多模块重构 12：【新增】Spring Security 新增 AuthorizeRequestsCustomizer 抽象类， 自定义每个 Maven Module 的 URL 的安全配置

yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/AuthorizeRequestsCustomizer.java

@@ -0,0 +1,36 @@
+package cn.iocoder.yudao.framework.security.config;
+
+import cn.iocoder.yudao.framework.web.config.WebProperties;
+import org.springframework.core.Ordered;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+
+import javax.annotation.Resource;
+
+/**
+ * 自定义的 URL 的安全配置
+ * 目的：每个 Maven Module 可以自定义规则！
+ *
+ * @author 芋道源码
+ */
+public abstract class AuthorizeRequestsCustomizer
+        implements Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>, Ordered {
+
+    @Resource
+    private WebProperties webProperties;
+
+    protected String buildAdminApi(String url) {
+        return webProperties.getAdminApi().getPrefix() + url;
+    }
+
+    protected String buildAppApi(String url) {
+        return webProperties.getAppApi().getPrefix() + url;
+    }
+
+    @Override
+    public int getOrder() {
+        return 0;
+    }
+
+}

yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java

@@ -26,6 +26,8 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+import java.util.function.Consumer;
 
 /**
  * 自定义的 Spring Security 配置适配器实现
@@ -62,14 +64,22 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap
     @Resource
     private JWTAuthenticationTokenFilter authenticationTokenFilter;
 
+//    /**
+//     * 自定义的权限映射 Bean
+//     *
+//     * @see #configure(HttpSecurity)
+//     */
+//    @Resource
+//    private Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>
+//            authorizeRequestsCustomizer;
+
     /**
-     * 自定义的权限映射 Bean
+     * 自定义的权限映射 Bean 们
      *
      * @see #configure(HttpSecurity)
      */
     @Resource
-    private Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>
-            authorizeRequestsCustomizer;
+    private List<AuthorizeRequestsCustomizer> authorizeRequestsCustomizers;
 
     /**
      * 由于 Spring Security 创建 AuthenticationManager 对象时，没声明 @Bean 注解，导致无法被注入
@@ -126,44 +136,31 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap
                         StrUtil.equalsAny(request.getRequestURI(), buildAdminApi("/system/logout"),
                                                                    buildAppApi("/member/logout")));
 
-        // 设置每个请求的权限 ①：全局共享规则
-        httpSecurity.authorizeRequests()
-                    // 登录的接口，可匿名访问
-                    .antMatchers(buildAdminApi("/system/login"), buildAdminApi("/member/login")).anonymous()
+        // 设置每个请求的权限
+        httpSecurity
+                // ①：全局共享规则
+                .authorizeRequests()
                     // 静态资源，可匿名访问
                     .antMatchers(HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js").permitAll()
-                    // 文件的获取接口，可匿名访问
-                    .antMatchers(buildAdminApi("/infra/file/get/**")).anonymous()
-                    // Swagger 接口文档
-                    .antMatchers("/swagger-ui.html").anonymous()
-                    .antMatchers("/swagger-resources/**").anonymous()
-                    .antMatchers("/webjars/**").anonymous()
-                    .antMatchers("/*/api-docs").anonymous()
-                    // Spring Boot Actuator 的安全配置
-                    .antMatchers("/actuator").anonymous()
-                    .antMatchers("/actuator/**").anonymous()
-                    // Druid 监控 TODO 芋艿：等对接了 druid admin 后，在调整下。
-                    .antMatchers("/druid/**").anonymous()
-                    // oAuth2 auth2/login/gitee TODO 芋艿：貌似可以删除
-                    .antMatchers(buildAdminApi("/auth2/login/**")).anonymous()
-                    .antMatchers(buildAdminApi("/auth2/authorization/**")).anonymous()
-                    .antMatchers("/api/callback/**").anonymous()
-                // 设置每个请求的权限 ②：每个项目的自定义规则 TODO 芋艿：改造成多个，方便每个模块自定义规则
-                .and().authorizeRequests(authorizeRequestsCustomizer)
-                // 设置每个请求的权限 ③：兜底规则，必须认证
-                .authorizeRequests().anyRequest().authenticated()
+                    // 设置 App API 无需认证
+                    .antMatchers(buildAppApi("/**")).permitAll()
+                // ②：每个项目的自定义规则
+                .and().authorizeRequests(registry -> // 下面，循环设置自定义规则
+                        authorizeRequestsCustomizers.forEach(customizer -> customizer.customize(registry)))
+                // ③：兜底规则，必须认证
+                .authorizeRequests()
+                    .anyRequest().authenticated()
         ;
+
         // 添加 JWT Filter
         httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
     }
 
     private String buildAdminApi(String url) {
-        // TODO 芋艿：多模块
         return webProperties.getAdminApi().getPrefix() + url;
     }
 
     private String buildAppApi(String url) {
-        // TODO 芋艿：多模块
         return webProperties.getAppApi().getPrefix() + url;
     }