package com.gkhy.safePlatform.config.security; import com.alibaba.fastjson.JSONArray; import com.alibaba.fastjson.JSONObject; import com.gkhy.safePlatform.account.rpc.apimodel.AccountAuthService; import com.gkhy.safePlatform.commons.co.ContextCacheAuthority; import com.gkhy.safePlatform.commons.co.ContextCacheUser; import com.gkhy.safePlatform.commons.enums.RedisKeyEnum; import com.gkhy.safePlatform.commons.enums.ResultCodes; import com.gkhy.safePlatform.commons.exception.BusinessException; import com.gkhy.safePlatform.commons.utils.RPCUtils; import com.gkhy.safePlatform.commons.utils.RequestContextHolder; import com.gkhy.safePlatform.commons.utils.StringUtils; import com.gkhy.safePlatform.commons.vo.ResultVO; import com.gkhy.safePlatform.config.redis.RedisUtils; import org.apache.dubbo.config.annotation.DubboReference; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; import java.util.ArrayList; import java.util.List; /** * @Description: token登录过滤器 */ @Component public class TokenAuthenticationFilter extends OncePerRequestFilter { @Autowired private TokenConfig tokenConfig; @DubboReference(check = false) private AccountAuthService userAccountService; @Autowired private RedisUtils redisUtils; @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse resp, FilterChain chain) throws IOException, ServletException { try { //获取当前认证成功用户权限信息 UsernamePasswordAuthenticationToken authRequest = getAuthentication(req, resp); if (authRequest != null) { SecurityContextHolder.getContext().setAuthentication(authRequest); } // 执行下一个 filter 过滤器链 chain.doFilter(req, resp); } catch (BusinessException e) { // 返回异常 this.writeJSON(req, resp, new ResultVO<>(e.getCode(),e.getMessage())); } } private UsernamePasswordAuthenticationToken getAuthentication(HttpServletRequest req,HttpServletResponse resp) { // header获取token String authToken = req.getHeader(tokenConfig.getHeader()); String loginUserId = req.getHeader(tokenConfig.getLoginUserHeader()); if(authToken != null) { // header 传入 userId if (StringUtils.isBlank(loginUserId)) { throw new BusinessException(ResultCodes.CLIENT_CREDENTIALS_LACK); } // 登录成功时,会将权限数据存入redis // 这里是验证获取权限信息 // 1.从redis中获取对应该用户的权限信息 String accessTokenKey = RedisKeyEnum.authKey(RedisKeyEnum.AUTH_TOKEN, loginUserId); Object o = redisUtils.get(accessTokenKey); // 2.token是否存在 if (o == null) { // 是否存在 uid未登录 throw new BusinessException(ResultCodes.CLIENT_CREDENTIALS_TOKEN_INVALID); }else{ Long userId = Long.valueOf(loginUserId); ContextCacheUser ContextCacheUser = JSONObject.parseObject(o.toString(), ContextCacheUser.class); assert userId.equals(ContextCacheUser.getUid()); if ( !authToken.equals(ContextCacheUser.getAccessToken())) { throw new BusinessException(ResultCodes.CLIENT_CREDENTIALS_TOKEN_INVALID); } Long expireSecondsLeft = redisUtils.getExpireTime(accessTokenKey); // 60m 内请求则续期 时长为原本的有效时间 if (expireSecondsLeft != null && 0L < expireSecondsLeft && expireSecondsLeft < 60 * 60) { redisUtils.resetKeyExpireTime(accessTokenKey, tokenConfig.getExpiration()); } // 3.redis获取权限 String authoritiesKey = RedisKeyEnum.authKey(RedisKeyEnum.AUTH_AUTHORITIES, userId); Object oo = redisUtils.get(authoritiesKey); List authorities = new ArrayList<>(); // 4.redis中是否存在 if (oo != null) { List cacheAuthorities = JSONArray.parseArray(oo.toString(), ContextCacheAuthority.class); for (ContextCacheAuthority cacheAuthority: cacheAuthorities) { authorities.add(new SimpleGrantedAuthority(cacheAuthority.getAuthority())); } }else { // 6.不存在=>数据库查询 ResultVO rpcResultRole = userAccountService.getUserRoleCodeByUserId(userId); if (rpcResultRole == null) { throw new BusinessException(ResultCodes.RPC_RESULT_NULL); } if (!ResultCodes.OK.getCode().equals(rpcResultRole.getCode())) { throw new BusinessException(rpcResultRole.getCode(), rpcResultRole.getMsg()); } if (rpcResultRole.getData() == null) { throw new BusinessException(ResultCodes.RPC_DATA_NULL); } if (!(rpcResultRole.getData() instanceof String)) { throw new BusinessException(ResultCodes.RPC_DATA_TYPE_NOT_MATCH); } // role authorities.add(new SimpleGrantedAuthority("ROLE_" + rpcResultRole.getData().toString())); // permission ResultVO> rpcResultPermission = userAccountService.getUserPermissionByUserId(userId); if (rpcResultPermission == null) { throw new BusinessException(ResultCodes.RPC_RESULT_NULL); } if (!ResultCodes.OK.getCode().equals(rpcResultPermission.getCode())) { throw new BusinessException(rpcResultRole.getCode(), rpcResultRole.getMsg()); } if (rpcResultPermission.getData() == null) { throw new BusinessException(ResultCodes.RPC_DATA_NULL); } if (!(rpcResultPermission.getData() instanceof List)) { throw new BusinessException(ResultCodes.RPC_DATA_TYPE_NOT_MATCH); } List permissions = RPCUtils.castList(rpcResultPermission.getData(), String.class); for (String permission : permissions) { authorities.add(new SimpleGrantedAuthority(permission)); } } // threadLocal存入用户信息 RequestContextHolder.contextUserLocal.set(ContextCacheUser); // security对象中存入登陆者信息 return new UsernamePasswordAuthenticationToken(ContextCacheUser,authToken,authorities); } } return null; } protected void writeJSON(HttpServletRequest req, HttpServletResponse resp, ResultVO resultVO) throws IOException { // 设置编码格式 resp.setContentType("text/json;charset=utf-8"); // 处理跨域问题 resp.setHeader("Access-Control-Allow-Origin", "*"); resp.setHeader("Access-Control-Allow-Methods", "POST, GET"); //输出JSON PrintWriter out = resp.getWriter(); out.write(JSONObject.toJSONString(resultVO)); out.flush(); out.close(); } }