Merge branch 'master' of https://gitee.com/y_project/RuoYi-Cloud

Conflicts: ruoyi-api/ruoyi-api-system/src/main/java/com/ruoyi/system/api/domain/SysUser.java ruoyi-api/ruoyi-api-system/src/main/java/com/ruoyi/system/api/factory/RemoteLogFallbackFactory.java ruoyi-api/ruoyi-api-system/src/main/java/com/ruoyi/system/api/factory/RemoteUserFallbackFactory.java ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/handler/GlobalExceptionHandler.java ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/IgnoreWhiteProperties.java ruoyi-modules/ruoyi-system/src/main/java/com/ruoyi/system/domain/vo/MetaVo.java
2025-09-08 13:27:46 +00:00 · 2021-08-02 13:18:22 +08:00
parent 8059655012 24be1a436e
commit c10d4faf9d
115 changed files with 3478 additions and 1502 deletions
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/annotation/InnerAuth.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/annotation/InnerAuth.java
@@ -0,0 +1,19 @@
+package com.ruoyi.common.security.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 内部认证注解
+ * 
+ * @author ruoyi
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface InnerAuth
+{
+    /**
+     * 是否校验用户信息
+     */
+    boolean isUser() default false;
+}
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/aspect/InnerAuthAspect.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/aspect/InnerAuthAspect.java
@@ -0,0 +1,51 @@
+package com.ruoyi.common.security.aspect;
+
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.springframework.core.Ordered;
+import org.springframework.stereotype.Component;
+import com.ruoyi.common.core.constant.SecurityConstants;
+import com.ruoyi.common.core.exception.InnerAuthException;
+import com.ruoyi.common.core.utils.ServletUtils;
+import com.ruoyi.common.core.utils.StringUtils;
+import com.ruoyi.common.security.annotation.InnerAuth;
+
+/**
+ * 内部服务调用验证处理
+ * 
+ * @author ruoyi
+ */
+@Aspect
+@Component
+public class InnerAuthAspect implements Ordered
+{
+    @Around("@annotation(innerAuth)")
+    public Object innerAround(ProceedingJoinPoint point, InnerAuth innerAuth) throws Throwable
+    {
+        String source = ServletUtils.getRequest().getHeader(SecurityConstants.FROM_SOURCE);
+        // 内部请求验证
+        if (!StringUtils.equals(SecurityConstants.INNER, source))
+        {
+            throw new InnerAuthException("没有内部访问权限，不允许访问");
+        }
+
+        String userid = ServletUtils.getRequest().getHeader(SecurityConstants.DETAILS_USER_ID);
+        String username = ServletUtils.getRequest().getHeader(SecurityConstants.DETAILS_USERNAME);
+        // 用户信息验证
+        if (innerAuth.isUser() && (StringUtils.isEmpty(userid) || StringUtils.isEmpty(username)))
+        {
+            throw new InnerAuthException("没有设置用户信息，不允许访问 ");
+        }
+        return point.proceed();
+    }
+
+    /**
+     * 确保在权限认证aop执行前执行
+     */
+    @Override
+    public int getOrder()
+    {
+        return Ordered.HIGHEST_PRECEDENCE + 1;
+    }
+}
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/feign/FeignRequestInterceptor.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/feign/FeignRequestInterceptor.java
@@ -2,11 +2,11 @@ package com.ruoyi.common.security.feign;

 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
-import com.ruoyi.common.core.utils.ip.IpUtils;
 import org.springframework.stereotype.Component;
-import com.ruoyi.common.core.constant.CacheConstants;
+import com.ruoyi.common.core.constant.SecurityConstants;
 import com.ruoyi.common.core.utils.ServletUtils;
 import com.ruoyi.common.core.utils.StringUtils;
+import com.ruoyi.common.core.utils.ip.IpUtils;
 import feign.RequestInterceptor;
 import feign.RequestTemplate;

@@ -26,20 +26,20 @@ public class FeignRequestInterceptor implements RequestInterceptor
        {
            Map<String, String> headers = ServletUtils.getHeaders(httpServletRequest);
            // 传递用户信息请求头，防止丢失
-            String userId = headers.get(CacheConstants.DETAILS_USER_ID);
+            String userId = headers.get(SecurityConstants.DETAILS_USER_ID);
            if (StringUtils.isNotEmpty(userId))
            {
-                requestTemplate.header(CacheConstants.DETAILS_USER_ID, userId);
+                requestTemplate.header(SecurityConstants.DETAILS_USER_ID, userId);
            }
-            String userName = headers.get(CacheConstants.DETAILS_USERNAME);
+            String userName = headers.get(SecurityConstants.DETAILS_USERNAME);
            if (StringUtils.isNotEmpty(userName))
            {
-                requestTemplate.header(CacheConstants.DETAILS_USERNAME, userName);
+                requestTemplate.header(SecurityConstants.DETAILS_USERNAME, userName);
            }
-            String authentication = headers.get(CacheConstants.AUTHORIZATION_HEADER);
+            String authentication = headers.get(SecurityConstants.AUTHORIZATION_HEADER);
            if (StringUtils.isNotEmpty(authentication))
            {
-                requestTemplate.header(CacheConstants.AUTHORIZATION_HEADER, authentication);
+                requestTemplate.header(SecurityConstants.AUTHORIZATION_HEADER, authentication);
            }

            // 配置客户端IP
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/handler/GlobalExceptionHandler.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/handler/GlobalExceptionHandler.java
@@ -10,6 +10,7 @@ import org.springframework.web.bind.annotation.RestControllerAdvice;
 import com.ruoyi.common.core.exception.BaseException;
 import com.ruoyi.common.core.exception.CustomException;
 import com.ruoyi.common.core.exception.DemoModeException;
+import com.ruoyi.common.core.exception.InnerAuthException;
 import com.ruoyi.common.core.exception.PreAuthorizeException;
 import com.ruoyi.common.core.utils.StringUtils;
 import com.ruoyi.common.core.web.domain.AjaxResult;
@@ -76,6 +77,15 @@ public class GlobalExceptionHandler {
        return AjaxResult.error("没有权限，请联系管理员授权");
    }

+    /**
+     * 内部认证异常
+     */
+    @ExceptionHandler(InnerAuthException.class)
+    public AjaxResult InnerAuthException(InnerAuthException e)
+    {
+        return AjaxResult.error(e.getMessage());
+    }
+
    /**
     * 演示模式异常
     */
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
@@ -73,6 +73,16 @@ public class TokenService
    {
        // 获取请求携带的令牌
        String token = SecurityUtils.getToken(request);
+        return getLoginUser(token);
+    }
+
+    /**
+     * 获取用户身份信息
+     *
+     * @return 用户信息
+     */
+    public LoginUser getLoginUser(String token)
+    {
        if (StringUtils.isNotEmpty(token))
        {
            String userKey = getTokenKey(token);
--- a/ruoyi-common/ruoyi-common-security/src/main/resources/META-INF/spring.factories
+++ b/ruoyi-common/ruoyi-common-security/src/main/resources/META-INF/spring.factories
@@ -1,4 +1,5 @@
 org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
  com.ruoyi.common.security.service.TokenService,\
  com.ruoyi.common.security.aspect.PreAuthorizeAspect,\
+  com.ruoyi.common.security.aspect.InnerAuthAspect,\
  com.ruoyi.common.security.handler.GlobalExceptionHandler