diff --git a/modules/core/src/main/java/com/jeesite/common/shiro/filter/InnerFilter.java b/modules/core/src/main/java/com/jeesite/common/shiro/filter/InnerFilter.java
new file mode 100644
index 00000000..f2a51a01
--- /dev/null
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/filter/InnerFilter.java
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2013-Now http://jeesite.com All rights reserved.
+ */
+package com.jeesite.common.shiro.filter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import com.jeesite.common.config.Global;
+import com.jeesite.common.lang.StringUtils;
+
+/**
+ * 内部系统访问过滤器
+ * @author ThinkGem
+ * @version 2018-11-10
+ */
+public class InnerFilter extends AccessControlFilter {
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
+ boolean result = false;
+ String[] prefixes = (String[])mappedValue;
+ if (prefixes == null){
+ prefixes = StringUtils.split(Global.getProperty(
+ "shiro.innerFilterAllowRemoteAddrs", "127.0.0.1"), ",");
+ }
+ if (prefixes != null && request instanceof HttpServletRequest){
+ String ip = ((HttpServletRequest)request).getRemoteAddr();
+ for (String prefix : prefixes){
+ result = StringUtils.startsWithIgnoreCase(ip, StringUtils.trim(prefix));
+ if (result){
+ break;
+ }
+ }
+ }
+ return result;
+ }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
+ return PermissionsAuthorizationFilter.redirectTo403Page(request, response);
+ }
+
+}
diff --git a/modules/core/src/main/java/com/jeesite/modules/config/ShiroConfig.java b/modules/core/src/main/java/com/jeesite/modules/config/ShiroConfig.java
index bdc242c2..829a7ca8 100644
--- a/modules/core/src/main/java/com/jeesite/modules/config/ShiroConfig.java
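Review bot: `isAccessAllowed` reads the property `shiro.innerFilterAllowRemoteAddrs`, but the key this commit documents in the jeesite-core.yml and application.yml hunks is `shiro.innerFilter.allowIp`, so the configured allow-list is never consulted and the hard-coded `127.0.0.1` default always applies unless a per-path list is passed as `mappedValue`; change the lookup to `Global.getProperty("shiro.innerFilter.allowIp", "127.0.0.1")` or rename the yml key to match. The comparison is also a case-insensitive prefix test, so an entry such as `10.1.1.1` admits `10.1.1.10` through `10.1.1.199` as well; compare whole addresses unless the entry deliberately ends with a dot, e.g. `String p = StringUtils.trim(prefix);` then `result = p.endsWith(".") ? StringUtils.startsWithIgnoreCase(ip, p) : ip.equalsIgnoreCase(p);`. Since `getRemoteAddr()` is the immediate peer, behind a reverse proxy every request carries the proxy's address, and the IPv6 loopback `::1` is not covered by the default, so the class Javadoc should state that entries are matched against the direct connection address and list the loopback forms an operator may need.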
+++ b/modules/core/src/main/java/com/jeesite/modules/config/ShiroConfig.java
@@ -27,6 +27,7 @@ import com.jeesite.common.shiro.cas.CasOutHandler;
 import com.jeesite.common.shiro.config.FilterChainDefinitionMap;
 import com.jeesite.common.shiro.filter.CasAuthenticationFilter;
 import com.jeesite.common.shiro.filter.FormAuthenticationFilter;
+import com.jeesite.common.shiro.filter.InnerFilter;
 import com.jeesite.common.shiro.filter.LogoutFilter;
 import com.jeesite.common.shiro.filter.PermissionsAuthorizationFilter;
 import com.jeesite.common.shiro.filter.RolesAuthorizationFilter;
@@ -60,6 +61,13 @@ public class ShiroConfig {
 bean.addUrlPatterns("/*");
 return bean;
 }
+
+ /**
+ * 内部系统访问过滤器
+ */
+ private InnerFilter shiroInnerFilter() {
+ return new InnerFilter();
+ }
 /**
 * CAS登录过滤器
@@ -120,6 +128,7 @@ public class ShiroConfig {
 bean.setLoginUrl(Global.getProperty("shiro.loginUrl"));
 bean.setSuccessUrl(Global.getProperty("adminPath")+"/index");
 Map filters = bean.getFilters();
+ filters.put("inner", shiroInnerFilter());
 filters.put("cas", shiroCasFilter(casAuthorizingRealm));
 filters.put("authc", shiroAuthcFilter(authorizingRealm));
 filters.put("logout", shiroLogoutFilter(authorizingRealm));
diff --git a/modules/core/src/main/resources/config/jeesite-core.yml b/modules/core/src/main/resources/config/jeesite-core.yml
index 67d27a46..5f85dc99 100644
--- a/modules/core/src/main/resources/config/jeesite-core.yml
+++ b/modules/core/src/main/resources/config/jeesite-core.yml
@@ -323,6 +323,9 @@ shiro:
 # 是否在登录后生成新的Session(默认false)
 isGenerateNewSessionAfterLogin: false
+ # 内部系统访问过滤器,可设置多个允许的内部系统IP地址串,多个用逗号隔开
+ innerFilter.allowIp: 127.0.0.1
+
 # URI 权限过滤器定义
 # filterChainDefinitions: |
 # /ReportServer/** = user
@@ -442,7 +445,7 @@ web:
 id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
 user.loginCode: '[a-zA-Z0-9_\u4e00-\u9fa5]{4,20}'
- # 关闭核心模块的Web功能(仅作为微服务时设为false)
+ # 核心模块的Web功能(仅作为微服务时设为false)
 core:
 enabled: true
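Review bot: The Javadoc on the new `shiroInnerFilter()` in the `@@ -60,6 +61,13 @@` hunk only repeats the class name and does not tell a configurer how the `inner` filter registered in the `@@ -120,6 +128,7 @@` hunk is meant to be referenced. Because the filter casts `mappedValue` to `String[]`, the bracketed form of a chain definition is what overrides the property-based allow-list, and that is worth saying where the filter is wired. Suggest `/** Internal-system access filter; reference it from filterChainDefinitions as {@code inner} (allow-list from configuration) or {@code inner[addr1,addr2]} (per-path override of that list). */`.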
diff --git a/web/src/main/resources/config/application.yml b/web/src/main/resources/config/application.yml
index 7222033a..ff7ebb69 100644
--- a/web/src/main/resources/config/application.yml
+++ b/web/src/main/resources/config/application.yml
@@ -369,6 +369,9 @@ logging:
 #
 # # 是否在登录后生成新的Session(默认false)
 # isGenerateNewSessionAfterLogin: false
+#
+# # 内部系统访问过滤器,可设置多个允许的内部系统IP地址串,多个用逗号隔开
+# innerFilter.allowIp: 127.0.0.1
 #
 # # URI 权限过滤器定义
 # filterChainDefinitions: |
@@ -458,7 +461,7 @@ logging:
 # id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
 # user.loginCode: '[a-zA-Z0-9_\u4e00-\u9fa5]{4,20}'
 #
-# # 关闭核心模块的Web功能(仅作为微服务时设为false)
+# # 核心模块的Web功能(仅作为微服务时设为false)
 # core:
 # enabled: true