增加 auth 授权相关处理（未完成）

6 years ago · a545d673ab
parent 6f37500f62
commit a545d673ab
36 changed files with 528 additions and 54 deletions
--- a/common/common-framework/src/main/java/cn/iocoder/common/framework/util/CollectionUtil.java
+++ b/common/common-framework/src/main/java/cn/iocoder/common/framework/util/CollectionUtil.java
@ -12,6 +12,10 @@ public class CollectionUtil {
        return collection == null || collection.isEmpty();
    }

+    public static boolean isEmpty(Object[] arrays) {
+        return arrays == null || arrays.length == 0;
+    }
+
    public static <T> Set<T> asSet(T... objs) {
        return new HashSet<>(Arrays.asList(objs));
    }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/config/CommonSecurityAutoConfiguration.java
@ -6,7 +6,6 @@ import cn.iocoder.mall.web.core.constant.CommonMallConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -22,16 +21,22 @@ public class CommonSecurityAutoConfiguration implements WebMvcConfigurer {

    // ========== 拦截器相关 ==========
    @Bean
-    @ConditionalOnMissingBean(AccountAuthInterceptor.class)
-    public AccountAuthInterceptor accountAuthInterceptor() {
-        return new AccountAuthInterceptor();
+    public AccountAuthInterceptor adminAccountAuthInterceptor() {
+        return new AccountAuthInterceptor(true);
+    }
+
+    @Bean
+    public AccountAuthInterceptor userAccountAuthInterceptor() {
+        return new AccountAuthInterceptor(false);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // AccountAuthInterceptor 拦截器
-        registry.addInterceptor(this.accountAuthInterceptor())
-                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**", CommonMallConstants.ROOT_PATH_USER + "/**");
+        registry.addInterceptor(this.userAccountAuthInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_USER + "/**");
+        registry.addInterceptor(this.adminAccountAuthInterceptor())
+                .addPathPatterns(CommonMallConstants.ROOT_PATH_ADMIN + "/**");
        logger.info("[addInterceptors][加载 AccountAuthInterceptor 拦截器完成]");
    }

--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresAuthenticate.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresAuthenticate.java
@ -3,14 +3,16 @@ package cn.iocoder.mall.security.core.annotation;
 import java.lang.annotation.*;

 /**
- * 要求用户登录注解。通过将该注解添加到 Controller 上，会自动校验用户是否登陆。
+ * 要求用户认证（登陆）注解。通过将该注解添加到 Controller 上，会自动校验用户是否登陆。
 *
 * 默认请求下，用户访问的 API 接口，无需登陆。主要的考虑是，
 * 1. 需要用户登陆的接口，本身会获取在线用户的编号。如果不添加 @RequiresLogin 注解就会报错。
 * 2. 大多数情况下，用户的 API 接口无需登陆。
+ *
+ * ps：同样适用于管理员 Admin
 */
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
@Retention(RetentionPolicy.RUNTIME)
-public @interface RequiresLogin {
+public @interface RequiresAuthenticate {
 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresNone.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresNone.java
@ -0,0 +1,12 @@
+package cn.iocoder.mall.security.core.annotation;
+
+import java.lang.annotation.*;
+
+/**
+ * 通过将该注解添加到 Controller 的方法上，声明无需进行登陆
+ */
+@Documented
+@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
+@Retention(RetentionPolicy.RUNTIME)
+public @interface RequiresNone {
+}
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/annotation/RequiresPermissions.java
@ -6,6 +6,8 @@ import java.lang.annotation.*;
 * 参考 Shiro @RequiresPermissions 设计 http://shiro.apache.org/static/1.3.2/apidocs/org/apache/shiro/authz/annotation/RequiresPermissions.html
 *
 * 通过将该注解添加到 Controller 的方法上，进行授权鉴定
+ *
+ * ps：目前暂时只有管理员 Admin 使用到
 */
@Documented
@Target({ElementType.METHOD}) // 暂时不支持 ElementType.TYPE ，因为没有场景
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/context/AdminSecurityContext.java
@ -3,10 +3,8 @@ package cn.iocoder.mall.security.core.context;
 import lombok.Data;
 import lombok.experimental.Accessors;

-import java.util.Set;
-
 /**
- * Security 上下文
+ * Admin Security 上下文
 */
@Data
@Accessors(chain = true)
@ -20,9 +18,5 @@ public class AdminSecurityContext {
     * 管理员账号
     */
    private String username;
-    /**
-     * 拥有的角色编号
-     */
-    private Set<Integer> roleIds;

 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AccountAuthInterceptor.java
@ -1,8 +1,13 @@
 package cn.iocoder.mall.security.core.interceptor;

+import cn.iocoder.common.framework.util.CollectionUtil;
 import cn.iocoder.common.framework.util.HttpUtil;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
 import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.core.annotation.RequiresAuthenticate;
+import cn.iocoder.mall.security.core.annotation.RequiresNone;
+import cn.iocoder.mall.security.core.annotation.RequiresPermissions;
+import cn.iocoder.mall.system.biz.enums.SystemErrorCodeEnum;
 import cn.iocoder.mall.system.rpc.api.oauth2.OAuth2RPC;
 import cn.iocoder.mall.system.rpc.request.oauth2.OAuth2AccessTokenAuthenticateRequest;
 import cn.iocoder.mall.system.rpc.response.oauth2.OAuth2AccessTokenResponse;
@ -11,6 +16,7 @@ import org.apache.dubbo.config.annotation.Reference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.util.StringUtils;
+import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

 import javax.servlet.http.HttpServletRequest;
@ -23,12 +29,36 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
    @Reference(validation = "true", version = "${dubbo.consumer.OAuth2RPC.version}")
    private OAuth2RPC oauth2RPC;

+
+    /**
+     * 是否默认要求认证
+     *
+     * 针对 /users/** 接口，一般默认不要求认证，因为面向用户的接口，往往不需要登陆即可访问
+     * 针对 /admins/** 接口，一般默认要求认证，因为面向管理员的接口，往往是内部需要更严格的安全控制
+     */
+    private final boolean defaultRequiresAuthenticate;
+
+    public AccountAuthInterceptor(boolean defaultRequiresAuthenticate) {
+        this.defaultRequiresAuthenticate = defaultRequiresAuthenticate;
+    }
+
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
-        // 获得访问令牌
-        String accessToken = HttpUtil.obtainAuthorization(request);
-        if (StringUtils.hasText(accessToken)) { // 如果未传递，则不进行认证
-            return true;
+        // 1. 进行认证
+        Integer accountId = this.obtainAccount(request);
+        // 2. 进行鉴权
+        HandlerMethod handlerMethod = (HandlerMethod) handler;
+        // 判断是否需要认证
+        this.checkAuthenticate(handlerMethod, accountId);
+        // 判断是否需要权限
+
+        return true;
+    }
+
+    private Integer obtainAccount(HttpServletRequest request) {
+        String accessToken = HttpUtil.obtainAuthorization(request); // 获得访问令牌
+        if (!StringUtils.hasText(accessToken)) { // 如果未传递，则不进行认证
+            return null;
        }
        // 执行认证
        OAuth2AccessTokenAuthenticateRequest oauth2AccessTokenAuthenticateRequest = new OAuth2AccessTokenAuthenticateRequest()
@ -38,8 +68,35 @@ public class AccountAuthInterceptor extends HandlerInterceptorAdapter {
            throw ServiceExceptionUtil.exception(oauth2AccessTokenResponseResult);
        }
        // 设置账号编号
-        CommonWebUtil.setAccountId(request, oauth2AccessTokenResponseResult.getData().getAccountId());
-        return true;
+        Integer accountId = oauth2AccessTokenResponseResult.getData().getAccountId();
+        CommonWebUtil.setAccountId(request, accountId);
+        return accountId;
+    }
+
+    private void checkAuthenticate(HandlerMethod handlerMethod, Integer accountId) {
+        boolean requiresAuthenticate = defaultRequiresAuthenticate;
+        if (handlerMethod.hasMethodAnnotation(RequiresAuthenticate.class)
+                || handlerMethod.hasMethodAnnotation(RequiresPermissions.class)) { // 如果需要权限验证，也认为需要认证
+            requiresAuthenticate = true;
+        } else if (handlerMethod.hasMethodAnnotation(RequiresNone.class)) {
+            requiresAuthenticate = false;
+        }
+        if (requiresAuthenticate && accountId == null) {
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_NOT_AUTHENTICATE);
+        }
+    }
+
+    private void checkPermission(HandlerMethod handlerMethod, Integer accountId) {
+        RequiresPermissions requiresPermissions = handlerMethod.getMethodAnnotation(RequiresPermissions.class);
+        if (requiresPermissions == null) {
+            return;
+        }
+        String[] permissions = requiresPermissions.value();
+        if (CollectionUtil.isEmpty(permissions)) {
+            return;
+        }
+        // 权限验证
+
    }

 }
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AdminSecurityInterceptor.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/AdminSecurityInterceptor.java
@ -0,0 +1,22 @@
+package cn.iocoder.mall.security.core.interceptor;
+
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class AdminSecurityInterceptor extends HandlerInterceptorAdapter {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        // 获得 Admin 信息
+
+        return true;
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
+
+    }
+
+}
--- a/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/UserSecurityInterceptor.java
+++ b/common/mall-spring-boot-starter-security/src/main/java/cn/iocoder/mall/security/core/interceptor/UserSecurityInterceptor.java
@ -0,0 +1,21 @@
+package cn.iocoder.mall.security.core.interceptor;
+
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class UserSecurityInterceptor extends HandlerInterceptorAdapter {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        // 获得用户信息
+        return true;
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
+        super.afterCompletion(request, response, handler, ex);
+    }
+
+}
--- a/common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/AdminMVCAutoConfiguration.java
+++ b/common/mall-spring-boot/src/main/java/cn/iocoder/mall/spring/boot/web/AdminMVCAutoConfiguration.java
@ -46,13 +46,4 @@ public class AdminMVCAutoConfiguration implements WebMvcConfigurer {
        registry.addInterceptor(adminDemoInterceptor()).addPathPatterns(MallConstants.ROOT_PATH_ADMIN + "/**");
    }

-    @Bean
-    @ConditionalOnMissingBean
-    public FilterRegistrationBean<CorsFilter> corsFilter() {
-        FilterRegistrationBean<CorsFilter> registrationBean = new FilterRegistrationBean<>();
-        registrationBean.setFilter(new CorsFilter());
-        registrationBean.addUrlPatterns("/*");
-        return registrationBean;
-    }
-
 }
--- a/system/pom.xml
+++ b/system/pom.xml
@ -22,6 +22,7 @@
        <module>system-rpc</module>
        <module>system-rest</module>
        <module>system-biz</module>
+        <module>system-biz-api</module>
    </modules>

    <dependencyManagement>
--- a/system/system-biz-api/pom.xml
+++ b/system/system-biz-api/pom.xml
@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>system</artifactId>
+        <groupId>cn.iocoder.mall</groupId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>system-biz-api</artifactId>
+
+    <dependencies>
+        <!-- Mall 相关 -->
+        <dependency>
+            <groupId>cn.iocoder.mall</groupId>
+            <artifactId>common-framework</artifactId>
+            <version>1.0-SNAPSHOT</version>
+        </dependency>
+    </dependencies>
+
+</project>
--- a/system/system-biz-api/src/main/java/cn/iocoder/mall/system/biz/enums/SystemErrorCodeEnum.java
+++ b/system/system-biz-api/src/main/java/cn/iocoder/mall/system/biz/enums/SystemErrorCodeEnum.java
@ -11,24 +11,22 @@ public enum SystemErrorCodeEnum implements ServiceExceptionUtil.Enumerable {

    // ========== OAUTH2 模块 ==========
    OAUTH2_UNKNOWN(1001001000, "未知错误"), // 预留
-    OAUTH2_ACCOUNT_NOT_FOUND(1001001001, "账号不存在"),
-    OAUTH2_ACCOUNT_PASSWORD_ERROR(1001001002, "密码不正确"),
-    OAUTH2_INVALID_TOKEN_NOT_FOUND(1002001011, "访问令牌不存在"),
-    OAUTH2_INVALID_TOKEN_EXPIRED(1002001012, "访问令牌已过期"),
-    OAUTH2_INVALID_TOKEN_INVALID(1002001013, "访问令牌已失效"),
-//    OAUTH2_NOT_LOGIN(1002001015, "账号未登陆"),
-//    OAUTH_INVALID_REFRESH_TOKEN_NOT_FOUND(1002001017, "刷新令牌不存在"),
-//    OAUTH_INVALID_REFRESH_TOKEN_EXPIRED(1002001018, "访问令牌已过期"),
-
+    // 预留 1001001001 ~ 1001001099 错误码，方便前端
+    OAUTH2_ACCESS_TOKEN_NOT_FOUND(1001001001, "访问令牌不存在"),
+    OAUTH2_ACCESS_TOKEN_TOKEN_EXPIRED(1001001002, "访问令牌已过期"),
+    OAUTH2_ACCESS_TOKEN_INVALID(1001001003, "访问令牌已失效"),
+    OAUTH2_NOT_AUTHENTICATE(1001001004, "账号未登陆"),
+    // 其它 1001001100 开始
+    OAUTH2_ACCOUNT_NOT_FOUND(1001001100, "账号不存在"),
+    OAUTH2_ACCOUNT_PASSWORD_ERROR(1001001101, "密码不正确"),

    // ========== OAuth 手机验证码模块 ==========
-    OAUTH2_MOBILE_CODE_NOT_FOUND(1001001100, "验证码不存在"),
-    OAUTH2_MOBILE_CODE_EXPIRED(1001001101, "验证码已过期"),
-    OAUTH2_MOBILE_CODE_USED(1001001102, "验证码已使用"),
-    OAUTH2_MOBILE_CODE_NOT_CORRECT(1001001104, "验证码不正确"),
-    OAUTH2_MOBILE_CODE_EXCEED_SEND_MAXIMUM_QUANTITY_PER_DAY(1001001105, "超过每日短信发送数量"),
-    OAUTH2_MOBILE_CODE_SEND_TOO_FAST(1001001106, "短信发送过于频率"),
-
+    OAUTH2_MOBILE_CODE_NOT_FOUND(1001001200, "验证码不存在"),
+    OAUTH2_MOBILE_CODE_EXPIRED(1001001201, "验证码已过期"),
+    OAUTH2_MOBILE_CODE_USED(1001001202, "验证码已使用"),
+    OAUTH2_MOBILE_CODE_NOT_CORRECT(1001001203, "验证码不正确"),
+    OAUTH2_MOBILE_CODE_EXCEED_SEND_MAXIMUM_QUANTITY_PER_DAY(1001001204, "超过每日短信发送数量"),
+    OAUTH2_MOBILE_CODE_SEND_TOO_FAST(1001001205, "短信发送过于频率"),

    // ========== 管理员模块 1002002000 ==========
    ADMIN_NOT_FOUND(1002002000, "管理员不存在"),
--- a/system/system-biz-api/src/main/java/cn/iocoder/mall/system/biz/package-info.java
+++ b/system/system-biz-api/src/main/java/cn/iocoder/mall/system/biz/package-info.java
@ -0,0 +1,6 @@
+/**
+ * 该项目，主要用于暴露一些共享的枚举类等。
+ *
+ * 例如说，RPC 接口提供错误码给调用方
+ */
+package cn.iocoder.mall.system.biz;
--- a/system/system-biz/pom.xml
+++ b/system/system-biz/pom.xml
@ -15,7 +15,7 @@
        <!-- Mall 相关 -->
        <dependency>
            <groupId>cn.iocoder.mall</groupId>
-            <artifactId>common-framework</artifactId>
+            <artifactId>system-biz-api</artifactId>
            <version>1.0-SNAPSHOT</version>
        </dependency>

--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/bo/authorization/AuthorizationBO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/bo/authorization/AuthorizationBO.java
@ -0,0 +1,15 @@
+package cn.iocoder.mall.system.biz.bo.authorization;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * 授权模块 - 授权信息 BO
+ */
+@Data
+@Accessors(chain = true)
+public class AuthorizationBO {
+
+
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/AccountRoleDO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/AccountRoleDO.java
@ -0,0 +1,34 @@
+package cn.iocoder.mall.system.biz.dataobject.authorization;
+
+import cn.iocoder.common.framework.dataobject.DeletableDO;
+import cn.iocoder.mall.system.biz.dataobject.account.AccountDO;
+import com.baomidou.mybatisplus.annotation.TableName;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * {@link AccountDO} 和 {@link RoleDO} 的关联表
+ */
+@TableName("admin_role")
+@Data
+@Accessors(chain = true)
+public class AccountRoleDO extends DeletableDO {
+
+    /**
+     * 编号
+     */
+    private Integer id;
+    /**
+     * 账号编号
+     *
+     * 关联 {@link AccountDO#getId()}
+     */
+    private Integer accountId;
+    /**
+     * 角色编号
+     *
+     * 关联 {@link RoleDO#getId()}
+     */
+    private Integer roleId;
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/ResourceDO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/ResourceDO.java
@ -0,0 +1,73 @@
+package cn.iocoder.mall.system.biz.dataobject.authorization;
+
+import cn.iocoder.common.framework.dataobject.DeletableDO;
+import com.baomidou.mybatisplus.annotation.TableName;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.experimental.Accessors;
+
+/**
+ * 资源实体
+ */
+@Data
+@EqualsAndHashCode(callSuper = true)
+@Accessors(chain = true)
+@TableName(value = "resource")
+public class ResourceDO extends DeletableDO {
+
+    /**
+     * 资源编号
+     */
+    private Integer id;
+    /**
+     * 菜单名
+     */
+    private String name;
+    /**
+     * 权限标识
+     *
+     * 一般格式为：${系统}:${模块}:${操作}
+     * 例如说：system:admin:add，即 system 服务的添加管理员。
+     *
+     * 当我们把该 ResourceDO 赋予给角色后，意味着该角色有该资源：
+     * - 对于后端，配合 @RequiresPermissions 注解，配置 API 接口需要该权限，从而对 API 接口进行权限控制。
+     * - 对于前端，配合前端标签，配置按钮是否展示，避免用户没有该权限时，结果可以看到该操作。
+     */
+    private String permission;
+    /**
+     * 资源类型
+     *
+     * 关联 {@link Resource}
+     */
+    private Integer type;
+    /**
+     * 排序
+     */
+    private Integer sort;
+    /**
+     * 父级资源编号
+     *
+     * 关联：{@link ResourceDO#getId()}
+     */
+    private Integer pid;
+    /**
+     *
+     *
+     * 目前当且仅当资源类型为【菜单】时，才会生效，即 handler 配置为界面 URL ，或者前端组件名，或者前端的路由。
+     */
+    private String handler;
+    /**
+     * 图标
+     *
+     * 目前当且仅当资源类型为【菜单】时，才会生效
+     */
+    private String icon;
+    /**
+     * 权限标识数组，使用逗号分隔。
+     *
+     * 例如：system:admin:add
+     * 推荐格式为 ${系统}:${模块}:${操作}
+     */
+    private String permissions;
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/RoleDO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/RoleDO.java
@ -0,0 +1,25 @@
+package cn.iocoder.mall.system.biz.dataobject.authorization;
+
+import cn.iocoder.common.framework.dataobject.DeletableDO;
+import com.baomidou.mybatisplus.annotation.TableName;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * 角色实体
+ */
+@TableName("role")
+@Data
+@Accessors(chain = true)
+public class RoleDO extends DeletableDO {
+
+    /**
+     * 角色编号
+     */
+    private Integer id;
+    /**
+     * 角色名
+     */
+    private String name;
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/RoleResourceDO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dataobject/authorization/RoleResourceDO.java
@ -0,0 +1,29 @@
+package cn.iocoder.mall.system.biz.dataobject.authorization;
+
+import cn.iocoder.common.framework.dataobject.DeletableDO;
+import com.baomidou.mybatisplus.annotation.TableName;
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * {@link RoleDO} 和 {@link ResourceDO} 的关联表
+ */
+@TableName("role_resource")
+@Data
+@Accessors(chain = true)
+public class RoleResourceDO extends DeletableDO {
+
+    /**
+     * 编号
+     */
+    private Integer id;
+    /**
+     * 角色编号(外键：{@link RoleDO}
+     */
+    private Integer roleId;
+    /**
+     * 资源编号(外键：{@link ResourceDO}
+     */
+    private Integer resourceId;
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dto/authorization/AuthorizationCheckPermissionsDTO.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/dto/authorization/AuthorizationCheckPermissionsDTO.java
@ -0,0 +1,20 @@
+package cn.iocoder.mall.system.biz.dto.authorization;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import javax.validation.constraints.NotNull;
+
+/**
+ * OAuth2 模块 - 访问令牌认证 Request
+ */
+@Data
+@Accessors(chain = true)
+public class AuthorizationCheckPermissionsDTO {
+
+    @NotNull(message = "访问令牌不能为空")
+    private String accessToken;
+    @NotNull(message = "IP 不能为空")
+    private String ip;
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/enums/authorization/ResourceTypeEnum.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/enums/authorization/ResourceTypeEnum.java
@ -0,0 +1,44 @@
+package cn.iocoder.mall.system.biz.enums.authorization;
+
+import cn.iocoder.common.framework.core.IntArrayValuable;
+
+import java.util.Arrays;
+
+/**
+ * 资源类型枚举
+ */
+public enum ResourceTypeEnum implements IntArrayValuable {
+
+    MENU(1, "菜单"),
+    BUTTON(2, "按钮");
+
+    public static final int[] ARRAYS = Arrays.stream(values()).mapToInt(ResourceTypeEnum::getValue).toArray();
+
+    /**
+     * 资源类型
+     */
+    private final Integer value;
+    /**
+     * 资源类型名
+     */
+    private final String name;
+
+    ResourceTypeEnum(Integer value, String name) {
+        this.value = value;
+        this.name = name;
+    }
+
+    public Integer getValue() {
+        return value;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public int[] array() {
+        return ARRAYS;
+    }
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/admin/AuthorizationService.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/admin/AuthorizationService.java
@ -0,0 +1,10 @@
+package cn.iocoder.mall.system.biz.service.admin;
+
+/**
+ * 授权 Service 接口
+ */
+public class AuthorizationService {
+
+
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/AuthorizationService.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/AuthorizationService.java
@ -0,0 +1,9 @@
+package cn.iocoder.mall.system.biz.service.authorization;
+
+import cn.iocoder.mall.system.biz.dto.authorization.AuthorizationCheckPermissionsDTO;
+
+public interface AuthorizationService {
+
+    void checkPermissions(AuthorizationCheckPermissionsDTO checkPermissionsDTO);
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/AuthorizationServiceImpl.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/AuthorizationServiceImpl.java
@ -0,0 +1,14 @@
+package cn.iocoder.mall.system.biz.service.authorization;
+
+import cn.iocoder.mall.system.biz.dto.authorization.AuthorizationCheckPermissionsDTO;
+import org.springframework.stereotype.Service;
+
+@Service
+public class AuthorizationServiceImpl implements AuthorizationService {
+
+    @Override
+    public void checkPermissions(AuthorizationCheckPermissionsDTO checkPermissionsDTO) {
+
+    }
+
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/ResourceService.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/ResourceService.java
@ -0,0 +1,4 @@
+package cn.iocoder.mall.system.biz.service.authorization;
+
+public interface ResourceService {
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/RoleService.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/authorization/RoleService.java
@ -0,0 +1,4 @@
+package cn.iocoder.mall.system.biz.service.authorization;
+
+public interface RoleService {
+}
--- a/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/oauth2/OAuth2ServiceImpl.java
+++ b/system/system-biz/src/main/java/cn/iocoder/mall/system/biz/service/oauth2/OAuth2ServiceImpl.java
@ -53,7 +53,7 @@ public class OAuth2ServiceImpl implements OAuth2Service {

    @Override
    @Transactional
-    public OAuth2AccessTokenBO  authenticate(OAuth2UsernameAuthenticateDTO authenticateDTO) {
+    public OAuth2AccessTokenBO authenticate(OAuth2UsernameAuthenticateDTO authenticateDTO) {
        // 获得账号
        AccountBO accountBO = accountService.getByUsername(authenticateDTO.getUsername());
        if (accountBO == null) {
@ -101,13 +101,13 @@ public class OAuth2ServiceImpl implements OAuth2Service {
    public OAuth2AccessTokenBO authenticate(OAuth2AccessTokenAuthenticateDTO authenticateDTO) {
        OAuth2AccessTokenDO oauth2AccessTokenDO = oauth2AccessTokenMapper.selectById(authenticateDTO.getAccessToken());
        if (oauth2AccessTokenDO == null) { // 不存在
-            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_INVALID_TOKEN_NOT_FOUND.getCode());
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_ACCESS_TOKEN_NOT_FOUND.getCode());
        }
        if (oauth2AccessTokenDO.getExpiresTime().getTime() < System.currentTimeMillis()) { // 已过期
-            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_INVALID_TOKEN_EXPIRED.getCode());
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_ACCESS_TOKEN_TOKEN_EXPIRED.getCode());
        }
        if (!oauth2AccessTokenDO.getValid()) { // 无效
-            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_INVALID_TOKEN_INVALID.getCode());
+            throw ServiceExceptionUtil.exception(SystemErrorCodeEnum.OAUTH2_ACCESS_TOKEN_INVALID.getCode());
        }
        // 转换返回
        return OAuth2Convert.INSTANCE.convert(oauth2AccessTokenDO);
--- a/system/system-rest/src/main/java/cn/iocoder/mall/system/rest/controller/oauth2/AdminsOAuth2Controller.java
+++ b/system/system-rest/src/main/java/cn/iocoder/mall/system/rest/controller/oauth2/AdminsOAuth2Controller.java
@ -3,6 +3,7 @@ package cn.iocoder.mall.system.rest.controller.oauth2;
 import cn.iocoder.common.framework.constant.MallConstants;
 import cn.iocoder.common.framework.util.ServiceExceptionUtil;
 import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.core.annotation.RequiresNone;
 import cn.iocoder.mall.system.biz.bo.admin.AdminBO;
 import cn.iocoder.mall.system.biz.bo.ouath2.OAuth2AccessTokenBO;
 import cn.iocoder.mall.system.biz.dto.oatuh2.OAuth2UsernameAuthenticateDTO;
@ -31,7 +32,8 @@ public class AdminsOAuth2Controller {
    private AdminService adminService;

    @PostMapping("/username-authenticate")
-    @ApiOperation("用户名认证")
+    @ApiOperation("用户名认证（登陆）")
+    @RequiresNone
    public CommonResult<AdminsOAuth2AuthenticateResponse> usernameAuthenticate(AdminsOAuth2UsernameAuthenticateRequest request) {
        // 执行认证
        OAuth2UsernameAuthenticateDTO authenticateDTO = AdminsOAuth2Convert.INSTANCE.convert(request);
--- a/system/system-rest/src/main/java/cn/iocoder/mall/system/rest/controller/oauth2/UsersOAuth2Controller.java
+++ b/system/system-rest/src/main/java/cn/iocoder/mall/system/rest/controller/oauth2/UsersOAuth2Controller.java
@ -3,6 +3,7 @@ package cn.iocoder.mall.system.rest.controller.oauth2;
 import cn.iocoder.common.framework.constant.MallConstants;
 import cn.iocoder.common.framework.util.HttpUtil;
 import cn.iocoder.common.framework.vo.CommonResult;
+import cn.iocoder.mall.security.core.annotation.RequiresNone;
 import cn.iocoder.mall.system.biz.bo.user.UserAuthenticateBO;
 import cn.iocoder.mall.system.biz.dto.oatuh2.OAuth2MobileCodeAuthenticateDTO;
 import cn.iocoder.mall.system.biz.dto.oatuh2.OAuth2MobileCodeSendDTO;
@ -37,6 +38,7 @@ public class UsersOAuth2Controller {

    @PostMapping("/mobile-code-authenticate")
    @ApiOperation("手机验证码认证")
+    @RequiresNone
    public CommonResult<UsersOAuth2AuthenticateResponse> mobileCodeAuthenticate(UsersOAuth2MobileCodeAuthenticateRequest request,
            HttpServletRequest httpRequest) {
        // 执行认证
@ -52,6 +54,7 @@ public class UsersOAuth2Controller {
    @PostMapping("/send-mobile-code")
    @ApiOperation("发送手机验证码")
    @ApiImplicitParam(name = "mobile", value = "手机号", required = true, example = "15601691234")
+    @RequiresNone
    public CommonResult<Boolean> sendMobileCode(@RequestParam("mobile") String mobile,
                                                HttpServletRequest request) {
        // 执行发送验证码
--- a/system/system-rpc-api/pom.xml
+++ b/system/system-rpc-api/pom.xml
@ -15,7 +15,7 @@
        <!-- Mall 相关 -->
        <dependency>
            <groupId>cn.iocoder.mall</groupId>
-            <artifactId>common-framework</artifactId>
+            <artifactId>system-biz-api</artifactId>
            <version>1.0-SNAPSHOT</version>
        </dependency>

--- a/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/api/admin/AdminRPC.java
+++ b/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/api/admin/AdminRPC.java
@ -0,0 +1,7 @@
+package cn.iocoder.mall.system.rpc.api.admin;
+
+/**
+ * Admin RPC 接口
+ */
+public interface AdminRPC {
+}
--- a/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/api/oauth2/OAuth2RPC.java
+++ b/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/api/oauth2/OAuth2RPC.java
@ -4,6 +4,9 @@ import cn.iocoder.common.framework.vo.CommonResult;
 import cn.iocoder.mall.system.rpc.request.oauth2.OAuth2AccessTokenAuthenticateRequest;
 import cn.iocoder.mall.system.rpc.response.oauth2.OAuth2AccessTokenResponse;

+/**
+ * OAuth2 RPC 接口
+ */
 public interface OAuth2RPC {

    CommonResult<OAuth2AccessTokenResponse> authenticate(OAuth2AccessTokenAuthenticateRequest request);
--- a/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/request/authorization/AuthorizationCheckPermissionsRequest.java
+++ b/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/request/authorization/AuthorizationCheckPermissionsRequest.java
@ -0,0 +1,21 @@
+package cn.iocoder.mall.system.rpc.request.authorization;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+import javax.validation.constraints.NotNull;
+import java.util.List;
+
+/**
+ * 鉴权模块 - 校验账号是否有权限 Request
+ */
+@Data
+@Accessors(chain = true)
+public class AuthorizationCheckPermissionsRequest {
+
+    @NotNull(message = "账号不能为空")
+    private Integer accountId;
+    @NotNull(message = "校验的权限不能为空")
+    private List<String> permissions;
+
+}
--- a/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/request/oauth2/OAuth2AccessTokenAuthenticateRequest.java
+++ b/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/request/oauth2/OAuth2AccessTokenAuthenticateRequest.java
@ -6,7 +6,7 @@ import lombok.experimental.Accessors;
 import javax.validation.constraints.NotNull;

 /**
- * OAuth2 访问令牌认证 Request
+ * OAuth2 模块 - 访问令牌认证 Request
 */
@Data
@Accessors(chain = true)
--- a/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/response/admin/AdminResponse.java
+++ b/system/system-rpc-api/src/main/java/cn/iocoder/mall/system/rpc/response/admin/AdminResponse.java
@ -0,0 +1,19 @@
+package cn.iocoder.mall.system.rpc.response.admin;
+
+import lombok.Data;
+import lombok.experimental.Accessors;
+
+/**
+ * Admin 信息 Response
+ */
+@Data
+@Accessors(chain = true)
+public class AdminResponse {
+
+    /**
+     * 管理员编号
+     */
+    private Integer id;
+//    private String
+
+}