From e4c3895e59aed13ad86c65bb326f4431681ab47d Mon Sep 17 00:00:00 2001
From: yandanyang
Date: Thu, 23 Sep 2021 18:47:46 +0800
Subject: [PATCH] =?UTF-8?q?security-=E5=BF=BD=E7=95=A5url=E5=8C=B9?=
 =?UTF-8?q?=E9=85=8D=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../security/SmartSecurityMetadataSource.java | 10 +++++++---
 .../common/security/SmartSecurityUrlMatchers.java | 14 ++++++++------
 .../service/util/SmartEmployeeTokenUtil.java | 9 +++++++--
 3 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityMetadataSource.java b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityMetadataSource.java
index d38df8ce..dbbfba06 100644
--- a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityMetadataSource.java
+++ b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityMetadataSource.java
@@ -4,6 +4,7 @@ import net.lab1024.smartadmin.service.common.anno.NoValidPrivilege;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.prepost.*;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.util.CollectionUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -79,7 +80,10 @@ public class SmartSecurityMetadataSource extends PrePostAnnotationSecurityMetada
 String uriPrefix = SmartSecurityUrl.getUriPrefix(method);
 List annotationValueList = SmartSecurityUrl.getAnnotationValueList(method, uriPrefix);
 //判断是否被忽略
- if (this.contain(noValidUrlList, annotationValueList)) {
+ AntPathMatcher antPathMatcher = new AntPathMatcher();
+ antPathMatcher.setCaseSensitive(false);
+ antPathMatcher.setTrimTokens(true);
+ if (this.contain(antPathMatcher, noValidUrlList, annotationValueList)) {
 return super.getAttributes(method, targetClass);
 }
 ArrayList configAttributes = new ArrayList(1);
@@ -96,13 +100,13 @@ public class SmartSecurityMetadataSource extends PrePostAnnotationSecurityMetada
 return configAttributes;
 }
 
- public Boolean contain(List ignores, List valueList) {
+ public Boolean contain(AntPathMatcher antPathMatcher, List ignores, List valueList) {
 if (CollectionUtils.isEmpty(ignores)) {
 return false;
 }
 for (String ignoreUrl : ignores) {
 for (String uri : valueList) {
- if (uri.contains(ignoreUrl)) {
+ if (antPathMatcher.match(ignoreUrl, uri)) {
 return true;
 }
 }
diff --git a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityUrlMatchers.java b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityUrlMatchers.java
index 346ffed9..01e76868 100644
--- a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityUrlMatchers.java
+++ b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/common/security/SmartSecurityUrlMatchers.java
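Review bot: A fresh `AntPathMatcher` is built and configured on every `getAttributes` call (the three added lines before the `contain` call) although its settings never vary, so it should be one `private static final` field initialised in a static block with the same two setters and passed from there; `getAttributes` itself starts and ends outside this hunk. `setCaseSensitive(false)` also widens what the ignore list covers: a mapped URI that differs only in case from an entry of `noValidUrlList` now skips the privilege attributes, while Spring Security's own request matching is case-sensitive by default, so if the same list also feeds the web-level ignoring (not visible here) the two decisions can disagree for such a URI. Unless the mapped URLs are known to be case-normalised, keep the default case-sensitive match, or document the intent with a comment such as `// case-insensitive on purpose: mapping values and ignore entries differ in case`.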
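Review bot: `contain` now applies `antPathMatcher.match(ignoreUrl, uri)` with `ignores` as the pattern side and `valueList` as the path side, but the method carries no Javadoc and a caller that swaps the two lists gets silently wrong results; add `@param antPathMatcher matcher applied as match(ignorePattern, uri)`, `@param ignores Ant-style ignore patterns` and `@param valueList mapped URIs to test`. The semantics also changed: an ignore entry without wildcards must now equal the whole URI, whereas the removed `uri.contains(ignoreUrl)` accepted any substring, so existing entries that relied on prefix matching stop matching, which the Javadoc should state. The new parameter is dereferenced without a check; `Objects.requireNonNull(antPathMatcher, "antPathMatcher");` at the top makes a bad call fail at the call site instead of inside the loop.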
@@ -2,6 +2,7 @@ package net.lab1024.smartadmin.service.common.security;
 
 import com.google.common.collect.Lists;
 import net.lab1024.smartadmin.service.common.anno.NoNeedLogin;
+import net.lab1024.smartadmin.service.common.constant.CommonConst;
 import org.reflections.Reflections;
 import org.reflections.scanners.MethodAnnotationsScanner;
 import org.reflections.scanners.TypeAnnotationsScanner;
@@ -23,7 +24,7 @@ public class SmartSecurityUrlMatchers {
 /**
 * 匿名访问URL
 */
- private List PERMIT_URL;
+ private List ANONYMOUS_URL;
 
 /**
 * 忽略的URL(注意,加入忽略的URL,无法进入Security filter)
@@ -41,6 +42,7 @@ public class SmartSecurityUrlMatchers {
 IGNORE_URL.add("/swagger-resources/**");
 IGNORE_URL.add("/webjars/**");
 IGNORE_URL.add("/*/api-docs");
+ IGNORE_URL.add(CommonConst.ApiUrl.API_PREFIX_SUPPORT +"/**");
 
 AUTHENTICATED_URL = new ArrayList<>();
 AUTHENTICATED_URL.add("/admin/**");
@@ -51,7 +53,7 @@ public class SmartSecurityUrlMatchers {
 * @param scanPath 需要扫描的类路径
 */
 public SmartSecurityUrlMatchers(String scanPath){
- this.PERMIT_URL = this.initAnonymousUrlList(scanPath);
+ this.ANONYMOUS_URL = this.initAnonymousUrlList(scanPath);
 }
 
 /**
@@ -63,7 +65,7 @@ public class SmartSecurityUrlMatchers {
 }
 
 public List getPermitUrlList() {
- return PERMIT_URL;
+ return ANONYMOUS_URL;
 }
 
 public List getAuthenticatedUrlList() {
@@ -77,7 +79,7 @@ public class SmartSecurityUrlMatchers {
 public List getNoValidUrlList() {
 List noValidUrl = Lists.newArrayList();
 noValidUrl.addAll(IGNORE_URL);
- noValidUrl.addAll(PERMIT_URL);
+ noValidUrl.addAll(ANONYMOUS_URL);
 return noValidUrl;
 }
 
@@ -86,8 +88,8 @@ public class SmartSecurityUrlMatchers {
 return ignoreUrlArray;
 }
 
- public String [] getPermitUrlArray() {
- String [] anonymousUrlArray = PERMIT_URL.toArray(new String[PERMIT_URL.size()]);
+ public String [] getAnonymousUrlArray() {
+ String [] anonymousUrlArray = ANONYMOUS_URL.toArray(new String[ANONYMOUS_URL.size()]);
 return anonymousUrlArray;
 }
 
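Review bot: Adding `CommonConst.ApiUrl.API_PREFIX_SUPPORT + "/**"` to `IGNORE_URL` (the `@@ -41,6 +42,7 @@` hunk; the enclosing initializer starts outside it) takes every endpoint under that prefix out of the security filter chain entirely — the field's own comment says ignored URLs never reach the Security filter — and, because `getNoValidUrlList` merges `IGNORE_URL` into the list consulted by `SmartSecurityMetadataSource`, also out of the method-level privilege check, so nothing under that prefix is authenticated or authorised. If any support endpoint is not meant to be public, it belongs in `ANONYMOUS_URL` (which presumably maps to permitAll and still passes through the filters) or behind a narrower pattern than a whole-prefix wildcard; at minimum add `// entire support prefix is intentionally unauthenticated; nothing under it may require a login` so the exposure is explicit. The concatenation also assumes `API_PREFIX_SUPPORT` begins with `/` and has no trailing slash, which is not visible here; if that is not the case the pattern never matches and the entry is dead. The remaining hunks in this file are the `PERMIT_URL` to `ANONYMOUS_URL` rename and need no comment.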
diff --git a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/util/SmartEmployeeTokenUtil.java b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/util/SmartEmployeeTokenUtil.java
index bb053c29..0c1ad6f1 100644
--- a/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/util/SmartEmployeeTokenUtil.java
+++ b/admin-api/java-api/src/main/java/net/lab1024/smartadmin/service/util/SmartEmployeeTokenUtil.java
@@ -1,6 +1,6 @@
 package net.lab1024.smartadmin.service.util;
 
-import net.lab1024.smartadmin.service.common.exception.SmartBusinessException;
+import lombok.extern.slf4j.Slf4j;
 import net.lab1024.smartadmin.service.module.system.login.domain.EmployeeLoginInfoDTO;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -8,22 +8,26 @@ import org.springframework.security.core.context.SecurityContextHolder;
 /**
 * @author 罗伊
 */
+@Slf4j
 public class SmartEmployeeTokenUtil {
 
 /**
 * 获取用户信息
+ *
 * @return
 */
 public static EmployeeLoginInfoDTO getRequestEmployee() {
 try {
 return (EmployeeLoginInfoDTO) getAuthentication().getPrincipal();
 } catch (Exception e) {
- throw new SmartBusinessException("获取用户信息异常");
+ log.error("获取用户信息异常:{}", e);
 }
+ return null;
 }
 
 /**
 * 获取用户认证信息
+ *
 * @return
 */
 public static Authentication getAuthentication() {
@@ -32,6 +36,7 @@ public class SmartEmployeeTokenUtil {
 
 /**
 * 获取用户id
+ *
 * @return
 */
 public static Long getRequestEmployeeId() {
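Review bot: `getRequestEmployee` (the `@@ -8,22 +8,26 @@` hunk) now swallows every exception and returns `null`, so callers that previously received a `SmartBusinessException` get `null` instead; `getRequestEmployeeId`, whose body lies outside the hunk, presumably dereferences the result and will fail with a `NullPointerException`, and any caller that uses the employee for an authorisation decision must now null-check before trusting it. The `catch (Exception e)` is also broad enough to hide a `ClassCastException` when the principal is not an `EmployeeLoginInfoDTO`, which is exactly the case a caller needs to know about. The log call passes the exception as the `{}` argument; depending on the SLF4J version it is then rendered with `toString()` and the stack trace is lost, so use `log.error("获取用户信息异常", e);`. If a best-effort lookup is intended, say so in the Javadoc: `@return the logged-in employee, or {@code null} when no authenticated principal of that type is present`; otherwise keep the throw and log next to it.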