I. What are the steps to reproduce the problem?
1. I rewrote the login endpoint; it returns the token and the user information normally.
2. Immediately after logging in, the requests for the route list and the top menu both return empty results.

3. As a result, the subsequent requests to the business dictionary and system dictionary endpoints fail authentication with a 401. The screenshot shows dictionary data returned normally only because I added those two endpoints to SIKP_URL.
II. What result did you expect, and what did you actually see?
The result I expected: the route information is returned normally.
III. Which product and version are you using, and on which operating system?
I am using blade-x-3.0.1.RELEASE
IV. Please provide the detailed error stack trace; this is important.
There are no related error logs at present; the route response simply carries no data.
V. If you have any further details, please provide them below.
Your token is not being parsed by the subsequent endpoints. Could it be that the login method you rewrote returns a token that is not a JWT?
To avoid sensitive words in the endpoints, as required by a security assessment, I rewrote the authentication part of the oauth/token endpoint and made the following changes to blade-auth/src...auth/granter/BladeTokenGranter.java:
/*
 *      Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
 *
 *  Redistribution and use in source and binary forms, with or without
 *  modification, are permitted provided that the following conditions are met:
 *
 *  Redistributions of source code must retain the above copyright notice,
 *  this list of conditions and the following disclaimer.
 *  Redistributions in binary form must reproduce the above copyright
 *  notice, this list of conditions and the following disclaimer in the
 *  documentation and/or other materials provided with the distribution.
 *  Neither the name of the dreamlu.net developer nor the names of its
 *  contributors may be used to endorse or promote products derived from
 *  this software without specific prior written permission.
 *  Author: Chill 庄骞 (smallchill@163.com)
 */
package org.springblade.auth.granter;
import org.springblade.core.redis.cache.BladeRedis;
import org.springblade.core.social.props.SocialProperties;
import org.springblade.system.user.feign.IUserClient;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.TokenGranter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
/**
 * Custom extended TokenGranter
 *
 * @author Chill
 */
public class BladeTokenGranter {
    /**
     * Custom tokenGranter
     */
    public static TokenGranter getTokenGranter(final AuthenticationManager authenticationManager, final AuthorizationServerEndpointsConfigurer endpoints, BladeRedis bladeRedis, IUserClient userClient, SocialProperties socialProperties) {
        // ---------------------Start of modified section---------------------
        // Default tokenGranter set. endpoints.getTokenGranter() returns a single CompositeTokenGranter
        // that wraps the built-in grant types (password, refresh_token, ...), so filtering the list
        // elements by class name cannot reach the inner password granter.
        // Wrapped in an ArrayList because Collections.singletonList() is immutable.
        List<TokenGranter> tokenGranters = new ArrayList<>(Collections.singletonList(endpoints.getTokenGranter()));
        List<TokenGranter> removeable = tokenGranters.stream()
                // Class.toString() yields "class <name>", so compare on getName() instead
                .filter(tokenGranter -> tokenGranter.getClass().getName()
                        .equals("org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter"))
                .collect(Collectors.toList());
        tokenGranters.removeAll(removeable);
        List<TokenGranter> granters = new ArrayList<>();
        // Note: tokenGranters is never added to granters, so none of the default grant types
        // (refresh_token included) are registered; only the three granters below are offered.
        // Custom password-style authentication under the "secword" grant type
        granters.add(new ResourceOwnerSecurityWordTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        //---------------------End of modified section--------------------
        // Add captcha mode
        granters.add(new CaptchaTokenGranter(authenticationManager, endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), bladeRedis));
        // Add third-party (social) login mode
        granters.add(new SocialTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), userClient, socialProperties));
        // Combine the tokenGranter set
        return new CompositeTokenGranter(granters);
    }
}
I added ResourceOwnerSecurityWordTokenGranter.java under blade-auth/src...auth/granter/ with the following code.
package org.springblade.auth.granter;
import org.springframework.security.authentication.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import java.util.LinkedHashMap;
import java.util.Map;
public class ResourceOwnerSecurityWordTokenGranter extends ResourceOwnerPasswordTokenGranter {
    private static final String GRANT_TYPE = "secword"; // renamed grant type (replaces the default "password")
    private final AuthenticationManager authenticationManager;
    public ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager,
                                                 AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
        this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
    }
    protected ResourceOwnerSecurityWordTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices,
                                                    ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
        super(authenticationManager, tokenServices, clientDetailsService, requestFactory, grantType);
        this.authenticationManager = authenticationManager;
    }
    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
        Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters());
        String username = parameters.get("secuser"); // renamed from the default "username" parameter
        String password = parameters.get("secword"); // renamed from the default "password" parameter
        // Protect from downstream leaks of password
        parameters.remove("secword");
        Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
        ((AbstractAuthenticationToken) userAuth).setDetails(parameters);
        try {
            userAuth = authenticationManager.authenticate(userAuth);
        } catch (AccountStatusException ase) {
            //covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
            throw new InvalidGrantException(ase.getMessage());
        } catch (BadCredentialsException e) {
            // If the username/password are wrong the spec says we should send 400/invalid grant
            throw new InvalidGrantException(e.getMessage());
        }
        if (userAuth == null || !userAuth.isAuthenticated()) {
            throw new InvalidGrantException("Could not authenticate user: " + username);
        }
        OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
        return new OAuth2Authentication(storedOAuth2Request, userAuth);
    }
}
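To check the question raised in the reply (whether the token issued by the rewritten login is a JWT that downstream services can parse before they answer 401), here is an added diagnostic in Python; it is not code from this thread or from BladeX. It decodes a token without verifying it, reports whether it has three segments, a signature and an exp, and checks for claims the resource server is assumed to read (the claim names in DEFAULT_REQUIRED_CLAIMS are an assumption; adjust them to what your filter extracts). The sample tokens are constructed.

```python
import base64
import json
import time

# Claims the downstream service is assumed to read from the token (an assumption for this
# example; adjust to whatever your resource-server filter actually extracts).
DEFAULT_REQUIRED_CLAIMS = ("user_id", "tenant_id", "exp")


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token: str, required_claims=DEFAULT_REQUIRED_CLAIMS, now=None) -> dict:
    """Classify an access token without verifying it: is it a JWT, and what does it carry?
    A token that is not a three-segment JWT is reported as opaque."""
    report = {"is_jwt": False, "header": None, "payload": None, "problems": []}
    parts = token.split(".")
    if len(parts) != 3:
        report["problems"].append(f"not a JWT: {len(parts)} segment(s) instead of 3")
        return report
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        report["problems"].append(f"segment is not base64url-encoded JSON: {exc}")
        return report
    report.update(is_jwt=True, header=header, payload=payload)
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        report["problems"].append("unsigned token (alg=none or empty signature)")
    now = time.time() if now is None else now
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] < now:
        report["problems"].append("token expired")
    for claim in required_claims:
        if claim not in payload:
            report["problems"].append(f"missing claim: {claim}")
    return report


def demo_jwt(payload: dict) -> str:
    """Build a constructed JWT for the demo; the signature segment is only a placeholder."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"


# Constructed sample tokens, not values from the thread.
GOOD_JWT = demo_jwt({"user_id": "1001", "tenant_id": "t-demo", "exp": 4102444800})
OPAQUE_TOKEN = "4f1e9c2a-7b2d-4a0e-9d7c-1a2b3c4d5e6f"  # UUID-style opaque token
```

Run inspect_token() on the access_token field returned by your oauth/token call; an opaque result, or a JWT with missing claims, explains a 401 from services that parse the token themselves.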