服务内部调用api鉴权忽略token（动态放权）

通常情况下微服务之间调用或开放接口的时候，我们会在资源服务器的security配置当中配置路径，觉得比较麻烦，参考了网上一些案例，写了下面的应用，感觉比较实用的是可以不用谢那么多重复的代码permitAll（）方法。灵活配置动态添加删除，只需要一个注解就可以配置接口是否完全开放，是否内部开放，是否外部开放。希望能帮助到有需要的人。

创建一个注解

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface IgnoreToken {
    /**
     * 是否AOP统一处理
     */
    boolean value() default true;
}

注解配置一个切面

@Aspect
@Component
@Slf4j
public class IgnoreTokenAspect implements Ordered {
    @Autowired
    private HttpServletRequest request;

    @Around("@annotation(ignoreToken)")
    public Object around(ProceedingJoinPoint point, IgnoreToken ignoreToken) throws Throwable {
        String header = request.getHeader(SecurityConstants.FROM);
        if (ignoreToken.value() && !StringUtils.equals(SecurityConstants.FROM_IN, header)){
            log.warn("访问接口 {} 没有权限", point.getSignature().getName());
            throw new AccessDeniedException("Access is denied");
        }
        return point.proceed();
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE + 1;
    }
}

常量配置

public final class SecurityConstants {
    public static final String FROM = "from";
    public static final String FROM_IN = "in";
}

初始化忽略token的链接

@Configuration
public class PermitAllUrlProperties implements InitializingBean {

    private static final Pattern PATTERN = Pattern.compile("\\\\{(.*?)\\\\}");

    @Autowired
    private ApplicationContext applicationContext;

    private List urls = new ArrayList<>();

    public static final String ASTERISK = "*";

    @Override
    public void afterPropertiesSet() {
        RequestMappingHandlerMapping mapping = applicationContext.getBean("requestMappingHandlerMapping",RequestMappingHandlerMapping.class);
        Map map = mapping.getHandlerMethods();

        map.keySet().forEach(info -> {
            HandlerMethod handlerMethod = map.get(info);

            // 获取@IgnoreToke注解的替代path variable 为 *
            IgnoreToken method = AnnotationUtils.findAnnotation(handlerMethod.getMethod(), IgnoreToken.class);
            Optional.ofNullable(method).ifPresent(inner -> info.getPatternsCondition().getPatterns()
                    .forEach(url -> urls.add(ReUtil.replaceAll(url, PATTERN, ASTERISK))));

            // 获取@IgnoreToke注解的访问路径替代path variable 为 *
            IgnoreToken controller = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), IgnoreToken.class);
            Optional.ofNullable(controller).ifPresent(inner -> info.getPatternsCondition().getPatterns()
                    .forEach(url -> urls.add(ReUtil.replaceAll(url, PATTERN, ASTERISK))));
        });
    }

    public List getUrls() {
        return urls;
    }

    public void setUrls(List urls) {
        this.urls = urls;
    }
}

资源服务器配置

@Configuration
@EnableResourceServer
public class EcmContentResourceServerConfigure extends ResourceServerConfigurerAdapter {
    @Autowired
    PermitAllUrlProperties permitAllUrlProperties;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().disable();
        http.csrf().disable()
                .requestMatchers().antMatchers("/**")
                .and()
                .headers().frameOptions().disable()
                .and()
                .authorizeRequests()
                //添加注解动态添加放权
                .antMatchers(permitAllUrlProperties.getUrls().stream().distinct().toArray(String[]::new)).permitAll()
                .antMatchers("/**").authenticated();
    }
}

注解使用，直接添加到controller 方法上value = false表示可外部网关访问true表示内部接口外部无法访问。

    @GetMapping(value = "/getSite/{siteId}")
    @IgnoreToken(value = false)
    public EcmResponse getSite(@ApiParam(value = "siteid", required = true) @PathVariable("siteId") String siteId) {

        return siteServiceI.getSiteById(siteId);
    }

内部feign调佣需要请求头添加from参数

@GetMapping(value = "/public/lvanecm/v1/site/getSite/{siteId}") 
EcmResponse getSiteBySiteId(@PathVariable(value="siteId")String siteId,@RequestHeader(SecurityConstants.FROM) String from);

保证内部接口安全，网关拦截器全局处理，外部请求删除请求头中from参数

// 清洗请求头中from 参数
request = exchange.getRequest().mutate().headers(httpHeaders -> httpHeaders.remove(SecurityConstants.FROM)).build();