!68 v2.7.4.3

Merge pull request !68 from 码匠君/develop

README.md

@@ -12,7 +12,7 @@
     <a href="https://nacos.io/zh-cn/index.html" target="_blank"><img src="https://shields.io/badge/Nacos-2.1.1-brightgreen" alt="Nacos 2.1.1"></a>
 </p>
 <p align="center">
-    <a href="#" target="_blank"><img src="https://shields.io/badge/Version-2.7.4.2-red" alt="Version 2.7.4.2"></a>
+    <a href="#" target="_blank"><img src="https://shields.io/badge/Version-2.7.4.3-red" alt="Version 2.7.4.3"></a>
     <a href="https://www.oracle.com/java/technologies/javase-downloads.html" target="_blank"><img src="https://img.shields.io/badge/JDK-8%2C11%2C17-green" alt="Java 8,11,17"></a>
     <a href="./LICENSE"><img src="https://shields.io/badge/License-Apache--2.0-blue" alt="License Apache 2.0"></a>
     <a href="https://blog.csdn.net/Pointer_v" target="_blank"><img src="https://shields.io/badge/Author-%E7%A0%81%E5%8C%A0%E5%90%9B-orange" alt="码匠君"></a>

configurations/docker/docker-compose/linux/herodotus/.env

@@ -1,4 +1,4 @@
-VERSION=2.7.4.2
+VERSION=2.7.4.3
 GATEWAY_SERVICE_NAME=dante-cloud-gateway
 GATEWAY_SERVICE_PORT=8847
 UAA_SERVICE_NAME=dante-cloud-uaa

configurations/docker/docker-compose/windows/herodotus/.env

@@ -1,4 +1,4 @@
-VERSION=2.7.4.2
+VERSION=2.7.4.3
 GATEWAY_SERVICE_NAME=dante-cloud-gateway
 GATEWAY_SERVICE_PORT=8847
 UAA_SERVICE_NAME=dante-cloud-uaa

dependencies/pom.xml

@@ -32,13 +32,13 @@
     <parent>
         <groupId>cn.herodotus.engine</groupId>
         <artifactId>dependencies</artifactId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
         <relativePath/>
     </parent>
 
     <groupId>cn.herodotus.dante</groupId>
     <artifactId>dependencies</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>pom</packaging>
 
     <name>dante-cloud-dependencies</name>

modules/dante-module-common/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>modules</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>dante-module-common</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

modules/dante-module-security/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>modules</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>dante-module-security</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

modules/dante-module-strategy/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>modules</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>dante-module-strategy</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

modules/dante-module-strategy/src/main/java/cn/herodotus/dante/module/strategy/condition/LocalDataAccessCondition.java

@@ -26,7 +26,7 @@
 package cn.herodotus.dante.module.strategy.condition;
 
 import cn.herodotus.dante.module.strategy.support.StrategyPropertyFinder;
-import cn.herodotus.engine.web.core.enums.DataAccessStrategy;
+import cn.herodotus.engine.assistant.core.enums.Target;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -47,8 +47,8 @@ public class LocalDataAccessCondition implements Condition {
     @SuppressWarnings("NullableProblems")
     @Override
     public boolean matches(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
-        String property = StrategyPropertyFinder.getDataAccessStrategy(conditionContext.getEnvironment(), DataAccessStrategy.LOCAL.name());
-        boolean result = StringUtils.isNotBlank(property) && StringUtils.equalsIgnoreCase(property, DataAccessStrategy.LOCAL.name());
+        String property = StrategyPropertyFinder.getDataAccessStrategy(conditionContext.getEnvironment(), Target.LOCAL.name());
+        boolean result = StringUtils.isNotBlank(property) && StringUtils.equalsIgnoreCase(property, Target.LOCAL.name());
         log.debug("[Herodotus] |- Condition [Local Data Access] value is [{}]", result);
         return result;
     }

modules/dante-module-strategy/src/main/java/cn/herodotus/dante/module/strategy/condition/RemoteDataAccessCondition.java

@@ -26,7 +26,7 @@
 package cn.herodotus.dante.module.strategy.condition;
 
 import cn.herodotus.dante.module.strategy.support.StrategyPropertyFinder;
-import cn.herodotus.engine.web.core.enums.DataAccessStrategy;
+import cn.herodotus.engine.assistant.core.enums.Target;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,7 +48,7 @@ public class RemoteDataAccessCondition implements Condition {
     @Override
     public boolean matches(ConditionContext conditionContext, AnnotatedTypeMetadata annotatedTypeMetadata) {
         String property = StrategyPropertyFinder.getDataAccessStrategy(conditionContext.getEnvironment());
-        boolean result = StringUtils.isNotBlank(property) && StringUtils.equalsIgnoreCase(property, DataAccessStrategy.REMOTE.name());
+        boolean result = StringUtils.isNotBlank(property) && StringUtils.equalsIgnoreCase(property, Target.REMOTE.name());
         log.debug("[Herodotus] |- Condition [Remote Data Access] value is [{}]", result);
         return result;
     }

modules/dante-module-upms-logic/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>modules</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>dante-module-upms-logic</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

modules/dante-module-upms-rest/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>modules</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>dante-module-upms-rest</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

modules/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>dante-cloud</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>modules</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>pom</packaging>
 
     <name>dante-cloud-modules</name>

packages/authentication-spring-boot-starter/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>packages</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>authentication-spring-boot-starter</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>

packages/authentication-spring-boot-starter/src/main/java/cn/herodotus/dante/authentication/configuration/AuthorizationServerConfiguration.java

@@ -27,16 +27,15 @@
 
 import cn.herodotus.engine.assistant.core.utils.ResourceUtils;
 import cn.herodotus.engine.oauth2.authorization.authentication.*;
-import cn.herodotus.engine.oauth2.authorization.customizer.HerodotusTokenCustomizer;
+import cn.herodotus.engine.oauth2.authorization.customizer.HerodotusJwtTokenCustomizer;
+import cn.herodotus.engine.oauth2.authorization.customizer.HerodotusOpaqueTokenCustomizer;
 import cn.herodotus.engine.oauth2.authorization.response.HerodotusAuthenticationSuccessHandler;
 import cn.herodotus.engine.oauth2.authorization.utils.OAuth2ConfigurerUtils;
 import cn.herodotus.engine.oauth2.core.definition.service.ClientDetailsService;
 import cn.herodotus.engine.oauth2.core.enums.Certificate;
 import cn.herodotus.engine.oauth2.core.properties.OAuth2ComplianceProperties;
 import cn.herodotus.engine.oauth2.core.properties.OAuth2Properties;
 import cn.herodotus.engine.oauth2.core.response.DefaultOAuth2AuthenticationEventPublisher;
-import cn.herodotus.engine.oauth2.core.response.HerodotusAccessDeniedHandler;
-import cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationEntryPoint;
 import cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationFailureHandler;
 import cn.herodotus.engine.protect.web.crypto.processor.HttpCryptoProcessor;
 import cn.herodotus.engine.protect.web.tenant.interceptor.MultiTenancyFilter;
@@ -70,14 +69,14 @@
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
-import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
@@ -128,6 +127,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
             endpoint.consentPage("/oauth2/consent");
         });
         authorizationServerConfigurer.tokenRevocationEndpoint(endpoint -> endpoint.errorResponseHandler(failureHandler));
+        authorizationServerConfigurer.tokenIntrospectionEndpoint(endpoint -> endpoint.errorResponseHandler(failureHandler));
         authorizationServerConfigurer.clientAuthentication(endpoint -> {
             endpoint.errorResponseHandler(failureHandler);
         });
@@ -157,11 +157,6 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
                 .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
                 // 禁用对 OAuth2 Authorization Server 相关 endpoint 的 CSRF 防御
                 .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
-                .oauth2ResourceServer(configurer -> configurer
-                        .jwt(jwt -> jwt.decoder(jwtDecoder))
-                        .bearerTokenResolver(new DefaultBearerTokenResolver())
-                        .accessDeniedHandler(new HerodotusAccessDeniedHandler())
-                        .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint()))
                 // 应用 OAuth2 相关设置
                 .apply(authorizationServerConfigurer)
                 .oidc(oidc -> oidc
@@ -255,10 +250,17 @@ public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
     }
 
     @Bean
-    public OAuth2TokenCustomizer<JwtEncodingContext> oAuth2TokenCustomizer() {
-        HerodotusTokenCustomizer herodotusTokenCustomizer = new HerodotusTokenCustomizer();
-        log.trace("[Herodotus] |- Bean [OAuth2 Token Customizer] Auto Configure.");
-        return herodotusTokenCustomizer;
+    public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
+        HerodotusJwtTokenCustomizer herodotusJwtTokenCustomizer = new HerodotusJwtTokenCustomizer();
+        log.trace("[Herodotus] |- Bean [OAuth2 Jwt Token Customizer] Auto Configure.");
+        return herodotusJwtTokenCustomizer;
+    }
+
+    @Bean
+    public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> opaqueTokenCustomizer() {
+        HerodotusOpaqueTokenCustomizer herodotusOpaqueTokenCustomizer = new HerodotusOpaqueTokenCustomizer();
+        log.trace("[Herodotus] |- Bean [OAuth2 Opaque Token Customizer] Auto Configure.");
+        return herodotusOpaqueTokenCustomizer;
     }
 
     @Bean

packages/authentication-spring-boot-starter/src/main/java/cn/herodotus/dante/authentication/configuration/DefaultSecurityConfiguration.java

@@ -26,12 +26,14 @@
 package cn.herodotus.dante.authentication.configuration;
 
 import cn.herodotus.dante.module.security.processor.HerodotusSecurityMetadataSource;
+import cn.herodotus.engine.assistant.core.enums.Target;
 import cn.herodotus.engine.captcha.core.processor.CaptchaRendererFactory;
 import cn.herodotus.engine.oauth2.authorization.authorization.OAuth2FormLoginConfigurer;
 import cn.herodotus.engine.oauth2.authorization.properties.OAuth2UiProperties;
 import cn.herodotus.engine.oauth2.core.definition.service.ClientDetailsService;
 import cn.herodotus.engine.oauth2.core.definition.strategy.StrategyUserDetailsService;
 import cn.herodotus.engine.oauth2.core.processor.HerodotusSecurityConfigureHandler;
+import cn.herodotus.engine.oauth2.core.properties.SecurityProperties;
 import cn.herodotus.engine.oauth2.core.response.DefaultOAuth2AuthenticationEventPublisher;
 import cn.herodotus.engine.oauth2.core.response.HerodotusAccessDeniedHandler;
 import cn.herodotus.engine.oauth2.core.response.HerodotusAuthenticationEntryPoint;
@@ -40,12 +42,14 @@
 import cn.herodotus.engine.oauth2.server.authorization.processor.HerodotusUserDetailsService;
 import cn.herodotus.engine.oauth2.server.authorization.service.OAuth2ApplicationService;
 import cn.herodotus.engine.oauth2.server.resource.converter.HerodotusJwtAuthenticationConverter;
+import cn.herodotus.engine.oauth2.server.resource.introspector.HerodotusOpaqueTokenIntrospector;
+import cn.herodotus.engine.web.core.properties.EndpointProperties;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
@@ -71,32 +75,25 @@ public class DefaultSecurityConfiguration {
 
     private static final Logger log = LoggerFactory.getLogger(DefaultSecurityConfiguration.class);
 
-    private final ExpressionSecurityMetadataParser securityMetadataExpressionParser;
-    private final HerodotusSecurityMetadataSource herodotusSecurityMetadataSource;
-    private final HerodotusSecurityConfigureHandler herodotusSecurityConfigureHandler;
-    private final JwtDecoder jwtDecoder;
-    private final OAuth2UiProperties uiProperties;
-    private final CaptchaRendererFactory captchaRendererFactory;
-
-    @Autowired
-    public DefaultSecurityConfiguration(ExpressionSecurityMetadataParser securityMetadataExpressionParser, HerodotusSecurityMetadataSource herodotusSecurityMetadataSource, HerodotusSecurityConfigureHandler herodotusSecurityConfigureHandler, JwtDecoder jwtDecoder, OAuth2UiProperties uiProperties, CaptchaRendererFactory captchaRendererFactory) {
-        this.securityMetadataExpressionParser = securityMetadataExpressionParser;
-        this.herodotusSecurityMetadataSource = herodotusSecurityMetadataSource;
-        this.herodotusSecurityConfigureHandler = herodotusSecurityConfigureHandler;
-        this.jwtDecoder = jwtDecoder;
-        this.uiProperties = uiProperties;
-        this.captchaRendererFactory = captchaRendererFactory;
-    }
-
     @Bean
-    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http, UserDetailsService userDetailsService) throws Exception {
+    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity httpSecurity,
+                                                   HerodotusSecurityConfigureHandler herodotusSecurityConfigureHandler,
+                                                   ExpressionSecurityMetadataParser securityMetadataExpressionParser,
+                                                   HerodotusSecurityMetadataSource herodotusSecurityMetadataSource,
+                                                   JwtDecoder jwtDecoder,
+                                                   OAuth2UiProperties uiProperties,
+                                                   SecurityProperties securityProperties,
+                                                   OAuth2ResourceServerProperties resourceServerProperties,
+                                                   UserDetailsService userDetailsService,
+                                                   CaptchaRendererFactory captchaRendererFactory,
+                                                   EndpointProperties endpointProperties) throws Exception {
 
         log.debug("[Herodotus] |- Core [Default Security Filter Chain] Auto Configure.");
         // 禁用CSRF 开启跨域
-        http.csrf().disable().cors();
+        httpSecurity.csrf().disable().cors();
 
         // @formatter:off
-        http.authorizeRequests(authorizeRequests ->
+        httpSecurity.authorizeRequests(authorizeRequests ->
                         authorizeRequests
                                 .antMatchers(herodotusSecurityConfigureHandler.getPermitAllArray()).permitAll()
                                 .antMatchers(herodotusSecurityConfigureHandler.getStaticResourceArray()).permitAll()
@@ -126,14 +123,22 @@ public <O extends FilterSecurityInterceptor> O postProcess(O fsi) {
                 .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint())
                 .accessDeniedHandler(new HerodotusAccessDeniedHandler())
                 .and()
-                .oauth2ResourceServer(configurer -> configurer
-                        .jwt(jwt -> jwt.decoder(jwtDecoder).jwtAuthenticationConverter(new HerodotusJwtAuthenticationConverter()))
-                        .bearerTokenResolver(new DefaultBearerTokenResolver())
-                        .accessDeniedHandler(new HerodotusAccessDeniedHandler())
-                        .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint()))
                 .apply(new OAuth2FormLoginConfigurer(userDetailsService, uiProperties, captchaRendererFactory));
+
+        if (securityProperties.getValidate() == Target.REMOTE) {
+            httpSecurity.oauth2ResourceServer(configurer -> configurer
+                    .opaqueToken(opaque -> opaque.introspector(new HerodotusOpaqueTokenIntrospector(endpointProperties, resourceServerProperties)))
+                    .accessDeniedHandler(new HerodotusAccessDeniedHandler())
+                    .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint()));
+        } else {
+            httpSecurity.oauth2ResourceServer(configurer -> configurer
+                    .jwt(jwt -> jwt.decoder(jwtDecoder).jwtAuthenticationConverter(new HerodotusJwtAuthenticationConverter()))
+                    .bearerTokenResolver(new DefaultBearerTokenResolver())
+                    .accessDeniedHandler(new HerodotusAccessDeniedHandler())
+                    .authenticationEntryPoint(new HerodotusAuthenticationEntryPoint()));
+        }
         // @formatter:on
-        return http.build();
+        return httpSecurity.build();
     }
 
     @Bean

packages/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>dante-cloud</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>packages</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>pom</packaging>
 
     <name>dante-cloud-packages</name>

packages/service-spring-boot-starter/pom.xml

@@ -32,11 +32,11 @@
     <parent>
         <artifactId>packages</artifactId>
         <groupId>cn.herodotus.dante</groupId>
-        <version>2.7.4.2</version>
+        <version>2.7.4.3</version>
     </parent>
 
     <artifactId>service-spring-boot-starter</artifactId>
-    <version>2.7.4.2</version>
+    <version>2.7.4.3</version>
     <packaging>jar</packaging>
 
     <dependencies>