zhoutg преди 6 години
родител
ревизия
04cb3ad56c

+ 9 - 9
icssman-service/src/main/java/com/diagbot/config/ResourceServerConfigurer.java

@@ -26,15 +26,15 @@ public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {
         http
                 .csrf().disable()
                 .authorizeRequests()
-//                .regexMatchers(".*swagger.*", ".*v2.*", ".*webjars.*", "/druid.*", "/actuator.*", "/hystrix.*").permitAll()
-//                .antMatchers("/file/deleteRemoteFile").permitAll()
-//                .antMatchers("/file/uploadImage").permitAll()
-//                .antMatchers("/introduceInfo/saveIntroduce").permitAll()
-//                .antMatchers("/dictionaryInfo/getList").permitAll()
-//                .antMatchers("/deptInfo/getAllDepts").permitAll()
-//                .antMatchers("/getIcssEnumsData").permitAll()
-//                .antMatchers("/**").authenticated();
-                        .antMatchers("/**").permitAll();
+                .regexMatchers(".*swagger.*", ".*v2.*", ".*webjars.*", "/druid.*", "/actuator.*", "/hystrix.*").permitAll()
+                .antMatchers("/file/deleteRemoteFile").permitAll()
+                .antMatchers("/file/uploadImage").permitAll()
+                .antMatchers("/introduceInfo/saveIntroduce").permitAll()
+                .antMatchers("/dictionaryInfo/getList").permitAll()
+                .antMatchers("/deptInfo/getAllDepts").permitAll()
+                .antMatchers("/getIcssEnumsData").permitAll()
+                .antMatchers("/**").authenticated();
+//                        .antMatchers("/**").permitAll();
 
 
     }

+ 42 - 34
icssman-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -1,12 +1,20 @@
 package com.diagbot.config.security;
 
 import com.diagbot.client.UserServiceClient;
+import com.diagbot.dto.RespDTO;
+import com.diagbot.entity.Token;
+import com.diagbot.exception.CommonErrorCode;
+import com.diagbot.util.HttpUtils;
+import com.diagbot.util.StringUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.AccountExpiredException;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.stereotype.Service;
 
@@ -25,40 +33,40 @@ public class UrlAccessDecisionManager implements AccessDecisionManager {
 
     @Override
     public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
-//        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
-//        String url, method;
-//        if (matchPermitAllUrl(request)) {
-//            return;
-//        }
-//        if ("anonymousUser".equals(authentication.getPrincipal())) {
-//            throw new AccessDeniedException("no right");
-//        } else {
-//            //验证token有效性
-//            String tokenStr = HttpUtils.getHeaders(request).get("Authorization");
-//            if (StringUtil.isNotEmpty(tokenStr)) {
-//                Token token = new Token();
-//                tokenStr = tokenStr.replaceFirst("Bearer ", "");
-//                token.setToken(tokenStr);
-//                RespDTO<Boolean> res = userServiceClient.verifyToken(token);
-//                if (res == null || !CommonErrorCode.OK.getCode().equals(res.code)) {
-//                    throw new AccountExpiredException("token expire");
-//                }
-//                if (!res.data) {
-//                    throw new AccountExpiredException("token expire");
-//                }
-//            }
-//            for (GrantedAuthority ga : authentication.getAuthorities()) {
-//                String[] authority = ga.getAuthority().split(";");
-//                url = authority[0];
-//                method = authority[1];
-//                if (matchers(url, request)) {
-//                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
-//                        return;
-//                    }
-//                }
-//            }
-//        }
-//        throw new AccessDeniedException("no right");
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if (matchPermitAllUrl(request)) {
+            return;
+        }
+        if ("anonymousUser".equals(authentication.getPrincipal())) {
+            throw new AccessDeniedException("no right");
+        } else {
+            //验证token有效性
+            String tokenStr = HttpUtils.getHeaders(request).get("Authorization");
+            if (StringUtil.isNotEmpty(tokenStr)) {
+                Token token = new Token();
+                tokenStr = tokenStr.replaceFirst("Bearer ", "");
+                token.setToken(tokenStr);
+                RespDTO<Boolean> res = userServiceClient.verifyToken(token);
+                if (res == null || !CommonErrorCode.OK.getCode().equals(res.code)) {
+                    throw new AccountExpiredException("token expire");
+                }
+                if (!res.data) {
+                    throw new AccountExpiredException("token expire");
+                }
+            }
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
     }