feat: 添加 jwt 和 redis 两种 token 校验模式

Author: cadecode

simple-application/src/main/resources/application.yml

@@ -37,7 +37,6 @@ sra:
   config:
     dynamic-ds-on: true
     swagger-on: true
-    security-on: true
   # 动态数据源配置
   dynamic-ds:
     master: db1
@@ -67,7 +66,7 @@ sra:
       test: top.cadecode.sra.test
   # security 配置
   security:
-    auth-model: redis
+    auth-model: jwt
     token:
       header: token
       expiration: 86400

simple-common/src/main/java/top/cadecode/sra/common/consts/RedisKeyPrefix.java

@@ -0,0 +1,15 @@
+package top.cadecode.sra.common.consts;
+
+/**
+ * @author Cade Li
+ * @date 2022/5/29
+ * @description Redis key 命名前缀
+ */
+public class RedisKeyPrefix {
+
+    /**
+     * 登录用户信息
+     */
+    public static final String LOGIN_USER = "sra:login:user";
+
+}

simple-common/src/main/java/top/cadecode/sra/common/datasource/RedisKeyGenerator.java

@@ -0,0 +1,25 @@
+package top.cadecode.sra.common.datasource;
+
+/**
+ * @author Cade Li
+ * @date 2022/5/29
+ * @description Redis key 命名生成器
+ */
+public class RedisKeyGenerator {
+
+    /**
+     * 生成 ： 分割的 redis key
+     *
+     * @param prefix 前缀
+     * @param extra  其他字符串
+     * @return redis key
+     */
+    public static String key(String prefix, String... extra) {
+        StringBuilder prefixBuilder = new StringBuilder(prefix);
+        for (String str : extra) {
+            prefixBuilder.append(":").append(str);
+        }
+        return prefixBuilder.toString();
+    }
+
+}

simple-framework/src/main/java/top/cadecode/sra/framework/config/core/SRAMainConfig.java

@@ -32,10 +32,4 @@ public class SRAMainConfig {
      * 是否开启 swagger 文档
      */
     private boolean swaggerOn;
-
-    /**
-     * 是否开启 spring security
-     */
-    private boolean securityOn;
-
 }

simple-framework/src/main/java/top/cadecode/sra/framework/config/core/SecurityConfig.java

@@ -11,24 +11,30 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.access.vote.UnanimousBased;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity.IgnoredRequestConfigurer;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.expression.WebExpressionVoter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import top.cadecode.sra.common.enums.AuthModelEnum;
+import top.cadecode.sra.framework.security.LoginSuccessHandler;
 import top.cadecode.sra.framework.security.TokenAuthFilter;
-import top.cadecode.sra.framework.security.handler.*;
+import top.cadecode.sra.framework.security.handler.LoginFailureHandler;
+import top.cadecode.sra.framework.security.handler.NoAuthenticationHandler;
+import top.cadecode.sra.framework.security.handler.NoAuthorityHandler;
+import top.cadecode.sra.framework.security.handler.SignOutSuccessHandler;
+import top.cadecode.sra.framework.security.voter.DataBaseRoleVoter;
 
 import java.util.Arrays;
 import java.util.List;
-import java.util.Objects;
-import java.util.stream.Collectors;
 
 /**
  * @author Cade Li
@@ -39,9 +45,9 @@
 @Data
 @RequiredArgsConstructor
 @EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
 @Configuration
 @ConfigurationProperties("sra.security")
-@ConditionalOnProperty(name = "sra.config.security-on", havingValue = "true")
 public class SecurityConfig {
 
     /**
@@ -76,14 +82,38 @@ public class SecurityConfig {
     /**
      * 注入 Token 过滤器
      */
-    private final List<TokenAuthFilter> tokenAuthFilters;
+    private final TokenAuthFilter tokenAuthFilter;
 
     /**
-     * security 配置
+     * 注入投票器
+     */
+    private final DataBaseRoleVoter dataBaseRoleVoter;
+
+    /**
+     * 注入 UserDetailsService
+     */
+    private final UserDetailsService userDetailsService;
+
+    /**
+     * 密码加密器
+     */
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    /**
+     * Security 配置
      */
     @Bean
-    public WebSecurityConfigurerAdapter webSecurityConfigurer() {
+    public WebSecurityConfigurerAdapter webSecurityConfigurer(PasswordEncoder passwordEncoder) {
         return new WebSecurityConfigurerAdapter() {
+
+            @Override
+            protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+                auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
+            }
+
             @Override
             protected void configure(HttpSecurity http) throws Exception {
                 // 关闭 csrf
@@ -95,11 +125,6 @@ protected void configure(HttpSecurity http) throws Exception {
                         // 尝试请求直接通过
                         .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                         .anyRequest().authenticated();
-                // 配置登录处理器
-                http.formLogin().permitAll()
-                        .loginProcessingUrl(LOGIN_URL)
-                        .successHandler(loginSuccessHandler)
-                        .failureHandler(loginFailureHandler);
                 // 配置注销处理器
                 http.logout().permitAll()
                         .logoutUrl(LOGOUT_URL)
@@ -109,24 +134,18 @@ protected void configure(HttpSecurity http) throws Exception {
                         // 配置未登录处理器
                         .authenticationEntryPoint(noAuthenticationHandler)
                         // 配置无权限处理器
-                        .accessDeniedHandler(noAuthorityHandler)
-                        .and()
-                        // 自定义的 accessDecisionManager
-                        .authorizeRequests()
+                        .accessDeniedHandler(noAuthorityHandler);
+                // 自定义的 accessDecisionManager
+                http.authorizeRequests()
                         .accessDecisionManager(new UnanimousBased(Arrays.asList(new WebExpressionVoter())));
-                // 根据认证模式配置过滤器
-                if (Objects.isNull(authModel)) {
-                    authModel = AuthModelEnum.JWT;
-                    log.info("没有配置认证模式，默认为 {}", authModel);
-                }
+                // 配置登录处理器
+                http.formLogin().permitAll()
+                        .loginProcessingUrl(LOGIN_URL)
+                        .successHandler(loginSuccessHandler)
+                        .failureHandler(loginFailureHandler);
                 // 配置 Token 校验过滤器
-                List<TokenAuthFilter> filters = tokenAuthFilters.stream()
-                        .filter(o -> o.getAuthModel() == authModel)
-                        .collect(Collectors.toList());
-                if (!filters.isEmpty()) {
-                    http.addFilterBefore(filters.get(0), UsernamePasswordAuthenticationFilter.class);
-                    log.info("完成 Security 配置，认证模式 {}", authModel);
-                }
+                http.addFilterBefore(tokenAuthFilter, UsernamePasswordAuthenticationFilter.class);
+                log.info("完成 Security 配置，认证模式 {}", authModel);
             }
 
             @Override
@@ -143,13 +162,4 @@ public void configure(WebSecurity web) {
             }
         };
     }
-
-    /**
-     * 密码加密器
-     */
-    @Bean
-    public PasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
-    }
-
 }

simple-framework/src/main/java/top/cadecode/sra/framework/security/LoginSuccessHandler.java

@@ -0,0 +1,17 @@
+package top.cadecode.sra.framework.security;
+
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import top.cadecode.sra.common.enums.AuthModelEnum;
+
+/**
+ * @author Cade Li
+ * @date 2022/5/28
+ * @description 登录成功处理器抽象
+ */
+public abstract class LoginSuccessHandler implements AuthenticationSuccessHandler {
+
+    /**
+     * 返回当前模式，用于策略模式
+     */
+    public abstract AuthModelEnum getAuthModel();
+}

simple-framework/src/main/java/top/cadecode/sra/framework/security/TokenAuthFilter.java

@@ -1,7 +1,21 @@
 package top.cadecode.sra.framework.security;
 
+import cn.hutool.core.util.CharsetUtil;
+import cn.hutool.extra.servlet.ServletUtil;
+import cn.hutool.http.ContentType;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.web.filter.OncePerRequestFilter;
 import top.cadecode.sra.common.enums.AuthModelEnum;
+import top.cadecode.sra.common.exception.ApiErrorCode;
+import top.cadecode.sra.common.response.ApiResult;
+import top.cadecode.sra.common.response.ApiStatus;
+import top.cadecode.sra.framework.util.JacksonUtil;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * @author Cade Li
@@ -14,4 +28,31 @@ public abstract class TokenAuthFilter extends OncePerRequestFilter {
      * 返回当前模式，用于策略模式
      */
     public abstract AuthModelEnum getAuthModel();
+
+    /**
+     * 设置认证信息
+     *
+     * @param request     请求对象
+     * @param userDetails 用户信息
+     */
+    protected void setAuthentication(HttpServletRequest request, UserDetails userDetails) {
+        // 构造 UsernamePasswordAuthenticationToken
+        UsernamePasswordAuthenticationToken authentication =
+                new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
+        // 设置认证信息，用于后面的过滤器使用
+        authentication.setDetails(new WebAuthenticationDetails(request));
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+    }
+
+    /**
+     * 将错误信息写入响应
+     *
+     * @param response   响应对象
+     * @param errorCode  错误信息枚举类
+     * @param requestURI 请求路径
+     */
+    protected void writeResponse(HttpServletResponse response, ApiErrorCode errorCode, String requestURI) {
+        ApiResult<Object> result = ApiResult.error(errorCode).status(ApiStatus.NO_AUTHENTICATION).path(requestURI);
+        ServletUtil.write(response, JacksonUtil.toJson(result), ContentType.JSON.toString(CharsetUtil.CHARSET_UTF_8));
+    }
 }

simple-framework/src/main/java/top/cadecode/sra/framework/security/filter/JwtTokenAuthFilter.java

@@ -1,10 +1,15 @@
 package top.cadecode.sra.framework.security.filter;
 
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.json.JSONObject;
 import lombok.RequiredArgsConstructor;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.stereotype.Component;
 import top.cadecode.sra.common.enums.AuthModelEnum;
-import top.cadecode.sra.framework.security.JwtTokenHolder;
+import top.cadecode.sra.common.enums.error.AuthErrorEnum;
 import top.cadecode.sra.framework.security.TokenAuthFilter;
+import top.cadecode.sra.framework.security.TokenAuthHolder;
+import top.cadecode.sra.system.bean.dto.SysUserDto;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -19,9 +24,10 @@
  */
 @RequiredArgsConstructor
 @Component
+@ConditionalOnProperty(name = "sra.security.auth-model", havingValue = "jwt")
 public class JwtTokenAuthFilter extends TokenAuthFilter {
 
-    private final JwtTokenHolder jwtTokenHolder;
+    private final TokenAuthHolder tokenAuthHolder;
 
     @Override
     public AuthModelEnum getAuthModel() {
@@ -30,6 +36,40 @@ public AuthModelEnum getAuthModel() {
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
-
+        String requestURI = request.getRequestURI();
+        String jwtToken = request.getHeader(tokenAuthHolder.getHeader());
+        // token 不存在
+        if (StrUtil.isEmpty(jwtToken)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+        // token 不合法
+        if (!tokenAuthHolder.verifyToken(jwtToken)) {
+            writeResponse(response, AuthErrorEnum.TOKEN_ERROR, requestURI);
+            return;
+        }
+        // token 已过期
+        if (tokenAuthHolder.isExpired(jwtToken)) {
+            writeResponse(response, AuthErrorEnum.TOKEN_EXPIRED, requestURI);
+            return;
+        }
+        // 获取 jwt 内容
+        JSONObject payload = tokenAuthHolder.getPayload(jwtToken);
+        SysUserDto sysUserDto = payload.toBean(SysUserDto.class);
+        // 设置 AuthenticationToken
+        setAuthentication(request, sysUserDto);
+        // 判断是否需要刷新 token
+        // 获取过期时间，单位秒
+        int expiresAt = (int) payload.get("exp");
+        // 过期时间的一半，秒转为毫秒
+        long halfExpiration = tokenAuthHolder.getExpiration() / 2;
+        // 如果当时时间距离过期时间不到配置的 expiration 一半，就下发新的 token
+        if (expiresAt - System.currentTimeMillis() / 1000 < halfExpiration) {
+            // 生成 jwt token
+            String newJwtToken = tokenAuthHolder.generateToken(sysUserDto.getId(), sysUserDto.getUsername(), sysUserDto.getRoles());
+            // token 放在请求头
+            response.addHeader(tokenAuthHolder.getHeader(), newJwtToken);
+        }
+        filterChain.doFilter(request, response);
     }
 }