|
|
@@ -16,6 +16,7 @@ import com.qmth.themis.common.exception.BusinessException;
|
|
|
import com.qmth.themis.common.signature.SignatureInfo;
|
|
|
import com.qmth.themis.common.signature.SignatureType;
|
|
|
import com.qmth.themis.exam.config.DictionaryConfig;
|
|
|
+import org.apache.commons.lang3.StringUtils;
|
|
|
import org.slf4j.Logger;
|
|
|
import org.slf4j.LoggerFactory;
|
|
|
import org.springframework.web.servlet.HandlerInterceptor;
|
|
|
@@ -36,6 +37,7 @@ import java.util.Set;
|
|
|
* @Date: 2020/6/27
|
|
|
*/
|
|
|
public class AuthInterceptor implements HandlerInterceptor {
|
|
|
+
|
|
|
private final static Logger log = LoggerFactory.getLogger(AuthInterceptor.class);
|
|
|
|
|
|
@Resource
|
|
|
@@ -52,7 +54,6 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|
|
|
|
|
@Override
|
|
|
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
|
|
|
- log.info("exam HandlerInterceptor preHandle is come in");
|
|
|
String url = request.getServletPath();
|
|
|
String method = request.getMethod();
|
|
|
if (url.equalsIgnoreCase(SystemConstant.ERROR)) {
|
|
|
@@ -62,89 +63,103 @@ public class AuthInterceptor implements HandlerInterceptor {
|
|
|
String deviceId = ServletUtil.getRequestDeviceId();
|
|
|
String authorization = ServletUtil.getRequestAuthorization();
|
|
|
String time = ServletUtil.getRequestTime();
|
|
|
- log.info("platform:{},deviceId:{},authorization:{},method:{},time:{}", platform, deviceId, authorization, method, time);
|
|
|
- Long userId = null;
|
|
|
- Long timestamp = Long.parseLong(time);
|
|
|
- if (!SystemConstant.expire(timestamp.longValue())) {
|
|
|
- final SignatureInfo info = SignatureInfo
|
|
|
- .parse(method.toLowerCase(), url, timestamp, authorization);
|
|
|
- //测试
|
|
|
-// final SignatureInfo info = SignatureInfo
|
|
|
-// .parse(authorization);
|
|
|
- if (Objects.nonNull(info) && info.getType() == SignatureType.TOKEN) {
|
|
|
- String sessionId = info.getInvoker();
|
|
|
- TBSession tbSession = (TBSession) redisUtil.getUserSession(sessionId);
|
|
|
- if (Objects.isNull(tbSession)) {
|
|
|
- throw new BusinessException(ExceptionResultEnum.LOGIN_NO);
|
|
|
- } else {
|
|
|
- if (info.validate(tbSession.getAccessToken()) && info.getTimestamp() < tbSession.getExpireTime()
|
|
|
- && platform.name().equalsIgnoreCase(tbSession.getPlatform()) && Objects.equals(deviceId, tbSession.getDeviceId())) {
|
|
|
- userId = Long.parseLong(tbSession.getIdentity());
|
|
|
- Long expireTime = tbSession.getExpireTime();
|
|
|
- //手机端的token时长为一个月,所以会出现缓存没有的情况
|
|
|
- if (expireTime <= System.currentTimeMillis()) {//先判断时间是否过期
|
|
|
- throw new BusinessException(ExceptionResultEnum.LOGIN_NO);
|
|
|
- }
|
|
|
- TEStudentCacheDto teStudentCacheDto = (TEStudentCacheDto) redisUtil.getStudent(userId);
|
|
|
- if (Objects.isNull(teStudentCacheDto)) {
|
|
|
- TEStudent teStudent = teStudentService.getById(userId);
|
|
|
- Gson gson = new Gson();
|
|
|
- teStudentCacheDto = gson.fromJson(gson.toJson(teStudent), TEStudentCacheDto.class);
|
|
|
- redisUtil.setStudent(teStudent.getId(), teStudentCacheDto);
|
|
|
- }
|
|
|
+ log.info("Start authorization: url:{}, method:{}, platform:{}, deviceId:{}, authorization:{}, time:{}", url,
|
|
|
+ method, platform, deviceId, authorization, time);
|
|
|
+ //校验时间戳是否过期
|
|
|
+ long timestamp = StringUtils.isNumeric(time) ? Long.parseLong(time) : 0L;
|
|
|
+ if (SystemConstant.expire(timestamp)) {
|
|
|
+ log.warn("Authorization faile: time expired, server time=" + System.currentTimeMillis());
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ //校验签名信息
|
|
|
+ final SignatureInfo info = SignatureInfo.parse(method.toLowerCase(), url, timestamp, authorization);
|
|
|
+ if (info == null) {
|
|
|
+ log.warn("Authorization faile: signature decode error");
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ if (SignatureType.TOKEN != info.getType()) {
|
|
|
+ log.warn("Authorization faile: signature type is not Token");
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ //校验session
|
|
|
+ String sessionId = info.getInvoker();
|
|
|
+ TBSession tbSession = (TBSession) redisUtil.getUserSession(sessionId);
|
|
|
+ if (Objects.isNull(tbSession)) {
|
|
|
+ log.warn("Authorization faile: session id not exists: " + sessionId);
|
|
|
+ throw new BusinessException(ExceptionResultEnum.LOGIN_NO);
|
|
|
+ }
|
|
|
+ if (tbSession.getExpireTime() < System.currentTimeMillis() || info.getTimestamp() > tbSession.getExpireTime()) {
|
|
|
+ log.warn("Authorization faile: session has expired, expire time=" + tbSession.getExpireTime());
|
|
|
+ throw new BusinessException(ExceptionResultEnum.LOGIN_NO);
|
|
|
+ }
|
|
|
+ if (!info.validate(tbSession.getAccessToken())) {
|
|
|
+ log.warn("Authorization faile: access token invalid, session token is " + tbSession.getAccessToken());
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ if (!tbSession.getPlatform().equalsIgnoreCase(platform.name())) {
|
|
|
+ log.warn("Authorization faile: platform invalid, session platform is " + tbSession.getPlatform());
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ if (!tbSession.getDeviceId().equalsIgnoreCase(deviceId)) {
|
|
|
+ log.warn("Authorization faile: deviceId invalid, session deviceId is " + tbSession.getDeviceId());
|
|
|
+ throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ }
|
|
|
+ //Long expireTime = tbSession.getExpireTime();
|
|
|
+ //手机端的token时长为一个月,所以会出现缓存没有的情况
|
|
|
+ //if (expireTime <= System.currentTimeMillis()) {//先判断时间是否过期
|
|
|
+ // throw new BusinessException(ExceptionResultEnum.LOGIN_NO);
|
|
|
+ //}
|
|
|
+ long userId = Long.parseLong(tbSession.getIdentity());
|
|
|
+ TEStudentCacheDto teStudentCacheDto = (TEStudentCacheDto) redisUtil.getStudent(userId);
|
|
|
+ if (Objects.isNull(teStudentCacheDto)) {
|
|
|
+ TEStudent teStudent = teStudentService.getById(userId);
|
|
|
+ Gson gson = new Gson();
|
|
|
+ teStudentCacheDto = gson.fromJson(gson.toJson(teStudent), TEStudentCacheDto.class);
|
|
|
+ redisUtil.setStudent(teStudent.getId(), teStudentCacheDto);
|
|
|
+ }
|
|
|
|
|
|
- request.setAttribute(SystemConstant.SESSION, tbSession);
|
|
|
- request.setAttribute(SystemConstant.STUDENT_ACCOUNT, teStudentCacheDto);
|
|
|
+ request.setAttribute(SystemConstant.SESSION, tbSession);
|
|
|
+ request.setAttribute(SystemConstant.STUDENT_ACCOUNT, teStudentCacheDto);
|
|
|
|
|
|
- AuthDto authDto = (AuthDto) redisUtil.get(SystemConstant.studentOauth + "::" + userId);
|
|
|
- //验证权限
|
|
|
- if (Objects.isNull(authDto)) {
|
|
|
- authDto = cacheService.addStudentCache(userId);
|
|
|
- }
|
|
|
- request.setAttribute(SystemConstant.ORG, authDto.getTbOrg());
|
|
|
- //系统管理员拥有所有权限
|
|
|
-// if (authDto.getRoleCodes().contains(RoleEnum.SUPER_ADMIN.name())) {
|
|
|
-// return true;
|
|
|
-// }
|
|
|
- //系统公用接口不拦截
|
|
|
- List<String> sysUrls = dictionaryConfig.systemUrlDomain().getUrls();
|
|
|
- int sysCount = (int) sysUrls.stream().filter(s -> {
|
|
|
- return s.equalsIgnoreCase(url);
|
|
|
- }).count();
|
|
|
- if (sysCount > 0) {
|
|
|
- return true;
|
|
|
- }
|
|
|
- Set<String> urls = authDto.getUrls();
|
|
|
- int count = (int) urls.stream().filter(s -> {
|
|
|
- return s.equalsIgnoreCase(url);
|
|
|
- }).count();
|
|
|
- if (count == 0) {
|
|
|
- throw new BusinessException(ExceptionResultEnum.UN_AUTHORIZATION);
|
|
|
- }
|
|
|
- } else {
|
|
|
- throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
- }
|
|
|
- }
|
|
|
- } else {
|
|
|
- throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
- }
|
|
|
- } else {
|
|
|
- throw new BusinessException(ExceptionResultEnum.AUTHORIZATION_ERROR);
|
|
|
+ AuthDto authDto = (AuthDto) redisUtil.get(SystemConstant.studentOauth + "::" + userId);
|
|
|
+ //验证权限
|
|
|
+ if (Objects.isNull(authDto)) {
|
|
|
+ authDto = cacheService.addStudentCache(userId);
|
|
|
+ }
|
|
|
+ request.setAttribute(SystemConstant.ORG, authDto.getTbOrg());
|
|
|
+ //系统管理员拥有所有权限
|
|
|
+ // if (authDto.getRoleCodes().contains(RoleEnum.SUPER_ADMIN.name())) {
|
|
|
+ // return true;
|
|
|
+ // }
|
|
|
+ //系统公用接口不拦截
|
|
|
+ List<String> sysUrls = dictionaryConfig.systemUrlDomain().getUrls();
|
|
|
+ int sysCount = (int) sysUrls.stream().filter(s -> {
|
|
|
+ return s.equalsIgnoreCase(url);
|
|
|
+ }).count();
|
|
|
+ if (sysCount > 0) {
|
|
|
+ return true;
|
|
|
+ }
|
|
|
+ Set<String> urls = authDto.getUrls();
|
|
|
+ int count = (int) urls.stream().filter(s -> {
|
|
|
+ return s.equalsIgnoreCase(url);
|
|
|
+ }).count();
|
|
|
+ if (count == 0) {
|
|
|
+ log.warn("Authorization faile: url cannot access");
|
|
|
+ throw new BusinessException(ExceptionResultEnum.UN_AUTHORIZATION);
|
|
|
}
|
|
|
response.setStatus(ExceptionResultEnum.SUCCESS.getCode());
|
|
|
return true;
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
- public void postHandle(HttpServletRequest request,
|
|
|
- HttpServletResponse response,
|
|
|
- Object o, ModelAndView modelAndView) throws Exception {
|
|
|
+ public void postHandle(HttpServletRequest request, HttpServletResponse response, Object o,
|
|
|
+ ModelAndView modelAndView) throws Exception {
|
|
|
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
- public void afterCompletion(HttpServletRequest request,
|
|
|
- HttpServletResponse response,
|
|
|
- Object o, Exception e) throws Exception {
|
|
|
+ public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object o, Exception e)
|
|
|
+ throws Exception {
|
|
|
}
|
|
|
+
|
|
|
}
|
