alibaba · sczyh30 · Mar 8, 2021 · Feb 27, 2021 · Feb 27, 2021 · Feb 27, 2021
diff --git a/...board/src/main/java/com/alibaba/csp/sentinel/dashboard/auth/AuthorizationInterceptor.java b/...board/src/main/java/com/alibaba/csp/sentinel/dashboard/auth/AuthorizationInterceptor.java
@@ -15,58 +15,15 @@
  */
 package com.alibaba.csp.sentinel.dashboard.auth;
 
-import com.alibaba.csp.sentinel.dashboard.domain.Result;
-import com.alibaba.fastjson.JSON;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Component;
-import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.HandlerInterceptor;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.lang.reflect.Method;
-
 /**
  * The web interceptor for privilege-based authorization.
  *
  * @author lkxiaolou
+ * @author wxq
  * @since 1.7.1
  */
-@Component
-public class AuthorizationInterceptor implements HandlerInterceptor {
-
-    @Autowired
-    private AuthService<HttpServletRequest> authService;
-
-    @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
-            throws Exception {
-        if (handler.getClass().isAssignableFrom(HandlerMethod.class)) {
-            Method method = ((HandlerMethod) handler).getMethod();
-
-            AuthAction authAction = method.getAnnotation(AuthAction.class);
-            if (authAction != null) {
-                AuthService.AuthUser authUser = authService.getAuthUser(request);
-                if (authUser == null) {
-                    responseNoPrivilegeMsg(response, authAction.message());
-                    return false;
-                }
-                String target = request.getParameter(authAction.targetName());
-
-                if (!authUser.authTarget(target, authAction.value())) {
-                    responseNoPrivilegeMsg(response, authAction.message());
-                    return false;
-                }
-            }
-        }
-
-        return true;
-    }
+public interface AuthorizationInterceptor extends HandlerInterceptor {
 
-    private void responseNoPrivilegeMsg(HttpServletResponse response, String message) throws IOException {
-        Result result = Result.ofFail(-1, message);
-        response.addHeader("Content-Type", "application/json;charset=UTF-8");
-        response.getOutputStream().write(JSON.toJSONBytes(result));
-    }
 }
diff --git a/...rc/main/java/com/alibaba/csp/sentinel/dashboard/auth/DefaultAuthorizationInterceptor.java b/...rc/main/java/com/alibaba/csp/sentinel/dashboard/auth/DefaultAuthorizationInterceptor.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.csp.sentinel.dashboard.auth;
+
+import com.alibaba.csp.sentinel.dashboard.domain.Result;
+import com.alibaba.fastjson.JSON;
+import org.springframework.web.method.HandlerMethod;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.lang.reflect.Method;
+
+/**
+ * The web interceptor for privilege-based authorization.
+ * <p>
+ * move from old {@link AuthorizationInterceptor}.
+ *
+ * @author lkxiaolou
+ * @author wxq
+ * @since 1.7.1
+ */
+public class DefaultAuthorizationInterceptor implements AuthorizationInterceptor {
+
+    private final AuthService<HttpServletRequest> authService;
+
+    public DefaultAuthorizationInterceptor(AuthService<HttpServletRequest> authService) {
+        this.authService = authService;
+    }
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+            throws Exception {
+        if (handler.getClass().isAssignableFrom(HandlerMethod.class)) {
+            Method method = ((HandlerMethod) handler).getMethod();
+
+            AuthAction authAction = method.getAnnotation(AuthAction.class);
+            if (authAction != null) {
+                AuthService.AuthUser authUser = authService.getAuthUser(request);
+                if (authUser == null) {
+                    responseNoPrivilegeMsg(response, authAction.message());
+                    return false;
+                }
+                String target = request.getParameter(authAction.targetName());
+
+                if (!authUser.authTarget(target, authAction.value())) {
+                    responseNoPrivilegeMsg(response, authAction.message());
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
+    private void responseNoPrivilegeMsg(HttpServletResponse response, String message) throws IOException {
+        Result result = Result.ofFail(-1, message);
+        response.addHeader("Content-Type", "application/json;charset=UTF-8");
+        response.getOutputStream().write(JSON.toJSONBytes(result));
+    }
+
+}
diff --git a/...c/main/java/com/alibaba/csp/sentinel/dashboard/auth/DefaultLoginAuthenticationFilter.java b/...c/main/java/com/alibaba/csp/sentinel/dashboard/auth/DefaultLoginAuthenticationFilter.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.alibaba.csp.sentinel.dashboard.auth;
+
+import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.util.AntPathMatcher;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * <p>The Servlet filter for authentication.</p>
+ *
+ * <p>Note: some urls are excluded as they needn't auth, such as:</p>
+ * <ul>
+ * <li>index url: {@code /}</li>
+ * <li>authentication request url: {@code /login}, {@code /logout}</li>
+ * <li>machine registry: {@code /registry/machine}</li>
+ * <li>static resources</li>
+ * </ul>
+ * <p>
+ * The excluded urls and urlSuffixes could be configured in {@code application.properties} file.
+ *
+ * @author cdfive
+ * @since 1.6.0
+ */
+public class DefaultLoginAuthenticationFilter implements LoginAuthenticationFilter {
+
+    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
+
+    private static final String URL_SUFFIX_DOT = ".";
+
+    /**
+     * Some urls which needn't auth, such as /auth/login, /registry/machine and so on.
+     */
+    @Value("#{'${auth.filter.exclude-urls}'.split(',')}")
+    private List<String> authFilterExcludeUrls;
+
+    /**
+     * Some urls with suffixes which needn't auth, such as htm, html, js and so on.
+     */
+    @Value("#{'${auth.filter.exclude-url-suffixes}'.split(',')}")
+    private List<String> authFilterExcludeUrlSuffixes;
+
+    /**
+     * Authentication using AuthService interface.
+     */
+    private final AuthService<HttpServletRequest> authService;
+
+    public DefaultLoginAuthenticationFilter(AuthService<HttpServletRequest> authService) {
+        this.authService = authService;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+
+        String servletPath = httpRequest.getServletPath();
+
+        // Exclude the urls which needn't auth
+        boolean authFilterExcludeMatch = authFilterExcludeUrls.stream()
+                .anyMatch(authFilterExcludeUrl -> PATH_MATCHER.match(authFilterExcludeUrl, servletPath));
+        if (authFilterExcludeMatch) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        // Exclude the urls with suffixes which needn't auth
+        for (String authFilterExcludeUrlSuffix : authFilterExcludeUrlSuffixes) {
+            if (StringUtils.isBlank(authFilterExcludeUrlSuffix)) {
+                continue;
+            }
+
+            // Add . for url suffix so that we needn't add . in property file
+            if (!authFilterExcludeUrlSuffix.startsWith(URL_SUFFIX_DOT)) {
+                authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix;
+            }
+
+            if (servletPath.endsWith(authFilterExcludeUrlSuffix)) {
+                chain.doFilter(request, response);
+                return;
+            }
+        }
+
+        AuthService.AuthUser authUser = authService.getAuthUser(httpRequest);
+
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        if (authUser == null) {
+            // If auth fail, set response status code to 401
+            httpResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
+        } else {
+            chain.doFilter(request, response);
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}
diff --git a/...-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/auth/FakeAuthServiceImpl.java b/...-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/auth/FakeAuthServiceImpl.java
@@ -15,19 +15,25 @@
  */
 package com.alibaba.csp.sentinel.dashboard.auth;
 
-import javax.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import org.springframework.stereotype.Component;
+import javax.servlet.http.HttpServletRequest;
 
 /**
  * A fake AuthService implementation, which will pass all user auth checking.
  *
  * @author Carpenter Lee
  * @since 1.5.0
  */
-@Component
 public class FakeAuthServiceImpl implements AuthService<HttpServletRequest> {
 
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    public FakeAuthServiceImpl() {
+        this.logger.warn("there is no auth, use {} by implementation {}", AuthService.class, this.getClass());
+    }
+
     @Override
     public AuthUser getAuthUser(HttpServletRequest request) {
         return new AuthUserImpl();