实现管理后台登录时，使用 OAuth2 的 access token

2025-07-13 18:45:06 +08:00 · 2022-05-08 23:52:31 +08:00
parent ebee4ddb7c
commit 4f52d1367b
30 changed files with 626 additions and 357 deletions
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoSecurityAutoConfiguration.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoSecurityAutoConfiguration.java
@ -6,6 +6,7 @@ import cn.iocoder.yudao.framework.security.core.filter.TokenAuthenticationFilter
 import cn.iocoder.yudao.framework.security.core.handler.AccessDeniedHandlerImpl;
 import cn.iocoder.yudao.framework.security.core.handler.AuthenticationEntryPointImpl;
 import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
+import cn.iocoder.yudao.module.system.api.auth.OAuth2TokenApi;
 import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
@ -72,8 +73,9 @@ public class YudaoSecurityAutoConfiguration {
     * Token 认证过滤器 Bean
     */
    @Bean
-    public TokenAuthenticationFilter authenticationTokenFilter(GlobalExceptionHandler globalExceptionHandler) {
-        return new TokenAuthenticationFilter(securityProperties, globalExceptionHandler);
+    public TokenAuthenticationFilter authenticationTokenFilter(GlobalExceptionHandler globalExceptionHandler,
+                                                               OAuth2TokenApi oauth2TokenApi) {
+        return new TokenAuthenticationFilter(securityProperties, globalExceptionHandler, oauth2TokenApi);
    }

    /**
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/filter/TokenAuthenticationFilter.java
@ -1,5 +1,6 @@
 package cn.iocoder.yudao.framework.security.core.filter;

+import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.util.StrUtil;
 import cn.iocoder.yudao.framework.common.pojo.CommonResult;
 import cn.iocoder.yudao.framework.common.util.servlet.ServletUtils;
@ -8,7 +9,10 @@ import cn.iocoder.yudao.framework.security.core.LoginUser;
 import cn.iocoder.yudao.framework.security.core.util.SecurityFrameworkUtils;
 import cn.iocoder.yudao.framework.web.core.handler.GlobalExceptionHandler;
 import cn.iocoder.yudao.framework.web.core.util.WebFrameworkUtils;
+import cn.iocoder.yudao.module.system.api.auth.OAuth2TokenApi;
+import cn.iocoder.yudao.module.system.api.auth.dto.OAuth2AccessTokenCheckRespDTO;
 import lombok.RequiredArgsConstructor;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.web.filter.OncePerRequestFilter;

 import javax.servlet.FilterChain;
@ -30,6 +34,8 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {

    private final GlobalExceptionHandler globalExceptionHandler;

+    private final OAuth2TokenApi oauth2TokenApi;
+
    @Override
    @SuppressWarnings("NullableProblems")
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
@ -39,11 +45,21 @@ public class TokenAuthenticationFilter extends OncePerRequestFilter {
            Integer userType = WebFrameworkUtils.getLoginUserType(request);
            try {
                // 验证 token 有效性
-                LoginUser loginUser = null; // TODO 芋艿：待实现
+                OAuth2AccessTokenCheckRespDTO accessToken = oauth2TokenApi.checkAccessToken(token);
+                if (accessToken != null && ObjectUtil.notEqual(accessToken.getUserType(), userType)) { // 用户类型不匹配，无权限
+                    throw new AccessDeniedException("错误的用户类型");
+                }
+                LoginUser loginUser = null;
+                if (accessToken != null) { // 如果不为空，说明认证通过，则转换成登录用户
+                    loginUser = new LoginUser().setId(accessToken.getUserId()).setUserType(accessToken.getUserType())
+                            .setTenantId(accessToken.getTenantId());
+                }
+
                // 模拟 Login 功能，方便日常开发调试
                if (loginUser == null) {
                    loginUser = mockLoginUser(request, token, userType);
                }
+
                // 设置当前用户
                if (loginUser != null) {
                    SecurityFrameworkUtils.setLoginUser(loginUser, request);
--- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/service/SecurityAuthFrameworkService.java
+++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/core/service/SecurityAuthFrameworkService.java
@ -1,30 +0,0 @@
-package cn.iocoder.yudao.framework.security.core.service;
-
-import cn.iocoder.yudao.framework.common.enums.UserTypeEnum;
-import cn.iocoder.yudao.framework.security.core.LoginUser;
-import org.springframework.security.core.userdetails.UserDetailsService;
-
-/**
- * Security 框架 Auth Service 接口，定义不同用户类型的 {@link UserTypeEnum} 需要实现的方法
- *
- * @author 芋道源码
- */
-public interface SecurityAuthFrameworkService extends UserDetailsService {
-
-    /**
-     * 校验 token 的有效性，并获取用户信息
-     * 通过后，刷新 token 的过期时间
-     *
-     * @param token token
-     * @return 用户信息
-     */
-    LoginUser verifyTokenAndRefresh(String token);
-
-    /**
-     * 获得用户类型。每个用户类型，对应一个 SecurityAuthFrameworkService 实现类。
-     *
-     * @return 用户类型
-     */
-    UserTypeEnum getUserType();
-
-}