修复安全校验逻辑

framework-security/src/main/java/com/chelvc/framework/security/config/SecurityProperties.java

@@ -19,6 +19,11 @@ public class SecurityProperties {
      */
     private String secret;
 
+    /**
+     * 是否启用
+     */
+    private boolean enabled;
+
     /**
      * 请求配置
      */
@@ -39,16 +44,6 @@ public class SecurityProperties {
          */
         private String[] permit;
 
-        /**
-         * 忽略的资源地址，多个地址使用","号隔开
-         */
-        private String[] ignore;
-
-        /**
-         * 必须校验的资源地址，多个地址使用","号隔开
-         */
-        private String[] require;
-
         /**
          * 允许的请求耗时（毫秒）
          */
@@ -64,15 +59,5 @@ public class SecurityProperties {
          * 放行资源地址，多个地址使用","号隔开
          */
         private String[] permit;
-
-        /**
-         * 忽略的资源地址，多个地址使用","号隔开
-         */
-        private String[] ignore;
-
-        /**
-         * 必须校验的资源地址，多个地址使用","号隔开
-         */
-        private String[] require;
     }
 }

framework-security/src/main/java/com/chelvc/framework/security/context/SecurityContextHolder.java

@@ -49,12 +49,21 @@ public class SecurityContextHolder {
     }
 
     /**
-     * 判断是否启用加密
+     * 判断是否启用安全校验
      *
      * @return true/false
      */
     public static boolean isEnabled() {
-        return ApplicationContextHolder.getSafeProperty("security.encrypt.enabled", boolean.class, true);
+        return getProperties().isEnabled();
+    }
+
+    /**
+     * 判断是否忽略安全校验失败请求
+     *
+     * @return true/false
+     */
+    public static boolean isFailureIgnored() {
+        return ApplicationContextHolder.getSafeProperty("security.failure.ignored", boolean.class, false);
     }
 
     /**

framework-security/src/main/java/com/chelvc/framework/security/interceptor/RequestSecurityInterceptor.java

@@ -9,15 +9,14 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import lombok.extern.slf4j.Slf4j;
 import com.chelvc.framework.base.context.SessionContextHolder;
 import com.chelvc.framework.base.model.Result;
 import com.chelvc.framework.base.util.HttpUtils;
 import com.chelvc.framework.base.util.SpringUtils;
-import com.chelvc.framework.common.util.ObjectUtils;
 import com.chelvc.framework.common.util.StringUtils;
 import com.chelvc.framework.security.config.SecurityProperties;
 import com.chelvc.framework.security.context.SecurityContextHolder;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
@@ -48,12 +47,7 @@ public class RequestSecurityInterceptor implements Filter {
 
         // 判断是否需要放行
         SecurityProperties.Request configuration = SecurityContextHolder.getProperties().getRequest();
-        if (ObjectUtils.isEmpty(configuration.getPermit()) && ObjectUtils.isEmpty(configuration.getRequire())) {
-            return true;
-        }
-        String uri = HttpUtils.getRequestURI(request);
-        if (SpringUtils.isPath(uri, configuration.getPermit()) || (ObjectUtils.nonEmpty(configuration.getRequire())
-                && !SpringUtils.isPath(uri, configuration.getRequire()))) {
+        if (SpringUtils.isPath(HttpUtils.getRequestURI(request), configuration.getPermit())) {
             return true;
         }
 
@@ -73,7 +67,7 @@ public class RequestSecurityInterceptor implements Filter {
 
         // 无效请求
         log.warn(SessionContextHolder.getLoggingMessage(request, HttpStatus.FORBIDDEN, "Request invalid"));
-        if (SpringUtils.isPath(uri, configuration.getIgnore())) {
+        if (SecurityContextHolder.isFailureIgnored()) {
             return true;
         }
         if (deadline) {
@@ -81,7 +75,7 @@ public class RequestSecurityInterceptor implements Filter {
             SessionContextHolder.response(response, Result.build(HttpStatus.FORBIDDEN));
         } else {
             response.setStatus(HttpStatus.NOT_ACCEPTABLE.value());
-            Result<?> result = Result.build(HttpStatus.NOT_ACCEPTABLE, null, "您的手机设备时间与北京时间误差较大，请校正");
+            Result<?> result = Result.build(HttpStatus.NOT_ACCEPTABLE, null, "请校准系统时间");
             SessionContextHolder.response(response, result);
         }
         return false;

framework-security/src/main/java/com/chelvc/framework/security/interceptor/SignatureValidateInterceptor.java

@@ -10,15 +10,14 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import lombok.extern.slf4j.Slf4j;
 import com.chelvc.framework.base.context.SessionContextHolder;
 import com.chelvc.framework.base.model.Result;
 import com.chelvc.framework.base.util.HttpUtils;
 import com.chelvc.framework.base.util.SpringUtils;
 import com.chelvc.framework.common.util.CodecUtils;
-import com.chelvc.framework.common.util.ObjectUtils;
 import com.chelvc.framework.security.config.SecurityProperties;
 import com.chelvc.framework.security.context.SecurityContextHolder;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
@@ -49,13 +48,7 @@ public class SignatureValidateInterceptor implements Filter {
 
         // 判断请求是否需要放行
         SecurityProperties properties = SecurityContextHolder.getProperties();
-        SecurityProperties.Signature configuration = properties.getSignature();
-        if (ObjectUtils.isEmpty(configuration.getPermit()) && ObjectUtils.isEmpty(configuration.getRequire())) {
-            return true;
-        }
-        String uri = HttpUtils.getRequestURI(request);
-        if (SpringUtils.isPath(uri, configuration.getPermit()) || (ObjectUtils.nonEmpty(configuration.getRequire())
-                && !SpringUtils.isPath(uri, configuration.getRequire()))) {
+        if (SpringUtils.isPath(HttpUtils.getRequestURI(request), properties.getSignature().getPermit())) {
             return true;
         }
 
@@ -81,7 +74,7 @@ public class SignatureValidateInterceptor implements Filter {
 
         // 签名无效
         log.warn(SessionContextHolder.getLoggingMessage(request, HttpStatus.FORBIDDEN, "Signature invalid"));
-        if (SpringUtils.isPath(uri, configuration.getIgnore())) {
+        if (SecurityContextHolder.isFailureIgnored()) {
             return true;
         }
         response.setStatus(HttpStatus.FORBIDDEN.value());