一 原理
基于dubbo全局过滤器
首先在项目 src\main\resources\META-INF 下新建文件夹 dubbo，并在其中新建一个文件，文件名为 Dubbo 过滤器 SPI 接口的全限定名：com.alibaba.dubbo.rpc.Filter（注意文件名是扩展点接口名，而不是过滤器自身所在的包名）
在该文件中按"扩展名=实现类全限定名"的格式、每行一个，配置下面两个过滤器（两者都带 @Activate(group = PROVIDER)，因此会在服务提供方自动激活）
AuthFilter=com.base.dubbo.filter.AuthFilter
DubboServiceFilter=com.base.dubbo.filter.DubboServiceFilter
服务鉴权过滤器
package com.base.dubbo.filter;
import com.alibaba.dubbo.common.Constants;
import com.alibaba.dubbo.common.extension.Activate;
import com.alibaba.dubbo.rpc.*;
import com.zto.base.config.AuthFilterConfig;
import com.zto.base.dubbo.cache.DubboFilterCache;
import com.zto.base.model.BaseInterfaceAppModel;
import com.zto.base.service.CacheServiceImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tk.mybatis.mapper.util.StringUtil;
import java.util.Map;
import java.util.Objects;
import static com.base.dubbo.cache.DubboFilterCache.CHECKTOKEN;
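/**
 * Global provider-side authentication filter for Dubbo.
 *
 * <p>Reads the caller-supplied {@code appid} / {@code appkey} invocation attachments and
 * checks them against the locally cached interface registration
 * ({@link DubboFilterCache#cache}, keyed by interface simple name + method name + appId).
 *
 * <p>NOTE(review): as written this filter is deliberately fail-open. A request that carries
 * no {@code appid} attachment, or whose interface/method/appId combination has no cache
 * entry (or an entry not flagged {@link DubboFilterCache#CHECKTOKEN}), is passed through
 * without any key check. A caller can therefore bypass the check simply by omitting
 * {@code appid}. If that is not the intended policy, the two pass-through branches in
 * {@link #invoke} must be changed to reject. All attachments are remote, attacker-controlled
 * input.
 *
 * @author mark
 * @since 2020/9/9 16:08
 */
@Activate(group = Constants.PROVIDER, order = -30000)
public class AuthFilter implements Filter {
    /** Global switch ("1" on, "0" off); injected by Dubbo through the setter below. */
    private AuthFilterConfig authFilterConfig;

    /** Setter injection used by Dubbo's extension loader. */
    public void setAuthFilterConfig(AuthFilterConfig authFilterConfig) {
        this.authFilterConfig = authFilterConfig;
    }

    /** Switch value: authentication enabled. */
    public static final String ON = "1";
    /** Switch value: authentication disabled. */
    public static final String OFF = "0";

    private static final Logger log = LoggerFactory.getLogger(AuthFilter.class);

    /**
     * Authenticates the invocation and either forwards it to the provider or returns an
     * error result.
     *
     * @param invoker    the provider being invoked
     * @param invocation the incoming call, including the consumer-supplied attachments
     * @return the provider's result, or an {@link RpcResult} carrying a "no permission"
     *         {@link Throwable} when the appKey does not match a registered token
     * @throws RpcException propagated from the provider
     */
    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
        // A missing config (setter never called) used to NPE here. Treat it as "enabled"
        // so a wiring mistake cannot silently switch authentication off.
        if (authFilterConfig != null && OFF.equals(authFilterConfig.getOpen())) {
            return invoker.invoke(invocation);
        }
        log.info("dubbo鉴权全局过滤器开启!");

        Map<String, String> attachments = invocation.getAttachments();
        String appId = attachments.get("appid");
        String appKey = attachments.get("appkey");
        // appKey is a credential: log the caller id only, never the key itself.
        log.info("appId:{}", appId);

        String methodName = invocation.getMethodName();
        if (methodName == null || "$invoke".equalsIgnoreCase(methodName)) {
            // Generic invocation ($invoke): the real method name is the first argument.
            // This filter runs before GenericFilter, so the call is still in generic form here.
            Object[] args = invocation.getArguments();
            methodName = (args != null && args.length > 0) ? (String) args[0] : null;
        }

        // No appid attachment: pass through (fail-open by design, see class comment).
        if (Objects.isNull(appId)) {
            log.info("头里面没有传appId,放行");
            return invoker.invoke(invocation);
        }

        // "path" is a consumer-supplied attachment. Fall back to the provider's own
        // interface name instead of NPE-ing on the substring below when it is absent.
        // NOTE(review): because the consumer controls "path", it also controls which cache
        // entry is looked up; consider always deriving this from invoker.getInterface().
        String path = attachments.get("path");
        if (path == null) {
            path = invoker.getInterface().getName();
        }
        String interfaceClass = path.substring(path.lastIndexOf('.') + 1);
        log.info("methodName:{}", methodName);

        BaseInterfaceAppModel model = DubboFilterCache.cache.get(
                CacheServiceImpl.generateKey(interfaceClass, methodName, appId));
        // No registration for this interface/method/appId, or registration does not
        // require a token check: pass through (fail-open by design, see class comment).
        if (Objects.isNull(model) || !CHECKTOKEN.equals(model.getCheckToken())) {
            return invoker.invoke(invocation);
        }

        // NOTE(review): if getTokens() returns a String rather than a Collection<String>,
        // contains() is a substring match and a short appKey would match any token that
        // contains it. Confirm the model type; an exact-match collection is required here.
        if (!StringUtil.isEmpty(appKey) && model.getTokens().contains(appKey)) {
            return invoker.invoke(invocation);
        }

        log.error("接口没有调用权限,请求方Ip:{}, 方法{}",
                RpcContext.getContext().getRemoteAddressString(), methodName);
        return new RpcResult(new Throwable("没有访问权限"));
    }
}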
接口信息使用本地缓存
package com.zto.base.dubbo.cache;
import com.base.bean.MdmAppResponseParameter;
import com.base.model.BaseInterfaceAppModel;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
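/**
 * Local (in-process) cache backing the Dubbo authorization and response-filtering filters.
 * Every application must populate it at startup.
 *
 * <p>The maps are read on Dubbo worker threads while being populated/refreshed by whoever
 * initializes them, so they must be concurrent maps: the original {@code HashMap} for
 * {@link #cache} is not safe under that access pattern (lost entries during resize).
 * {@link java.util.concurrent.ConcurrentHashMap} rejects {@code null} keys and values.
 *
 * @author mark
 * @since 2020/9/10 9:16
 */
public class DubboFilterCache {
    /**
     * Interface registration cache, keyed by
     * {@code CacheServiceImpl.generateKey(interfaceClass, methodName, appId)}.
     */
    public static Map<String, BaseInterfaceAppModel> cache = new ConcurrentHashMap<>();

    /** Value of {@code BaseInterfaceAppModel.getCheckToken()} meaning "token check required" (0 = not required). */
    public static final Byte CHECKTOKEN = 1;

    /** Application name to application id; populated once in the static initializer. */
    public static Map<String, Long> appMap = new HashMap<>();

    static {
        appMap.put("base-center-outlet-api", 1L);
        appMap.put("base-center-emp", 2L);
        appMap.put("base-center-area", 3L);
        appMap.put("base-center-config", 4L);
    }

    /**
     * Per-consumer response-parameter configuration.
     * Key: {@code interfaceClass:method:appId}; value: the response parameters for that consumer.
     */
    public static Map<String, List<MdmAppResponseParameter>> interfaceAppAttrMap = new ConcurrentHashMap<>();

    /**
     * Looks up the response-parameter configuration for a consumer.
     *
     * @param key {@code interfaceClass:method:appId}
     * @return the configured parameters, or {@code null} when none are cached
     */
    public static List<MdmAppResponseParameter> getMdmEntityAttr(String key) {
        return interfaceAppAttrMap.get(key);
    }

    /**
     * Adds or replaces the response-parameter configuration for a consumer.
     *
     * @param key {@code interfaceClass:method:appId}
     * @param obj the parameters to cache (must not be {@code null})
     */
    public static void setMdmEntityAttr(String key, List<MdmAppResponseParameter> obj) {
        interfaceAppAttrMap.put(key, obj);
    }

    /**
     * Removes the response-parameter configuration for a consumer.
     *
     * @param key {@code interfaceClass:method:appId}
     */
    public static void delMdmEntityAttr(String key) {
        interfaceAppAttrMap.remove(key);
    }
}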
字段过滤
package com.base.dubbo.filter;
import com.alibaba.dubbo.common.Constants;
import com.alibaba.dubbo.common.extension.Activate;
import com.alibaba.dubbo.rpc.*;
import com.alibaba.fastjson.JSONObject;
import com.base.bean.MdmAppResponseParameter;
import com.base.config.ResponseFilterConfig;
import com.base.constant.FieldSensitiveLevelConstant;
import com.base.dubbo.cache.DubboFilterCache;
import com.base.service.CacheServiceImpl;
import com.titans.common.util.JsonUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StopWatch;
import java.util.ArrayList;
import java.util.List;
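/**
 * Provider-side response filter: masks response fields that the calling application is
 * not allowed to see (sensitive-level {@code NOT_AVAILABLE} or not selected).
 *
 * <p>Masking is done by serializing the {@link Result} through fastjson with a
 * {@link SecurityResponseFilter}, parsing it back and re-wrapping the {@code result} node.
 * NOTE(review): the masked value handed back to the consumer is therefore a fastjson
 * JSON tree (JSONObject/JSONArray), not an instance of the method's declared return type;
 * confirm that consumers of filtered methods can deserialize that shape.
 *
 * @author mark
 * @date 2020/8/25 17:13
 * @version 1.0
 */
@Activate(group = {Constants.PROVIDER})
public class DubboServiceFilter implements Filter {
    /** Switch value: filtering enabled. */
    public static final String ON = "1";
    /** Switch value: filtering disabled. */
    public static final String OFF = "0";

    private static final Logger log = LoggerFactory.getLogger(DubboServiceFilter.class);

    /** Global switch ("1" on, "0" off); injected by Dubbo through the setter below. */
    private ResponseFilterConfig responseFilterConfig;

    /** Setter injection used by Dubbo's extension loader. */
    public void setResponseFilterConfig(ResponseFilterConfig responseFilterConfig) {
        this.responseFilterConfig = responseFilterConfig;
    }

    /**
     * Invokes the provider and masks the configured fields of its result.
     *
     * @param invoker    the provider being invoked
     * @param invocation the incoming call, including the consumer-supplied attachments
     * @return the provider's result (unchanged when nothing is configured for masking or
     *         when the provider raised an exception), the masked result otherwise, or an
     *         {@link RpcResult} wrapping the failure if masking itself failed
     */
    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) {
        // A missing config (setter never called) used to NPE here; treat it as "enabled".
        if (responseFilterConfig != null && OFF.equals(responseFilterConfig.getOpen())) {
            return invoker.invoke(invocation);
        }
        Result result = null;
        long takeTime = 0L;
        long startTime = System.currentTimeMillis();
        try {
            StopWatch sw = new StopWatch("task");
            sw.start("process");
            result = invoker.invoke(invocation);
            sw.stop();

            // An exceptional result has no value to mask. Pushing it through the JSON
            // round-trip below turned the exception into a null value and dropped it
            // (the later getException() check ran on the new, exception-less RpcResult).
            if (result.hasException()) {
                return result;
            }

            sw.start("json-converter");
            String methodName = invocation.getMethodName();
            if (methodName == null || "$invoke".equalsIgnoreCase(methodName)) {
                // Generic invocation ($invoke): the real method name is the first argument.
                Object[] args = invocation.getArguments();
                methodName = (args != null && args.length > 0) ? (String) args[0] : null;
            }
            // "path" is consumer-supplied; fall back to the provider's interface name
            // instead of NPE-ing when it is absent.
            String path = invocation.getAttachments().get("path");
            if (path == null) {
                path = invoker.getInterface().getName();
            }
            String interfaceClass = path.substring(path.lastIndexOf('.') + 1);
            String appId = invocation.getAttachments().get("appid");
            log.info("methodName:{}", methodName);

            List<MdmAppResponseParameter> mdmEntityAttr = DubboFilterCache.getMdmEntityAttr(
                    CacheServiceImpl.generateKey(interfaceClass, methodName, appId));
            List<String> securityAttrNames = collectMaskedAttrNames(mdmEntityAttr);
            if (securityAttrNames.isEmpty()) {
                return result;
            }

            // NOTE(review): fastjson's parseObject honours "@type" keys on unpatched versions;
            // the text is produced locally, but the response may embed caller-stored data.
            // Confirm autoType is disabled / the fastjson version is patched.
            String tmpStr = JSONObject.toJSONString(result, new SecurityResponseFilter(securityAttrNames));
            JSONObject jsonObject = JSONObject.parseObject(tmpStr);
            // NOTE(review): provider-side result attachments are not carried over here.
            result = new RpcResult(jsonObject.get("result"));
            sw.stop();
            log.debug(sw.prettyPrint());
        } catch (Exception e) {
            log.error("DubboServiceFilter Exception:{},request{},curr error:{},msg:{}", invocation.getClass(),
                    invocation.getArguments(), e.toString(), e.getCause());
            // Fail closed: never let an unmasked result out when masking failed.
            result = new RpcResult(e);
            return result;
        } finally {
            takeTime = System.currentTimeMillis() - startTime;
            // NOTE(review): this writes the full request arguments and response body to the
            // log; if they carry personal data, consider debug level or redaction.
            log.info("method:[{}],request:{},response:{},takeTime:{} ms",
                    invocation.getMethodName(), invocation.getArguments(), JsonUtil.toJSON(result),
                    takeTime);
        }
        return result;
    }

    /**
     * Returns the attribute codes that must be masked for this consumer: those with
     * sensitive level {@code NOT_AVAILABLE} or not selected ({@code isSelect == 0}).
     *
     * @param mdmEntityAttr the consumer's configured response parameters; may be {@code null}
     * @return the attribute codes to mask, never {@code null}
     */
    private static List<String> collectMaskedAttrNames(List<MdmAppResponseParameter> mdmEntityAttr) {
        List<String> securityAttrNames = new ArrayList<>();
        if (mdmEntityAttr == null) {
            return securityAttrNames;
        }
        for (MdmAppResponseParameter mdm : mdmEntityAttr) {
            if (FieldSensitiveLevelConstant.NOT_AVAILABLE.equals(mdm.getSensitiveLevel()) || mdm.getIsSelect() == 0) {
                securityAttrNames.add(mdm.getAttrCode());
            }
        }
        return securityAttrNames;
    }
}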
参数过滤,基于json
package com.base.dubbo.filter;
import com.alibaba.fastjson.serializer.ValueFilter;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
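/**
 * fastjson {@link ValueFilter} that blanks out response fields by name.
 *
 * <p>Any property whose name is in the configured set is serialized as the empty string
 * {@code ""}; every other value is passed through untouched. Matching is exact and
 * case-sensitive on the property name only (no path/nesting awareness).
 *
 * @author mark
 * @date 2020/8/27 20:27
 * @version 1.0
 */
public class SecurityResponseFilter implements ValueFilter {
    /** Names to mask; copied into a set so lookup is O(1) and later list edits do not leak in. */
    private final Set<String> securityAttrNames;

    /**
     * @param securityAttrNames property names to mask; {@code null} is treated as empty
     */
    public SecurityResponseFilter(List<String> securityAttrNames) {
        this.securityAttrNames = securityAttrNames == null
                ? new HashSet<String>()
                : new HashSet<String>(securityAttrNames);
    }

    /**
     * @param object the object being serialized
     * @param name   the property name
     * @param value  the property value
     * @return {@code ""} when {@code name} is a masked attribute, otherwise {@code value}
     */
    @Override
    public Object process(Object object, String name, Object value) {
        return securityAttrNames.contains(name) ? "" : value;
    }
}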