Routes cannot be queried after login

Blade  Unresolved  1  299
jiashaCocoa 2023-06-13 11:17

I. What are the steps to reproduce the issue?

  1. I overrode the login endpoint; it returns the token and the user info normally.

  image.png

  2. Immediately after login, the requests for the route list and the top menu both come back empty.

  image.png

  image.png

  3. As a result, the subsequent requests to the business-dictionary and system-dictionary endpoints fail authentication with 401. The dictionary data is returned normally in the screenshot only because I added those two endpoints to SKIP_URL.

  image.png

II. What result did you expect, and what did you actually see?

Expected result: the route information is returned normally.

III. Which product and version are you using, and on which operating system?

I am using blade-x-3.0.1.RELEASE.

IV. Please provide the detailed error stack trace; this is important.

There is no related error log at the moment. The route response simply carries no data.

V. If you have more details, please provide them below.

1 reply
  •  gtfhao
    gtfhao (OP)
    2023-06-13 11:22

    Your token is not being parsed by the subsequent endpoints. Is it because the token from your overridden login method isn't a JWT?

    Author's follow-up: 2023-06-13 11:22

    To avoid sensitive words in the endpoints, as required by a security assessment, I rewrote the authentication part of the oauth/token endpoint, modifying blade-auth/src...auth/granter/BladeTokenGranter.java as follows:

    /*
    *      Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
    *
    *  Redistribution and use in source and binary forms, with or without
    *  modification, are permitted provided that the following conditions are met:
    *
    *  Redistributions of source code must retain the above copyright notice,
    *  this list of conditions and the following disclaimer.
    *  Redistributions in binary form must reproduce the above copyright
    *  notice, this list of conditions and the following disclaimer in the
    *  documentation and/or other materials provided with the distribution.
    *  Neither the name of the dreamlu.net developer nor the names of its
    *  contributors may be used to endorse or promote products derived from
    *  this software without specific prior written permission.
    *  Author: Chill 庄骞 (smallchill@163.com)
    */
    package org.springblade.auth.granter;

    import org.springblade.core.redis.cache.BladeRedis;
    import org.springblade.core.social.props.SocialProperties;
    import org.springblade.system.user.feign.IUserClient;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.provider.CompositeTokenGranter;
    import org.springframework.security.oauth2.provider.TokenGranter;

    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;
    import java.util.stream.Collectors;

    /**
    * Custom extended TokenGranter
    *
    * @author Chill
    */
    public class BladeTokenGranter {

       /**
        * Custom tokenGranter
        */
       public static TokenGranter getTokenGranter(final AuthenticationManager authenticationManager, final AuthorizationServerEndpointsConfigurer endpoints, BladeRedis bladeRedis, IUserClient userClient, SocialProperties socialProperties) {
          // --------------------- start of modified section ---------------------
          // Default tokenGranter collection; copied into a mutable ArrayList because
          // Collections.singletonList is read-only and removeAll would fail on a match
          List<TokenGranter> tokenGranters = new ArrayList<>(Collections.singletonList(endpoints.getTokenGranter()));
          // Compare by class name: getClass().toString() is prefixed with "class " and never matches
          List<TokenGranter> removeable = tokenGranters.stream().filter(tokenGranter -> tokenGranter.getClass().getName().equals("org.springframework.security.oauth2.provider.password.ResourceOwnerSecurityWordTokenGranter")).collect(Collectors.toList());
          tokenGranters.removeAll(removeable);
          // Keep the remaining default granters (refresh_token etc.) in the composite
          List<TokenGranter> granters = new ArrayList<>(tokenGranters);
          // Custom password authentication
          granters.add(new ResourceOwnerSecurityWordTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
          // --------------------- end of modified section --------------------
          // Add the captcha grant mode
          granters.add(new CaptchaTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), bladeRedis));
          // Add the third-party (social) login grant mode
          granters.add(new SocialTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), userClient, socialProperties));
          // Combine the tokenGranter collection
          return new CompositeTokenGranter(granters);
       }

    }

    I added ResourceOwnerSecurityWordTokenGranter.java under blade-auth/src...auth/granter/, with the following code.

    package org.springblade.auth.granter;
    
    import org.springframework.security.authentication.*;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
    import org.springframework.security.oauth2.provider.*;
    import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
    import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
    
    import java.util.LinkedHashMap;
    import java.util.Map;
    
    public class ResourceOwnerSecurityWordTokenGranter extends ResourceOwnerPasswordTokenGranter {
        private static final String GRANT_TYPE = "secword"; // renamed grant_type value (the purpose of this change)
    
        private final AuthenticationManager authenticationManager;
    
        public ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager,
                                                     AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
            this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
        }
    
        protected ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices,
                                                        ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
            super(authenticationManager, tokenServices, clientDetailsService, requestFactory, grantType);
            this.authenticationManager = authenticationManager;
        }
    
        @Override
        protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
            Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters());
            String username = parameters.get("secuser"); // renamed username parameter (the purpose of this change)
            String password = parameters.get("secword"); // renamed password parameter (the purpose of this change)
            // Protect from downstream leaks of password
            parameters.remove("secword");
    
            Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
            ((AbstractAuthenticationToken) userAuth).setDetails(parameters);
            try {
                userAuth = authenticationManager.authenticate(userAuth);
            } catch (AccountStatusException ase) {
                //covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
                throw new InvalidGrantException(ase.getMessage());
            } catch (BadCredentialsException e) {
                // If the username/password are wrong the spec says we should send 400/invalid grant
                throw new InvalidGrantException(e.getMessage());
            }
            if (userAuth == null || !userAuth.isAuthenticated()) {
                throw new InvalidGrantException("Could not authenticate user: " + username);
            }
    
            OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
            return new OAuth2Authentication(storedOAuth2Request, userAuth);
        }
    }
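A diagnostic in the spirit of gtfhao's reply, added here as an example and not part of the original thread or of BladeX: it classifies the access_token handed back by the custom grant as either a JWT (and checks its alg, exp and HS256 signature) or an opaque value that the downstream route and dictionary endpoints could never parse. The secret, claim names and sample tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    # Constructed test token built from scratch with the stdlib (not BladeX's own signer).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def inspect_token(token: str, secret=None) -> dict:
    """Classify an access_token the way a resource server that expects a JWT would see it."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"kind": "opaque", "reason": "not three dot-separated segments"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return {"kind": "opaque", "reason": "segments are not base64url-encoded JSON"}
    result = {"kind": "jwt", "alg": header.get("alg"), "claims": claims, "problems": []}
    if str(header.get("alg", "none")).lower() == "none":
        result["problems"].append("unsigned token (alg=none)")
    if "exp" not in claims:
        result["problems"].append("no exp claim")
    elif claims["exp"] < time.time():
        result["problems"].append("expired")
    if secret is not None and header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            result["problems"].append("HS256 signature does not verify")
    return result


SECRET = b"constructed-demo-secret"                      # constructed, not a real key
GOOD = make_hs256_jwt({"user_name": "admin", "exp": int(time.time()) + 3600}, SECRET)
OPAQUE = secrets.token_hex(16)                           # what a non-JWT token store returns
```

Run inspect_token on the token returned by the secword grant: a result of kind "opaque" is consistent with the empty route list and the 401s described above.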

