基本环境
nacos1.4.2
源码搭建步骤
1.下载nacos1.4.2
2.导入idea
3.maven之后,启动nacos-console模块下的Nacos
4.本文省略了源码搭建步骤
开发根据ip免登录步骤
1.在配置文件application.properties中增加配置ip的配置
nacos.core.auth.enable.ip=192.168.120.35,192.168.120.37
2.在AuthConfigs类中增加属性authEnableIp,代码如下
/*
* Copyright 1999-2018 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.nacos.auth.common;
import com.alibaba.nacos.common.JustForTest;
import com.alibaba.nacos.sys.env.EnvUtil;
import io.jsonwebtoken.io.Decoders;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import java.util.List;
import java.util.Objects;
/**
* Auth related configurations.
*
* @author nkorange
* @author mai.jh
* @since 1.2.0
*/
@Configuration
public class AuthConfigs {
@JustForTest
private static Boolean cachingEnabled = null;
/**
* secret key.
*/
@Value("${nacos.core.auth.default.token.secret.key:}")
private String secretKey;
/**
* secret key byte array.
*/
private byte[] secretKeyBytes;
/**
* Token validity time(seconds).
*/
@Value("${nacos.core.auth.default.token.expire.seconds:18000}")
private long tokenValidityInSeconds;
/**
* Which auth system is in use.
*/
@Value("${nacos.core.auth.system.type:}")
private String nacosAuthSystemType;
@Value("${nacos.core.auth.server.identity.key:}")
private String serverIdentityKey;
@Value(("${nacos.core.auth.server.identity.value:}"))
private String serverIdentityValue;
@Value(("${nacos.core.auth.enable.userAgentAuthWhite:true}"))
private boolean enableUserAgentAuthWhite;
@Value("${nacos.core.auth.enable.ip}")
private List<String> authEnableIp;
public byte[] getSecretKeyBytes() {
if (secretKeyBytes == null) {
secretKeyBytes = Decoders.BASE64.decode(secretKey);
}
return secretKeyBytes;
}
public long getTokenValidityInSeconds() {
return tokenValidityInSeconds;
}
public String getNacosAuthSystemType() {
return nacosAuthSystemType;
}
public String getServerIdentityKey() {
return serverIdentityKey;
}
public String getServerIdentityValue() {
return serverIdentityValue;
}
public boolean isEnableUserAgentAuthWhite() {
return enableUserAgentAuthWhite;
}
/**
* auth function is open.
*
* @return auth function is open
*/
public boolean isAuthEnabled() {
// Runtime -D parameter has higher priority:
String enabled = System.getProperty("nacos.core.auth.enabled");
if (StringUtils.isNotBlank(enabled)) {
return BooleanUtils.toBoolean(enabled);
}
return BooleanUtils
.toBoolean(EnvUtil.getProperty("nacos.core.auth.enabled", "false"));
}
/**
* Whether permission information can be cached.
*
* @return bool
*/
public boolean isCachingEnabled() {
if (Objects.nonNull(AuthConfigs.cachingEnabled)) {
return cachingEnabled;
}
return BooleanUtils
.toBoolean(EnvUtil.getProperty("nacos.core.auth.caching.enabled", "true"));
}
public List<String> getAuthEnableIp() {
return authEnableIp;
}
public void setAuthEnableIp(List<String> authEnableIp) {
this.authEnableIp = authEnableIp;
}
@JustForTest
public static void setCachingEnabled(boolean cachingEnabled) {
AuthConfigs.cachingEnabled = cachingEnabled;
}
}
/*
* Copyright 1999-2018 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.nacos.auth.common;
import com.alibaba.nacos.common.JustForTest;
import com.alibaba.nacos.sys.env.EnvUtil;
import io.jsonwebtoken.io.Decoders;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import java.util.List;
import java.util.Objects;
/**
* Auth related configurations.
*
* @author nkorange
* @author mai.jh
* @since 1.2.0
*/
@Configuration
public class AuthConfigs {
@JustForTest
private static Boolean cachingEnabled = null;
/**
* secret key.
*/
@Value("${nacos.core.auth.default.token.secret.key:}")
private String secretKey;
/**
* secret key byte array.
*/
private byte[] secretKeyBytes;
/**
* Token validity time(seconds).
*/
@Value("${nacos.core.auth.default.token.expire.seconds:18000}")
private long tokenValidityInSeconds;
/**
* Which auth system is in use.
*/
@Value("${nacos.core.auth.system.type:}")
private String nacosAuthSystemType;
@Value("${nacos.core.auth.server.identity.key:}")
private String serverIdentityKey;
@Value(("${nacos.core.auth.server.identity.value:}"))
private String serverIdentityValue;
@Value(("${nacos.core.auth.enable.userAgentAuthWhite:true}"))
private boolean enableUserAgentAuthWhite;
@Value("${nacos.core.auth.enable.ip}")
private List<String> authEnableIp;
public byte[] getSecretKeyBytes() {
if (secretKeyBytes == null) {
secretKeyBytes = Decoders.BASE64.decode(secretKey);
}
return secretKeyBytes;
}
public long getTokenValidityInSeconds() {
return tokenValidityInSeconds;
}
public String getNacosAuthSystemType() {
return nacosAuthSystemType;
}
public String getServerIdentityKey() {
return serverIdentityKey;
}
public String getServerIdentityValue() {
return serverIdentityValue;
}
public boolean isEnableUserAgentAuthWhite() {
return enableUserAgentAuthWhite;
}
/**
* auth function is open.
*
* @return auth function is open
*/
public boolean isAuthEnabled() {
// Runtime -D parameter has higher priority:
String enabled = System.getProperty("nacos.core.auth.enabled");
if (StringUtils.isNotBlank(enabled)) {
return BooleanUtils.toBoolean(enabled);
}
return BooleanUtils
.toBoolean(EnvUtil.getProperty("nacos.core.auth.enabled", "false"));
}
/**
* Whether permission information can be cached.
*
* @return bool
*/
public boolean isCachingEnabled() {
if (Objects.nonNull(AuthConfigs.cachingEnabled)) {
return cachingEnabled;
}
return BooleanUtils
.toBoolean(EnvUtil.getProperty("nacos.core.auth.caching.enabled", "true"));
}
public List<String> getAuthEnableIp() {
return authEnableIp;
}
public void setAuthEnableIp(List<String> authEnableIp) {
this.authEnableIp = authEnableIp;
}
@JustForTest
public static void setCachingEnabled(boolean cachingEnabled) {
AuthConfigs.cachingEnabled = cachingEnabled;
}
}
3.在类AuthFilter的doFilter方法中增加判断ip的逻辑
/*
* Copyright 1999-2018 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.alibaba.nacos.core.auth;
import com.alibaba.nacos.auth.AuthManager;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.common.AuthConfigs;
import com.alibaba.nacos.auth.exception.AccessException;
import com.alibaba.nacos.auth.model.Permission;
import com.alibaba.nacos.auth.parser.ResourceParser;
import com.alibaba.nacos.common.utils.ExceptionUtil;
import com.alibaba.nacos.core.code.ControllerMethodsCache;
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.core.utils.WebUtils;
import com.alibaba.nacos.sys.env.Constants;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/**
* Unified filter to handle authentication and authorization.
*
* @author nkorange
* @since 1.2.0
*/
public class AuthFilter implements Filter {
@Autowired
private AuthConfigs authConfigs;
@Autowired
private AuthManager authManager;
@Autowired
private ControllerMethodsCache methodsCache;
private Map<Class<? extends ResourceParser>, ResourceParser> parserInstance = new ConcurrentHashMap<>();
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (!authConfigs.isAuthEnabled()) {
chain.doFilter(request, response);
return;
}
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
List<String> authEnableIp = authConfigs.getAuthEnableIp();
String remoteHost = req.getRemoteHost();
Loggers.AUTH.warn("远程访问ip为:{}", remoteHost);
System.out.println("远程访问ip为:" + remoteHost);
System.out.println("配置的ip为:" + authEnableIp.toString());
Loggers.AUTH.warn("配置的ip为:{}", authEnableIp.toString());
if (authEnableIp != null && authEnableIp.size() > 0) {
boolean contains = authEnableIp.contains(remoteHost);
if (contains) {
chain.doFilter(request, response);
return;
}
}
if (authConfigs.isEnableUserAgentAuthWhite()) {
String userAgent = WebUtils.getUserAgent(req);
if (StringUtils.startsWith(userAgent, Constants.NACOS_SERVER_HEADER)) {
chain.doFilter(request, response);
return;
}
} else if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils
.isNotBlank(authConfigs.getServerIdentityValue())) {
String serverIdentity = req.getHeader(authConfigs.getServerIdentityKey());
if (authConfigs.getServerIdentityValue().equals(serverIdentity)) {
chain.doFilter(request, response);
return;
}
Loggers.AUTH.warn("Invalid server identity value for {} from {}", authConfigs.getServerIdentityKey(),
req.getRemoteHost());
} else {
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
"Invalid server identity key or value, Please make sure set `nacos.core.auth.server.identity.key`"
+ " and `nacos.core.auth.server.identity.value`, or open `nacos.core.auth.enable.userAgentAuthWhite`");
return;
}
try {
Method method = methodsCache.getMethod(req);
if (method == null) {
chain.doFilter(request, response);
return;
}
if (method.isAnnotationPresent(Secured.class) && authConfigs.isAuthEnabled()) {
if (Loggers.AUTH.isDebugEnabled()) {
Loggers.AUTH.debug("auth start, request: {} {}", req.getMethod(), req.getRequestURI());
}
Secured secured = method.getAnnotation(Secured.class);
String action = secured.action().toString();
String resource = secured.resource();
if (StringUtils.isBlank(resource)) {
ResourceParser parser = getResourceParser(secured.parser());
resource = parser.parseName(req);
}
if (StringUtils.isBlank(resource)) {
// deny if we don't find any resource:
throw new AccessException("resource name invalid!");
}
authManager.auth(new Permission(resource, action), authManager.login(req));
}
chain.doFilter(request, response);
} catch (AccessException e) {
if (Loggers.AUTH.isDebugEnabled()) {
Loggers.AUTH.debug("access denied, request: {} {}, reason: {}", req.getMethod(), req.getRequestURI(),
e.getErrMsg());
}
resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getErrMsg());
return;
} catch (IllegalArgumentException e) {
resp.sendError(HttpServletResponse.SC_BAD_REQUEST, ExceptionUtil.getAllExceptionMsg(e));
return;
} catch (Exception e) {
resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Server failed," + e.getMessage());
return;
}
}
private ResourceParser getResourceParser(Class<? extends ResourceParser> parseClass)
throws IllegalAccessException, InstantiationException {
ResourceParser parser = parserInstance.get(parseClass);
if (parser == null) {
parser = parseClass.newInstance();
parserInstance.put(parseClass, parser);
}
return parser;
}
}
4.至此代码开发完成,重新启动程序,访问验证;用以下接口访问
http://192.168.120.35:18848/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate
5.使用配置的ip,192.168.120.35机器访问,不加accessToken,发现访问成功
6.去掉192.168.120.35的免登录配置,使用192.168.120.35的机器访问,发现无权限访问
nacos.core.auth.enable.ip=192.168.120.37
7.使用maven对项目进行打包,使用打包好的nacos,即可拥有此功能