记一次OAuth碰到的问题
// @Order with no value means lowest precedence, so this provider runs after any explicitly ordered ones.
@Order
@Component
public class PcPermissionAuthorizeConfigProvider implements AuthorizeConfigProvider {

    /** SpEL expression that delegates every request to the bean registered as "permissionService". */
    private static final String PERMISSION_CHECK_EXPRESSION =
            "@permissionService.hasPermission(authentication,request)";

    /**
     * Registers a catch-all {@code anyRequest()} rule whose decision is made by
     * {@code permissionService.hasPermission(authentication, request)}.
     *
     * @param config the URL registry to configure
     * @return {@code true}, telling the manager that this provider has already registered an
     *         {@code anyRequest()} rule and that no default catch-all must be appended after it
     */
    @Override
    public boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        config.anyRequest().access(PERMISSION_CHECK_EXPRESSION);
        return true;
    }
}
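@Slf4j
@Component("permissionService")
public class MucPermissionServiceImpl implements MucPermissionService {

    /** Login names containing this prefix are treated as OAuth2 (Feign) clients rather than users. */
    private static final String OAUTH2_CLIENT_PREFIX = "rockysaas-client-";

    /** Path substrings that the DEMO shortcut below treats as "read-only" requests. */
    private static final String[] READ_ONLY_URI_MARKERS = {"query", "get", "check", "select"};

    private final AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Resource
    private ClientDetailsService clientDetailsService;

    /**
     * Decides whether the current principal may access {@code request}. Called from the
     * {@code anyRequest().access("@permissionService.hasPermission(authentication,request)")}
     * rule registered by {@code PcPermissionAuthorizeConfigProvider}.
     * <p>
     * Decision order:
     * <ol>
     *   <li>the super manager login may access everything;</li>
     *   <li>a login name containing {@code rockysaas-client-} is an OAuth2 client and is allowed
     *       as long as {@code clientDetailsService} returns a non-null {@code ClientDetails};</li>
     *   <li>otherwise the principal needs at least one authority URL, and the request is allowed
     *       if it is a DEMO read-only request or one authority Ant pattern matches the URI.</li>
     * </ol>
     *
     * @param authentication the current authentication; not read directly, the login name and
     *                       authority URLs are obtained through {@code SecurityUtils}
     * @param request        the incoming request
     * @return {@code true} if access is granted
     */
    @Override
    public boolean hasPermission(Authentication authentication, HttpServletRequest request) {
        String currentLoginName = SecurityUtils.getCurrentLoginName();
        Set<String> currentAuthorityUrl = SecurityUtils.getCurrentAuthorityUrl();
        String requestURI = request.getRequestURI();
        // Guard the join: a null authority set previously failed here with an NPE instead of being logged.
        log.info("验证权限loginName={}, requestURI={}, hasAuthorityUrl={}", currentLoginName, requestURI,
                currentAuthorityUrl == null ? null : Joiner.on(GlobalConstant.Symbol.COMMA).join(currentAuthorityUrl));

        // 超级管理员 全部都可以访问
        if (StringUtils.equals(currentLoginName, GlobalConstant.Sys.SUPER_MANAGER_LOGIN_NAME)) {
            return true;
        }

        // DEMO项目Feign客户端具有所有权限, 如果需要则在角色权限中控制
        // StringUtils.contains is null-safe; the former currentLoginName.contains(...) threw an NPE
        // when no login name was available.
        if (StringUtils.contains(currentLoginName, OAUTH2_CLIENT_PREFIX)) {
            // NOTE(review): ClientDetailsService.loadClientByClientId is declared to throw
            // ClientRegistrationException for an unknown client rather than return null, so the
            // null check alone may not cover that case - confirm against the version in use.
            ClientDetails clientDetails = clientDetailsService.loadClientByClientId(currentLoginName);
            return clientDetails != null;
        }

        // No authority URLs at all: nothing can match, and (as before) the DEMO shortcut does not
        // apply either, because it used to sit inside the loop over the authorities.
        if (currentAuthorityUrl == null || currentAuthorityUrl.isEmpty()) {
            return false;
        }

        // DEMO项目放过查询权限 — evaluated once instead of on every loop iteration.
        if (isDemoReadOnlyRequest(requestURI)) {
            return true;
        }

        for (final String authority : currentAuthorityUrl) {
            if (antPathMatcher.match(authority, requestURI)) {
                return true;
            }
        }
        return false;
    }

    /**
     * DEMO shortcut: a URI containing any of {@link #READ_ONLY_URI_MARKERS} is treated as read-only
     * and skips the authority check entirely.
     * <p>
     * SECURITY: this is a plain substring test on the whole path, not a match on a path segment or
     * an HTTP method, so any path that happens to contain "get" (for example) also qualifies. It
     * should be removed, or replaced by an explicit allow-list, outside the demo.
     *
     * @param requestURI the request URI as returned by {@code HttpServletRequest#getRequestURI()}
     * @return {@code true} if one of the markers occurs anywhere in the URI
     */
    private static boolean isDemoReadOnlyRequest(String requestURI) {
        for (String marker : READ_ONLY_URI_MARKERS) {
            if (requestURI.contains(marker)) {
                return true;
            }
        }
        return false;
    }
}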
@Component
public class PcAuthorizeConfigManager implements AuthorizeConfigManager {

    private final List<AuthorizeConfigProvider> authorizeConfigProviders;

    /**
     * Instantiates a new Pc authorize config manager.
     *
     * @param authorizeConfigProviders the authorize config providers
     */
    @Autowired
    public PcAuthorizeConfigManager(List<AuthorizeConfigProvider> authorizeConfigProviders) {
        this.authorizeConfigProviders = authorizeConfigProviders;
    }

    /**
     * Config.
     * <p>
     * This is the broken version discussed in the post: the boolean each provider returns from
     * {@code config(...)} (which {@code PcPermissionAuthorizeConfigProvider} uses to report that it
     * has already registered an {@code anyRequest()} rule) is discarded, and an unconditional
     * {@code anyRequest().authenticated()} rule is appended afterwards. The post observed that with
     * this version {@code permissionService.hasPermission} was no longer reached.
     *
     * @param config the config
     */
    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        for (AuthorizeConfigProvider authorizeConfigProvider : authorizeConfigProviders) {
            // Return value ignored: the manager never learns that a provider registered its own anyRequest() rule.
            authorizeConfigProvider.config(config);
        }
        // Registered unconditionally, even when a provider has already supplied an anyRequest() rule.
        config.anyRequest().authenticated();
    }
}
请求过来时 permissionService.hasPermission 进不去了，原来是 PcAuthorizeConfigManager 被改坏了：上面标红的 `config.anyRequest().authenticated()` 被无条件执行，表示所有 URL 都可以被已认证用户访问；代码复原后 OK。
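@Component
public class PcAuthorizeConfigManager implements AuthorizeConfigManager {

    private final List<AuthorizeConfigProvider> authorizeConfigProviders;

    /**
     * Instantiates a new Pc authorize config manager.
     *
     * @param authorizeConfigProviders the providers that each contribute URL authorization rules;
     *                                 a provider returns {@code true} from {@code config} when it
     *                                 has registered an {@code anyRequest()} rule itself
     */
    @Autowired
    public PcAuthorizeConfigManager(List<AuthorizeConfigProvider> authorizeConfigProviders) {
        this.authorizeConfigProviders = authorizeConfigProviders;
    }

    /**
     * Applies every provider to {@code config}, then appends the default
     * {@code anyRequest().authenticated()} rule only when no provider registered an
     * {@code anyRequest()} rule of its own. A provider-supplied catch-all (such as the one that
     * delegates to {@code permissionService}) must remain the only one; appending the default
     * rule on top of it is the breakage described above.
     *
     * @param config the registry to configure
     * @throws IllegalStateException if more than one provider reports an {@code anyRequest()}
     *                               rule; the message names both providers. This is a subclass of
     *                               the {@code RuntimeException} thrown previously, so existing
     *                               catch blocks still apply.
     */
    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {
        // Simple name of the provider that registered anyRequest(), or null while none has.
        String anyRequestProviderName = null;
        for (AuthorizeConfigProvider provider : authorizeConfigProviders) {
            if (!provider.config(config)) {
                continue;
            }
            String providerName = provider.getClass().getSimpleName();
            if (anyRequestProviderName != null) {
                throw new IllegalStateException("重复的anyRequest配置:" + anyRequestProviderName + "," + providerName);
            }
            anyRequestProviderName = providerName;
        }
        if (anyRequestProviderName == null) {
            config.anyRequest().authenticated();
        }
    }
}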