1. 统一包名修改

zt-framework/zt-spring-boot-starter-security/pom.xml

@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <groupId>com.zt.plat</groupId>
+        <artifactId>zt-framework</artifactId>
+        <version>${revision}</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>zt-spring-boot-starter-security</artifactId>
+    <packaging>jar</packaging>
+
+    <name>${project.artifactId}</name>
+    <description>
+        1. security：用户的认证、权限的校验，实现「谁」可以做「什么事」
+        2. operatelog：操作日志，实现「谁」在「什么时间」对「什么」做了「什么事」
+    </description>
+    <url>https://github.com/YunaiV/ruoyi-vue-pro</url>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.zt.plat</groupId>
+            <artifactId>zt-common</artifactId>
+        </dependency>
+
+        <!-- Spring 核心 -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-aop</artifactId>
+        </dependency>
+
+        <!-- Web 相关 -->
+        <dependency>
+            <groupId>com.zt.plat</groupId>
+            <artifactId>zt-spring-boot-starter-web</artifactId>
+        </dependency>
+        <!-- spring boot 配置所需依赖 -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-configuration-processor</artifactId>
+            <optional>true</optional>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <!-- RPC 远程调用相关 -->
+        <dependency>
+            <groupId>com.zt.plat</groupId>
+            <artifactId>zt-spring-boot-starter-rpc</artifactId>
+            <optional>true</optional>
+        </dependency>
+
+        <!-- 工具类相关 -->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+
+        <dependency>
+            <!-- Spring Boot 通用操作日志组件，基于注解实现 -->
+            <!-- 此组件解决的问题是：「谁」在「什么时间」对「什么」做了「什么事」 -->
+            <groupId>io.github.mouzt</groupId>
+            <artifactId>bizlog-sdk</artifactId>
+        </dependency>
+
+    </dependencies>
+
+</project>

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/operatelog/config/CloudOperateLogConfiguration.java

@@ -0,0 +1,27 @@
+package com.zt.plat.framework.operatelog.config;
+
+import com.zt.plat.framework.operatelog.core.service.LogRecordServiceImpl;
+import com.mzt.logapi.service.ILogRecordService;
+import com.mzt.logapi.starter.annotation.EnableLogRecord;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Primary;
+
+/**
+ * 操作日志配置类
+ *
+ * @author HUIHUI
+ */
+@EnableLogRecord(tenant = "") // 貌似用不上 tenant 这玩意给个空好啦
+@AutoConfiguration
+@Slf4j
+public class CloudOperateLogConfiguration {
+
+    @Bean
+    @Primary
+    public ILogRecordService iLogRecordServiceImpl() {
+        return new LogRecordServiceImpl();
+    }
+
+}

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/operatelog/config/CloudOperateLogRpcAutoConfiguration.java

@@ -0,0 +1,15 @@
+package com.zt.plat.framework.operatelog.config;
+
+import com.zt.plat.framework.common.biz.system.logger.OperateLogCommonApi;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.cloud.openfeign.EnableFeignClients;
+
+/**
+ * OperateLog 使用到 Feign 的配置项
+ *
+ * @author ZT
+ */
+@AutoConfiguration
+@EnableFeignClients(clients = {OperateLogCommonApi.class}) // 主要是引入相关的 API 服务
+public class CloudOperateLogRpcAutoConfiguration {
+}

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/operatelog/core/package-info.java

@@ -0,0 +1,4 @@
+/**
+ * 占位，无特殊作用
+ */
+package com.zt.plat.framework.operatelog.core;

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/operatelog/core/service/LogRecordServiceImpl.java

@@ -0,0 +1,92 @@
+package com.zt.plat.framework.operatelog.core.service;
+
+import com.zt.plat.framework.common.biz.system.logger.OperateLogCommonApi;
+import com.zt.plat.framework.common.util.monitor.TracerUtils;
+import com.zt.plat.framework.common.util.servlet.ServletUtils;
+import com.zt.plat.framework.security.core.LoginUser;
+import com.zt.plat.framework.security.core.util.SecurityFrameworkUtils;
+import com.zt.plat.framework.common.biz.system.logger.dto.OperateLogCreateReqDTO;
+import com.mzt.logapi.beans.LogRecord;
+import com.mzt.logapi.service.ILogRecordService;
+import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Qualifier;
+
+import java.util.List;
+
+/**
+ * 操作日志 ILogRecordService 实现类
+ *
+ * 基于 {@link OperateLogCommonApi} 实现，记录操作日志
+ *
+ * @author HUIHUI
+ */
+@Slf4j
+public class LogRecordServiceImpl implements ILogRecordService {
+
+    @Resource
+    private OperateLogCommonApi operateLogApi;
+
+    @Override
+    public void record(LogRecord logRecord) {
+        OperateLogCreateReqDTO reqDTO = new OperateLogCreateReqDTO();
+        try {
+            reqDTO.setTraceId(TracerUtils.getTraceId());
+            // 补充用户信息
+            fillUserFields(reqDTO);
+            // 补全模块信息
+            fillModuleFields(reqDTO, logRecord);
+            // 补全请求信息
+            fillRequestFields(reqDTO);
+
+            // 2. 异步记录日志
+            operateLogApi.createOperateLogAsync(reqDTO);
+        } catch (Throwable ex) {
+            // 由于 @Async 异步调用，这里打印下日志，更容易跟进
+            log.error("[record][url({}) log({}) 发生异常]", reqDTO.getRequestUrl(), reqDTO, ex);
+        }
+    }
+
+    private static void fillUserFields(OperateLogCreateReqDTO reqDTO) {
+        // 使用 SecurityFrameworkUtils。因为要考虑，rpc、mq、job，它其实不是 web；
+        LoginUser loginUser = SecurityFrameworkUtils.getLoginUser();
+        if (loginUser == null) {
+            return;
+        }
+        reqDTO.setUserId(loginUser.getId());
+        reqDTO.setUserType(loginUser.getUserType());
+    }
+
+    public static void fillModuleFields(OperateLogCreateReqDTO reqDTO, LogRecord logRecord) {
+        reqDTO.setType(logRecord.getType()); // 大模块类型，例如：CRM 客户
+        reqDTO.setSubType(logRecord.getSubType());// 操作名称，例如：转移客户
+        reqDTO.setBizId(Long.parseLong(logRecord.getBizNo())); // 业务编号，例如：客户编号
+        reqDTO.setAction(logRecord.getAction());// 操作内容，例如：修改编号为 1 的用户信息，将性别从男改成女，将姓名从ZT改成源码。
+        reqDTO.setExtra(logRecord.getExtra()); // 拓展字段，有些复杂的业务，需要记录一些字段 ( JSON 格式 )，例如说，记录订单编号，{ orderId: "1"}
+    }
+
+    private static void fillRequestFields(OperateLogCreateReqDTO reqDTO) {
+        // 获得 Request 对象
+        HttpServletRequest request = ServletUtils.getRequest();
+        if (request == null) {
+            return;
+        }
+        // 补全请求信息
+        reqDTO.setRequestMethod(request.getMethod());
+        reqDTO.setRequestUrl(request.getRequestURI());
+        reqDTO.setUserIp(ServletUtils.getClientIP(request));
+        reqDTO.setUserAgent(ServletUtils.getUserAgent(request));
+    }
+
+    @Override
+    public List<LogRecord> queryLog(String bizNo, String type) {
+        throw new UnsupportedOperationException("使用 OperateLogApi 进行操作日志的查询");
+    }
+
+    @Override
+    public List<LogRecord> queryLogByBizNo(String bizNo, String type, String subType) {
+        throw new UnsupportedOperationException("使用 OperateLogApi 进行操作日志的查询");
+    }
+
+}

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/operatelog/package-info.java

@@ -0,0 +1,7 @@
+/**
+ * 基于 mzt-log 框架
+ * 实现操作日志功能
+ *
+ * @author HUIHUI
+ */
+package com.zt.plat.framework.operatelog;

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/security/config/AuthorizeRequestsCustomizer.java

@@ -0,0 +1,35 @@
+package com.zt.plat.framework.security.config;
+
+import com.zt.plat.framework.web.config.WebProperties;
+import jakarta.annotation.Resource;
+import org.springframework.core.Ordered;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
+
+/**
+ * 自定义的 URL 的安全配置
+ * 目的：每个 Maven Module 可以自定义规则！
+ *
+ * @author ZT
+ */
+public abstract class AuthorizeRequestsCustomizer
+        implements Customizer<AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry>, Ordered {
+
+    @Resource
+    private WebProperties webProperties;
+
+    protected String buildAdminApi(String url) {
+        return webProperties.getAdminApi().getPrefix() + url;
+    }
+
+    protected String buildAppApi(String url) {
+        return webProperties.getAppApi().getPrefix() + url;
+    }
+
+    @Override
+    public int getOrder() {
+        return 0;
+    }
+
+}

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/security/config/CloudSecurityAutoConfiguration.java

@@ -0,0 +1,94 @@
+package com.zt.plat.framework.security.config;
+
+import com.zt.plat.framework.common.biz.system.permission.PermissionCommonApi;
+import com.zt.plat.framework.security.core.context.TransmittableThreadLocalSecurityContextHolderStrategy;
+import com.zt.plat.framework.security.core.filter.TokenAuthenticationFilter;
+import com.zt.plat.framework.security.core.handler.AccessDeniedHandlerImpl;
+import com.zt.plat.framework.security.core.handler.AuthenticationEntryPointImpl;
+import com.zt.plat.framework.security.core.service.SecurityFrameworkService;
+import com.zt.plat.framework.security.core.service.SecurityFrameworkServiceImpl;
+import com.zt.plat.framework.web.core.handler.GlobalExceptionHandler;
+import com.zt.plat.framework.common.biz.system.oauth2.OAuth2TokenCommonApi;
+import jakarta.annotation.Resource;
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.AutoConfigureOrder;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+/**
+ * Spring Security 自动配置类，主要用于相关组件的配置
+ *
+ * 注意，不能和 {@link CloudWebSecurityConfigurerAdapter} 用一个，原因是会导致初始化报错。
+ * 参见 https://stackoverflow.com/questions/53847050/spring-boot-delegatebuilder-cannot-be-null-on-autowiring-authenticationmanager 文档。
+ *
+ * @author ZT
+ */
+@AutoConfiguration
+@AutoConfigureOrder(-1) // 目的：先于 Spring Security 自动配置，避免一键改包后，org.* 基础包无法生效
+@EnableConfigurationProperties(SecurityProperties.class)
+public class CloudSecurityAutoConfiguration {
+
+    @Resource
+    private SecurityProperties securityProperties;
+
+    /**
+     * 认证失败处理类 Bean
+     */
+    @Bean
+    public AuthenticationEntryPoint authenticationEntryPoint() {
+        return new AuthenticationEntryPointImpl();
+    }
+
+    /**
+     * 权限不够处理器 Bean
+     */
+    @Bean
+    public AccessDeniedHandler accessDeniedHandler() {
+        return new AccessDeniedHandlerImpl();
+    }
+
+    /**
+     * Spring Security 加密器
+     * 考虑到安全性，这里采用 BCryptPasswordEncoder 加密器
+     *
+     * @see <a href="http://stackabuse.com/password-encoding-with-spring-security/">Password Encoding with Spring Security</a>
+     */
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder(securityProperties.getPasswordEncoderLength());
+    }
+
+    /**
+     * Token 认证过滤器 Bean
+     */
+    @Bean
+    public TokenAuthenticationFilter authenticationTokenFilter(GlobalExceptionHandler globalExceptionHandler,
+                                                               OAuth2TokenCommonApi oauth2TokenApi) {
+        return new TokenAuthenticationFilter(securityProperties, globalExceptionHandler, oauth2TokenApi);
+    }
+
+    @Bean("ss") // 使用 Spring Security 的缩写，方便使用
+    public SecurityFrameworkService securityFrameworkService(PermissionCommonApi permissionApi) {
+        return new SecurityFrameworkServiceImpl(permissionApi);
+    }
+
+    /**
+     * 声明调用 {@link SecurityContextHolder#setStrategyName(String)} 方法，
+     * 设置使用 {@link TransmittableThreadLocalSecurityContextHolderStrategy} 作为 Security 的上下文策略
+     */
+    @Bean
+    public MethodInvokingFactoryBean securityContextHolderMethodInvokingFactoryBean() {
+        MethodInvokingFactoryBean methodInvokingFactoryBean = new MethodInvokingFactoryBean();
+        methodInvokingFactoryBean.setTargetClass(SecurityContextHolder.class);
+        methodInvokingFactoryBean.setTargetMethod("setStrategyName");
+        methodInvokingFactoryBean.setArguments(TransmittableThreadLocalSecurityContextHolderStrategy.class.getName());
+        return methodInvokingFactoryBean;
+    }
+
+}

zt-framework/zt-spring-boot-starter-security/src/main/java/com/zt/plat/framework/security/config/CloudSecurityRpcAutoConfiguration.java

@@ -0,0 +1,25 @@
+package com.zt.plat.framework.security.config;
+
+import com.zt.plat.framework.common.biz.system.permission.PermissionCommonApi;
+import com.zt.plat.framework.security.core.rpc.LoginUserRequestInterceptor;
+import com.zt.plat.framework.common.biz.system.oauth2.OAuth2TokenCommonApi;
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.cloud.openfeign.EnableFeignClients;
+import org.springframework.context.annotation.Bean;
+
+/**
+ * Security 使用到 Feign 的配置项
+ *
+ * @author ZT
+ */
+@AutoConfiguration
+@EnableFeignClients(clients = {OAuth2TokenCommonApi.class, // 主要是引入相关的 API 服务
+        PermissionCommonApi.class})
+public class CloudSecurityRpcAutoConfiguration {
+
+    @Bean
+    public LoginUserRequestInterceptor loginUserRequestInterceptor() {
+        return new LoginUserRequestInterceptor();
+    }
+
+}