Merge branch 'dev-sx' of http://129.211.46.84:8800/platform/hp-smart into dev

src/main/java/com/baosight/iplat4j/core/security/PlatServiceValidateFilter.java

+package com.baosight.iplat4j.core.security;
+
+import com.baosight.iplat4j.core.ei.EiConstant;
+import com.baosight.iplat4j.core.ei.EiInfo;
+import com.baosight.iplat4j.core.service.soa.XLocalManager;
+import com.baosight.iplat4j.core.service.soa.XServiceManager;
+import com.baosight.iplat4j.core.util.StringUtils;
+import com.baosight.iplat4j.core.web.WebUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+/**
+ * @author:songx
+ * @date:2024/8/26,17:01
+ */
+public class PlatServiceValidateFilter implements Filter {
+	
+	private final Logger logger = LogManager.getLogger(PlatServiceValidateFilter.class);
+	protected ITokenValidateFilter iTokenValidateFilter = null;
+	private AuthenticationEntryPoint entryPoint;
+	private String filterServiceId = null;
+	private OrRequestMatcher orRequestMatcher;
+	
+	public PlatServiceValidateFilter() {
+	}
+	
+	public void setFilterServiceId(String filterServiceId) {
+		this.filterServiceId = filterServiceId;
+	}
+	
+	protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
+			FilterChain filterChain) throws ServletException, IOException {
+		String ip = WebUtils.getRemoteAddr(httpServletRequest);
+		this.logger.debug("******cached ip:" + ip + "**********");
+		boolean authed = false;
+		String uri = httpServletRequest.getServletPath();
+		SecurityContext context = SecurityContextHolder.getContext();
+		if (context != null && context.getAuthentication() != null) {
+			Collection<? extends GrantedAuthority> authoritis = context.getAuthentication().getAuthorities();
+			if (authoritis != null && !authoritis.isEmpty()) {
+				Iterator var9 = authoritis.iterator();
+				
+				while (var9.hasNext()) {
+					GrantedAuthority authority = (GrantedAuthority) var9.next();
+					authed = authority.getAuthority().equals("ROLE_VERIFIED");
+					if (!authed && authority.getAuthority().equals("CHANGEPASS")) {
+						authed = uri.indexOf("service/XS0104/") >= 0;
+					}
+					
+					if (authed) {
+						break;
+					}
+				}
+			}
+		}
+		
+		if (uri.indexOf("service") < 0) {
+			authed = true;
+		}
+		// modify by songx at 20240826 if条件去掉authed，否则token会串
+		if (this.iTokenValidateFilter != null) {
+			this.iTokenValidateFilter.doFilter(httpServletRequest, httpServletResponse);
+			if (!authed) {
+				authed = this.isAuthedByJwt(httpServletRequest);
+			}
+		}
+		
+		Map headerMap = new HashMap();
+		Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
+		
+		String headValue;
+		String serviceParam;
+		boolean hasXPlatHeader;
+		for (hasXPlatHeader = false; headerNames.hasMoreElements(); headerMap.put(serviceParam, headValue)) {
+			String name = (String) headerNames.nextElement();
+			headValue = httpServletRequest.getHeader(name);
+			this.logger.debug("******cached header:" + name + "****** value:" + headValue + "********");
+			serviceParam = name.toLowerCase();
+			if (serviceParam.contains("xplat")) {
+				hasXPlatHeader = true;
+			}
+		}
+		
+		if (authed) {
+			filterChain.doFilter(httpServletRequest, httpServletResponse);
+		} else {
+			try {
+				EiInfo securityInfo = new EiInfo();
+				securityInfo.set("headerMap", headerMap);
+				securityInfo.set("clientIp", ip);
+				if (uri.indexOf("service/") > 0) {
+					String[] uriParts = uri.split("service/");
+					serviceParam = uriParts[uriParts.length - 1];
+					if (serviceParam.contains("/")) {
+						String[] serviceInfos = serviceParam.split("/");
+						securityInfo.set("paramServiceName", serviceInfos[0]);
+						securityInfo.set("paramMethodName", serviceInfos[1]);
+					} else {
+						securityInfo.set("paramServiceId", serviceParam);
+					}
+				}
+				
+				securityInfo.set("uri", uri);
+				EiInfo outInfo = null;
+				if (StringUtils.isNotEmpty(this.filterServiceId)) {
+					securityInfo.set(EiConstant.serviceId, this.filterServiceId);
+					outInfo = XServiceManager.call(securityInfo);
+				} else {
+					if (!hasXPlatHeader) {
+						throw new AccessDeniedException("Access is denied, reason: no service validate public key!");
+					}
+					
+					securityInfo.set(EiConstant.serviceName, "EPFI01");
+					securityInfo.set(EiConstant.methodName, "validate");
+					outInfo = XLocalManager.call(securityInfo);
+				}
+				
+				if (outInfo.getStatus() < 0) {
+					throw new AccessDeniedException("Access is denied, reason:" + outInfo.getMsg());
+				}
+				
+				Object jwtMapObj = outInfo.get("jwt_map");
+				if (jwtMapObj != null && jwtMapObj instanceof Map) {
+					httpServletRequest.setAttribute("jwt_map", jwtMapObj);
+				}
+				
+				filterChain.doFilter(httpServletRequest, httpServletResponse);
+			} catch (Exception var15) {
+				if (this.orRequestMatcher != null && this.orRequestMatcher.matches(httpServletRequest)) {
+					filterChain.doFilter(httpServletRequest, httpServletResponse);
+				} else {
+					this.logger.warn(var15.getMessage());
+					if (this.entryPoint == null) {
+						if (var15 instanceof AccessDeniedException) {
+							throw var15;
+						}
+						
+						throw new AccessDeniedException("Access is denied, reason:" + var15.getMessage());
+					}
+					
+					this.entryPoint.commence(httpServletRequest, httpServletResponse, (AuthenticationException) null);
+				}
+			}
+		}
+		
+	}
+	
+	private boolean isAuthedByJwt(HttpServletRequest httpServletRequest) {
+		boolean authed = false;
+		Object jwtMapObj = httpServletRequest.getAttribute("jwt_map");
+		if (jwtMapObj != null && jwtMapObj instanceof Map) {
+			Map jwtMap = (Map) jwtMapObj;
+			String s_loginName = (String) jwtMap.get("sub");
+			if (s_loginName != null) {
+				authed = true;
+			}
+		}
+		
+		return authed;
+	}
+	
+	public void init(FilterConfig filterConfig) throws ServletException {
+	}
+	
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+		this.doFilterInternal((HttpServletRequest) request, (HttpServletResponse) response, chain);
+	}
+	
+	public void destroy() {
+	}
+	
+	public OrRequestMatcher getOrRequestMatcher() {
+		return this.orRequestMatcher;
+	}
+	
+	public void setOrRequestMatcher(OrRequestMatcher orRequestMatcher) {
+		this.orRequestMatcher = orRequestMatcher;
+	}
+	
+	public AuthenticationEntryPoint getEntryPoint() {
+		return this.entryPoint;
+	}
+	
+	public void setEntryPoint(AuthenticationEntryPoint entryPoint) {
+		this.entryPoint = entryPoint;
+	}
+	
+	public void setITokenValidateFilter(ITokenValidateFilter iTokenValidateFilter) {
+		this.iTokenValidateFilter = iTokenValidateFilter;
+	}
+	
+}