权限

mta.yaml

@@ -11,7 +11,7 @@ build-parameters:
         - npm ci
         - npx cds build --production
 modules:
-  - name: lianchuangjie-test-srv
+  - name: lianchuangjie-pre-srv
     type: java
     path: srv
     parameters:
@@ -19,7 +19,7 @@ modules:
       readiness-health-check-type: http
       readiness-health-check-http-endpoint: /actuator/health/readiness
       routes:
-        - route: lianchuangjie-test-srv.unibetter-ic.com
+        - route: lianchuangjie-pre-srv.unibetter-ic.com
     properties:
       SPRING_PROFILES_ACTIVE: cloud,sandbox
       JBP_CONFIG_COMPONENTS: "jres: ['com.sap.xs.java.buildpack.jre.SAPMachineJRE']"
@@ -35,7 +35,7 @@ modules:
           srv-url: "${protocol}://${routes/0/route}"
     requires:
       - name: lianchuangjie-pre-db
-      - name: lianchuangjie-test-auth
+      - name: lianchuangjie-pre-auth
       - name: app-api
         properties:
           CDS_MULTITENANCY_APPUI_URL: ~{url}
@@ -63,7 +63,7 @@ modules:
         [ ]
       build-result: .
 
-  - name: lianchuangjie-test
+  - name: lianchuangjie-pre
     type: approuter.nodejs
     path: app\router
     parameters:
@@ -71,7 +71,7 @@ modules:
       disk-quota: 1024M
       memory: 512M
       routes:
-        - route: lianchuangjie-test.unibetter-ic.com
+        - route: lianchuangjie-pre.unibetter-ic.com
     requires:
       - name: srv-api
         group: destinations
@@ -79,7 +79,7 @@ modules:
           name: srv-api # must be used in xs-app.json as well
           url: ~{srv-url}
           forwardAuthToken: true
-      - name: lianchuangjie-test-auth
+      - name: lianchuangjie-pre-auth
     build-parameters:
       requires:
         - name: orders
@@ -94,14 +94,14 @@ modules:
           url: "${protocol}://${routes/0/route}"
 
 resources:
-  - name: lianchuangjie-test-auth
+  - name: lianchuangjie-pre-auth
     type: org.cloudfoundry.managed-service
     parameters:
       service: xsuaa
       service-plan: application
       path: ./xs-security.json
       config:
-        xsappname: lianchuangjie-test-${org}-${space}
+        xsappname: lianchuangjie-pre-${org}-${space}
         tenant-mode: dedicated
   - name: lianchuangjie-pre-db
     type: com.sap.xs.hdi-container

srv/src/main/java/customer/lianchuangjie/common/filter/OperateAuthFilter.java

@@ -21,13 +21,11 @@ import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.stereotype.Component;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
+
+import java.util.*;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
-import java.util.Map;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
@@ -59,7 +57,11 @@ public class OperateAuthFilter implements Filter {
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
         HttpServletRequest request = (HttpServletRequest) servletRequest;
         HttpServletResponse response = (HttpServletResponse) servletResponse;
+        String language = request.getHeader("language");
         String appKey = request.getHeader("appKey"); //用户appKey
+        if (appKey == null || "".equals(appKey)) {
+            appKey = request.getParameter("appKey");
+        }
         String uri = request.getRequestURI();
         String ip = request.getRemoteAddr();
         log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);
@@ -75,20 +77,96 @@ public class OperateAuthFilter implements Filter {
             }
             authorities = authentication.getAuthorities();//角色集合[]
         }
-        log.info("[OperateAuthFilter.doFilter]登录用户 username：{}", username);
-        log.info("[OperateAuthFilter.doFilter]角色集合 authorities：{}", authorities);
-        log.info("[OperateAuthFilter.doFilter]权限认证 authorization: {}", request.getHeader("authorization"));
+        if (username == null || "".equals(username)) {
+            Result<Object> wrapResult = Result.error("未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        } else if (
+            !StringUtils.isEmpty(appKey) &&
+            CommonConstant.userAuthenticationMap.containsKey(appKey) &&
+            CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() == Boolean.TRUE
+        ) {
+            // 返回请求体数据 是否通过鉴权(True: 通过， Flase: 失败)
+            Result<Object> wrapResult = Result.error("未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        }
+        log.info("登录用户 username：{}", username);
+        log.info("角色集合 authorities：{}", authorities);
+        log.info("权限认证 authorization: {}", request.getHeader("authorization"));
+        if (request.getHeader("authorization") == null || "".equals(request.getHeader("authorization"))) {
+            Result<Object> wrapResult = Result.error("authorization is null 未登录系统，禁止访问！");
+            writeResult(response, wrapResult);
+            return;
+        }
+
+        //appKey partyId4Rule roleTypeId4Rule language
+        String partyId4Rule = null;
+        String roleTypeId4Rule = null;
         Cookie[] cookies = request.getCookies();
-        if (cookies != null && cookies.length > 0) {
-            for (Cookie cookie : cookies) {
-                log.info("[OperateAuthFilter.doFilter]cookie: {}", cookie.getName() + "=" + cookie.getValue());
+        if ((appKey == null || "".equals(appKey))) {
+            if ((cookies != null && cookies.length > 0)) {
+                for (Cookie cookie : cookies) {
+                    //重新赋值
+                    if ("appKey".equals(cookie.getName())) {
+                        appKey = cookie.getValue();
+                    }
+                    if ("partyId4Rule".equals(cookie.getName())) {
+                        partyId4Rule = cookie.getValue();
+                    }
+                    if ("roleTypeId4Rule".equals(cookie.getName())) {
+                        roleTypeId4Rule = cookie.getValue();
+                    }
+                    if ("language".equals(cookie.getName())) {
+                        language = cookie.getValue();
+                    }
+                }
+                /*if (partyId4Rule == null || "".equals(partyId4Rule)) {
+                    Result<Object> wrapResult = Result.error("partyId4Rule 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }*/
+                if (appKey == null || "".equals(appKey)) {
+                    Result<Object> wrapResult = Result.error("appKey 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }
+                if (roleTypeId4Rule == null || "".equals(roleTypeId4Rule)) {
+                    Result<Object> wrapResult = Result.error("roleTypeId4Rule 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }
+                if (language == null || "".equals(language)) {
+                    Result<Object> wrapResult = Result.error("language 不能为空！");
+                    writeResult(response, wrapResult);
+                    return;
+                }
+            } else {
+                Result<Object> wrapResult = Result.error("cookies 不能为空！");
+                writeResult(response, wrapResult);
+                return;
             }
         } else {
-            log.info("[OperateAuthFilter.doFilter]cookie: null");
+            if (!CommonConstant.userAuthenticationMap.containsKey(appKey)
+                    || CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() != Boolean.TRUE) {
+                String requestParamStr = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
+                Map<String, String> requestValueMap = JsonUtil.convertJsonToMap(requestParamStr);
+                log.info("paramStr:{}, isJson:{}", requestParamStr, JsonUtil.isJsonObject(requestParamStr));
+                //用户角色鉴权校验
+                Result wrapResult = OperateAuthUtil.verifyRequestPermission(requestParamStr, requestValueMap.get("roleTypeId"));
+                if (!ResponseConstant.SUCCESS_CODE.equals(wrapResult.getCode())) {
+                    writeResult(response, wrapResult);
+                    return;
+                }
+            } else {
+                Result<Object> wrapResult = Result.error("appKey 不能为空。。。！");
+                writeResult(response, wrapResult);
+                return;
+            }
         }
+
         // IP白名单
         if (ipWhitelist) {
-            String language = request.getHeader("language");
             if (ipWhitelistMap.isEmpty()) {
                 response.setCharacterEncoding(StandardCharsets.UTF_8.name());
                 response.setContentType("text/html; charset=utf-8");
@@ -112,65 +190,42 @@ public class OperateAuthFilter implements Filter {
                 }
             }
         }
-        //TODO 郭智朋 测试中 处理ODATA接口
-        /*Cookie[] cookies = request.getCookies();
-        if (appKey == null && cookies != null && cookies.length > 0 && "/odata/v4/orderService/$batch".equals(uri)) {
-            List<Cookie> cookiesList = Arrays.asList(cookies);
-            //appKey partyId4Rule roleTypeId4Rule language
-            String partyId4Rule = null;
-            String roleTypeId4Rule = null;
-            String language = null;
-            for (Cookie cookie : cookiesList) {
-                if ("appKey".equals(cookie.getName())) {
-                    appKey = cookie.getValue();
-                }
-                if ("partyId4Rule".equals(cookie.getName())) {
-                    partyId4Rule = cookie.getValue();
-                }
-                if ("roleTypeId4Rule".equals(cookie.getName())) {
-                    roleTypeId4Rule = cookie.getValue();
-                }
-                if ("language".equals(cookie.getName())) {
-                    language = cookie.getValue();
-                }
-            }
-            // 返回请求体数据 是否通过鉴权(True: 通过， Flase: 失败)
-            if (
-                    !StringUtils.isEmpty(appKey) &&
-                    CommonConstant.userAuthenticationMap.containsKey(appKey) &&
-                    CommonConstant.userAuthenticationMap.get(appKey).getIsPassAuth() == Boolean.TRUE
-            ) {
-                String requestParamStr = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
-                //GET OrderHeaderItemView?$count=true&$select=createdBy_Text,docId,headerId,lineNo,modifiedBy_Text&$skip=0&$top=30 HTTP/1.1
-                String[] gets = requestParamStr.split("GET ");
-                String[] https = gets[1].split(" HTTP");
-                String cdsView = https[0];
-                JSONObject param = new JSONObject();
-                //"url": "orderService/OrderHeaderItemView",
-                //    "param": "$filter=(contains(ID, '61fe46ab-8226-4735-8384-f612ed648819'))",
-                String[] urlparam = cdsView.split("\\?");
-                param.put("url", urlparam[0]);
-                param.put("param", urlparam.length>1?urlparam[1]:"");
-                param.put("partyId4Rule", partyId4Rule);
-                param.put("roleTypeId4Rule", roleTypeId4Rule);
-                Result<?> requestResult = commonService.getRequestParamRuleCdsList(param, language);
-                String requestParamStrNew = requestParamStr;
-                if (requestResult.isSuccess()) {
-                    requestParamStrNew = gets[0] + "GET " + requestResult.getResult() + " HTTP" + https[1];
-                } else {
-                    return;// 跳过后面的认证
-                }
-                log.info("paramStr:{}, isJson:{}", requestParamStrNew, JsonUtil.isJsonObject(requestParamStr));
-                request = new AuthHttpServletRequest(request, requestParamStrNew, "appKey", appKey);
+
+        //TODO 处理ODATA接口 使用权限控制数据显示
+        if (Pattern.matches("(.*/odata/v4/.*)", uri)) {
+            String requestParamStr = request.getReader().lines().collect(Collectors.joining(System.lineSeparator()));
+            //GET OrderHeaderItemView?$count=true&$select=createdBy_Text,docId,headerId,lineNo,modifiedBy_Text&$skip=0&$top=30 HTTP/1.1
+            String[] gets = requestParamStr.split("GET ");
+            String[] https = gets[1].split(" HTTP");
+            String cdsView = https[0];
+            JSONObject param = new JSONObject();
+            //"url": "orderService/OrderHeaderItemView",
+            //    "param": "$filter=(contains(ID, '61fe46ab-8226-4735-8384-f612ed648819'))",
+            String[] urlparam = cdsView.split("\\?");
+            param.put("url", urlparam[0]);
+            param.put("param", urlparam.length>1?urlparam[1]:"");
+            param.put("partyId4Rule", partyId4Rule);
+            param.put("roleTypeId4Rule", roleTypeId4Rule);
+            Result<?> requestResult = commonService.getRequestParamRuleCdsList(param, language);
+            String requestParamStrNew = requestParamStr;
+            if (requestResult.isSuccess()) {
+                requestParamStrNew = gets[0] + "GET " + requestResult.getResult() + " HTTP" + https[1];
+            } else {
+                writeResult(response, requestResult);
+                return;// 跳过后面的认证
             }
+            log.info("paramStr:{}, isJson:{}", requestParamStrNew, JsonUtil.isJsonObject(requestParamStr));
+            request = new AuthHttpServletRequest(request, requestParamStrNew, "appKey", appKey);
         }
-        log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);*/
+        log.info("requestIP:{}, requestURI:{}, method:{}, appKey:{}", ip, uri, request.getMethod(), appKey);
         // 日志文件认证
         if (uri.startsWith("/logs/")) {
             if (StringUtils.isBlank(tokenForLogs)) {
                 throw new BtpException("init error!");
             }
             if (!tokenForLogs.equals(request.getParameter("appKey"))) {
+                Result<Object> wrapResult = Result.error("appKey 不能为空！");
+                writeResult(response, wrapResult);
                 return;
             }
         }
@@ -179,20 +234,13 @@ public class OperateAuthFilter implements Filter {
             filterChain.doFilter(request, servletResponse);
             return;// 跳过后面的认证
         }
-        // OData接口仅允许本机访问
-        //if (Pattern.matches("(.*/odata/v4/.*)", uri)) {
-        //    if ("127.0.0.1".equals(ip) || "0:0:0:0:0:0:0:1".equals(ip)) {// 本机访问
-        //    } else {
-        //        if (!Pattern.matches("(.*exampleService/ExampleView.*)", uri)) {
-        //            return;
-        //        }
-        //    }
-        //}
         // 禁止非POST/GET方式访问
-        /*if (!request.getMethod().equals("POST") && !request.getMethod().equals("GET")) {
+        if (!request.getMethod().equals("POST") && !request.getMethod().equals("GET")) {
+            Result<Object> wrapResult = Result.error("禁止非POST/GET方式访问");
+            writeResult(response, wrapResult);
             return;
         }
-        if (request.getMethod().equals("GET") && ("/index.html".equals(uri))) {// "/index.html"跳转到"/"
+        /*if (request.getMethod().equals("GET") && ("/index.html".equals(uri))) {// "/index.html"跳转到"/"
             response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
             response.setHeader("Pragma", "no-cache");
             response.setHeader("Expires", "0");
@@ -206,7 +254,7 @@ public class OperateAuthFilter implements Filter {
             request.getServletContext().getRequestDispatcher("/index.html").forward(request, response);//重定向
             return;
         }*/
-        boolean allowUri = Pattern.matches("(.*/login/.*|.*/odata/v4/.*)", uri);
+        boolean allowUri = Pattern.matches("(.*/login/.*|.*/oauth2Login/.*|.*/odata/v4/.*)", uri);
         //排除用户登录和非Post请求
         if (!allowUri && request.getMethod().equals("POST")) {
             //校验请求头中appKey参数: appKey为空或其不存在于系统中，或状态未鉴权通过均拦截

xs-security.json

 {
-  "xsappname": "lianchuangjie-test",
+  "xsappname": "lianchuangjie-pre",
   "tenant-mode": "dedicated",
   "scopes": [
     {
@@ -20,7 +20,7 @@
   ],
   "role-collections": [
     {
-      "name": "Lianchuangjie_Administrators",
+      "name": "Lianchuangjie-pre_Administrators",
       "description": "Lianchuangjie Administrators",
       "role-template-references": [
         "$XSAPPNAME.Administrators"