解决bug，租户是否有效判断有误

2 years ago · 0a00bd8a7c
parent e90efbb52f
commit 0a00bd8a7c
1 changed files with 24 additions and 3 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
@ -11,6 +11,7 @@ import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.config.TenantContext;
+import org.jeecg.common.constant.CacheConstant;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.vo.LoginUser;
@ -148,9 +149,29 @@ public class ShiroRealm extends AuthorizingRealm {
                //update-begin-author:taoyan date:20211227 for: /issues/I4O14W 用户租户信息变更判断漏洞
                String[] arr = userTenantIds.split(",");
                if(!oConvertUtils.isIn(contextTenantId, arr)){
-                    log.info("租户异常——登录租户：" + contextTenantId);
-                    log.info("租户异常——用户拥有租户组：" + userTenantIds);
-                    throw new AuthenticationException("登录租户授权变更，请重新登陆!");
+                    boolean isAuthorization = false;
+                    //========================================================================
+                    // 查询用户信息（如果租户不匹配从数据库中重新查询一次用户信息）
+                    LoginUser loginUserFromDb = commonApi.getUserByName(username);
+                    if (oConvertUtils.isNotEmpty(loginUserFromDb.getRelTenantIds())) {
+                        String[] newArray = loginUserFromDb.getRelTenantIds().split(",");
+                        if (oConvertUtils.isIn(contextTenantId, newArray)) { 
+                            isAuthorization = true;
+
+                            //清空redis缓存
+                            String loginUserKey = CacheConstant.SYS_USERS_CACHE + "::" + username;
+                            redisUtil.del(loginUserKey);
+                        }
+                    }
+                    //========================================================================
+
+                    //*********************************************
+                    if(!isAuthorization){
+                        log.info("租户异常——登录租户：" + contextTenantId);
+                        log.info("租户异常——用户拥有租户组：" + userTenantIds);
+                        throw new AuthenticationException("登录租户授权变更，请重新登陆!");
+                    }
+                    //*********************************************
                }
                //update-end-author:taoyan date:20211227 for: /issues/I4O14W 用户租户信息变更判断漏洞
            }