From d14ad888e2d6ff9a906115c94d1861f80ee39849 Mon Sep 17 00:00:00 2001 From: jiangqiang Date: Wed, 6 Jul 2022 15:30:18 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=97=A5=E5=BF=97?= =?UTF-8?q?=E4=B8=BA=E5=BD=A9=E8=89=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- yudao-server/src/main/resources/logback-spring.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yudao-server/src/main/resources/logback-spring.xml b/yudao-server/src/main/resources/logback-spring.xml index 8c85ad493..9de3a68b1 100644 --- a/yudao-server/src/main/resources/logback-spring.xml +++ b/yudao-server/src/main/resources/logback-spring.xml @@ -4,7 +4,7 @@ - +       From d9c2da7c919508c52fd2826b90758d0372bacc54 Mon Sep 17 00:00:00 2001 
From: YunaiV Date: Wed, 6 Jul 2022 21:45:25 +0800 Subject: [PATCH 2/2] =?UTF-8?q?1.=20=E3=80=90=E6=96=B0=E5=A2=9E=E3=80=91?= =?UTF-8?q?=E6=8E=A5=E5=8F=A3=E6=94=AF=E6=8C=81=E9=80=9A=E8=BF=87=20`@Perm?= =?UTF-8?q?itAll`=20=E6=B3=A8=E8=A7=A3=EF=BC=8C=E5=85=81=E8=AE=B8=E5=8C=BF?= =?UTF-8?q?=E5=90=8D=EF=BC=88=E6=9C=AA=E7=99=BB=E5=BD=95=EF=BC=89=E8=BF=9B?= =?UTF-8?q?=E8=A1=8C=E8=AE=BF=E9=97=AE=202.=20=E3=80=90=E6=96=B0=E5=A2=9E?= =?UTF-8?q?=E3=80=91`yudao.security.permit-all-urls`=20=E9=85=8D=E7=BD=AE?= =?UTF-8?q?=E9=A1=B9=EF=BC=8C=E5=85=81=E8=AE=B8=E5=8C=BF=E5=90=8D=EF=BC=88?= =?UTF-8?q?=E6=9C=AA=E7=99=BB=E5=BD=95=EF=BC=89=E8=BF=9B=E8=A1=8C=E8=AE=BF?= =?UTF-8?q?=E9=97=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../pom.xml | 6 ++ .../security/config/SecurityProperties.java | 7 +++ .../YudaoWebSecurityConfigurerAdapter.java | 63 ++++++++++++++++++- .../controller/admin/file/FileController.java | 2 + .../config/SecurityConfiguration.java | 2 - .../app/auth/AppAuthController.java | 2 + .../module/member/framework/package-info.java | 2 +- .../config/SecurityConfiguration.java | 28 --------- .../framework/security/core/package-info.java | 4 -- .../controller/admin/auth/AuthController.java | 8 +++ .../admin/common/CaptchaController.java | 2 + .../admin/oauth2/OAuth2OpenController.java | 4 ++ .../admin/sms/SmsCallbackController.java | 4 ++ .../admin/tenant/TenantController.java | 2 + .../config/SecurityConfiguration.java | 45 ------------- .../framework/security/core/package-info.java | 4 -- .../src/main/resources/application.yaml | 3 + 17 files changed, 102 insertions(+), 86 deletions(-) delete mode 100644 yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/config/SecurityConfiguration.java delete mode 100644 yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/core/package-info.java delete mode 100644 
yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/config/SecurityConfiguration.java delete mode 100644 yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/core/package-info.java diff --git a/yudao-framework/yudao-spring-boot-starter-security/pom.xml b/yudao-framework/yudao-spring-boot-starter-security/pom.xml index 4e32a6c7c..864f1f101 100644 --- a/yudao-framework/yudao-spring-boot-starter-security/pom.xml +++ b/yudao-framework/yudao-spring-boot-starter-security/pom.xml @@ -44,6 +44,12 @@ spring-boot-starter-security + + + com.google.guava + guava + + cn.iocoder.boot diff --git a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/SecurityProperties.java b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/SecurityProperties.java index 9d5f64597..7454b5ff6 100644 --- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/SecurityProperties.java +++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/SecurityProperties.java @@ -6,6 +6,8 @@ import org.springframework.validation.annotation.Validated; import javax.validation.constraints.NotEmpty; import javax.validation.constraints.NotNull; +import java.util.Collections; +import java.util.List; @ConfigurationProperties(prefix = "yudao.security") @Validated @@ -30,4 +32,9 @@ public class SecurityProperties { @NotEmpty(message = "mock 模式的密钥不能为空") // 这里设置了一个默认值,因为实际上只有 mockEnable 为 true 时才需要配置。 private String mockSecret = "test"; + /** + * 免登录的 URL 列表 + */ + private List permitAllUrls = Collections.emptyList(); + } 
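Review bot: The `com.google.guava` dependency added to the security starter's pom exists only to back `HashMultimap` in YudaoWebSecurityConfigurerAdapter (see that file's hunks), and this module is inherited by every business module. A JDK `Map<HttpMethod, Set<String>>` filled with `computeIfAbsent(method, k -> new HashSet<>()).addAll(urls)` gives the same grouping without widening the dependency surface of the module that enforces authentication. If guava stays, a one-line XML comment above the dependency naming its single consumer would tell the next maintainer when it can be dropped.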
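Review bot: The new `permitAllUrls` field is an authentication allowlist, yet its Javadoc `免登录的 URL 列表` says nothing about what a value is or how it is matched, so a reader of application.yaml cannot tell whether `/admin-ui/**` is an Ant pattern or a literal path. Its consumer in YudaoWebSecurityConfigurerAdapter hands it to `antMatchers(String...)` with no HTTP method, which is the detail that matters most when someone adds an entry. I would state both here, e.g. `/** Ant-style URL patterns that may be called without authentication; matched for every HTTP method. */`, and keep the `Collections.emptyList()` default as the documented fail-closed baseline.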
diff --git a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java index 61edba6e8..b938d8287 100644 --- a/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java +++ b/yudao-framework/yudao-spring-boot-starter-security/src/main/java/cn/iocoder/yudao/framework/security/config/YudaoWebSecurityConfigurerAdapter.java @@ -2,7 +2,10 @@ package cn.iocoder.yudao.framework.security.config; import cn.iocoder.yudao.framework.security.core.filter.TokenAuthenticationFilter; import cn.iocoder.yudao.framework.web.config.WebProperties; +import com.google.common.collect.HashMultimap; +import com.google.common.collect.Multimap; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; @@ -14,9 +17,15 @@ import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.access.AccessDeniedHandler; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; +import org.springframework.web.method.HandlerMethod; +import org.springframework.web.servlet.mvc.method.RequestMappingInfo; +import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import java.util.List; +import java.util.Map; +import java.util.Set; /** * 自定义的 Spring Security 配置适配器实现 
@@ -29,6 +38,8 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap @Resource private WebProperties webProperties; + @Resource + private SecurityProperties securityProperties; /** * 认证失败处理类 Bean @@ -54,6 +65,9 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap @Resource private List authorizeRequestsCustomizers; + @Resource + private ApplicationContext applicationContext; + /** * 由于 Spring Security 创建 AuthenticationManager 对象时,没声明 @Bean 注解,导致无法被注入 * 通过覆写父类的该方法,添加 @Bean 注解,解决该问题 @@ -98,13 +112,21 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap .accessDeniedHandler(accessDeniedHandler); // 登录、登录暂时不使用 Spring Security 的拓展点,主要考虑一方面拓展多用户、多种登录方式相对复杂,一方面用户的学习成本较高 + // 获得 @PermitAll 带来的 URL 列表,免登录 + Multimap permitAllUrls = getPermitAllUrlsFromAnnotations(); // 设置每个请求的权限 httpSecurity // ①:全局共享规则 .authorizeRequests() // 静态资源,可匿名访问 .antMatchers(HttpMethod.GET, "/*.html", "/**/*.html", "/**/*.css", "/**/*.js").permitAll() - .antMatchers(HttpMethod.GET, "/admin-ui/**").permitAll() + // 设置 @PermitAll 无需认证 + .antMatchers(HttpMethod.GET, permitAllUrls.get(HttpMethod.GET).toArray(new String[0])).permitAll() + .antMatchers(HttpMethod.POST, permitAllUrls.get(HttpMethod.POST).toArray(new String[0])).permitAll() + .antMatchers(HttpMethod.PUT, permitAllUrls.get(HttpMethod.PUT).toArray(new String[0])).permitAll() + .antMatchers(HttpMethod.DELETE, permitAllUrls.get(HttpMethod.DELETE).toArray(new String[0])).permitAll() + // 基于 yudao.security.permit-all-urls 无需认证 + .antMatchers(securityProperties.getPermitAllUrls().toArray(new String[0])).permitAll() // 设置 App API 无需认证 .antMatchers(buildAppApi("/**")).permitAll() // ②:每个项目的自定义规则 
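Review bot: The configured allowlist is registered as `.antMatchers(securityProperties.getPermitAllUrls().toArray(new String[0])).permitAll()`, which carries no HTTP method, so the `/admin-ui/**` rule this hunk removes goes from GET-only to every method once it moves into application.yaml (last hunk of the patch). That is wider than the annotation-derived rules directly above it, which are deliberately split per method, and every future entry in `yudao.security.permit-all-urls` inherits the same all-methods semantics. Either keep the static-resource meaning with `.antMatchers(HttpMethod.GET, securityProperties.getPermitAllUrls().toArray(new String[0])).permitAll()`, or make the behaviour explicit in the comment above it, e.g. `// URLs from yudao.security.permit-all-urls: no authentication, any HTTP method`. The enclosing `configure` method starts before this hunk and ends in the next one.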
@@ -118,9 +140,46 @@ public class YudaoWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdap // 添加 JWT Filter httpSecurity.addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class); } - + private String buildAppApi(String url) { return webProperties.getAppApi().getPrefix() + url; } + private Multimap getPermitAllUrlsFromAnnotations() { + Multimap result = HashMultimap.create(); + // 获得接口对应的 HandlerMethod 集合 + RequestMappingHandlerMapping requestMappingHandlerMapping = (RequestMappingHandlerMapping) + applicationContext.getBean("requestMappingHandlerMapping"); + Map handlerMethodMap = requestMappingHandlerMapping.getHandlerMethods(); + // 获得有 @PermitAll 注解的接口 + for (Map.Entry entry : handlerMethodMap.entrySet()) { + HandlerMethod handlerMethod = entry.getValue(); + if (!handlerMethod.hasMethodAnnotation(PermitAll.class)) { + continue; + } + if (entry.getKey().getPatternsCondition() == null) { + continue; + } + Set urls = entry.getKey().getPatternsCondition().getPatterns(); + // 根据请求方法,添加到 result 结果 + entry.getKey().getMethodsCondition().getMethods().forEach(requestMethod -> { + switch (requestMethod) { + case GET: + result.putAll(HttpMethod.GET, urls); + break; + case POST: + result.putAll(HttpMethod.POST, urls); + break; + case PUT: + result.putAll(HttpMethod.PUT, urls); + break; + case DELETE: + result.putAll(HttpMethod.DELETE, urls); + break; + } + }); + } + return result; + } + } diff --git a/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java b/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java index fcdca025f..5ea52b7e5 100644 --- a/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java 
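Review bot: `getPermitAllUrlsFromAnnotations` silently drops a `@PermitAll` handler in three cases: a mapping with no method restriction (`getMethodsCondition().getMethods()` is empty, so the forEach adds nothing), a request method other than GET/POST/PUT/DELETE (the switch has no `default`), and `getPatternsCondition() == null` (the `continue` branch, which as far as I can tell is what you get once the application switches to PathPatternParser). All three fail closed, so the endpoint merely stays authenticated, but the annotation then misleads the reader and nothing at startup reveals the mismatch. I would handle the empty method set explicitly, fail fast on an unsupported method, and give the method a Javadoc that names these limits, since it currently has none; the rewritten part is below.
```java
Set<String> urls = entry.getKey().getPatternsCondition().getPatterns();
if (entry.getKey().getMethodsCondition().getMethods().isEmpty()) {
    // mapping declares no method, so the URL is reachable by every method: permit all four we match on
    result.putAll(HttpMethod.GET, urls);
    result.putAll(HttpMethod.POST, urls);
    result.putAll(HttpMethod.PUT, urls);
    result.putAll(HttpMethod.DELETE, urls);
    continue;
}
entry.getKey().getMethodsCondition().getMethods().forEach(requestMethod -> {
    switch (requestMethod) {
        // … unchanged: GET / POST / PUT / DELETE cases …
        default:
            // fail at startup rather than leaving a @PermitAll endpoint silently authenticated
            throw new IllegalStateException("@PermitAll on " + handlerMethod.getMethod()
                    + " uses unsupported request method " + requestMethod);
    }
});
```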
+++ b/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/FileController.java @@ -22,6 +22,7 @@ import org.springframework.web.bind.annotation.*; import org.springframework.web.multipart.MultipartFile; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletResponse; import javax.validation.Valid; @@ -59,6 +60,7 @@ public class FileController { } @GetMapping("/{configId}/get/{path}") + @PermitAll @ApiOperation("下载文件") @ApiImplicitParams({ @ApiImplicitParam(name = "configId", value = "配置编号", required = true, dataTypeClass = Long.class), diff --git a/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java b/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java index 048411769..7f671f319 100644 --- a/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java +++ b/yudao-module-infra/yudao-module-infra-biz/src/main/java/cn/iocoder/yudao/module/infra/framework/security/config/SecurityConfiguration.java @@ -35,8 +35,6 @@ public class SecurityConfiguration { // Spring Boot Admin Server 的安全配置 registry.antMatchers(adminSeverContextPath).anonymous() .antMatchers(adminSeverContextPath + "/**").anonymous(); - // 文件的获取接口,可匿名访问 - registry.antMatchers(buildAdminApi("/infra/file/*/get/**"), buildAppApi("/infra/file/get/**")).permitAll(); } }; diff --git a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/AppAuthController.java b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/AppAuthController.java index e42554aa8..fadd20733 100644 
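Review bot: The `@PermitAll` placed above `@ApiOperation("下载文件")` replaces the infra SecurityConfiguration rule removed in the next hunk, but it arrives without the `// 文件的获取接口,可匿名访问` rationale that rule carried, and an anonymous download endpoint is exactly the exception a later reader will question. I would keep the intent beside the annotation, e.g. `@PermitAll // file retrieval endpoint, intentionally anonymous (rule moved here from SecurityConfiguration)`. The removed rule also listed `buildAppApi("/infra/file/get/**")`; that path stays anonymous through the adapter's global `.antMatchers(buildAppApi("/**")).permitAll()`, so nothing is lost there.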
--- a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/AppAuthController.java +++ b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/AppAuthController.java @@ -17,6 +17,7 @@ import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletRequest; import javax.validation.Valid; @@ -43,6 +44,7 @@ public class AppAuthController { } @PostMapping("/logout") + @PermitAll @ApiOperation("登出系统") public CommonResult logout(HttpServletRequest request) { String token = SecurityFrameworkUtils.obtainAuthorization(request, securityProperties.getTokenHeader()); diff --git a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/package-info.java b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/package-info.java index 02d61331a..7e9ca95de 100644 --- a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/package-info.java +++ b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/package-info.java @@ -1,5 +1,5 @@ /** - * 属于 system 模块的 framework 封装 + * 属于 member 模块的 framework 封装 * * @author 芋道源码 */ diff --git a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/config/SecurityConfiguration.java b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/config/SecurityConfiguration.java deleted file mode 100644 index c284b35d6..000000000 --- a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/config/SecurityConfiguration.java +++ /dev/null 
@@ -1,28 +0,0 @@ -package cn.iocoder.yudao.module.member.framework.security.config; - -import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; - -/** - * Member 模块的 Security 配置 - */ -@Configuration("memberSecurityConfiguration") -public class SecurityConfiguration { - - @Bean("memberAuthorizeRequestsCustomizer") - public AuthorizeRequestsCustomizer authorizeRequestsCustomizer() { - return new AuthorizeRequestsCustomizer() { - - @Override - public void customize(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry registry) { - // 登录的接口 - registry.antMatchers(buildAdminApi("/member/auth/logout")).permitAll(); - } - - }; - } - -} diff --git a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/core/package-info.java b/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/core/package-info.java deleted file mode 100644 index 3abf5630f..000000000 --- a/yudao-module-member/yudao-module-member-biz/src/main/java/cn/iocoder/yudao/module/member/framework/security/core/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * 占位 - */ -package cn.iocoder.yudao.module.member.framework.security.core; diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.java index ce44d2153..0a136551f 100644 
--- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.java +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/auth/AuthController.java @@ -27,6 +27,7 @@ import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletRequest; import javax.validation.Valid; import java.util.List; @@ -59,6 +60,7 @@ public class AuthController { private SecurityProperties securityProperties; @PostMapping("/login") + @PermitAll @ApiOperation("使用账号密码登录") @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 public CommonResult login(@RequestBody @Valid AuthLoginReqVO reqVO) { @@ -66,6 +68,7 @@ public class AuthController { } @PostMapping("/logout") + @PermitAll @ApiOperation("登出系统") @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 public CommonResult logout(HttpServletRequest request) { @@ -77,6 +80,7 @@ public class AuthController { } @PostMapping("/refresh-token") + @PermitAll @ApiOperation("刷新令牌") @ApiImplicitParam(name = "refreshToken", value = "刷新令牌", required = true, dataTypeClass = String.class) @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 @@ -119,6 +123,7 @@ public class AuthController { // ========== 短信登录相关 ========== @PostMapping("/sms-login") + @PermitAll @ApiOperation("使用短信验证码登录") @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 public CommonResult smsLogin(@RequestBody @Valid AuthSmsLoginReqVO reqVO) { @@ -126,6 +131,7 @@ public class AuthController { } @PostMapping("/send-sms-code") + @PermitAll @ApiOperation(value = "发送手机验证码") @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 public CommonResult sendLoginSmsCode(@RequestBody @Valid AuthSmsSendReqVO reqVO) { 
@@ -136,6 +142,7 @@ public class AuthController { // ========== 社交登录相关 ========== @GetMapping("/social-auth-redirect") + @PermitAll @ApiOperation("社交授权的跳转") @ApiImplicitParams({ @ApiImplicitParam(name = "type", value = "社交类型", required = true, dataTypeClass = Integer.class), @@ -147,6 +154,7 @@ public class AuthController { } @PostMapping("/social-login") + @PermitAll @ApiOperation(value = "社交快捷登录,使用 code 授权码", notes = "适合未登录的用户,但是社交账号已绑定用户") @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 public CommonResult socialQuickLogin(@RequestBody @Valid AuthSocialLoginReqVO reqVO) { diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/common/CaptchaController.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/common/CaptchaController.java index 5fc0b0a6b..546bbde00 100644 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/common/CaptchaController.java +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/common/CaptchaController.java @@ -10,6 +10,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import static cn.iocoder.yudao.framework.common.pojo.CommonResult.success; @@ -22,6 +23,7 @@ public class CaptchaController { private CaptchaService captchaService; @GetMapping("/get-image") + @PermitAll @ApiOperation("生成图片验证码") public CommonResult getCaptchaImage() { return success(captchaService.getCaptchaImage()); 
diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/oauth2/OAuth2OpenController.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/oauth2/OAuth2OpenController.java index 6d8ec452e..8ab096587 100644 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/oauth2/OAuth2OpenController.java +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/oauth2/OAuth2OpenController.java @@ -31,6 +31,7 @@ import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletRequest; import java.util.Collections; import java.util.List; @@ -82,6 +83,7 @@ public class OAuth2OpenController { * 注意,默认需要传递 client_id + client_secret 参数 */ @PostMapping("/token") + @PermitAll @ApiOperation(value = "获得访问令牌", notes = "适合 code 授权码模式,或者 implicit 简化模式;在 sso.vue 单点登录界面被【获取】调用") @ApiImplicitParams({ @ApiImplicitParam(name = "grant_type", required = true, value = "授权类型", example = "code", dataTypeClass = String.class), @@ -141,6 +143,7 @@ public class OAuth2OpenController { } @DeleteMapping("/token") + @PermitAll @ApiOperation(value = "删除访问令牌") @ApiImplicitParam(name = "token", required = true, value = "访问令牌", example = "biu", dataTypeClass = String.class) @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 @@ -159,6 +162,7 @@ public class OAuth2OpenController { * 对应 Spring Security OAuth 的 CheckTokenEndpoint 类的 checkToken 方法 */ @PostMapping("/check-token") + @PermitAll @ApiOperation(value = "校验访问令牌") @ApiImplicitParam(name = "token", required = true, value = "访问令牌", example = "biu", dataTypeClass = String.class) @OperateLog(enable = false) // 避免 Post 请求被记录操作日志 
diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/sms/SmsCallbackController.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/sms/SmsCallbackController.java index a21582cbd..ed32e00cf 100644 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/sms/SmsCallbackController.java +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/sms/SmsCallbackController.java @@ -15,6 +15,7 @@ import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletRequest; import static cn.iocoder.yudao.framework.common.pojo.CommonResult.success; @@ -28,6 +29,7 @@ public class SmsCallbackController { private SmsSendService smsSendService; @PostMapping("/yunpian") + @PermitAll @ApiOperation(value = "云片短信的回调", notes = "参见 https://www.yunpian.com/official/document/sms/zh_cn/domestic_push_report 文档") @ApiImplicitParam(name = "sms_status", value = "发送状态", required = true, example = "[{具体内容}]", dataTypeClass = String.class) @OperateLog(enable = false) @@ -38,6 +40,7 @@ public class SmsCallbackController { } @PostMapping("/aliyun") + @PermitAll @ApiOperation(value = "阿里云短信的回调", notes = "参见 https://help.aliyun.com/document_detail/120998.html 文档") @OperateLog(enable = false) public CommonResult receiveAliyunSmsStatus(HttpServletRequest request) throws Throwable { @@ -47,6 +50,7 @@ public class SmsCallbackController { } @PostMapping("/tencent") + @PermitAll @ApiOperation(value = "腾讯云短信的回调", notes = "参见 https://cloud.tencent.com/document/product/382/52077 文档") @OperateLog(enable = false) public CommonResult receiveTencentSmsStatus(HttpServletRequest request) throws Throwable { 
diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenant/TenantController.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenant/TenantController.java index 427172b18..acc21d3fa 100644 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenant/TenantController.java +++ b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/controller/admin/tenant/TenantController.java @@ -15,6 +15,7 @@ import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import javax.annotation.security.PermitAll; import javax.servlet.http.HttpServletResponse; import javax.validation.Valid; import java.io.IOException; @@ -32,6 +33,7 @@ public class TenantController { private TenantService tenantService; @GetMapping("/get-id-by-name") + @PermitAll @ApiOperation(value = "使用租户名,获得租户编号", notes = "登录界面,根据用户的租户名,获得租户编号") @ApiImplicitParam(name = "name", value = "租户名", required = true, example = "1024", dataTypeClass = Long.class) public CommonResult getTenantIdByName(@RequestParam("name") String name) { diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/config/SecurityConfiguration.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/config/SecurityConfiguration.java deleted file mode 100644 index 5b1114fb7..000000000 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/config/SecurityConfiguration.java +++ /dev/null 
@@ -1,45 +0,0 @@ -package cn.iocoder.yudao.module.system.framework.security.config; - -import cn.iocoder.yudao.framework.security.config.AuthorizeRequestsCustomizer; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.web.builders.HttpSecurity; -import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; - -/** - * System 模块的 Security 配置 - */ -@Configuration("systemSecurityConfiguration") -public class SecurityConfiguration { - - @Bean("systemAuthorizeRequestsCustomizer") - public AuthorizeRequestsCustomizer authorizeRequestsCustomizer() { - return new AuthorizeRequestsCustomizer() { - - @Override - public void customize(ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry registry) { - // 登录的接口 - registry.antMatchers(buildAdminApi("/system/auth/login")).permitAll(); - registry.antMatchers(buildAdminApi("/system/auth/logout")).permitAll(); - registry.antMatchers(buildAdminApi("/system/auth/refresh-token")).permitAll(); - // 社交登陆的接口 - registry.antMatchers(buildAdminApi("/system/auth/social-auth-redirect")).permitAll(); - registry.antMatchers(buildAdminApi("/system/auth/social-login")).permitAll(); - // 登录登录的接口 - registry.antMatchers(buildAdminApi("/system/auth/sms-login")).permitAll(); - registry.antMatchers(buildAdminApi("/system/auth/send-sms-code")).permitAll(); - // 验证码的接口 - registry.antMatchers(buildAdminApi("/system/captcha/**")).permitAll(); - // 获得租户编号的接口 - registry.antMatchers(buildAdminApi("/system/tenant/get-id-by-name")).permitAll(); - // 短信回调 API - registry.antMatchers(buildAdminApi("/system/sms/callback/**")).permitAll(); - // OAuth2 API - registry.antMatchers(buildAdminApi("/system/oauth2/token")).permitAll(); - registry.antMatchers(buildAdminApi("/system/oauth2/check-token")).permitAll(); - } - - }; - } - -} 
diff --git a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/core/package-info.java b/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/core/package-info.java deleted file mode 100644 index 04a8d8b37..000000000 --- a/yudao-module-system/yudao-module-system-biz/src/main/java/cn/iocoder/yudao/module/system/framework/security/core/package-info.java +++ /dev/null @@ -1,4 +0,0 @@ -/** - * 占位 - */ -package cn.iocoder.yudao.module.system.framework.security.core; diff --git a/yudao-server/src/main/resources/application.yaml b/yudao-server/src/main/resources/application.yaml index 89b1acac8..15d3fdf37 100644 --- a/yudao-server/src/main/resources/application.yaml +++ b/yudao-server/src/main/resources/application.yaml @@ -77,6 +77,9 @@ yudao: web: admin-ui: url: http://dashboard.yudao.iocoder.cn # Admin 管理后台 UI 的地址 + security: + permit-all_urls: + - /admin-ui/** # /resources/admin-ui 目录下的静态资源 swagger: title: 管理后台 description: 提供管理员管理的所有功能
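Review bot: The key `permit-all_urls:` mixes a hyphen and an underscore, while the commit message and the `permitAllUrls` field in SecurityProperties both use `permit-all-urls`. Spring Boot's relaxed binding most likely still binds it, since separator characters are ignored when property names are compared, so this is a readability and discoverability defect rather than a functional one, but anyone searching for the documented name will miss this line. Use the canonical `permit-all-urls:`. The trailing comment should also say that entries are Ant patterns permitted for every HTTP method, because the `/admin-ui/**` rule they replace in YudaoWebSecurityConfigurerAdapter was GET-only.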