum;
  4. import org.apache.http.HttpHeaders;
  5. import org.springframework.core.io.buffer.DataBuffer;
  6. import org.springframework.http.HttpStatus;
  7. import org.springframework.http.MediaType;
  8. import org.springframework.http.server.reactive.ServerHttpResponse;
  9. import org.springframework.security.access.AccessDeniedException;
  10. import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
  11. import org.springframework.stereotype.Component;
  12. import org.springframework.web.server.ServerWebExchange;
  13. import reactor.core.publisher.Mono;
  14.  
  15. import java.nio.charset.StandardCharsets;
  16.  
  17. /**
  18.  * @Since: 2023/4/17
  19.  * @Author: Yan
  20.  * @Description TODO
  21.  */
  22. @Component
  23. public class RequestAccessDeniedHandler implements ServerAccessDeniedHandler {
  24.  
  25.     @Override
  26.     public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException e) {
  27.         ServerHttpResponse response = exchange.getResponse();
  28.         response.setStatusCode(HttpStatus.OK);
  29.         response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
  30.         DataBuffer buffer = response.bufferFactory()
  31.                 .wrap(JSONUtil.toJsonStr(R.error(SecurityExceptionEnum.NO_PERMISSION.getMsg())).getBytes(StandardCharsets.UTF_8));
  32.         return response.writeWith(Mono.just(buffer));
  33.     }
  34. }
  1. import cn.hutool.json.JSONUtil;
  2. import com.eden4cloud.common.core.entity.R;
  3. import com.eden4cloud.common.security.exception.SecurityExceptionEnum;
  4. import org.apache.http.HttpHeaders;
  5. import org.springframework.core.io.buffer.DataBuffer;
  6. import org.springframework.http.HttpStatus;
  7. import org.springframework.http.MediaType;
  8. import org.springframework.http.server.reactive.ServerHttpResponse;
  9. import org.springframework.security.core.AuthenticationException;
  10. import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
  11. import org.springframework.stereotype.Component;
  12. import org.springframework.web.server.ServerWebExchange;
  13. import reactor.core.publisher.Mono;
  14.  
  15. import java.nio.charset.StandardCharsets;
  16.  
  17. /**
  18.  * @Since: 2023/4/17
  19.  * @Author: Yan
  20.  * @Description TODO
  21.  */
  22. @Component
  23. public class RequestAuthenticationEntrypoint implements ServerAuthenticationEntryPoint {
  24.  
  25.     @Override
  26.     public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException e) {
  27.         ServerHttpResponse response = exchange.getResponse();
  28.         response.setStatusCode(HttpStatus.OK);
  29.         response.getHeaders().add(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
  30.         DataBuffer buffer = response.bufferFactory()
  31.                 .wrap(JSONUtil.toJsonStr(R.error(SecurityExceptionEnum.INVALID_TOKEN.getMsg())).getBytes(StandardCharsets.UTF_8));
  32.         return response.writeWith(Mono.just(buffer));
  33.     }
  34. }

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/人工智能uu/article/detail/1006386
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号