微服务之间调用加上token

spring5-admin/pom.xml

@@ -106,11 +106,11 @@
 			<scope>test</scope>
 		</dependency>
 		
-<!-- 		<dependency> -->
-<!--             <groupId>com.yaozhitech</groupId> -->
-<!--             <artifactId>spring5-auth-client</artifactId> -->
-<!--             <version>0.1.0</version> -->
-<!--         </dependency> -->
+		<dependency>
+            <groupId>com.yaozhitech</groupId>
+            <artifactId>spring5-auth-client</artifactId>
+            <version>0.1.0</version>
+        </dependency>
 
 	</dependencies>
 </project>

spring5-admin/src/main/java/com/yaozhitech/spring5/config/RoleResourceConfiguration.java

@@ -1,23 +1,25 @@
 package com.yaozhitech.spring5.config;
 
+import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
+import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
 import org.springframework.context.annotation.Configuration;
 
 @Configuration
-public class RoleResourceConfiguration /*extends ShiroConfiguration*/{
+public class RoleResourceConfiguration extends ShiroConfiguration {
 	
-	/*@Override
+	@Override
 	public ShiroFilterChainDefinition shiroFilterChainDefinition() {
 		
 		
 		DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
 //    chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
 //    chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
-//    chainDefinition.addPathDefinition("/image/**", "anon"); ,anyRole[admin,manager]
+        chainDefinition.addPathDefinition("/**", "anon");
 //		chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 只允许admin或manager角色的用户访问
 //		chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authc");
 //		chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authc[permissive]");
 //		chainDefinition.addPathDefinition("/**", "noSessionCreation,authc"); // 默认进行用户鉴权
 		
 		return chainDefinition;
-	}*/
+	}
 }

spring5-auth/spring5-auth-client/pom.xml

@@ -34,6 +34,15 @@
             <artifactId>java-jwt</artifactId>
             <version>3.2.0</version>
         </dependency>
-		
+        
+        <!-- feign -->
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-openfeign</artifactId>
+        </dependency>
+		<dependency>
+            <groupId>io.github.openfeign</groupId>
+            <artifactId>feign-okhttp</artifactId>
+        </dependency>
 	</dependencies>
 </project>

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/FeignOkHttpConfig.java

@@ -0,0 +1,40 @@
+package com.yaozhitech.spring5.config;
+
+import java.util.concurrent.TimeUnit;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.AutoConfigureBefore;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.cloud.openfeign.FeignAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import com.yaozhitech.spring5.intercept.OkHttpTokenInterceptor;
+
+import feign.Feign;
+import okhttp3.ConnectionPool;
+
+@AutoConfigureBefore(FeignAutoConfiguration.class)
+@Configuration
+@ConditionalOnClass(Feign.class)
+public class FeignOkHttpConfig {
+
+	@Autowired
+	OkHttpTokenInterceptor okHttpLoggingInterceptor;
+
+	private int feignOkHttpReadTimeout = 60;
+	private int feignConnectTimeout = 60;
+	private int feignWriteTimeout = 120;
+
+//	@Bean
+//	public okhttp3.OkHttpClient okHttpClient() {
+//		return new okhttp3.OkHttpClient.Builder()
+//				.readTimeout(feignOkHttpReadTimeout, TimeUnit.SECONDS)
+//				.connectTimeout(feignConnectTimeout, TimeUnit.SECONDS)
+//				.writeTimeout(feignWriteTimeout, TimeUnit.SECONDS)
+//				.connectionPool(new ConnectionPool())
+////				.addInterceptor(okHttpLoggingInterceptor)
+//				.addInterceptor(interceptor)
+//				.build();
+//	}
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/ServiceAuthConfig.java

@@ -0,0 +1,24 @@
+package com.yaozhitech.spring5.config;
+
+import org.springframework.beans.factory.annotation.Value;
+
+import lombok.Data;
+
+/**
+ * 微服务之间的认证
+ * @author EDZ
+ *
+ */
+@Data
+public class ServiceAuthConfig {
+
+	private byte[] pubKeyByte;
+    @Value("${auth.client.id:null}")
+    private String clientId;
+    @Value("${auth.client.secret}")
+    private String clientSecret;
+    @Value("${auth.client.token-header}")
+    private String tokenHeader;
+    @Value("${spring.application.name}")
+    private String applicationName;
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/ShiroConfiguration.java

@@ -17,18 +17,20 @@ import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
 import org.apache.shiro.web.mgt.DefaultWebSessionStorageEvaluator;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 
 import com.yaozhitech.spring5.filter.AnyRolesAuthorizationFilter;
 import com.yaozhitech.spring5.filter.JwtAuthFilter;
 import com.yaozhitech.spring5.jwt.JWTShiroRealm;
-import com.yaozhitech.spring5.service.UserService;
+import com.yaozhitech.spring5.service.JwtUserService;
 
+@Configuration
 public abstract class ShiroConfiguration {
 	/**
 	 * 注册shiro的Filter，拦截请求
 	 */
 	@Bean
-    public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,UserService userService) throws Exception{
+    public FilterRegistrationBean<Filter> filterRegistrationBean(SecurityManager securityManager,JwtUserService userService) throws Exception{
         FilterRegistrationBean<Filter> filterRegistration = new FilterRegistrationBean<Filter>();
         filterRegistration.setFilter((Filter)shiroFilter(securityManager, userService).getObject());
         filterRegistration.addInitParameter("targetFilterLifecycle", "true");
@@ -40,7 +42,7 @@ public abstract class ShiroConfiguration {
     }
 
     @Bean
-    public Authenticator authenticator(UserService userService) {
+    public Authenticator authenticator(JwtUserService userService) {
         ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
         authenticator.setRealms(Arrays.asList(jwtShiroRealm(userService)));
         authenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
@@ -62,7 +64,7 @@ public abstract class ShiroConfiguration {
           * 用于JWT token认证的realm
      */
     @Bean("jwtRealm")
-    public Realm jwtShiroRealm(UserService userService) {
+    public Realm jwtShiroRealm(JwtUserService userService) {
         JWTShiroRealm myShiroRealm = new JWTShiroRealm(userService);
         return myShiroRealm;
     }
@@ -71,7 +73,7 @@ public abstract class ShiroConfiguration {
           * 设置过滤器，将自定义的Filter加入
      */
     @Bean
-    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, UserService userService) {
+    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager, JwtUserService userService) {
     	ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
         factoryBean.setSecurityManager(securityManager);
         Map<String, Filter> filterMap = factoryBean.getFilters();
@@ -86,7 +88,7 @@ public abstract class ShiroConfiguration {
     public abstract ShiroFilterChainDefinition shiroFilterChainDefinition() ;
 
    //注意不要加@Bean注解，不然spring会自动注册成filter
-    protected JwtAuthFilter createAuthFilter(UserService userService){
+    protected JwtAuthFilter createAuthFilter(JwtUserService userService){
         return new JwtAuthFilter(userService);
     }
 

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/config/WebSecurityConfig.java

@@ -0,0 +1,23 @@
+package com.yaozhitech.spring5.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import com.yaozhitech.spring5.intercept.ServiceAuthRestInterceptor;
+
+@Configuration
+public class WebSecurityConfig implements WebMvcConfigurer{
+
+	@Bean
+    public HandlerInterceptor serviceAuthRestInterceptor() {
+        return new ServiceAuthRestInterceptor();
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(serviceAuthRestInterceptor());
+    }
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/filter/JwtAuthFilter.java

@@ -21,7 +21,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 
 import com.yaozhitech.spring5.dto.UserDto;
 import com.yaozhitech.spring5.jwt.JWTToken;
-import com.yaozhitech.spring5.service.UserService;
+import com.yaozhitech.spring5.service.JwtUserService;
 import com.yaozhitech.spring5.utils.JwtUtils;
 
 import lombok.extern.slf4j.Slf4j;
@@ -36,9 +36,9 @@ public class JwtAuthFilter extends AuthenticatingFilter {
     private String tokenHead;
 
     private static final int tokenRefreshInterval = 300;
-    private UserService userService;
+    private JwtUserService userService;
 
-    public JwtAuthFilter(UserService userService){
+    public JwtAuthFilter(JwtUserService userService){
         this.userService = userService;
         this.setLoginUrl("/login");
     }

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/intercept/OkHttpTokenInterceptor.java

@@ -0,0 +1,16 @@
+package com.yaozhitech.spring5.intercept;
+
+import org.springframework.context.annotation.Configuration;
+
+import feign.RequestInterceptor;
+import feign.RequestTemplate;
+
+@Configuration
+public class OkHttpTokenInterceptor implements RequestInterceptor{
+
+	@Override
+	public void apply(RequestTemplate template) {
+		template.header("X-Forwarded-For", "origin.host.com");
+	}
+
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/intercept/ServiceAuthRestInterceptor.java

@@ -0,0 +1,58 @@
+package com.yaozhitech.spring5.intercept;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import com.yaozhitech.spring5.config.ServiceAuthConfig;
+
+/**
+ * 微服务之间的认证
+ * @author EDZ
+ *
+ */
+public class ServiceAuthRestInterceptor extends HandlerInterceptorAdapter {
+    private Logger logger = LoggerFactory.getLogger(ServiceAuthRestInterceptor.class);
+
+//  @Autowired
+//  private ServiceAuthUtil serviceAuthUtil;
+//
+//  @Autowired
+  private ServiceAuthConfig serviceAuthConfig;
+
+  private List<String> allowedClient;
+
+  @Override
+  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+      HandlerMethod handlerMethod = (HandlerMethod) handler;
+//      // 配置该注解，说明不进行服务拦截
+//      IgnoreClientToken annotation = handlerMethod.getBeanType().getAnnotation(IgnoreClientToken.class);
+//      if (annotation == null) {
+//          annotation = handlerMethod.getMethodAnnotation(IgnoreClientToken.class);
+//      }
+//      if(annotation!=null) {
+//          return super.preHandle(request, response, handler);
+//      }
+
+      String token = request.getHeader("X-Forwarded-For");
+      logger.info(token);
+      
+//      IJWTInfo infoFromToken = serviceAuthUtil.getInfoFromToken(token);
+//      String uniqueName = infoFromToken.getUniqueName();
+//      for(String client:serviceAuthUtil.getAllowedClient()){
+//          if(client.equals(uniqueName)){
+//              return super.preHandle(request, response, handler);
+//          }
+//      }
+//      throw new ClientForbiddenException("Client is Forbidden!");
+      
+      return super.preHandle(request, response, handler);
+  }
+}

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/jwt/JWTShiroRealm.java

@@ -10,7 +10,7 @@ import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 
 import com.yaozhitech.spring5.dto.UserDto;
-import com.yaozhitech.spring5.service.UserService;
+import com.yaozhitech.spring5.service.JwtUserService;
 import com.yaozhitech.spring5.utils.JwtUtils;
 
 
@@ -21,9 +21,9 @@ import com.yaozhitech.spring5.utils.JwtUtils;
 
 public class JWTShiroRealm extends AuthorizingRealm {
 
-    protected UserService userService;
+    protected JwtUserService userService;
 
-    public JWTShiroRealm(UserService userService){
+    public JWTShiroRealm(JwtUserService userService){
         this.userService = userService;
         this.setCredentialsMatcher(new JWTCredentialsMatcher());
     }

spring5-auth/spring5-auth-client/src/main/java/com/yaozhitech/spring5/service/UserService.java

@@ -14,7 +14,7 @@ import com.yaozhitech.spring5.dto.UserDto;
 import com.yaozhitech.spring5.utils.JwtUtils;
 
 @Service
-public class UserService {
+public class JwtUserService {
 
 	@Value("${password.salt}")
 	private String encryptSalt;

spring5-order/src/main/java/com/yaozhitech/spring5/config/RoleResourceConfiguration.java

@@ -15,7 +15,7 @@ public class RoleResourceConfiguration extends ShiroConfiguration{
 //    chainDefinition.addPathDefinition("/login", "noSessionCreation,anon");  //login不做认证，noSessionCreation的作用是用户在操作session时会抛异常
 //    chainDefinition.addPathDefinition("/logout", "noSessionCreation,authcToken[permissive]"); //做用户认证，permissive参数的作用是当token无效时也允许请求访问，不会返回鉴权未通过的错误
 //    chainDefinition.addPathDefinition("/image/**", "anon"); ,anyRole[admin,manager]
-		chainDefinition.addPathDefinition("/**", "noSessionCreation,authcToken"); // 只允许admin或manager角色的用户访问
+		chainDefinition.addPathDefinition("/**", "anon"); // 只允许admin或manager角色的用户访问
 //		chainDefinition.addPathDefinition("/article/list", "noSessionCreation,authc");
 //		chainDefinition.addPathDefinition("/article/*", "noSessionCreation,authc[permissive]");
 //		chainDefinition.addPathDefinition("/**", "noSessionCreation,authc"); // 默认进行用户鉴权