Merge remote-tracking branch 'ztcloud/main' into main-ztcloud

# Conflicts: # zt-module-system/zt-module-system-server/src/main/java/com/zt/plat/module/system/service/dept/DeptService.java
2025-12-24 11:15:23 +08:00
parent 8823e316a0 7e87465ef9
commit 3903b73905
46 changed files with 1539 additions and 1266 deletions
--- a/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/security/GatewaySecurityFilter.java
+++ b/zt-module-databus/zt-module-databus-server/src/main/java/com/zt/plat/module/databus/framework/integration/gateway/security/GatewaySecurityFilter.java
@@ -33,6 +33,7 @@ import org.springframework.web.util.ContentCachingResponseWrapper;
 import org.springframework.web.util.UriComponentsBuilder;

 import java.io.IOException;
+import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
@@ -286,8 +287,7 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
        try {
            boolean valid = CryptoSignatureUtils.verifySignature(signaturePayload, signatureType);
            if (!valid) {
-                log.error("[API-PORTAL] 签名校验失败");
-                return;
+                throw new SecurityValidationException(HttpStatus.UNAUTHORIZED, "签名校验失败");
            }
        } catch (IllegalArgumentException ex) {
            throw new SecurityValidationException(HttpStatus.INTERNAL_SERVER_ERROR, "签名算法配置异常");
@@ -305,15 +305,28 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
                    .build()
                    .getQueryParams();
            params.forEach((key, values) -> {
-                if (!StringUtils.hasText(key) || "signature".equalsIgnoreCase(key)) {
+                String decodedKey = URLDecoder.decode(key, StandardCharsets.UTF_8);
+                if (!StringUtils.hasText(decodedKey) || "signature".equalsIgnoreCase(decodedKey)) {
                    return;
                }
                if (CollectionUtils.isEmpty(values)) {
-                    target.put(key, "");
-                } else if (values.size() == 1) {
-                    target.put(key, values.get(0));
+                    target.put(decodedKey, "");
+                    return;
+                }
+                // 对每一个 value 做 URL 解码，确保与客户端原文签名一致
+                List<String> decodedValues = values.stream()
+                        .map(val -> URLDecoder.decode(val, StandardCharsets.UTF_8))
+                        .toList();
+                boolean allNullLiteral = decodedValues.stream()
+                        .allMatch(v -> "null".equals(v));
+                if (allNullLiteral) {
+                    // 过滤掉仅包含字符串 "null" 的参数
+                    return;
+                }
+                if (decodedValues.size() == 1) {
+                    target.put(decodedKey, decodedValues.get(0));
                } else {
-                    target.put(key, String.join(",", values));
+                    target.put(decodedKey, String.join(",", decodedValues));
                }
            });
        } catch (IllegalArgumentException ex) {
--- a/zt-module-databus/zt-module-databus-server/src/test/java/com/zt/plat/module/databus/framework/integration/gateway/sample/DatabusApiInvocationExample.java
+++ b/zt-module-databus/zt-module-databus-server/src/test/java/com/zt/plat/module/databus/framework/integration/gateway/sample/DatabusApiInvocationExample.java