1、添加后端鉴权

atms-api/src/main/java/pwc/taxtech/atms/controller/ApprovalController.java

 package pwc.taxtech.atms.controller;
 
+import io.swagger.annotations.ApiOperation;
 import org.activiti.engine.RepositoryService;
 import org.activiti.engine.RuntimeService;
 import org.activiti.engine.TaskService;
@@ -8,14 +9,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.*;
 import pwc.taxtech.atms.common.util.MyAsserts;
 import pwc.taxtech.atms.dto.approval.ApprovalDto;
-import pwc.taxtech.atms.dto.approval.ApprovalTask;
 import pwc.taxtech.atms.entity.Template;
 import pwc.taxtech.atms.exception.Exceptions;
 import pwc.taxtech.atms.vat.dpo.ApprovalTaskInfo;
-import pwc.taxtech.atms.vat.entity.PeriodTemplate;
 import pwc.taxtech.atms.vat.service.impl.ApprovalService;
 
 import javax.servlet.http.HttpServletResponse;
@@ -35,7 +35,6 @@ public class ApprovalController {
     @Autowired
     RepositoryService repositoryService;
 
-
     @ResponseBody
     @RequestMapping(value = "/deploy", method = RequestMethod.POST)
     public ResponseEntity deploy() {
@@ -43,8 +42,10 @@ public class ApprovalController {
         return ResponseEntity.ok().build();
     }
 
+    @ApiOperation(value = "提交报表")
     @ResponseBody
     @RequestMapping(value = "/commit", method = RequestMethod.POST)
+    @Secured("vatApproval:commit")
     public ApprovalDto approval(@RequestBody ApprovalDto dto) {
         MyAsserts.assertNotEmpty(dto.getProjectId(), Exceptions.EMPTY_PROJECT_PARAM);
         MyAsserts.assertNotEmpty(dto.getPeriodDate(), Exceptions.EMPTY_PRIODDATE_PARAM);
@@ -64,8 +65,10 @@ public class ApprovalController {
         return approvalService.getTemplateInfo(templateId);
     }
 
+    @ApiOperation(value = "审批报表")
     @ResponseBody
     @RequestMapping(value = "/check/{projectId}/{period}",method = RequestMethod.PUT)
+    @Secured("vatApproval:check")
     public void check(@PathVariable String projectId,@PathVariable Integer period, @RequestParam String decide, @RequestParam String comment) {//only for manager role
         approvalService.checkTask(projectId, period, decide,comment);
     }

atms-api/src/main/java/pwc/taxtech/atms/controller/RoleController.java

@@ -4,6 +4,7 @@ import io.swagger.annotations.ApiOperation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -99,6 +100,7 @@ public class RoleController {
 
     @ApiOperation(value = "删除角色下用户")
     @RequestMapping(value = "removeUserRole", method = RequestMethod.POST)
+    @Secured("role:edit")
     public @ResponseBody
     Boolean removeUserRole(@RequestParam("userID") String userId,
                            @RequestBody List<String> roleIdList, @RequestParam("serviceTypeID") String serviceTypeId) {
@@ -115,6 +117,7 @@ public class RoleController {
 
     @ApiOperation(value = "增加角色分类")
     @RequestMapping(value = "addRoleCategory", method = RequestMethod.GET)
+    @Secured("roleCategory:add")
     public @ResponseBody
     Boolean addRoleCategory(@RequestParam("name") String roleCategoryName,
                             @RequestParam("roleCategoryID") String roleCategoryId) {
@@ -124,6 +127,7 @@ public class RoleController {
 
     @ApiOperation(value = "更新角色分类名称")
     @RequestMapping(value = "updateRoleCategory", method = RequestMethod.GET)
+    @Secured("roleCategory:edit")
     public @ResponseBody
     Boolean updateRoleCategory(@RequestParam("updateName") String roleCategoryName,
                                @RequestParam("id") String roleCategoryId) {
@@ -134,6 +138,7 @@ public class RoleController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "删除角色分类")
     @RequestMapping(value = "deleteRoleCategory", method = RequestMethod.GET)
+    @Secured("roleCategory:edit")
     public @ResponseBody
     OperationResultDto deleteRoleCategory(@RequestParam("id") String roleCategoryId) {
         return roleService.deleteRoleCategory(roleCategoryId);
@@ -142,6 +147,7 @@ public class RoleController {
     @SuppressWarnings({"unchecked", "rawtypes"})
     @ApiOperation(value = "Add a role info")
     @RequestMapping(value = "add", method = RequestMethod.POST)
+    @Secured("role:add")
     public @ResponseBody
     Map addRole(@RequestBody RoleDisplayDto roleDisplayDto) {
 
@@ -156,6 +162,7 @@ public class RoleController {
 
     @ApiOperation(value = "Update a role info")
     @RequestMapping(value = "update", method = RequestMethod.PUT)
+    @Secured("role:edit")
     public void updateRole(@RequestBody UpdateRoleInfo updateRole, @RequestParam("roleID") String roleId) {
 
         roleService.updateRole(updateRole, roleId);
@@ -178,6 +185,7 @@ public class RoleController {
 
     @ApiOperation(value = "Delete a role info")
     @RequestMapping(value = "delete", method = RequestMethod.POST)
+    @Secured("role:edit")
     public @ResponseBody
     List<RoleDtoTree> deleteRole(@RequestBody RoleDto roleDto) {
 
@@ -210,6 +218,7 @@ public class RoleController {
 
     @ApiOperation(value = "更新用户角色列表")
     @RequestMapping(value = "updateUserRole", method = RequestMethod.POST)
+    @Secured("role:edit")
     public Boolean updateUserRole(@RequestBody UserRoleUpdateDto userRoleDto) {
 
         roleService.updateUserRole(userRoleDto);
@@ -218,6 +227,7 @@ public class RoleController {
 
     @ApiOperation(value = "用户详情页面，增加范围")
     @RequestMapping(value = "updateDimensionValues", method = RequestMethod.POST)
+    @Secured("role:edit")
     public Boolean updateDimensionValues(@RequestBody DimensionValueUpdateDto dimensionValueUpdateDto) {
 
         roleService.updateDimensionValues(dimensionValueUpdateDto);
@@ -226,6 +236,7 @@ public class RoleController {
 
     @ApiOperation(value = "用户详情页面，增加机构")
     @RequestMapping(value = "updateUserOrg", method = RequestMethod.POST)
+    @Secured("role:edit")
     public Boolean updateUserOrg(@RequestBody List<String> orgIdList, @RequestParam("userID") String userId) {
 
         roleService.updateUserOrg(orgIdList, userId);

atms-api/src/main/java/pwc/taxtech/atms/controller/UserController.java

@@ -5,6 +5,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -113,6 +114,7 @@ public class UserController {
 
     @ApiOperation(value = "为角色添加用户")
     @RequestMapping(value = "addUsersToRole", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:add")
     public @ResponseBody
     Boolean addUsersToRole(@RequestBody UserRoleSaveDto userRoleSaveDto) {
         roleService.addUsersToRole(userRoleSaveDto.getRoleId(), userRoleSaveDto.getServiceTypeId(),
@@ -122,6 +124,8 @@ public class UserController {
 
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "为角色添加用户")
+    //  todo 这里应该是错的  @ApiOperation(value = "启用或停用用户")
+    @Secured("user:edit")
     @RequestMapping(value = "enableordisableuser", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
     public @ResponseBody
     OperationResultDto enableOrDisableUser(@RequestBody UpdateParam updateParam) {
@@ -131,6 +135,7 @@ public class UserController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "为机构删除用户角色")
     @RequestMapping(value = "deleteUserRoleForOrg", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:edit")
     public @ResponseBody
     OperationResultDto deleteUserRoleForOrg(@RequestBody UserOrgDto userDto) {
         logger.debug("enter deleteUserRoleForOrg");
@@ -140,6 +145,7 @@ public class UserController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "机构删除，包括维度上的继承删除")
     @RequestMapping(value = "deleteUserRoleOrg", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("userRole:edit")
     public @ResponseBody
     OperationResultDto deleteUserRoleOrg(
             @RequestBody List<UserRoleDimensionValueDto> userRoleList) {
@@ -203,6 +209,7 @@ public class UserController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "机构用户权限编辑")
     @RequestMapping(value = "updateUserRoleOrganization", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:edit")
     public @ResponseBody
     OperationResultDto updateUserRoleOrganization(
             @RequestBody List<UserRoleDimensionValueDto> userRoleList) {
@@ -211,6 +218,7 @@ public class UserController {
 
     @ApiOperation(value = "添加一个新的用户")
     @RequestMapping(value = "add", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:add")
     public @ResponseBody
     OperationResultDto<User> addUser(@RequestBody UserAndUserRoleSaveDto userAndUserRoleSaveDto) {
         return userAccountService.addNewUser(userAndUserRoleSaveDto);
@@ -219,6 +227,7 @@ public class UserController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "删除可继承权限", notes = "用户管理>点击用户卡片>点击各机构设置数据的修改按钮>点击角色>取消设置下的允许继承>确定")
     @RequestMapping(value = "deleteUserOrg", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:edit")
     public @ResponseBody
     OperationResultDto deleteUserOrg(@RequestBody List<UserRoleDimensionValueDto> userRoleList) {
         return userService.deleteUserOrg(userRoleList);
@@ -227,6 +236,7 @@ public class UserController {
     @SuppressWarnings("rawtypes")
     @ApiOperation(value = "给机构添加用户", notes = "机构管理>点击机构>用户>添加用户>选中用户并提交")
     @RequestMapping(value = "updateUserRoleForOrg", method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
+    @Secured("user:edit")
     public @ResponseBody
     OperationResultDto updateUserRoleForOrg(
             @RequestBody List<UserRoleDimensionValueDto> userRoleList) {

atms-api/src/main/java/pwc/taxtech/atms/security/JwtAuthenticationService.java

@@ -27,7 +27,16 @@ public class JwtAuthenticationService {
     @Cacheable(value = "apiAuthCache", key = "'userName'")
     public List<String> getApiAuthList(String userName) {
         List<String> apiAuthList = new ArrayList<>();
-        apiAuthList.add("template:get");
+        apiAuthList.add("user:add");
+        apiAuthList.add("user:edit");
+        apiAuthList.add("userRole:add");
+        apiAuthList.add("userRole:edit");
+        apiAuthList.add("role:add");
+        apiAuthList.add("role:edit");
+        apiAuthList.add("roleCategory:add");
+        apiAuthList.add("roleCategory:edit");
+        apiAuthList.add("vatApproval:commit");
+        apiAuthList.add("vatApproval:check");
         // todo upm return  response
         logger.debug("get Cache from upm :"+"apiAuthCache-"+"key :"+userName + " value :"+String.join("，",apiAuthList));
         return apiAuthList;

atms-api/src/main/java/pwc/taxtech/atms/security/JwtUtil.java

@@ -11,8 +11,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.cache.annotation.Cacheable;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;