权限

e2364153 · guozhipeng · d66e78f9 · e2364153 · e2364153 · e2364153
Commit e2364153 authored Feb 17, 2025 by guozhipeng
Show whitespace changes
Inline Side-by-side

Showing with 111 additions and 63 deletions

mta.yaml mta.yaml +8 -8

OperateAuthFilter.java ...stomer/lianchuangjie/common/filter/OperateAuthFilter.java +101 -53

xs-security.json xs-security.json +2 -2

No files found.
--- a/mta.yaml
+++ b/mta.yaml
@@ -11,7 +11,7 @@ build-parameters:
        - npm ci
        - npx cds build --production
 modules:
-  - name: lianchuangjie-test-srv
+  - name: lianchuangjie-pre-srv
    type: java
    path: srv
    parameters:
@@ -19,7 +19,7 @@ modules:
      readiness-health-check-type: http
      readiness-health-check-http-endpoint: /actuator/health/readiness
      routes:
-        - route: lianchuangjie-test-srv.unibetter-ic.com
+        - route: lianchuangjie-pre-srv.unibetter-ic.com
    properties:
      SPRING_PROFILES_ACTIVE: cloud,sandbox
      JBP_CONFIG_COMPONENTS: "jres: ['com.sap.xs.java.buildpack.jre.SAPMachineJRE']"
@@ -35,7 +35,7 @@ modules:
          srv-url: "${protocol}://${routes/0/route}"
    requires:
      - name: lianchuangjie-pre-db
-      - name: lianchuangjie-test-auth
+      - name: lianchuangjie-pre-auth
      - name: app-api
        properties:
          CDS_MULTITENANCY_APPUI_URL: ~{url}
@@ -63,7 +63,7 @@ modules:
        [ ]
      build-result: .

-  - name: lianchuangjie-test
+  - name: lianchuangjie-pre
    type: approuter.nodejs
    path: app\router
    parameters:
@@ -71,7 +71,7 @@ modules:
      disk-quota: 1024M
      memory: 512M
      routes:
-        - route: lianchuangjie-test.unibetter-ic.com
+        - route: lianchuangjie-pre.unibetter-ic.com
    requires:
      - name: srv-api
        group: destinations
@@ -79,7 +79,7 @@ modules:
          name: srv-api # must be used in xs-app.json as well
          url: ~{srv-url}
          forwardAuthToken: true
-      - name: lianchuangjie-test-auth
+      - name: lianchuangjie-pre-auth
    build-parameters:
      requires:
        - name: orders
@@ -94,14 +94,14 @@ modules:
          url: "${protocol}://${routes/0/route}"

 resources:
-  - name: lianchuangjie-test-auth
+  - name: lianchuangjie-pre-auth
    type: org.cloudfoundry.managed-service
    parameters:
      service: xsuaa
      service-plan: application
      path: ./xs-security.json
      config:
-        xsappname: lianchuangjie-test-${org}-${space}
+        xsappname: lianchuangjie-pre-${org}-${space}
        tenant-mode: dedicated
  - name: lianchuangjie-pre-db
    type: com.sap.xs.hdi-container

--- a/srv/src/main/java/customer/lianchuangjie/common/filter/OperateAuthFilter.java
+++ b/srv/src/main/java/customer/lianchuangjie/common/filter/OperateAuthFilter.java
@@ -21,13 +21,11 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.stereotype.Component;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
+
+import java.util.*;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
-import java.util.Map;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;

@@ -59,7 +57,11 @@ public class OperateAuthFilter implements Filter {
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        String language = request.getHeader("language");
        String appKey = request.getHeader("appKey"); //用户appKey
+        if (appKey == null || "".equals(appKey)) {
+            appKey = request.getParameter("appKey");
+        }
        String uri = request.getRequestURI();
        String ip = request.getRemoteAddr();
        log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);
@@ -75,20 +77,96 @@ public class OperateAuthFilter implements Filter {
            }
            authorities = authentication.getAuthorities();//角色集合[]
        }
-        log.info("[OperateAuthFilter.doFilter]登录用户 username：{}", username);
-        log.info("[OperateAuthFilter.doFilter]角色集合 authorities：{}", authorities);
-        log.info("[OperateAuthFilter.doFilter]权限认证 authorization: {}", request.getHeader("authorization"));
+        if (username == null || "".equals(username)) {
+            Result<Object> wrapResult = Result.error("未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        } else if (
+            !StringUtils.isEmpty(appKey) &&
+            CommonConstant.userAuthenticationMap.containsKey(appKey) &&
+            CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() == Boolean.TRUE
+        ) {
+            // 返回请求体数据 是否通过鉴权(True: 通过， Flase: 失败)
+            Result<Object> wrapResult = Result.error("未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        }
+        log.info("登录用户 username：{}", username);
+        log.info("角色集合 authorities：{}", authorities);
+        log.info("权限认证 authorization: {}", request.getHeader("authorization"));
+        if (request.getHeader("authorization") == null || "".equals(request.getHeader("authorization"))) {
+            Result<Object> wrapResult = Result.error("authorization is null 未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        }
+
+        //appKey partyId4Rule roleTypeId4Rule language
+        String partyId4Rule = null;
+        String roleTypeId4Rule = null;
        Cookie[] cookies = request.getCookies();
-        if (cookies != null && cookies.length > 0) {
+        if ((appKey == null || "".equals(appKey))) {
+            if ((cookies != null && cookies.length > 0)) {
                for (Cookie cookie : cookies) {
-                log.info("[OperateAuthFilter.doFilter]cookie: {}", cookie.getName() + "=" + cookie.getValue());
+                    //重新赋值
+                    if ("appKey".equals(cookie.getName())) {
+                        appKey = cookie.getValue();
+                    }
+                    if ("partyId4Rule".equals(cookie.getName())) {
+                        partyId4Rule = cookie.getValue();
+                    }
+                    if ("roleTypeId4Rule".equals(cookie.getName())) {
+                        roleTypeId4Rule = cookie.getValue();
+                    }
+                    if ("language".equals(cookie.getName())) {
+                        language = cookie.getValue();
+                    }
+                }
+                /*if (partyId4Rule == null || "".equals(partyId4Rule)) {
+                    Result<Object> wrapResult = Result.error("partyId4Rule 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }*/
+                if (appKey == null || "".equals(appKey)) {
+                    Result<Object> wrapResult = Result.error("appKey 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }
+                if (roleTypeId4Rule == null || "".equals(roleTypeId4Rule)) {
+                    Result<Object> wrapResult = Result.error("roleTypeId4Rule 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }
+                if (language == null || "".equals(language)) {
+                    Result<Object> wrapResult = Result.error("language 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
                }
            } else {
-            log.info("[OperateAuthFilter.doFilter]cookie: null");
+                Result<Object> wrapResult = Result.error("cookies 不能为空！");
+                writeResult(response, wrapResult);
+                return;
            }
+        } else {
+            if (!CommonConstant.userAuthenticationMap.containsKey(appKey)
+                    || CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() != Boolean.TRUE) {
+                String requestParamStr = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
+                Map<String, String> requestValueMap = JsonUtil.convertJsonToMap(requestParamStr);
+                log.info("paramStr:{}, isJson:{}", requestParamStr, JsonUtil.isJsonObject(requestParamStr));
+                //用户角色鉴权校验
+                Result wrapResult = OperateAuthUtil.verifyRequestPermission(requestParamStr, requestValueMap.get("roleTypeId"));
+                if (!ResponseConstant.SUCCESS_CODE.equals(wrapResult.getCode())) {
+                    writeResult(response, wrapResult);
+                    return;
+                }
+            } else {
+                Result<Object> wrapResult = Result.error("appKey 不能为空。。。！");
+                writeResult(response, wrapResult);
+                return;
+            }
+        }
+
        // IP白名单
        if (ipWhitelist) {
-            String language = request.getHeader("language");
            if (ipWhitelistMap.isEmpty()) {
                response.setCharacterEncoding(StandardCharsets.UTF_8.name());
                response.setContentType("text/html; charset=utf-8");
@@ -112,34 +190,9 @@ public class OperateAuthFilter implements Filter {
                }
            }
        }
-        //TODO 郭智朋 测试中 处理ODATA接口
-        /*Cookie[] cookies = request.getCookies();
-        if (appKey == null && cookies != null && cookies.length > 0 && "/odata/v4/orderService/$batch".equals(uri)) {
-            List<Cookie> cookiesList = Arrays.asList(cookies);
-            //appKey partyId4Rule roleTypeId4Rule language
-            String partyId4Rule = null;
-            String roleTypeId4Rule = null;
-            String language = null;
-            for (Cookie cookie : cookiesList) {
-                if ("appKey".equals(cookie.getName())) {
-                    appKey = cookie.getValue();
-                }
-                if ("partyId4Rule".equals(cookie.getName())) {
-                    partyId4Rule = cookie.getValue();
-                }
-                if ("roleTypeId4Rule".equals(cookie.getName())) {
-                    roleTypeId4Rule = cookie.getValue();
-                }
-                if ("language".equals(cookie.getName())) {
-                    language = cookie.getValue();
-                }
-            }
-            // 返回请求体数据 是否通过鉴权(True: 通过， Flase: 失败)
-            if (
-                    !StringUtils.isEmpty(appKey) &&
-                    CommonConstant.userAuthenticationMap.containsKey(appKey) &&
-                    CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() == Boolean.TRUE
-            ) {
+
+        //TODO 处理ODATA接口 使用权限控制数据显示
+        if (Pattern.matches("(.*/odata/v4/.*)", uri)) {
            String requestParamStr = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
            //GET OrderHeaderItemView?$count=true&$select=createdBy_Text,docId,headerId,lineNo,modifiedBy_Text&$skip=0&$top=30 HTTP/1.1
            String[] gets = requestParamStr.split("GET ");
@@ -158,19 +211,21 @@ public class OperateAuthFilter implements Filter {
            if (requestResult.isSuccess()) {
                requestParamStrNew = gets[0] + "GET " + requestResult.getResult() + " HTTP" + https[1];
            } else {
+                writeResult(response, requestResult);
                return;// 跳过后面的认证
            }
            log.info("paramStr:{}, isJson:{}", requestParamStrNew, JsonUtil.isJsonObject(requestParamStr));
            request = new AuthHttpServletRequest(request, requestParamStrNew, "appKey", appKey);
        }
-        }
-        log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);*/
+        log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);
        // 日志文件认证
        if (uri.startsWith("/logs/")) {
            if (StringUtils.isBlank(tokenForLogs)) {
                throw new BtpException("init error!");
            }
            if (!tokenForLogs.equals(request.getParameter("appKey"))) {
+                Result<Object> wrapResult = Result.error("appKey 不能为空！");
+                writeResult(response, wrapResult);
                return;
            }
        }
@@ -179,20 +234,13 @@ public class OperateAuthFilter implements Filter {
            filterChain.doFilter(request, servletResponse);
            return;// 跳过后面的认证
        }
-        // OData接口仅允许本机访问
-        //if (Pattern.matches("(.*/odata/v4/.*)", uri)) {
-        //    if ("127.0.0.1".equals(ip) || "0:0:0:0:0:0:0:1".equals(ip)) {// 本机访问
-        //    } else {
-        //        if (!Pattern.matches("(.*exampleService/ExampleView.*)", uri)) {
-        //            return;
-        //        }
-        //    }
-        //}
        // 禁止非POST/GET方式访问
-        /*if (!request.getMethod().equals("POST") && !request.getMethod().equals("GET")) {
+        if (!request.getMethod().equals("POST") && !request.getMethod().equals("GET")) {
+            Result<Object> wrapResult = Result.error("禁止非POST/GET方式访问");
+            writeResult(response, wrapResult);
            return;
        }
-        if (request.getMethod().equals("GET") && ("/index.html".equals(uri))) {// "/index.html"跳转到"/"
+        /*if (request.getMethod().equals("GET") && ("/index.html".equals(uri))) {// "/index.html"跳转到"/"
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setHeader("Expires", "0");
@@ -206,7 +254,7 @@ public class OperateAuthFilter implements Filter {
            request.getServletContext().getRequestDispatcher("/index.html").forward(request, response);//重定向
            return;
        }*/
-        boolean allowUri = Pattern.matches("(.*/login/.*|.*/odata/v4/.*)", uri);
+        boolean allowUri = Pattern.matches("(.*/login/.*|.*/oauth2Login/.*|.*/odata/v4/.*)", uri);
        //排除用户登录和非Post请求
        if (!allowUri && request.getMethod().equals("POST")) {
            //校验请求头中appKey参数: appKey为空或其不存在于系统中，或状态未鉴权通过均拦截

--- a/xs-security.json
+++ b/xs-security.json
 {
-  "xsappname": "lianchuangjie-test",
+  "xsappname": "lianchuangjie-pre",
  "tenant-mode": "dedicated",
  "scopes": [
    {
@@ -20,7 +20,7 @@
  ],
  "role-collections": [
    {
-      "name": "Lianchuangjie_Administrators",
+      "name": "Lianchuangjie-pre_Administrators",
      "description": "Lianchuangjie Administrators",
      "role-template-references": [
        "$XSAPPNAME.Administrators"