panxuejie
/
tacit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master'

This commit is contained in:
小李 2026-01-07 17:15:09 +08:00
parent cb08d4a73b f044c4e296
commit 5d8f4ae4fd
8 changed files with 230 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
common/common-core/src/main/java/com/tacit/common/utils/AesUtils.java
View File

@ -6,14 +6,19 @@ import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.Base64; import java.util.Base64;
import java.util.Objects;
/**
* AES加密工具类使用AES-GCM算法进行可逆加密
*/
public class AesUtils { public class AesUtils {
private static final String ALGORITHM = "AES/GCM/NoPadding"; private static final String ALGORITHM = "AES/GCM/NoPadding";
private static final int GCM_IV_LENGTH = 12; private static final int GCM_IV_LENGTH = 12;
private static final int GCM_TAG_LENGTH = 128; private static final int GCM_TAG_LENGTH = 128;
private static final String SECRET_KEY = "1234567890123456"; // 密钥优先从环境变量获取其次使用默认密钥
private static final String SECRET_KEY = Objects.requireNonNullElse(System.getenv("AES_SECRET_KEY"), "1234567890123456");
public static String encrypt(String plainText) { public static String encrypt(String plainText) {
try { try {

5
common/common-core/src/main/java/com/tacit/common/utils/JwtUtils.java
View File

@ -9,11 +9,14 @@ import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.Date; import java.util.Date;
import java.util.Map; import java.util.Map;
import java.util.Objects;
@Slf4j @Slf4j
public class JwtUtils { public class JwtUtils {
private static final SecretKey SECRET_KEY = Keys.hmacShaKeyFor(CommonConstant.JWT_SECRET.getBytes(StandardCharsets.UTF_8)); // JWT密钥优先从环境变量获取其次使用配置常量
private static final String JWT_SECRET = Objects.requireNonNullElse(System.getenv("JWT_SECRET_KEY"), CommonConstant.JWT_SECRET);
private static final SecretKey SECRET_KEY = Keys.hmacShaKeyFor(JWT_SECRET.getBytes(StandardCharsets.UTF_8));
// private static final SecretKey SECRET_KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256); // private static final SecretKey SECRET_KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
/** /**

14
common/common-feign/pom.xml
View File

@ -34,6 +34,20 @@
<artifactId>spring-cloud-starter-openfeign</artifactId> <artifactId>spring-cloud-starter-openfeign</artifactId>
</dependency> </dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<optional>true</optional>
</dependency>
<!-- Servlet API -->
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
<scope>provided</scope>
</dependency>
<!-- Testing --> <!-- Testing -->
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.junit.jupiter</groupId>

2
common/common-feign/src/main/java/com/tacit/common/feign/AppApiFeignClient.java
View File

@ -5,7 +5,7 @@ import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.PathVariable;
@FeignClient(name = "tacit-app-api", contextId = "appApiFeignClient") @FeignClient(name = "tacit-app-api", contextId = "appApiFeignClient", configuration = com.tacit.common.feign.config.FeignClientConfig.class)
public interface AppApiFeignClient { public interface AppApiFeignClient {
@GetMapping("/user/info/{userId}") @GetMapping("/user/info/{userId}")

65
common/common-feign/src/main/java/com/tacit/common/feign/FeignAuthInterceptor.java Normal file
View File

@ -0,0 +1,65 @@
package com.tacit.common.feign;
import com.tacit.common.constant.CommonConstant;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import feign.RequestInterceptor;
import feign.RequestTemplate;
import jakarta.servlet.http.HttpServletRequest;
/**
* Feign拦截器用于在服务间调用时传递用户上下文
*/
@Slf4j
public class FeignAuthInterceptor implements RequestInterceptor {
@Override
public void apply(RequestTemplate template) {
// 从当前线程获取认证信息
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null && !(authentication instanceof org.springframework.security.authentication.AnonymousAuthenticationToken)) {
// 获取用户名
String username = authentication.getName();
template.header("X-Username", username);
// 获取角色信息
authentication.getAuthorities().forEach(authority -> {
template.header("X-Role", authority.getAuthority().replace("ROLE_", ""));
});
} else {
// 从RequestContextHolder中获取请求信息适用于非Feign调用场景
RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
if (requestAttributes instanceof ServletRequestAttributes) {
ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) requestAttributes;
HttpServletRequest request = servletRequestAttributes.getRequest();
// 传递JWT令牌
String authorization = request.getHeader(CommonConstant.JWT_HEADER);
if (authorization != null && authorization.startsWith(CommonConstant.JWT_PREFIX)) {
template.header(CommonConstant.JWT_HEADER, authorization);
}
// 传递用户上下文
String userId = request.getHeader("X-User-Id");
String username = request.getHeader("X-Username");
String role = request.getHeader("X-Role");
if (userId != null) {
template.header("X-User-Id", userId);
}
if (username != null) {
template.header("X-Username", username);
}
if (role != null) {
template.header("X-Role", role);
}
}
}
}
}

21
common/common-feign/src/main/java/com/tacit/common/feign/config/FeignClientConfig.java Normal file
View File

@ -0,0 +1,21 @@
package com.tacit.common.feign.config;
import com.tacit.common.feign.FeignAuthInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
* Feign客户端配置类用于配置全局Feign拦截器
*/
@Configuration
public class FeignClientConfig {
/**
* 注册Feign认证拦截器用于在服务间调用时传递用户上下文
* @return FeignAuthInterceptor
*/
@Bean
public FeignAuthInterceptor feignAuthInterceptor() {
return new FeignAuthInterceptor();
}
}

45
tacit-admin/src/main/java/com/tacit/admin/config/SecurityConfig.java
View File

@ -1,8 +1,12 @@
package com.tacit.admin.config; package com.tacit.admin.config;
import com.tacit.common.constant.CommonConstant;
import com.tacit.common.utils.AesPasswordEncoder; import com.tacit.common.utils.AesPasswordEncoder;
import com.tacit.common.utils.JwtUtils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@ -25,6 +29,7 @@ import java.util.Collections;
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true) @EnableMethodSecurity(prePostEnabled = true)
@Slf4j
public class SecurityConfig { public class SecurityConfig {
@Bean @Bean
@ -34,7 +39,8 @@ public class SecurityConfig {
.cors(AbstractHttpConfigurer::disable) .cors(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth .authorizeHttpRequests(auth -> auth
.requestMatchers("/auth/**", "/test/**", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll() .requestMatchers("/auth/**", "/test/hello", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll()
.requestMatchers("/test/feign/**").authenticated()
.anyRequest().authenticated() .anyRequest().authenticated()
) )
.addFilterBefore(authenticationFilter(), org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.class); .addFilterBefore(authenticationFilter(), org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.class);
@ -47,14 +53,37 @@ public class SecurityConfig {
return new OncePerRequestFilter() { return new OncePerRequestFilter() {
@Override @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String userId = request.getHeader("X-User-Id"); // 先检查是否有JWT令牌直接服务间调用时可能传递JWT
String username = request.getHeader("X-Username"); String authorization = request.getHeader(CommonConstant.JWT_HEADER);
String role = request.getHeader("X-Role"); if (authorization != null && authorization.startsWith(CommonConstant.JWT_PREFIX)) {
String token = authorization.substring(CommonConstant.JWT_PREFIX.length());
try {
// 验证JWT令牌
if (JwtUtils.validateToken(token)) {
// 从令牌中获取用户信息
String username = JwtUtils.getUsernameFromToken(token);
String role = JwtUtils.getRoleFromToken(token);
if (userId != null && username != null && role != null) { // 创建认证对象
User principal = new User(username, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))); User principal = new User(username, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
var authentication = new org.springframework.security.authentication.UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities()); var authentication = new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication); SecurityContextHolder.getContext().setAuthentication(authentication);
}
} catch (Exception e) {
log.error("JWT令牌验证失败: {}", e.getMessage());
}
} else {
// 检查是否有用户上下文头网关转发时添加
String userId = request.getHeader("X-User-Id");
String username = request.getHeader("X-Username");
String role = request.getHeader("X-Role");
if (userId != null && username != null && role != null) {
// 创建认证对象
User principal = new User(username, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
var authentication = new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
}
} }
filterChain.doFilter(request, response); filterChain.doFilter(request, response);

82
tacit-app-api/src/main/java/com/tacit/app/config/AppSecurityConfig.java
View File

@ -1,13 +1,95 @@
package com.tacit.app.config; package com.tacit.app.config;
import com.tacit.common.constant.CommonConstant;
import com.tacit.common.utils.AesPasswordEncoder; import com.tacit.common.utils.AesPasswordEncoder;
import com.tacit.common.utils.JwtUtils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
@Configuration @Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
@Slf4j
public class AppSecurityConfig { public class AppSecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.cors(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth
.requestMatchers("/auth/**", "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html", "/user/info/**").permitAll()
.anyRequest().authenticated()
)
.addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
@Bean
public OncePerRequestFilter authenticationFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
// 先检查是否有JWT令牌直接服务间调用时可能传递JWT
String authorization = request.getHeader(CommonConstant.JWT_HEADER);
if (authorization != null && authorization.startsWith(CommonConstant.JWT_PREFIX)) {
String token = authorization.substring(CommonConstant.JWT_PREFIX.length());
try {
// 验证JWT令牌
if (JwtUtils.validateToken(token)) {
// 从令牌中获取用户信息
Long userId = JwtUtils.getUserIdFromToken(token);
String username = JwtUtils.getUsernameFromToken(token);
String role = JwtUtils.getRoleFromToken(token);
// 创建认证对象
User principal = new User(username, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
var authentication = new org.springframework.security.authentication.UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
}
} catch (Exception e) {
log.error("JWT令牌验证失败: {}", e.getMessage());
}
} else {
// 检查是否有用户上下文头网关转发或服务间调用时添加
String userId = request.getHeader("X-User-Id");
String username = request.getHeader("X-Username");
String role = request.getHeader("X-Role");
if (userId != null && username != null && role != null) {
User principal = new User(username, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase())));
var authentication = new org.springframework.security.authentication.UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
filterChain.doFilter(request, response);
}
};
}
@Bean @Bean
public PasswordEncoder passwordEncoder() { public PasswordEncoder passwordEncoder() {
return new AesPasswordEncoder(); return new AesPasswordEncoder();