refactor: 优化针对生产环境的请求限制拦截处理

72f3b70c · 郝先瑞 · f5cdc7df · 72f3b70c · 72f3b70c · 72f3b70c
3 changed file
--- a/youlai-common/common-core/src/main/java/com/youlai/common/constant/SecurityConstants.java
+++ b/youlai-common/common-core/src/main/java/com/youlai/common/constant/SecurityConstants.java
 package com.youlai.common.constant;

+import java.util.Arrays;
+import java.util.List;
+
 public interface SecurityConstants {

    /**
@@ -38,7 +41,6 @@ public interface SecurityConstants {
     */
    String TOKEN_BLACKLIST_PREFIX = "auth:token:blacklist:";

-    String USER_ID_KEY = "userId";

    String USER_NAME_KEY = "username";

@@ -63,15 +65,6 @@ public interface SecurityConstants {
     */
    String AUTHENTICATION_IDENTITY_KEY = "authenticationIdentity";

-    String APP_API_PATTERN = "/*/app-api/**";
-
-    String LOGOUT_PATH = "/youlai-auth/oauth/logout";
-
-    /**
-     * 新增菜单路径,新增不存在的路由会导致系统无法访问，线上禁止新增菜单的操作
-     */
-    String SAVE_MENU_PATH = "/youlai-admin/api/v1/menus";
-
    /**
     * 验证码key前缀
     */
@@ -102,4 +95,21 @@ public interface SecurityConstants {
     */
    String WEAPP_CLIENT_ID = "mall-weapp";

+
+    /**
+     * 线上环境放行的请求路径
+     */
+    List<String> PROD_PERMIT_PATHS= Arrays.asList("/youlai-lab","/app-api","/youlai-auth/oauth/logout");
+
+    /**
+     * 线上环境禁止的请求路径
+     */
+    List<String> PROD_FORBID_PATHS= Arrays.asList("/youlai-admin/api/v1/menus");
+
+    /**
+     * 线上环境禁止方法
+     */
+    List<String> PROD_FORBID_METHODS= Arrays.asList("PUT","DELETE");
+
+
 }
--- a/youlai-gateway/src/main/java/com/youlai/gateway/security/ResourceServerManager.java
+++ b/youlai-gateway/src/main/java/com/youlai/gateway/security/ResourceServerManager.java
@@ -50,7 +50,7 @@ public class ResourceServerManager implements ReactiveAuthorizationManager<Autho
        // 如果token以"bearer "为前缀，到此方法里说明JWT有效即已认证
        String token = request.getHeaders().getFirst(SecurityConstants.AUTHORIZATION_KEY);
        if (StrUtil.isNotBlank(token) && StrUtil.startWithIgnoreCase(token, SecurityConstants.JWT_PREFIX) ) {
-            if (pathMatcher.match(SecurityConstants.APP_API_PATTERN, path)) {
+            if (path.contains("/app-api")) {
                // 商城移动端请求需认证不需鉴权放行（根据实际场景需求）
                return Mono.just(new AuthorizationDecision(true));
            }

--- a/youlai-gateway/src/main/java/com/youlai/gateway/security/SecurityGlobalFilter.java
+++ b/youlai-gateway/src/main/java/com/youlai/gateway/security/SecurityGlobalFilter.java
@@ -16,7 +16,6 @@ import org.springframework.cloud.gateway.filter.GatewayFilterChain;
 import org.springframework.cloud.gateway.filter.GlobalFilter;
 import org.springframework.core.Ordered;
 import org.springframework.data.redis.core.RedisTemplate;
-import org.springframework.http.HttpMethod;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.stereotype.Component;
@@ -51,19 +50,22 @@ public class SecurityGlobalFilter implements GlobalFilter, Ordered {
        ServerHttpRequest request = exchange.getRequest();
        ServerHttpResponse response = exchange.getResponse();

-        // 线上演示环境修改和删除行为的接口禁止操作
-        String requestPath = request.getPath().toString();
-        if (env.equals("prod") && !SecurityConstants.LOGOUT_PATH.equals(requestPath)
-                && !StrUtil.contains(requestPath,"/youlai-lab") // 实验室接口放行
-                && !StrUtil.contains(requestPath, "/app-api") // APP所有接口放行
-                && (HttpMethod.DELETE.toString().equals(request.getMethodValue()) // 删除方法禁止
-                || HttpMethod.PUT.toString().equals(request.getMethodValue())// 修改方法禁止
-                || SecurityConstants.SAVE_MENU_PATH.equals(request.getPath().toString()) // 新增菜单禁止
-        )) {
-            return ResponseUtils.writeErrorInfo(response, ResultCode.FORBIDDEN_OPERATION);
+        // 线上环境
+        String requestPath = request.getPath().pathWithinApplication().value();
+        if (env.equals("prod")) {
+            String methodValue = request.getMethodValue();
+            if (SecurityConstants.PROD_FORBID_METHODS.contains(methodValue)) { // PUT和DELETE方法禁止
+                if (!SecurityConstants.PROD_PERMIT_PATHS.contains(requestPath)) { // PUT和DELETE方法需要放行的方法
+                    return ResponseUtils.writeErrorInfo(response, ResultCode.FORBIDDEN_OPERATION);
+                }
+            } else {
+                if (SecurityConstants.PROD_FORBID_PATHS.contains(requestPath)) { // POST等放行的方法禁止的路径
+                    return ResponseUtils.writeErrorInfo(response, ResultCode.FORBIDDEN_OPERATION);
+                }
+            }
        }

-        // 错误的JWT不做解析处理
+        // 非JWT放行不做后续解析处理
        String token = request.getHeaders().getFirst(SecurityConstants.AUTHORIZATION_KEY);
        if (StrUtil.isBlank(token) || !StrUtil.startWithIgnoreCase(token, SecurityConstants.JWT_PREFIX)) {
            return chain.filter(exchange);