update 优化 客户端管理 增加白名单路径和白名单IP功能 可限制客户端能访问的具体路径与可访问的具体IP地址

ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java

@@ -1,6 +1,7 @@
 package org.dromara.gateway.filter;
 
 import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.exception.NotPermissionException;
 import cn.dev33.satoken.filter.SaServletFilter;
 import cn.dev33.satoken.httpauth.basic.SaHttpBasicUtil;
 import cn.dev33.satoken.interceptor.SaInterceptor;
@@ -8,21 +9,21 @@ import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
 import cn.dev33.satoken.util.SaResult;
 import cn.dev33.satoken.util.SaTokenConsts;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.dromara.common.core.constant.HttpStatus;
+import org.dromara.common.core.utils.NetUtils;
 import org.dromara.common.core.utils.ServletUtils;
 import org.dromara.common.core.utils.SpringUtils;
 import org.dromara.common.core.utils.StringUtils;
 import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.gateway.config.properties.IgnoreWhiteProperties;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.Ordered;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
+import java.util.List;
 
 /**
  * [Sa-Token 权限认证] 拦截器配置
@@ -32,6 +33,8 @@ import jakarta.servlet.http.HttpServletResponse;
 @Configuration
 public class AuthFilter implements WebMvcConfigurer {
 
+    private static final String CLIENT_RULE_SEPARATOR_REGEX = "[,;\\r\\n]+";
+
     private final IgnoreWhiteProperties ignoreWhite;
 
     public AuthFilter(IgnoreWhiteProperties ignoreWhite) {
@@ -60,6 +63,7 @@ public class AuthFilter implements WebMvcConfigurer {
                         "-100", "客户端ID与Token不匹配",
                         StpUtil.getTokenValue());
                 }
+                validateClientAccessRules(request);
             })))
             .addPathPatterns("/**")
             .excludePathPatterns("/favicon.ico", "/actuator", "/actuator/**", "/resource/sse" , "/error");
@@ -86,4 +90,36 @@ public class AuthFilter implements WebMvcConfigurer {
             });
     }
 
+    /**
+     * 按客户端配置校验接口访问路径与来源IP。
+     */
+    private void validateClientAccessRules(HttpServletRequest request) {
+        String requestPath = StringUtils.blankToDefault(request.getServletPath(), request.getRequestURI());
+        String accessPath = getTokenExtra(LoginHelper.CLIENT_ACCESS_PATH_KEY);
+        if (StringUtils.isNotBlank(accessPath)) {
+            List<String> accessPathList = StringUtils.str2List(accessPath, CLIENT_RULE_SEPARATOR_REGEX, true, true);
+            if (!StringUtils.matches(requestPath, accessPathList)) {
+                throw new NotPermissionException("当前客户端未授权访问该接口路径");
+            }
+        }
+
+        String ipWhitelist = getTokenExtra(LoginHelper.CLIENT_IP_WHITELIST_KEY);
+        if (StringUtils.isNotBlank(ipWhitelist)) {
+            String clientIp = ServletUtils.getClientIP(request);
+            List<String> ipWhitelistList = StringUtils.str2List(ipWhitelist, CLIENT_RULE_SEPARATOR_REGEX, true, true);
+            boolean matched = ipWhitelistList.stream().anyMatch(rule -> NetUtils.isMatchIpRule(rule, clientIp));
+            if (!matched) {
+                throw new NotPermissionException("当前客户端IP不在白名单内");
+            }
+        }
+    }
+
+    /**
+     * 读取token扩展信息，兼容空值场景。
+     */
+    private String getTokenExtra(String key) {
+        Object extra = StpUtil.getExtra(key);
+        return extra == null ? null : extra.toString();
+    }
+
 }