未验证
提交
9fc23cad
编写于
3月 30, 2021
作者:
sinat_25235033
提交者:
GitHub
3月 30, 2021
fix api can be accessed by any role when accessRole not config (#83)
上级
ad3ba2b0
变更
13
Showing
13 changed file
with
26 addition
and
43 deletion
+26
-43
core/src/main/java/com/usthe/sureness/processor/BaseProcessor.java
...main/java/com/usthe/sureness/processor/BaseProcessor.java
+2
-3
core/src/main/java/com/usthe/sureness/processor/support/NoneProcessor.java
...a/com/usthe/sureness/processor/support/NoneProcessor.java
+0
-15
core/src/main/resources/sureness-sample.yml
core/src/main/resources/sureness-sample.yml
+2
-2
core/src/test/java/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java
...a/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java
+4
-4
docs/cn/default-datasource.md
docs/cn/default-datasource.md
+2
-2
docs/default-datasource.md
docs/default-datasource.md
+2
-2
sample-bootstrap/src/main/resources/sureness.yml
sample-bootstrap/src/main/resources/sureness.yml
+2
-2
sample-tom/src/main/java/com/usthe/sureness/sample/tom/sureness/processor/CustomTokenProcessor.java
...s/sample/tom/sureness/processor/CustomTokenProcessor.java
+2
-3
sample-tom/src/main/resources/sureness.yml
sample-tom/src/main/resources/sureness.yml
+2
-2
samples/javalin-sureness/src/main/resources/sureness.yml
samples/javalin-sureness/src/main/resources/sureness.yml
+2
-2
samples/ktor-sureness/resources/sureness.yml
samples/ktor-sureness/resources/sureness.yml
+2
-2
samples/quarkus-sureness/src/main/resources/sureness.yml
samples/quarkus-sureness/src/main/resources/sureness.yml
+2
-2
samples/spring-webflux-sureness/src/main/resources/sureness.yml
...s/spring-webflux-sureness/src/main/resources/sureness.yml
+2
-2
core/src/main/java/com/usthe/sureness/processor/BaseProcessor.java
@@ -55,9 +55,8 @@ public abstract class BaseProcessor implements Processor{
public
void
authorized
(
Subject
var
)
throws
SurenessAuthorizationException
{
List
<
String
>
ownRoles
=
(
List
<
String
>)
var
.
getOwnRoles
();
List
<
String
>
supportRoles
=
(
List
<
String
>)
var
.
getSupportRoles
();
if
(
supportRoles
==
null
||
supportRoles
.
isEmpty
())
{
return
;
}
else
if
(
ownRoles
!=
null
&&
supportRoles
.
stream
().
anyMatch
(
ownRoles:
:
contains
))
{
if
(
supportRoles
!=
null
&&
!
supportRoles
.
isEmpty
()
&&
ownRoles
!=
null
&&
supportRoles
.
stream
().
anyMatch
(
ownRoles:
:
contains
))
{
return
;
}
throw
new
UnauthorizedException
(
"do not have the role to access resource"
);
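Review bot: The rewritten condition in BaseProcessor.authorized denies whenever `supportRoles` is null, so a resource that is not configured at all is now treated exactly like one declared with an empty role list; the unchanged comment in core/src/main/resources/sureness-sample.yml still says unconfigured resources are "authenticated and protected by default, but not authorized", and the test edits in SurenessSecurityManagerTest, which replace unmatched URIs with configured ones, suggest the null case really does reach this branch now. If deny-by-default for unmatched resources is the intended outcome, that comment and the docs should say so explicitly; if it is not, the null case needs its own early return before the role check. The same condition is duplicated verbatim in CustomTokenProcessor (the sample-tom section below) and needs the same decision. A short comment above the `if`, such as `// fail closed: access is granted only when the resource has at least one configured role and the subject holds one of them`, would make the intent visible to the next maintainer. The method body continues past the end of the hunk.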
core/src/main/java/com/usthe/sureness/processor/support/NoneProcessor.java
@@ -2,15 +2,12 @@ package com.usthe.sureness.processor.support;
import
com.usthe.sureness.processor.BaseProcessor
;
import
com.usthe.sureness.processor.exception.SurenessAuthenticationException
;
import
com.usthe.sureness.processor.exception.SurenessAuthorizationException
;
import
com.usthe.sureness.processor.exception.UnauthorizedException
;
import
com.usthe.sureness.processor.exception.UnknownAccountException
;
import
com.usthe.sureness.subject.Subject
;
import
com.usthe.sureness.subject.support.NoneSubject
;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
import
java.util.List
;
/**
* the processor support nonToken
@@ -36,16 +33,4 @@ public class NoneProcessor extends BaseProcessor {
public
Subject
authenticated
(
Subject
var
)
throws
SurenessAuthenticationException
{
throw
new
UnknownAccountException
(
"the request do not have the auth detail, please input your auth"
);
}
@SuppressWarnings
(
"unchecked"
)
@Override
public
void
authorized
(
Subject
var
)
throws
SurenessAuthorizationException
{
List
<
String
>
supportRoles
=
(
List
<
String
>)
var
.
getSupportRoles
();
if
(
supportRoles
!=
null
&&
!
supportRoles
.
isEmpty
())
{
if
(
logger
.
isDebugEnabled
())
{
logger
.
debug
(
"NoneProcessor authorized fail, due {} need role access"
,
var
.
getTargetResource
());
}
throw
new
UnauthorizedException
(
"authorized forbidden, the request do not have the role access"
);
}
}
}
core/src/main/resources/sureness-sample.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]
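Review bot: The two replacement comment lines are ungrammatical and the second one is the sentence operators will rely on to understand the new deny semantics, so it is worth getting right: `# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post can be accessed by role2,role3,role4` and `# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get cannot be accessed by any role`. The line above them, "resources that are not configured are also authenticated and protected by default, but not authorized", is left unchanged even though the core change appears to reject unconfigured resources as well; it should be reworded to match whatever the code now does. The identical wording is repeated in docs/default-datasource.md, sample-bootstrap, sample-tom, javalin, ktor, quarkus and spring-webflux sureness.yml, and the Chinese equivalent in docs/cn/default-datasource.md, so the fix applies to all of them.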
core/src/test/java/com/usthe/sureness/mgt/SurenessSecurityManagerTest.java
@@ -47,7 +47,7 @@ class SurenessSecurityManagerTest {
expect
(
request
.
getHeader
(
AUTHORIZATION
)).
andStubReturn
(
BASIC
+
" "
+
new
String
(
Base64
.
getEncoder
().
encode
(
"admin:admin"
.
getBytes
(
StandardCharsets
.
UTF_8
))));
expect
(
request
.
getRequestURI
()).
andStubReturn
(
"/api/v
1/book
"
);
expect
(
request
.
getRequestURI
()).
andStubReturn
(
"/api/v
2/host
"
);
expect
(
request
.
getMethod
()).
andStubReturn
(
"put"
);
expect
(
request
.
getRemoteHost
()).
andStubReturn
(
"192.167.2.1"
);
replay
(
request
);
@@ -56,7 +56,7 @@ class SurenessSecurityManagerTest {
assertNotNull
(
subjectSum
.
get
());
assertEquals
(
"admin"
,
subjectSum
.
get
().
getPrincipal
());
assertTrue
(
subjectSum
.
get
().
hasAllRoles
(
Arrays
.
asList
(
"role1"
,
"role2"
)));
assertEquals
(
"/api/v
1/book
===put"
,
subjectSum
.
get
().
getTargetResource
());
assertEquals
(
"/api/v
2/host
===put"
,
subjectSum
.
get
().
getTargetResource
());
verify
(
request
);
reset
(
request
);
@@ -77,7 +77,7 @@ class SurenessSecurityManagerTest {
null
,
Boolean
.
FALSE
);
HttpServletRequest
request
=
createNiceMock
(
HttpServletRequest
.
class
);
expect
(
request
.
getHeader
(
AUTHORIZATION
)).
andStubReturn
(
BEARER
+
" "
+
jwt
);
expect
(
request
.
getRequestURI
()).
andStubReturn
(
"/api/v
2/book
"
);
expect
(
request
.
getRequestURI
()).
andStubReturn
(
"/api/v
1/source1
"
);
expect
(
request
.
getMethod
()).
andStubReturn
(
"get"
);
expect
(
request
.
getRemoteHost
()).
andStubReturn
(
"192.167.2.1"
);
replay
(
request
);
@@ -86,7 +86,7 @@ class SurenessSecurityManagerTest {
assertNotNull
(
subjectSum
.
get
());
assertEquals
(
"tom"
,
subjectSum
.
get
().
getPrincipal
());
assertTrue
(
subjectSum
.
get
().
hasAllRoles
(
Arrays
.
asList
(
"role2"
,
"role3"
)));
assertEquals
(
"/api/v
2/book
===get"
,
subjectSum
.
get
().
getTargetResource
());
assertEquals
(
"/api/v
1/source1
===get"
,
subjectSum
.
get
().
getTargetResource
());
verify
(
request
);
}
}
\ No newline at end of file
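Review bot: The four hunks only move the existing positive cases onto configured resources (`/api/v2/host===put`, `/api/v1/source1===get`); nothing in the test now asserts the behaviour the commit fixes, namely that a subject is rejected for a resource declared with an empty role list or for one that is not configured at all. A regression test that stubs `getRequestURI()` with a `===[]` resource such as `/api/v1/getSource3` and with the old unconfigured `/api/v1/book`, and asserts that authorization fails in both cases, would pin the fail-closed behaviour so it cannot silently regress. As written, the old `/api/v1/book` case that presumably broke after the core change is simply gone rather than inverted. The enclosing test methods begin outside the hunks.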
docs/cn/default-datasource.md
@@ -12,8 +12,8 @@
# 加载到匹配字典的资源,也就是需要被保护的,设置了所支持角色访问的资源
# 没有配置的资源也默认被认证保护,但不鉴权
# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2这一种角色访问
# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源
支持所有角色或无角色访问 前提是认证成功
# eg: /api/v1/source1===get===[role2] 表示 /api/v2/host===post 这条资源支持 role2
这一种角色访问
# eg: /api/v1/source2===get===[] 表示 /api/v1/source2===get 这条资源
不支持任何角色访问
resourceRole:
- /api/v1/source1===get===[role2]
- /api/v1/source1===delete===[role3]
docs/default-datasource.md
@@ -10,8 +10,8 @@ eg:
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole:
- /api/v2/host===post===[role2,role3,role4]
- /api/v2/host===get===[role2,role3,role4]
sample-bootstrap/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]
sample-tom/src/main/java/com/usthe/sureness/sample/tom/sureness/processor/CustomTokenProcessor.java
@@ -83,9 +83,8 @@ public class CustomTokenProcessor extends BaseProcessor {
public
void
authorized
(
Subject
var
)
throws
SurenessAuthorizationException
{
List
<
String
>
ownRoles
=
(
List
<
String
>)
var
.
getOwnRoles
();
List
<
String
>
supportRoles
=
(
List
<
String
>)
var
.
getSupportRoles
();
if
(
supportRoles
==
null
||
supportRoles
.
isEmpty
())
{
return
;
}
else
if
(
ownRoles
!=
null
&&
supportRoles
.
stream
().
anyMatch
(
ownRoles:
:
contains
))
{
if
(
supportRoles
!=
null
&&
!
supportRoles
.
isEmpty
()
&&
ownRoles
!=
null
&&
supportRoles
.
stream
().
anyMatch
(
ownRoles:
:
contains
))
{
return
;
}
throw
new
UnauthorizedException
(
"custom authorized: do not have the role to access resource"
);
sample-tom/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v1/getSource3===get===[]
samples/javalin-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]
samples/ktor-sureness/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]
samples/quarkus-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]
samples/spring-webflux-sureness/src/main/resources/sureness.yml
@@ -2,8 +2,8 @@
# load api resource which need be protected, config role who can access these resource.
# resources that are not configured are also authenticated and protected by default, but not authorized
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
is be all role or no role supported access
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post
can be access by role2,role3,role4
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get
can not be access by any role
resourceRole
:
-
/api/v2/host===post===[role2,role3,role4]
-
/api/v2/host===get===[role2,role3,role4]