feat(config): 更新开发环境数据库连接和安全过滤器加密功能
- 修改 application-dev.yml 中的数据库连接地址和凭据信息 - 在 GatewaySecurityFilter 中实现条件加密验证逻辑 - 添加 wzy 环境配置文件支持 Nacos 配置中心连接 - 优化请求体解密和签名验证流程以支持选择性加密处理 - 更新缓存请求体构造以确保解密后数据正确传递
This commit is contained in:
wuzongyong
13
pom.xml
13
pom.xml
@@ -243,6 +243,19 @@
|
|||||||
<config.version>1.0.0</config.version>
|
<config.version>1.0.0</config.version>
|
||||||
</properties>
|
</properties>
|
||||||
</profile>
|
</profile>
|
||||||
|
<profile>
|
||||||
|
<id>wzy</id>
|
||||||
|
<properties>
|
||||||
|
<env.name>dev</env.name>
|
||||||
|
<!--Nacos 配置-->
|
||||||
|
<config.server-addr>172.16.46.63:30848</config.server-addr>
|
||||||
|
<config.namespace>wzy</config.namespace>
|
||||||
|
<config.group>DEFAULT_GROUP</config.group>
|
||||||
|
<config.username>nacos</config.username>
|
||||||
|
<config.password>P@ssword25</config.password>
|
||||||
|
<config.version>1.0.0</config.version>
|
||||||
|
</properties>
|
||||||
|
</profile>
|
||||||
<profile>
|
<profile>
|
||||||
<id>klw-dev</id>
|
<id>klw-dev</id>
|
||||||
<properties>
|
<properties>
|
||||||
|
|||||||
@@ -108,7 +108,9 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
|
|||||||
credential = credentialService.findActiveCredential(appId)
|
credential = credentialService.findActiveCredential(appId)
|
||||||
.orElseThrow(() -> new SecurityValidationException(HttpStatus.UNAUTHORIZED, "应用凭证不存在或已禁用"));
|
.orElseThrow(() -> new SecurityValidationException(HttpStatus.UNAUTHORIZED, "应用凭证不存在或已禁用"));
|
||||||
boolean allowAnonymous = Boolean.TRUE.equals(credential.getAllowAnonymous());
|
boolean allowAnonymous = Boolean.TRUE.equals(credential.getAllowAnonymous());
|
||||||
|
boolean enableEncryption = Boolean.TRUE.equals(credential.getEnableEncryption());
|
||||||
ApiAnonymousUserService.AnonymousUserDetails anonymousDetails = null;
|
ApiAnonymousUserService.AnonymousUserDetails anonymousDetails = null;
|
||||||
|
byte[] requestBody = StreamUtils.copyToByteArray(request.getInputStream());
|
||||||
if (allowAnonymous) {
|
if (allowAnonymous) {
|
||||||
Long anonymousUserId = credential.getAnonymousUserId();
|
Long anonymousUserId = credential.getAnonymousUserId();
|
||||||
if (anonymousUserId == null) {
|
if (anonymousUserId == null) {
|
||||||
@@ -117,24 +119,25 @@ public class GatewaySecurityFilter extends OncePerRequestFilter {
|
|||||||
anonymousDetails = anonymousUserService.find(anonymousUserId)
|
anonymousDetails = anonymousUserService.find(anonymousUserId)
|
||||||
.orElseThrow(() -> new SecurityValidationException(HttpStatus.UNAUTHORIZED, "匿名访问固定用户不可用"));
|
.orElseThrow(() -> new SecurityValidationException(HttpStatus.UNAUTHORIZED, "匿名访问固定用户不可用"));
|
||||||
}
|
}
|
||||||
|
|
||||||
String timestampHeader = requireHeader(request, TIMESTAMP_HEADER, "缺少时间戳");
|
String timestampHeader = requireHeader(request, TIMESTAMP_HEADER, "缺少时间戳");
|
||||||
// 校验时间戳与随机数,防止请求被重放
|
// 校验时间戳与随机数,防止请求被重放
|
||||||
validateTimestamp(timestampHeader, security);
|
validateTimestamp(timestampHeader, security);
|
||||||
String nonce = requireHeader(request, NONCE_HEADER, "缺少随机数");
|
if (enableEncryption){
|
||||||
if (nonce.length() < 8) {
|
String nonce = requireHeader(request, NONCE_HEADER, "缺少随机数");
|
||||||
throw new SecurityValidationException(HttpStatus.BAD_REQUEST, "随机数长度不足");
|
if (nonce.length() < 8) {
|
||||||
}
|
throw new SecurityValidationException(HttpStatus.BAD_REQUEST, "随机数长度不足");
|
||||||
String signature = requireHeader(request, SIGNATURE_HEADER, "缺少签名");
|
}
|
||||||
|
String signature = requireHeader(request, SIGNATURE_HEADER, "缺少签名");
|
||||||
|
|
||||||
byte[] originalBody = StreamUtils.copyToByteArray(request.getInputStream());
|
// 尝试按凭证配置解密请求体,并构建签名载荷进行校验
|
||||||
// 尝试按凭证配置解密请求体,并构建签名载荷进行校验
|
byte[] decryptedBody = decryptRequestBody(requestBody, credential, security);
|
||||||
byte[] decryptedBody = decryptRequestBody(originalBody, credential, security);
|
verifySignature(request, decryptedBody, signature, credential, security, appId, timestampHeader);
|
||||||
verifySignature(request, decryptedBody, signature, credential, security, appId, timestampHeader);
|
ensureNonce(tenantId, appId, nonce, security);
|
||||||
ensureNonce(tenantId, appId, nonce, security);
|
requestBody = decryptedBody;
|
||||||
|
}
|
||||||
|
|
||||||
// 使用可重复读取的请求包装,供后续过滤器继续消费
|
// 使用可重复读取的请求包装,供后续过滤器继续消费
|
||||||
CachedBodyHttpServletRequest securedRequest = new CachedBodyHttpServletRequest(request, decryptedBody);
|
CachedBodyHttpServletRequest securedRequest = new CachedBodyHttpServletRequest(request, requestBody);
|
||||||
securedRequest.setHeader(APP_ID_HEADER, credential.getAppId());
|
securedRequest.setHeader(APP_ID_HEADER, credential.getAppId());
|
||||||
securedRequest.setHeader(HEADER_CREDENTIAL_ID, credential.getId() != null ? String.valueOf(credential.getId()) : null);
|
securedRequest.setHeader(HEADER_CREDENTIAL_ID, credential.getId() != null ? String.valueOf(credential.getId()) : null);
|
||||||
ApiGatewayAccessLogger.propagateLogIdHeader(securedRequest, accessLogId);
|
ApiGatewayAccessLogger.propagateLogIdHeader(securedRequest, accessLogId);
|
||||||
|
|||||||
Reference in New Issue
Block a user