[web-app,monitor] 提供后台接口保护，打通前端认证登陆

2021-12-03 09:15:53 +08:00
parent 73d7c0cd5b
commit b632114ebd
10 changed files with 211 additions and 27 deletions
--- a/manager/pom.xml
+++ b/manager/pom.xml
@@ -14,6 +14,7 @@
    <properties>
        <mysql.version>8.0.16</mysql.version>
        <snake.yaml.version>1.26</snake.yaml.version>
+        <sureness-core.version>1.0.5</sureness-core.version>
    </properties>

    <dependencies>
@@ -92,6 +93,12 @@
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-validation</artifactId>
        </dependency>
+        <!--sureness-->
+        <dependency>
+            <groupId>com.usthe.sureness</groupId>
+            <artifactId>spring-boot-starter-sureness</artifactId>
+            <version>1.0.0-beta.2</version>
+        </dependency>
    </dependencies>

    <build>
--- a/manager/src/main/java/com/usthe/manager/controller/AccountController.java
+++ b/manager/src/main/java/com/usthe/manager/controller/AccountController.java
@@ -0,0 +1,118 @@
+package com.usthe.manager.controller;
+
+import com.usthe.common.entity.dto.Message;
+import com.usthe.sureness.provider.SurenessAccount;
+import com.usthe.sureness.provider.SurenessAccountProvider;
+import com.usthe.sureness.provider.ducument.DocumentAccountProvider;
+import com.usthe.sureness.subject.SubjectSum;
+import com.usthe.sureness.util.JsonWebTokenUtil;
+import com.usthe.sureness.util.Md5Util;
+import com.usthe.sureness.util.SurenessContextHolder;
+import io.swagger.annotations.Api;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+import static com.usthe.common.util.CommonConstants.MONITOR_LOGIN_FAILED;
+import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+
+/**
+ * 认证注册TOKEN管理API
+ * @author tomsun28
+ * @date 13:11 2019-05-26
+ */
+@Api(tags = "认证注册TOKEN管理API")
+@RestController()
+@RequestMapping(value = "/account/auth", produces = {APPLICATION_JSON_VALUE})
+public class AccountController {
+
+    /**
+     * account data provider
+     */
+    private SurenessAccountProvider accountProvider = new DocumentAccountProvider();
+
+    /**
+     * 账户密码登陆获取token
+     * @param requestBody request
+     * @return token与refresh token
+     *
+     */
+    @PostMapping("/form")
+    public ResponseEntity<Message> authGetToken(@RequestBody Map<String,String> requestBody) {
+
+        String identifier = requestBody.get("identifier");
+        String password = requestBody.get("password");
+        SurenessAccount account = accountProvider.loadAccount(identifier);
+        if (account == null || account.getPassword() == null) {
+            Message<Void> message = Message.<Void>builder().msg("账户密码错误")
+                    .code(MONITOR_LOGIN_FAILED).build();
+            return ResponseEntity.ok(message);
+        } else {
+            if (account.getSalt() != null) {
+                password = Md5Util.md5(password + account.getSalt());
+            }
+            if (!account.getPassword().equals(password)) {
+                Message<Void> message = Message.<Void>builder().msg("账户密码错误")
+                        .code(MONITOR_LOGIN_FAILED).build();
+                return ResponseEntity.ok(message);
+            }
+            if (account.isDisabledAccount() || account.isExcessiveAttempts()) {
+                Message<Void> message = Message.<Void>builder().msg("账户过期或被锁定")
+                        .code(MONITOR_LOGIN_FAILED).build();
+                return ResponseEntity.ok(message);
+            }
+        }
+        // Get the roles the user has - rbac
+        List<String> roles = account.getOwnRoles();
+        long periodTime = 3600L;
+        // issue jwt
+        String jwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+                "token-server", periodTime, roles);
+        // issue refresh jwt
+        String refreshJwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+                "token-server-refresh", periodTime, roles);
+        Map<String, String> resp = new HashMap<>(2);
+        resp.put("token", jwt);
+        resp.put("refreshToken", refreshJwt);
+        return ResponseEntity.ok().body(new Message(resp));
+    }
+
+    /**
+     * 账户密码登陆获取token
+     * @param requestBody request
+     * @return token与refresh token
+     *
+     */
+    @PostMapping("/refresh")
+    public ResponseEntity<Message> refreshToken(@RequestBody Map<String,String> requestBody) {
+
+        SubjectSum subjectSum = SurenessContextHolder.getBindSubject();
+        if (subjectSum == null) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
+        String identifier = String.valueOf(subjectSum.getPrincipal());
+
+        // Get the roles the user has - rbac
+        List<String> roles = (List<String>) subjectSum.getRoles();
+        long periodTime = 3600L;
+        // issue jwt
+        String jwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+                "token-server", periodTime, roles);
+        // issue refresh jwt
+        String refreshJwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+                "token-server-refresh", periodTime, roles);
+        Map<String, String> resp = new HashMap<>(2);
+        resp.put("token", jwt);
+        resp.put("refreshToken", refreshJwt);
+        return ResponseEntity.ok().body(new Message<>(resp));
+    }
+
+}
--- a/manager/src/main/resources/sureness.yml
+++ b/manager/src/main/resources/sureness.yml
@@ -0,0 +1,44 @@
+## -- sureness.yml document dataSource-- ##
+
+# load api resource which need be protected, config role who can access these resource.
+# resources that are not configured are also authenticated and protected by default, but not authorized
+# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be access by role2,role3,role4
+# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be access by any role
+resourceRole:
+  - /account/auth/refresh===post===[role1,role2,role3,role4]
+
+# load api resource which do not need be protected, means them need be excluded.
+# these api resource can be access by everyone
+excludedResource:
+  - /account/auth/form===post
+  - /**/*.html===get
+  - /**/*.js===get
+  - /**/*.css===get
+  - /**/*.ico===get
+  - /**/*.ttf===get
+  - /**/*.png===get
+  - /**/*.gif===get
+  - /swagger-resources/**===get
+  - /v2/api-docs===get
+  - /v3/api-docs===get
+  - /**/*.png===*
+
+# account info
+# there are three account: admin, root, tom
+# eg: admin has [role1,role2] ROLE, unencrypted password is admin, encrypted password is 0192023A7BBD73250516F069DF18B500
+# eg: root has role1, unencrypted password is 23456
+# eg: tom has role3, unencrypted password is 32113
+account:
+  - appId: admin
+    credential: admin
+    role: [role1,role2]
+  - appId: tom
+    credential: tom@123
+    role: [role1,role2,role3]
+  - appId: lili
+    # 注意 Digest认证不支持加盐加密的密码账户
+    # 加盐加密的密码，通过 MD5(password+salt)计算
+    # 此账户的原始密码为 lili
+    credential: 1A676730B0C7F54654B0E09184448289
+    salt: 123
+    role: [role1,role2]