Merge pull request #6243 from EightMonth/springboot3_sas

sas兼容shiro处理

.gitee/ISSUE_TEMPLATE.md

@@ -1,21 +0,0 @@
-##### 版本号：
-
-
-##### 前端版本：vue3版？还是 vue2版？
-
-
-##### 问题描述：
-
-
-##### 截图&代码：
-
-
-
-
-#### 友情提示（为了提高issue处理效率）：
-  - 未按格式要求发帖，会被直接删掉;
-  - 描述过于简单或模糊，导致无法处理的，会被直接删掉；
-  - 请自己初判问题描述是否清楚，是否方便我们调查处理；
-  - 针对问题请说明是Online在线功能(需说明用的主题模板)，还是生成的代码功能；
-
-  

.gitignore

@@ -9,3 +9,6 @@ rebel.xml
 
 ## front
 **/*.lock
+os_del.cmd
+
+*.log

LICENSE

@@ -203,7 +203,7 @@
    In any case, you must not make any such use of this software as to develop software which may be considered competitive with this software.
 
   开源协议补充
-    JeecgBoot 是由 北京敲敲云科技有限公司 发行的软件。 总部位于北京，地址：中国·北京·朝阳区科荟前街1号院奥林佳泰大厦。邮箱：jeecgos@163.com
+    JeecgBoot 是由 北京国炬信息技术有限公司 发行的软件。 总部位于北京，地址：中国·北京·朝阳区科荟前街1号院奥林佳泰大厦。邮箱：jeecgos@163.com
     本软件受适用的国家软件著作权法（包括国际条约）和双重保护许可。
   
    1.允许基于本平台软件开展业务系统开发。

README-EN.md

@@ -7,13 +7,13 @@
 JEECG BOOT Low Code Development Platform
 ===============
 
-The Latest Version： 3.5.5（Release date：2023-09-22） 
+当前最新版本： 3.6.1（发布日期：2023-12-11） 
 
 
 [![AUR](https://img.shields.io/badge/license-Apache%20License%202.0-blue.svg)](https://github.com/zhangdaiscott/jeecg-boot/blob/master/LICENSE)
-[![](https://img.shields.io/badge/Author-qiaoqiaoyun-orange.svg)](http://www.jeecg.com)
+[![](https://img.shields.io/badge/Author-guojusoft-orange.svg)](http://www.jeecg.com)
 [![](https://img.shields.io/badge/Blog-blog-blue.svg)](https://jeecg.blog.csdn.net)
-[![](https://img.shields.io/badge/version-3.5.5-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
+[![](https://img.shields.io/badge/version-3.6.1-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub stars](https://img.shields.io/github/stars/zhangdaiscott/jeecg-boot.svg?style=social&label=Stars)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub forks](https://img.shields.io/github/forks/zhangdaiscott/jeecg-boot.svg?style=social&label=Fork)](https://github.com/zhangdaiscott/jeecg-boot)
 
@@ -46,10 +46,10 @@ Download the source code
 -----------------------------------
 项目源码
 -----------------------------------
-| Source |Front-end source (Vue3 version) | Front-end source (Vue2 version) | The background source |
-|-|-|-|-|
-| Github | [jeecgboot-vue3](https://github.com/jeecgboot/jeecgboot-vue3)  | [ant-design-vue-jeecg](https://github.com/jeecgboot/ant-design-vue-jeecg) | [jeecg-boot](https://github.com/jeecgboot/jeecg-boot) |
-| Gitee | [jeecgboot-vue3](https://gitee.com/jeecg/jeecgboot-vue3)  | [ant-design-vue-jeecg](https://gitee.com/jeecg/ant-design-vue-jeecg)  | [jeecg-boot](https://gitee.com/jeecg/jeecg-boot) |
+| Source |Front-end source (Vue3 version) | The background source |
+|-|-|-|
+| Github | [jeecgboot-vue3](https://github.com/jeecgboot/jeecgboot-vue3)  | [jeecg-boot](https://github.com/jeecgboot/jeecg-boot) |
+| Gitee | [jeecgboot-vue3](https://gitee.com/jeecg/jeecgboot-vue3)    | [jeecg-boot](https://gitee.com/jeecg/jeecg-boot) |
 
 ##### Project description
 
@@ -57,15 +57,13 @@ Download the source code
 |--------------------|------------------------|
 | `jeecg-boot`    | SpringBoot background source code (support microservices)      |
 | `jeecgboot-vue3` | Vue3+TS new front-end source code|
-| `ant-design-vue-jeecg`  |Vue2 version front-end source code     |
 | `jeecg-uniapp` | [APP development framework, a code multi terminal adaptation, and support APP, small program, H5](https://github.com/jeecgboot/jeecg-uniapp) |
-| `jeecg-boot-starter` | [Stater relies on the project to be maintained separately. Click Download](https://gitee.com/jeecg/jeecg-boot-starter) |
+| `SpringBoot3+JDK17`    | [BranchSourceCode](https://github.com/jeecgboot/jeecg-boot/tree/springboot3)  [UpgradeBlog](https://blog.csdn.net/zhangdaiscott/article/details/134805602)        |
 | `More` | [Download more source code](http://jeecg.com/download) |
 
 
 
 
-
 For the project
 -----------------------------------
 Jeecg-Boot low code development platform can be applied in the development of any J2EE project, especially for SAAS projects, enterprise information management system (MIS), internal office system (OA), enterprise resource planning system (ERP), customer relationship management system (CRM), etc. Its semi-intelligent manual Merge development method, Can significantly improve the development efficiency of more than 70%, greatly reduce the development cost.
@@ -89,14 +87,20 @@ Technical documentation
 - Doc：  [http://help.jeecg.com](http://help.jeecg.com)
 - Newbie guide： [Quick start](http://www.jeecg.com/doc/quickstart)  |  [video](https://space.bilibili.com/454617261/channel/series) |   [Q&A ](http://www.jeecg.com/doc/qa)  |   [help](http://jeecg.com/doc/help) |  [1 minute experience](https://my.oschina.net/jeecg/blog/3083313)
 - Microservice Development：  [Monomer upgrade to microservice](https://help.jeecg.com/java/springcloud/switchcloud/monomer.html)
-- QQ group ： ⑦791696430、⑥730954414、683903138、⑤860162132(full)、④774126647(full)、③816531124(full)、②769925425(full)、①284271917(full)
+- QQ group ： ⑧825232878、⑦791696430、⑥730954414(full)、683903138(full)、⑤860162132(full)、④774126647(full)、③816531124(full)、②769925425(full)、①284271917(full)
 - Demo ： [Vue3](http://boot3.jeecg.com) | [Vue2](http://boot.jeecg.com)  | [APP](http://jeecg.com/appIndex)
 > [please click obtain account password to obtain](http://jeecg.com/doc/demo) 
 
 
 
+Thinking
+-----------------------------------
+> We are pursuing the goal of implementing complex business systems without writing code! That has been done so far
+- https://www.qiaoqiaoyun.com
 
-##### Star charts
+
+Star charts
+-----------------------------------
 
 [![Star History Chart](https://api.star-history.com/svg?repos=jeecgboot/jeecg-boot&type=Date)](https://star-history.com/#jeecgboot/jeecg-boot)
 

README.md

@@ -7,13 +7,13 @@
 JEECG BOOT 低代码开发平台
 ===============
 
-当前最新版本： 3.5.5（发布日期：2023-09-22） 
+当前最新版本： 3.6.1（发布日期：2023-12-11） 
 
 
 [![AUR](https://img.shields.io/badge/license-Apache%20License%202.0-blue.svg)](https://github.com/zhangdaiscott/jeecg-boot/blob/master/LICENSE)
-[![](https://img.shields.io/badge/Author-北京敲敲云科技-orange.svg)](http://www.jeecg.com)
+[![](https://img.shields.io/badge/Author-北京国炬软件-orange.svg)](http://jeecg.com/aboutusIndex)
 [![](https://img.shields.io/badge/Blog-官方博客-blue.svg)](https://jeecg.blog.csdn.net)
-[![](https://img.shields.io/badge/version-3.5.5-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
+[![](https://img.shields.io/badge/version-3.6.1-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub stars](https://img.shields.io/github/stars/zhangdaiscott/jeecg-boot.svg?style=social&label=Stars)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub forks](https://img.shields.io/github/forks/zhangdaiscott/jeecg-boot.svg?style=social&label=Fork)](https://github.com/zhangdaiscott/jeecg-boot)
 
@@ -44,22 +44,22 @@ Jeecg-Boot低代码开发平台，可以应用在任何J2EE项目的开发中，
 
 项目源码
 -----------------------------------
-| 仓库 |前端 Vue3版 | 前端 Vue2版 | 后端源码 |
-|-|-|-|-|
-| Github | [jeecgboot-vue3](https://github.com/jeecgboot/jeecgboot-vue3)  | [ant-design-vue-jeecg](https://github.com/jeecgboot/ant-design-vue-jeecg) | [jeecg-boot](https://github.com/jeecgboot/jeecg-boot) |
-| 码云 | [jeecgboot-vue3](https://gitee.com/jeecg/jeecgboot-vue3)  | [ant-design-vue-jeecg](https://gitee.com/jeecg/ant-design-vue-jeecg)  | [jeecg-boot](https://gitee.com/jeecg/jeecg-boot) |
+| 仓库 |前端源码 Vue3版 | 后端JAVA源码 |
+|-|-|-|
+| Github | [jeecgboot-vue3](https://github.com/jeecgboot/jeecgboot-vue3)   | [jeecg-boot](https://github.com/jeecgboot/jeecg-boot) |
+| 码云 | [jeecgboot-vue3](https://gitee.com/jeecg/jeecgboot-vue3)   | [jeecg-boot](https://gitee.com/jeecg/jeecg-boot) |
 
 
 #### 项目说明
 
 | 项目名                | 说明                     | 
 |--------------------|------------------------|
-| `jeecg-boot`    | SpringBoot后台源码（支持微服务）        |
-| `jeecgboot-vue3` | Vue3+TS 新版前端源码 |
-| `ant-design-vue-jeecg`  |Vue2版前端源码     |
+| `jeecgboot-vue3` | 前端源码 (Vue3版本) |
+| `jeecg-boot`    | 后端JAVA源码（支持微服务）        |
 | `jeecg-uniapp` | [APP开发框架，一份代码多终端适配，同时支持APP、小程序、H5](https://github.com/jeecgboot/jeecg-uniapp) |
-| `jeecg-boot-starter` | [Stater依赖项目单独维护，点击下载](https://gitee.com/jeecg/jeecg-boot-starter) |
-| `更多开源项目` | [更多源码下载](http://jeecg.com/download) |
+| `SpringBoot3+JDK17 后端分支`    | [分支源码](https://github.com/jeecgboot/jeecg-boot/tree/springboot3)  [升级博客](https://blog.csdn.net/zhangdaiscott/article/details/134805602)        |
+| `更多开源项目` | [更多底层源码下载](http://jeecg.com/download) |
+
 
 
 快速搭建开发环境
@@ -86,13 +86,19 @@ Docker快速启动项目
 - 开发文档：  [http://help.jeecg.com](http://help.jeecg.com)
 - 新手指南： [快速入门](http://www.jeecg.com/doc/quickstart)  |   [常见问题 ](http://www.jeecg.com/doc/qa) |  [视频教程](https://space.bilibili.com/454617261/channel/series)  |  [1分钟低代码体验](https://my.oschina.net/jeecg/blog/3083313) 
 
-- 在线演示 ：  [Vue3演示](http://boot3.jeecg.com)  |  [Vue2演示](http://boot3.jeecg.com) | [APP演示](http://jeecg.com/appIndex)
+- 在线演示 ：  [Vue3演示](http://boot3.jeecg.com)   | [APP演示](http://jeecg.com/appIndex) |  [敲敲云零代码](https://qiaoqiaoyun.com)
 > 演示系统的登录账号密码，请点击 [获取账号密码](http://jeecg.com/doc/demo) 获取 
 >
-- QQ交流群 ： ⑦791696430、⑥730954414、VUE3群683903138、⑤860162132(满)、④774126647(满)、③816531124(满)、②769925425(满)、①284271917(满)
+- QQ交流群 ： ⑧825232878、⑦791696430(满)、⑥730954414(满)、683903138(满)、⑤860162132(满)、④774126647(满)、③816531124(满)、②769925425(满)、①284271917(满)
 > ` 提醒：【QQ群是自助服务群，建议给帮助您解决问题的同学发送指定红包，表示感谢！】 `
 
 
+大龄码农的思考
+-----------------------------------
+> 作为码农年纪大了写不动代码了怎么办？？哎！！
+所以我们团队在追求不写代码也可实现复杂业务系统！目前已经做到了，不信你到敲敲云零代码试试（通过流程串联修改业务数据）
+
+- https://www.qiaoqiaoyun.com
 
 
 技术支持
@@ -105,17 +111,17 @@ Docker快速启动项目
 
 
 
-=======【VUE2版本专题介绍】============================================
-
 VUE2版本专题介绍
 -----------------------------------
 #### 项目介绍 
 - 项目名称：ant-design-vue-jeecg
 - 说明：JeecgBoot前端提供两套解决方案，一套VUE2和一套VUE3版本，目前vue2版本最新代码只支持到jeecgboot 3.4.3版本，一定注意。
-- 更多介绍：[Vue2版演示](http://boot.jeecg.com) |[开发文档](http://doc.jeecg.com) 
-- [快速启动——Vue2前端](http://doc.jeecg.com/2678320)
-- [Docker启动——Vue2前端](http://doc.jeecg.com/3043612)
 
+#### 源码下载
+| 源码                | 源码地址                     | 
+|--------------------|------------------------|
+| 后端JAVA源码 `Vue2版`  |https://gitee.com/jeecg/jeecg-boot/tree/v3.4.3last    |
+| 前端vue2源码 `Vue2版`  |https://gitee.com/jeecg/ant-design-vue-jeecg    |
 
 #### Vue2与Vue3版本区别
 > - VUE3版本彻底抛弃IE兼容，不兼容IE和低版本浏览器，只适配高版本谷歌和Edge
@@ -123,21 +129,14 @@ VUE2版本专题介绍
 > - 所以如果对浏览器有要求的项目，请选择VUE2版本。
 > - VUE3版是全新的技术栈，紧跟主流（前端重写），各个功能都做了优化，拥有更好的体验效果
 
-
-#### 源码下载
-| 源码                | 源码地址                     | 
-|--------------------|------------------------|
-| 后端源码 `Vue2版`  |https://gitee.com/jeecg/jeecg-boot/tree/v3.4.3last    |
-| 前端源码 `Vue2版`  |https://gitee.com/jeecg/ant-design-vue-jeecg    |
-
-=========【VUE2版本专题介绍】=========================================
+#### 技术文档
+- 在线演示：[Vue2版演示](http://boot.jeecg.com) 
+- 开发文档：| [开发文档](http://doc.jeecg.com)  | [Vue2前端快速启动](http://doc.jeecg.com/2678320) |  [Vue2前端采用Docker启动](http://doc.jeecg.com/3043612)
 
 
 
-
-
-
-##### Star走势图
+Star走势图
+-----------------------------------
 
 [![Star History Chart](https://api.star-history.com/svg?repos=jeecgboot/jeecg-boot&type=Date)](https://star-history.com/#jeecgboot/jeecg-boot)
 
@@ -468,8 +467,11 @@ VUE2版本专题介绍
    
 ```
 
+### 流程引擎推荐
 
+JeecgBoot企业版本默认集成了activiti和flowable两套方案，大家在使用本开源项目时，如果想进一步集成流程引擎，推荐结合贺波老师的书 [《深入Activiti流程引擎：核心原理与高阶实战》](https://item.m.jd.com/product/13928958.html?gx=RnAomTM2bmCImZxDqYAkVCoIHuIYVqc)
 
+<img src="https://jeecgos.oss-cn-beijing.aliyuncs.com/files/tuijian20231220161656.png" width="25%" height="auto">
 
 
 ### 系统效果

db/其他数据库/oracle11g_dmp说明.txt

@@ -1,5 +0,0 @@
-oracle导出编码：  export NLS_LANG=AMERICAN_AMERICA.ZHS16GBK
-
-导出用户：  jeecgboot
-
-导入命令：  imp scott/tiger@orcl file=jeecgboot-oracle11g.dmp

db/增量SQL/3.5.3升级到3.5.5升级脚本.sql

@@ -1,49 +0,0 @@
--- 产品包升级sql
-INSERT INTO sys_permission(id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1609123240547344385', '1280350452934307841', '产品包分页列表查询', NULL, NULL, 0, NULL, NULL, 2, 'system:tenant:packList', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2022-12-31 17:44:11', NULL, NULL, 0, 0, '1', 0);
-INSERT INTO sys_permission(id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1609123437247619074', '1280350452934307841', '创建租户产品包', NULL, NULL, 0, NULL, NULL, 2, 'system:tenant:add:pack', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2022-12-31 17:44:58', 'admin', '2022-12-31 20:27:56', 0, 0, '1', 0);
-INSERT INTO sys_permission(id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1609164542165012482', '1280350452934307841', '编辑租户产品包', NULL, NULL, 0, NULL, NULL, 2, 'system:tenant:edit:pack', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2022-12-31 20:28:18', NULL, NULL, 0, 0, '1', 0);
-INSERT INTO sys_permission(id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1609164635442139138', '1280350452934307841', '批量删除租户产品包', NULL, NULL, 0, NULL, NULL, 2, 'system:tenant:delete:pack', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2022-12-31 20:28:41', NULL, NULL, 0, 0, '1', 0);
-
--- 新增部门默认是叶子节点，即没有子节点
-ALTER TABLE sys_depart
-MODIFY COLUMN iz_leaf tinyint(1) NULL DEFAULT 1 COMMENT '是否有叶子节点: 1是0否' AFTER tenant_id;
-
-
--- 部门数据错了修复---
-update sys_depart set iz_leaf = 0 where id in ( select a.parent_id from (select parent_id from sys_depart where parent_id!='' and parent_id is not null) as a);
-update sys_depart set iz_leaf = 1 where id not in ( select a.parent_id from (select parent_id from sys_depart where parent_id!='' and parent_id is not null) as a);
-
-
--- 日志接口类，没有加权限注解
--- vue2
-UPDATE sys_permission_v2 SET is_leaf = 0 WHERE id = '58857ff846e61794c69208e9d3a85466';
-INSERT INTO sys_permission_v2(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568280725127169', '58857ff846e61794c69208e9d3a85466', '日志列表', NULL, NULL, NULL, NULL, 2, 'system:log:list', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:25', NULL, NULL, 0);
-INSERT INTO sys_permission_v2(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568368558047234', '58857ff846e61794c69208e9d3a85466', '日志删除', NULL, NULL, NULL, NULL, 2, 'system:log:delete', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:46', NULL, NULL, 0);
-INSERT INTO sys_permission_v2(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568426632380417', '58857ff846e61794c69208e9d3a85466', '日志批量删除', NULL, NULL, NULL, NULL, 2, 'system:log:deleteBatch', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:59', NULL, NULL, 0);
-
--- vue3
-UPDATE sys_permission SET is_leaf = 0 WHERE id = '1439533711676973057';
-INSERT INTO sys_permission(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568280725127169', '1439533711676973057', '日志列表', NULL, NULL, NULL, NULL, 2, 'system:log:list', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:25', NULL, NULL, 0);
-INSERT INTO sys_permission(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568368558047234', '1439533711676973057', '日志删除', NULL, NULL, NULL, NULL, 2, 'system:log:delete', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:46', NULL, NULL, 0);
-INSERT INTO sys_permission(id, parent_id, name, url, component, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_route, is_leaf, keep_alive, hidden, hide_tab, description, status, del_flag, rule_flag, create_by, create_time, update_by, update_time, internal_or_external) VALUES ('1660568426632380417', '1439533711676973057', '日志批量删除', NULL, NULL, NULL, NULL, 2, 'system:log:deleteBatch', '1', NULL, 0, NULL, 1, 1, 0, 0, 0, NULL, '1', 0, 0, 'admin', '2023-05-22 16:48:59', NULL, NULL, 0);
-
--- 字段长度不够 ---
-ALTER TABLE sys_data_log
-MODIFY COLUMN `data_table` varchar(200) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '表名' AFTER `update_time`;
-
--- 系统通知卡顿问题性能优化 ---
-ALTER TABLE `sys_announcement_send` 
-ADD INDEX `idx_sacm_annt_id`(`annt_id`),
-ADD INDEX `idx_sacm_user_id`(`user_id`),
-ADD INDEX `idx_sacm_read_flag`(`read_flag`),
-ADD INDEX `idx_sacm_star_flag`(`star_flag`);
-
-ALTER TABLE `sys_announcement` 
-ADD INDEX `idx_sanno_endtime`(`end_time`),
-ADD INDEX `idx_sanno_start_time`(`start_time`),
-ADD INDEX `idx_sanno_msg_type`(`msg_type`),
-ADD INDEX `idx_sanno_send_status`(`send_status`),
-ADD INDEX `idx_sanno_del_flag`(`del_flag`),
-ADD INDEX `idx_sanno_tenant_id`(`tenant_id`),
-ADD INDEX `idx_sanno_sender`(`sender`),
-ADD INDEX `idx_sanno_create_time`(`create_time`);

db/增量SQL/3.6.0升级到3.6.1升级脚本.sql

@@ -0,0 +1,11 @@
+-- 新增风格一对多内嵌和Tab风格
+INSERT INTO sys_permission (id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external)
+ VALUES ('1691031996d5931315212', '1455100420297859074', 'AUTO在线一对多内嵌', '/online/cgformInnerTableList/:id', 'super/online/cgform/auto/innerTable/OnlCgformInnerTableList', 1, '', NULL, 1, NULL, '0', 1.00, 0, NULL, 1, 0, 1, 0, NULL, 'admin', '2023-08-14 18:20:20', 'admin', '2023-08-14 18:46:18', 0, 0, NULL, 0);
+INSERT INTO sys_permission (id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external)
+ VALUES ('1691031996d5931315213', '1455100420297859074', 'AUTO在线Tab风格', '/online/cgformTabList/:id', 'super/online/cgform/auto/tab/OnlCgformTabList', 1, '', NULL, 1, NULL, '0', 1.00, 0, NULL, 1, 0, 1, 0, NULL, 'admin', '2023-08-14 18:20:20', 'admin', '2023-08-14 18:46:18', 0, 0, NULL, 0);
+
+-- 【安全】online敏感接口，加权限注解（sql解析接口、同步数据库接口、导入表接口）
+INSERT INTO sys_permission (id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1699374704168534017', '1460888189937176577', 'SQL解析', NULL, NULL, 0, NULL, NULL, 2, 'online:report:parseSql', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2023-09-06 18:51:17', NULL, NULL, 0, 0, '1', 0);
+INSERT INTO sys_permission (id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1699374509749960705', '1455101470794850305', '查询数据库表名', NULL, NULL, 0, NULL, NULL, 2, 'online:form:queryTables', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2023-09-06 18:50:31', NULL, NULL, 0, 0, '1', 0);
+INSERT INTO sys_permission (id, parent_id, name, url, component, is_route, component_name, redirect, menu_type, perms, perms_type, sort_no, always_show, icon, is_leaf, keep_alive, hidden, hide_tab, description, create_by, create_time, update_by, update_time, del_flag, rule_flag, status, internal_or_external) VALUES ('1699374269152100354', '1455101470794850305', '同步数据库', NULL, NULL, 0, NULL, NULL, 2, 'online:form:syncDb', '1', NULL, 0, NULL, 1, 0, 0, 0, NULL, 'admin', '2023-09-06 18:49:33', NULL, NULL, 0, 0, '1', 0);
+update sys_permission set is_leaf=0 where id in ('1460888189937176577','1455101470794850305');

db/增量SQL/sas升级脚本.sql

@@ -0,0 +1,45 @@
+CREATE TABLE `oauth2_registered_client` (
+  `id` varchar(100) NOT NULL,
+  `client_id` varchar(100) NOT NULL,
+  `client_id_issued_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `client_secret` varchar(200) DEFAULT NULL,
+  `client_secret_expires_at` timestamp NULL DEFAULT NULL,
+  `client_name` varchar(200) NOT NULL,
+  `client_authentication_methods` varchar(1000) NOT NULL,
+  `authorization_grant_types` varchar(1000) NOT NULL,
+  `redirect_uris` varchar(1000) DEFAULT NULL,
+  `post_logout_redirect_uris` varchar(1000) DEFAULT NULL,
+  `scopes` varchar(1000) NOT NULL,
+  `client_settings` varchar(2000) NOT NULL,
+  `token_settings` varchar(2000) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
+
+INSERT INTO `oauth2_registered_client`
+(`id`,
+`client_id`,
+`client_id_issued_at`,
+`client_secret`,
+`client_secret_expires_at`,
+`client_name`,
+`client_authentication_methods`,
+`authorization_grant_types`,
+`redirect_uris`,
+`post_logout_redirect_uris`,
+`scopes`,
+`client_settings`,
+`token_settings`)
+VALUES
+('3eacac0e-0de9-4727-9a64-6bdd4be2ee1f',
+'jeecg-client',
+now(),
+'secret',
+null,
+'3eacac0e-0de9-4727-9a64-6bdd4be2ee1f',
+'client_secret_basic',
+'refresh_token,authorization_code,password,app,phone,social',
+'http://127.0.0.1:8080/jeecg-',
+'http://127.0.0.1:8080/',
+'*',
+'{"@class":"java.util.Collections$UnmodifiableMap","settings.client.require-proof-key":false,"settings.client.require-authorization-consent":true}',
+'{"@class":"java.util.Collections$UnmodifiableMap","settings.token.reuse-refresh-tokens":true,"settings.token.id-token-signature-algorithm":["org.springframework.security.oauth2.jose.jws.SignatureAlgorithm","RS256"],"settings.token.access-token-time-to-live":["java.time.Duration",300000.000000000],"settings.token.access-token-format":{"@class":"org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat","value":"self-contained"},"settings.token.refresh-token-time-to-live":["java.time.Duration",3600.000000000],"settings.token.authorization-code-time-to-live":["java.time.Duration",300000.000000000],"settings.token.device-code-time-to-live":["java.time.Duration",300000.000000000]}');

db/增量SQL/版本升级说明.txt

@@ -2,9 +2,9 @@
 
   JeecgBoot属于平台级产品，每次升级改动内容较多，目前做不到平滑升级。
 
-  这里给用户的升级建议是这样的：
-  1.代码升级  => 本地版本通过svn或者git做好主干，在分支上做业务开发，jeecg每次版本发布，可以手工覆盖主干的代码，对比代码进行提交；
-  2.数据库升级 => 针对数据库我们每次发布会提供增量升级SQL，可以通过增量SQL实现数据库的升级。
+  升级方案建议：
+  1.代码升级  => 本地版本通过svn或者git做好主干，在分支上做业务开发，jeecg每次版本发布，可以手工覆盖主干的代码，对比合并代码；
+  2.数据库升级 => 针对数据库我们每次发布会提供增量升级SQL，可以通过执行增量SQL实现数据库的升级。
   3.兼容问题 => 每次版本发布会针对不兼容地方标注说明，需要手工修改不兼容的代码。
 
   注意： 升级sql目前只提供mysql版本，执行完脚步后，新菜单需要手工进行角色授权，刷新首页才会出现。

docker-compose.yml

@@ -19,6 +19,8 @@ services:
       --default-authentication-plugin=caching_sha2_password
     ports:
       - 3306:3306
+    networks:
+      - jeecg-boot
 
   jeecg-boot-redis:
     image: redis:5.0
@@ -27,6 +29,8 @@ services:
     restart: always
     hostname: jeecg-boot-redis
     container_name: jeecg-boot-redis
+    networks:
+      - jeecg-boot
 
   jeecg-boot-system:
     build:
@@ -39,4 +43,10 @@ services:
     image: jeecg-boot-system
     hostname: jeecg-boot-system
     ports:
-      - 8080:8080
+      - 8080:8080
+    networks:
+      - jeecg-boot
+
+networks:
+  jeecg-boot:
+    name: jeecg_boot

jeecg-boot-base-core/pom.xml

@@ -4,11 +4,15 @@
 	<parent>
 		<groupId>org.jeecgframework.boot</groupId>
 		<artifactId>jeecg-boot-parent</artifactId>
-		<version>3.5.5</version>
+		<version>3.6.1</version>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>jeecg-boot-base-core</artifactId>
 
+	<properties>
+		<spring-boot.version>3.1.5</spring-boot.version>
+	</properties>
+
 	<repositories>
 		<repository>
 			<id>aliyun</id>
@@ -43,12 +47,22 @@
 		<!--jeecg-tools-->
 		<dependency>
 			<groupId>org.jeecgframework.boot</groupId>
-			<artifactId>jeecg-boot-common</artifactId>
+			<artifactId>jeecg-boot-common3</artifactId>
 		</dependency>
 		<!--集成springmvc框架并实现自动配置 -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-tomcat</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-undertow</artifactId>
 		</dependency>
 		<!-- websocket -->
 		<dependency>
@@ -105,14 +119,14 @@
 		<!-- druid -->
 		<dependency>
 			<groupId>com.alibaba</groupId>
-			<artifactId>druid-spring-boot-starter</artifactId>
+			<artifactId>druid-spring-boot-3-starter</artifactId>
 			<version>${druid.version}</version>
 		</dependency>
 
 		<!-- 动态数据源 -->
 		<dependency>
 			<groupId>com.baomidou</groupId>
-			<artifactId>dynamic-datasource-spring-boot-starter</artifactId>
+			<artifactId>dynamic-datasource-spring-boot3-starter</artifactId>
 			<version>${dynamic-datasource-spring-boot-starter.version}</version>
 		</dependency>
 
@@ -159,29 +173,25 @@
 			<version>${java-jwt.version}</version>
 		</dependency>
 
-		<!--shiro-->
+
 		<dependency>
-			<groupId>org.apache.shiro</groupId>
-			<artifactId>shiro-spring-boot-starter</artifactId>
-			<version>${shiro.version}</version>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-authorization-server</artifactId>
 		</dependency>
-		<!-- shiro-redis -->
 		<dependency>
-			<groupId>org.crazycake</groupId>
-			<artifactId>shiro-redis</artifactId>
-			<version>${shiro-redis.version}</version>
-			<exclusions>
-				<exclusion>
-					<groupId>org.apache.shiro</groupId>
-					<artifactId>shiro-core</artifactId>
-				</exclusion>
-			</exclusions>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
+		<!-- 添加spring security cas支持 -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-cas</artifactId>
 		</dependency>
 
 		<!-- knife4j -->
 		<dependency>
 			<groupId>com.github.xiaoymin</groupId>
-			<artifactId>knife4j-spring-boot-starter</artifactId>
+			<artifactId>knife4j-openapi3-jakarta-spring-boot-starter</artifactId>
 			<version>${knife4j-spring-boot-starter.version}</version>
 		</dependency>
 
@@ -195,7 +205,7 @@
 
 		<!-- AutoPoi Excel工具类-->
 		<dependency>
-			<groupId>org.jeecgframework</groupId>
+			<groupId>org.jeecgframework.boot3</groupId>
 			<artifactId>autopoi-web</artifactId>
 			<version>${autopoi-web.version}</version>
 			<exclusions>
@@ -238,6 +248,16 @@
 		<dependency>
 			<groupId>com.xkcoding.justauth</groupId>
 			<artifactId>justauth-spring-boot-starter</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-autoconfigure</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-configuration-processor</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>com.squareup.okhttp3</groupId>
@@ -252,6 +272,15 @@
 			<groupId>commons-fileupload</groupId>
 			<artifactId>commons-fileupload</artifactId>
 		</dependency>
+		<!--加载hutool-->
+		<dependency>
+			<groupId>cn.hutool</groupId>
+			<artifactId>hutool-core</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>cn.hutool</groupId>
+			<artifactId>hutool-crypto</artifactId>
+		</dependency>
 	</dependencies>
 
 </project>

jeecg-boot-base-core/src/main/java/org/apache/shiro/SecurityUtils.java

@@ -0,0 +1,21 @@
+package org.apache.shiro;
+
+import org.apache.shiro.subject.Subject;
+
+/**
+ * 兼容处理Online功能使用处理，请勿修改
+ * @author eightmonth@qq.com
+ * @date 2024/4/29 14:05
+ */
+public class SecurityUtils {
+
+
+    public static Subject getSubject() {
+        return new Subject() {
+            @Override
+            public Object getPrincipal() {
+                return Subject.super.getPrincipal();
+            }
+        };
+    }
+}

jeecg-boot-base-core/src/main/java/org/apache/shiro/subject/Subject.java

@@ -0,0 +1,14 @@
+package org.apache.shiro.subject;
+
+import org.jeecg.config.security.utils.SecureUtil;
+
+/**
+ * 兼容处理Online功能使用处理，请勿修改
+ * @author eightmonth@qq.com
+ * @date 2024/4/29 14:18
+ */
+public interface Subject {
+    default Object getPrincipal() {
+        return SecureUtil.currentUser();
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/api/CommonAPI.java

@@ -1,5 +1,6 @@
 package org.jeecg.common.api;
 
+import com.alibaba.fastjson.JSONObject;
 import org.jeecg.common.system.vo.*;
 
 import java.util.List;
@@ -50,6 +51,13 @@ public interface CommonAPI {
      */
     public LoginUser getUserByName(String username);
 
+    /**
+     * 5根据用户手机号查询用户信息
+     * @param username
+     * @return
+     */
+    public LoginUser getUserByPhone(String phone);
+
 
     /**
      * 6字典表的 翻译
@@ -102,12 +110,12 @@ public interface CommonAPI {
 
     /**
      * 13获取表数据字典
-     * @param table
+     * @param tableFilterSql
      * @param text
      * @param code
      * @return
      */
-    List<DictModel> queryTableDictItemsByCode(String table, String text, String code);
+    List<DictModel> queryTableDictItemsByCode(String tableFilterSql, String text, String code);
 
     /**
      * 14 普通字典的翻译，根据多个dictCode和多条数据，多个以逗号分割
@@ -127,4 +135,31 @@ public interface CommonAPI {
      */
     List<DictModel> translateDictFromTableByKeys(String table, String text, String code, String keys);
 
+    /**
+     * 登录加载系统字典
+     * @return
+     */
+    Map<String,List<DictModel>> queryAllDictItems();
+
+    /**
+     * 查询SysDepart集合
+     * @param userId
+     * @return
+     */
+    List<SysDepartModel> queryUserDeparts(String userId);
+
+    /**
+     * 根据用户名设置部门ID
+     * @param username
+     * @param orgCode
+     */
+    void updateUserDepart(String username,String orgCode,Integer loginTenantId);
+
+    /**
+     * 设置登录租户
+     * @param username
+     * @return
+     */
+    JSONObject setLoginTenant(String username);
+
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/api/dto/FileDownDTO.java

@@ -2,7 +2,7 @@ package org.jeecg.common.api.dto;
 
 import lombok.Data;
 
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.Serializable;
 
 /**

jeecg-boot-base-core/src/main/java/org/jeecg/common/api/dto/message/MessageDTO.java

@@ -4,7 +4,7 @@ import lombok.Data;
 import org.jeecg.common.constant.CommonConstant;
 
 import java.io.Serializable;
-import java.util.Map;
+import java.util.*;
 
 /**
  * 普通消息
@@ -43,14 +43,7 @@ public class MessageDTO implements Serializable {
      * 消息类型 1:消息  2:系统消息
      */
     protected String category;
-
-    //-----------------------------------------------------------------------
-    //update-begin---author:taoyan ---date:20220705  for：支持自定义推送类型，邮件、钉钉、企业微信、系统消息-----------
-
-    /**
-     * 模板消息对应的模板编码
-     */
-    protected String templateCode;
+    
     /**
      * 消息类型：org.jeecg.common.constant.enums.MessageTypeEnum
      *  XT("system",  "系统消息")
@@ -60,23 +53,38 @@ public class MessageDTO implements Serializable {
      */
     protected String type;
     
+
+    //---【推送模板相关参数】-------------------------------------------------------------
     /**
      * 是否发送Markdown格式的消息
      */
     protected boolean isMarkdown;
-
+    /**
+     * 模板消息对应的模板编码
+     */
+    protected String templateCode;
     /**
      * 解析模板内容 对应的数据
      */
     protected Map<String, Object> data;
-    //update-end---author:taoyan ---date::20220705  for：支持自定义推送类型，邮件、钉钉、企业微信、系统消息-----------
-    //-----------------------------------------------------------------------
-
+    //---【推送模板相关参数】-------------------------------------------------------------
 
+    //---【邮件相关参数】-------------------------------------------------------------
     /**
-     * 抄送人
+     * 邮件抄送人
      */
     private String copyToUser;
+
+    /**
+     * 邮件推送地址
+     */
+    protected Set<String> toEmailList;
+
+    /**
+     * 邮件抄送地址
+     */
+    protected Set<String> ccEmailList;
+    //---【邮件相关参数】-------------------------------------------------------------
     
     public MessageDTO(){
     }

jeecg-boot-base-core/src/main/java/org/jeecg/common/api/vo/Result.java

@@ -1,8 +1,7 @@
 package org.jeecg.common.api.vo;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
-import io.swagger.annotations.ApiModel;
-import io.swagger.annotations.ApiModelProperty;
+import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.Data;
 import org.jeecg.common.constant.CommonConstant;
 
@@ -15,7 +14,7 @@ import java.io.Serializable;
  * @date  2019年1月19日
  */
 @Data
-@ApiModel(value="接口返回对象", description="接口返回对象")
+@Schema(description="接口返回对象")
 public class Result<T> implements Serializable {
 
 	private static final long serialVersionUID = 1L;
@@ -23,31 +22,31 @@ public class Result<T> implements Serializable {
 	/**
 	 * 成功标志
 	 */
-	@ApiModelProperty(value = "成功标志")
+	@Schema(description = "成功标志")
 	private boolean success = true;
 
 	/**
 	 * 返回处理消息
 	 */
-	@ApiModelProperty(value = "返回处理消息")
+	@Schema(description = "返回处理消息")
 	private String message = "";
 
 	/**
 	 * 返回代码
 	 */
-	@ApiModelProperty(value = "返回代码")
+	@Schema(description = "返回代码")
 	private Integer code = 0;
 	
 	/**
 	 * 返回数据对象 data
 	 */
-	@ApiModelProperty(value = "返回数据对象")
+	@Schema(description = "返回数据对象")
 	private T result;
 	
 	/**
 	 * 时间戳
 	 */
-	@ApiModelProperty(value = "时间戳")
+	@Schema(description = "时间戳")
 	private long timestamp = System.currentTimeMillis();
 
 	public Result() {

jeecg-boot-base-core/src/main/java/org/jeecg/common/aspect/AutoLogAspect.java

@@ -1,8 +1,8 @@
 package org.jeecg.common.aspect;
 
+import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONObject;
 import com.alibaba.fastjson.serializer.PropertyFilter;
-import org.apache.shiro.SecurityUtils;
 import org.aspectj.lang.JoinPoint;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
@@ -15,19 +15,21 @@ import org.jeecg.common.aspect.annotation.AutoLog;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.enums.ModuleType;
 import org.jeecg.common.constant.enums.OperateTypeEnum;
+import org.jeecg.config.security.utils.SecureUtil;
 import org.jeecg.modules.base.service.BaseCommonService;
 import org.jeecg.common.system.vo.LoginUser;
 import org.jeecg.common.util.IpUtils;
 import org.jeecg.common.util.SpringContextUtils;
 import org.jeecg.common.util.oConvertUtils;
 import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.multipart.MultipartFile;
-import javax.annotation.Resource;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.annotation.Resource;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 import java.lang.reflect.Method;
 import java.util.Date;
 
@@ -100,7 +102,7 @@ public class AutoLogAspect {
         //设置IP地址
         dto.setIp(IpUtils.getIpAddr(request));
         //获取登录用户信息
-        LoginUser sysUser = (LoginUser) SecurityUtils.getSubject().getPrincipal();
+        LoginUser sysUser = SecureUtil.currentUser();
         if(sysUser!=null){
             dto.setUserid(sysUser.getUsername());
             dto.setUsername(sysUser.getRealname());
@@ -158,6 +160,9 @@ public class AutoLogAspect {
                     if(value!=null && value.toString().length()>length){
                         return false;
                     }
+                    if(value instanceof MultipartFile){
+                        return false;
+                    }
                     return true;
                 }
             };

jeecg-boot-base-core/src/main/java/org/jeecg/common/aspect/PermissionDataAspect.java

@@ -21,7 +21,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.lang.reflect.Method;
 import java.util.List;
 

jeecg-boot-base-core/src/main/java/org/jeecg/common/aspect/annotation/AutoLowApp.java

@@ -1,33 +0,0 @@
-package org.jeecg.common.aspect.annotation;
-
-import java.lang.annotation.*;
-
-import org.jeecg.common.constant.enums.LowAppAopEnum;
-
-/**
- * 自动注入low_app_id
- * 
- * @Author scott
- * @email jeecgos@163.com
- * @Date 2022年01月05日
- */
-@Target(ElementType.METHOD)
-@Retention(RetentionPolicy.RUNTIME)
-@Documented
-public @interface AutoLowApp {
-
-	/**
-	 * 切面类型（add、delete、db_import等其他操作）
-	 *
-	 * @return
-	 */
-	LowAppAopEnum action();
-
-	/**
-	 * 业务类型（cgform等）
-	 *
-	 * @return
-	 */
-	String bizType();
-
-}

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/CommonConstant.java

@@ -78,7 +78,7 @@ public interface CommonConstant {
     /** 登录用户Shiro权限缓存KEY前缀 */
     public static String PREFIX_USER_SHIRO_CACHE  = "shiro:cache:org.jeecg.config.shiro.ShiroRealm.authorizationCache:";
     /** 登录用户Token令牌缓存KEY前缀 */
-    String PREFIX_USER_TOKEN  = "prefix_user_token:";
+    String PREFIX_USER_TOKEN  = "token::jeecg-client::";
 //    /** Token缓存时间：3600秒即一小时 */
 //    int  TOKEN_EXPIRE_TIME  = 3600;
 
@@ -112,8 +112,8 @@ public interface CommonConstant {
     String HAS_CANCLE  = "2";
     
     /**阅读状态（0未读，1已读）*/
-    String HAS_READ_FLAG  = "1";
-    String NO_READ_FLAG  = "0";
+    Integer HAS_READ_FLAG  = 1;
+    Integer NO_READ_FLAG  = 0;
     
     /**优先级（L低，M中，H高）*/
     String PRIORITY_L  = "L";
@@ -160,6 +160,8 @@ public interface CommonConstant {
     
     /**字典翻译文本后缀*/
     String DICT_TEXT_SUFFIX = "_dictText";
+    /**字典翻译颜色后缀*/
+    String DICT_COLOR_SUFFIX = "_dictColor";
 
     /**
      * 表单设计器主表类型
@@ -315,6 +317,8 @@ public interface CommonConstant {
     String X_TIMESTAMP = "X-TIMESTAMP";
     /** 租户请求头 更名为：X-Tenant-Id */
     String TENANT_ID = "X-Tenant-Id";
+    /** 简流接口请求头，用于排除不支持的控件字段  */
+    String X_MiniFlowExclusionFieldMode = "X-Miniflowexclusionfieldmode";
     /**===============================================================================================*/
 
     String TOKEN_IS_INVALID_MSG = "Token失效，请重新登录!";
@@ -388,6 +392,7 @@ public interface CommonConstant {
     /** 部门表唯一key，orgCode */
     String DEPART_KEY_ORG_CODE = "orgCode";
 
+    /**======【消息推送相关】==============================================================================*/
     /**
      * 发消息 会传递一些信息到map
      */
@@ -398,6 +403,11 @@ public interface CommonConstant {
      */
     String NOTICE_MSG_BUS_ID = "NOTICE_MSG_BUS_ID";
 
+   /**
+    * 发消息 消息业务类型
+    */
+   String NOTICE_MSG_BUS_TYPE = "NOTICE_MSG_BUS_TYPE";
+
     /**
      * 邮箱消息中地址登录时地址后携带的token,需要替换成真实的token值
      */
@@ -420,6 +430,7 @@ public interface CommonConstant {
 
     /** 消息模板：markdown */
     String MSG_TEMPLATE_TYPE_MD = "5";
+    /**========【消息推送相关】==========================================================================*/
 
     /**
      * 短信验证码redis-key的前缀
@@ -481,6 +492,11 @@ public interface CommonConstant {
     */
    String USER_TENANT_REFUSE = "4";
 
+   /**
+    * 用户租户状态(邀请)
+    */
+   String USER_TENANT_INVITE = "5";
+   
    /**
     * 不是叶子节点
     */
@@ -490,4 +506,71 @@ public interface CommonConstant {
     * 是叶子节点
     */
    Integer IS_LEAF = 1;
+
+   /**
+    * 钉钉
+    */
+   String DINGTALK = "DINGTALK";
+
+   /**
+    * 企业微信
+    */
+   String WECHAT_ENTERPRISE = "WECHAT_ENTERPRISE";
+
+  /**
+   * 系统默认租户id 0
+   */
+  Integer TENANT_ID_DEFAULT_VALUE = 0;
+
+ /**
+  * 【low-app用】 应用级别的复制
+  */
+ String COPY_LEVEL_APP = "app";
+
+ /**
+  * 【low-app用】 菜单级别的复制
+  */
+ String COPY_LEVEL_MENU = "menu";
+
+
+ /**
+  * 【low-app用】 应用备份
+  */
+ String COPY_LEVEL_BAK = "backup";
+
+ /**
+  * 【low-app用】 从备份还原
+  */
+ String COPY_LEVEL_COVER = "cover";
+
+ /** 【QQYUN-6034】关联字段变更历史值，缓存半个小时 */
+ String CACHE_REL_FIELD_OLD_VAL = "sys:cache:desform:relFieldOldVal:";
+
+    /**
+     * 排序类型：升序
+     */
+    String ORDER_TYPE_ASC = "ASC";
+    /**
+     * 排序类型：降序
+     */
+    String ORDER_TYPE_DESC = "DESC";
+
+
+   //update-begin---author:scott ---date:2023-09-10  for：积木报表常量----
+   /**
+    * 报表允许设计开发的角色
+    */
+   public static String[] allowDevRoles = new String[]{"lowdeveloper", "admin"};
+   /**
+    * 【对应积木报表的常量】
+    * 数据隔离模式： 按照创建人隔离
+    */
+   public static final String SAAS_MODE_CREATED = "created";
+   /**
+    * 【对应积木报表的常量】
+    * 数据隔离模式： 按照租户隔离
+    */
+   public static final String SAAS_MODE_TENANT = "tenant";
+   //update-end---author:scott ---date::2023-09-10  for：积木报表常量----
+ 
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/CommonSendStatus.java

@@ -28,12 +28,21 @@ public interface CommonSendStatus {
 	public static final String  APP_SESSION_SUFFIX = "_app";
 
 
+	/**-----【流程相关通知模板code】------------------------------------------------------------*/
 	/**流程催办——系统通知消息模板*/
 	public static final String TZMB_BPM_CUIBAN = "bpm_cuiban";
+	/**流程抄送——系统通知消息模板*/
+	public static final String TZMB_BPM_CC = "bpm_cc";
 	/**流程催办——邮件通知消息模板*/
 	public static final String TZMB_BPM_CUIBAN_EMAIL = "bpm_cuiban_email";
 	/**标准模板—系统消息通知*/
 	public static final String TZMB_SYS_TS_NOTE = "sys_ts_note";
 	/**流程超时提醒——系统通知消息模板*/
 	public static final String TZMB_BPM_CHAOSHI_TIP = "bpm_chaoshi_tip";
+	/**-----【流程相关通知模板code】-----------------------------------------------------------*/
+
+	/**
+	 * 系统通知拓展参数（比如：用于流程抄送和催办通知，这里额外传递流程跳转页面所需要的路由参数）
+	 */
+	public static final String MSG_ABSTRACT_JSON = "msg_abstract";
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/SymbolConstant.java

@@ -116,4 +116,8 @@ public class SymbolConstant {
      */
     public static final String SQUARE_BRACKETS_RIGHT = "]";
 
+    /**
+     * 拼接字符串符号 分号 ;
+     */
+    public static final String SEMICOLON = ";";
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/CgformEnum.java

@@ -28,7 +28,7 @@ public enum CgformEnum {
     /**
      * 多表 (erp风格)
      */
-    ERP(2, "erp", "/jeecg/code-template-online", "erp.onetomany", "ERP风格" ,new String[]{"vue3","vue"}),
+    ERP(2, "erp", "/jeecg/code-template-online", "erp.onetomany", "ERP风格" ,new String[]{"vue3","vue","vue3Native"}),
     /**
      * 多表（内嵌子表风格）
      */

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/DySmsEnum.java

@@ -1,4 +1,4 @@
-package org.jeecg.common.util;
+package org.jeecg.common.constant.enums;
 
 import org.apache.commons.lang3.StringUtils;
 
@@ -17,7 +17,11 @@ public enum DySmsEnum {
 	/**会议通知*/
 	MEET_NOTICE_TEMPLATE_CODE("SMS_201480469","JEECG","username,title,minute,time"),
 	/**我的计划通知*/
-	PLAN_NOTICE_TEMPLATE_CODE("SMS_201470515","JEECG","username,title,time");
+	PLAN_NOTICE_TEMPLATE_CODE("SMS_201470515","JEECG","username,title,time"),
+	/**支付成功短信通知*/
+	PAY_SUCCESS_NOTICE_CODE("SMS_461735163","敲敲云","realname,money,endTime"),
+	/**会员到期通知提醒*/
+	VIP_EXPIRE_NOTICE_CODE("SMS_461885023","敲敲云","realname,endTime");
 
 	/**
 	 * 短信模板编码

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/EmailTemplateEnum.java

@@ -0,0 +1,66 @@
+package org.jeecg.common.constant.enums;
+
+import org.jeecg.common.util.oConvertUtils;
+
+/**
+ * 邮件html模板配置地址美剧
+ *
+ * @author: liusq
+ * @Date: 2023-10-13
+ */
+public enum EmailTemplateEnum {
+    /**
+     * 流程催办
+     */
+    BPM_CUIBAN_EMAIL("bpm_cuiban_email", "/templates/email/bpm_cuiban_email.ftl"),
+    /**
+     * 流程新任务
+     */
+    BPM_NEW_TASK_EMAIL("bpm_new_task_email", "/templates/email/bpm_new_task_email.ftl"),
+    /**
+     * 表单新增记录
+     */
+    DESFORM_NEW_DATA_EMAIL("desform_new_data_email", "/templates/email/desform_new_data_email.ftl");
+
+    /**
+     * 模板名称
+     */
+    private String name;
+    /**
+     * 模板地址
+     */
+    private String url;
+
+    EmailTemplateEnum(String name, String url) {
+        this.name = name;
+        this.url = url;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public static EmailTemplateEnum getByName(String name) {
+        if (oConvertUtils.isEmpty(name)) {
+            return null;
+        }
+        for (EmailTemplateEnum val : values()) {
+            if (val.getName().equals(name)) {
+                return val;
+            }
+        }
+        return null;
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/FileTypeEnum.java

@@ -6,7 +6,7 @@ import org.jeecg.common.util.oConvertUtils;
  * 文件类型
  */
 public enum FileTypeEnum {
-    //    文档类型（folder:文件夹 excel:excel doc:word pp:ppt image:图片  archive:其他文档 video:视频）
+    //    文档类型（folder:文件夹 excel:excel doc:word pp:ppt image:图片  archive:其他文档 video:视频 voice:语音）
 //    FOLDER
     xls(".xls","excel","excel"),
     xlsx(".xlsx","excel","excel"),
@@ -26,7 +26,8 @@ public enum FileTypeEnum {
     flv(".flv","video","视频"),
     mp4(".mp4","video","视频"),
     zip(".zip","zip","压缩包"),
-    pdf(".pdf","pdf","pdf");
+    pdf(".pdf","pdf","pdf"),
+    mp3(".mp3","mp3","语音");
 
     private String type;
     private String value;

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/LowAppAopEnum.java

@@ -1,30 +0,0 @@
-package org.jeecg.common.constant.enums;
-
-/**
- * LowApp 切面注解枚举
- * @date 2022-1-5
- * @author: jeecg-boot
- */
-public enum LowAppAopEnum {
-
-    /**
-     * 新增方法
-     */
-    ADD,
-    /**
-     * 删除方法（包含单个和批量删除）
-     */
-    DELETE,
-    /** 复制表单操作 */
-    COPY,
-
-    /**
-     * Online表单专用：数据库表转Online表单
-     */
-    CGFORM_DB_IMPORT,
-
-    /**
-     * 表单设计器专用：子表转工作表
-     */
-    DESFORM_SUB2WORK
-}

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/SysAnnmentTypeEnum.java

@@ -1,4 +1,6 @@
-package org.jeecg.common.util;
+package org.jeecg.common.constant.enums;
+
+import org.jeecg.common.util.oConvertUtils;
 
 /**
  * 系统公告自定义跳转方式
@@ -12,7 +14,16 @@ public enum SysAnnmentTypeEnum {
     /**
      * 流程跳转到我的任务
      */
-    BPM("bpm", "url", "/bpm/task/MyTaskList");
+    BPM("bpm", "url", "/bpm/task/MyTaskList"),
+    
+    /**
+     * 流程抄送任务
+     */
+    BPM_VIEW("bpm_cc", "url", "/bpm/task/MyTaskList"),
+    /**
+     * 邀请用户跳转到个人设置
+     */
+    TENANT_INVITE("tenant_invite", "url", "/system/usersetting");
 
     /**
      * 业务类型(email:邮件 bpm:流程)

jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/enums/Vue3MessageHrefEnum.java

@@ -1,4 +1,4 @@
-package org.jeecg.modules.message.enums;
+package org.jeecg.common.constant.enums;
 
 import org.jeecg.common.system.annotation.EnumDict;
 import org.jeecg.common.system.vo.DictModel;
@@ -18,6 +18,16 @@ public enum Vue3MessageHrefEnum {
      * 流程催办
      */
     BPM("bpm", "/task/myHandleTaskInfo"),
+    
+    /**
+     * 系统消息通知
+     */
+    BPM_SYSTEM_MSG("bpm_msg_node", ""),
+    
+    /**
+     * 流程抄送任务
+     */
+    BPM_VIEW("bpm_cc", "/task/myHandleTaskInfo"),
 
     /**
      * 节点通知

jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgBootExceptionHandler.java

@@ -2,16 +2,17 @@ package org.jeecg.common.exception;
 
 import cn.hutool.core.util.ObjectUtil;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.shiro.authz.AuthorizationException;
-import org.apache.shiro.authz.UnauthorizedException;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.enums.SentinelErrorInfoEnum;
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.data.redis.connection.PoolException;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.web.HttpRequestMethodNotSupportedException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import org.springframework.web.multipart.MaxUploadSizeExceededException;
@@ -27,6 +28,24 @@ import org.springframework.web.servlet.NoHandlerFoundException;
 @Slf4j
 public class JeecgBootExceptionHandler {
 
+	/**
+	 * 验证码错误异常
+	 */
+
+	@ExceptionHandler(JeecgCaptchaException.class)
+	@ResponseStatus(HttpStatus.OK)
+	public Result<?> handleJeecgCaptchaException(JeecgCaptchaException e) {
+		log.error(e.getMessage(), e);
+		return Result.error(e.getCode(), e.getMessage());
+	}
+
+	@ExceptionHandler(AuthenticationException.class)
+	@ResponseStatus(HttpStatus.OK)
+	public Result<?> handleJeecgCaptchaException(AuthenticationException e) {
+		log.error(e.getMessage(), e);
+		return Result.error(401, e.getMessage());
+	}
+
 	/**
 	 * 处理自定义异常
 	 */
@@ -67,9 +86,8 @@ public class JeecgBootExceptionHandler {
 		return Result.error("数据库中已存在该记录");
 	}
 
-	@ExceptionHandler({UnauthorizedException.class, AuthorizationException.class})
-	public Result<?> handleAuthorizationException(AuthorizationException e){
-		log.error(e.getMessage(), e);
+	@ExceptionHandler(AccessDeniedException.class)
+	public Result<?> handleAuthorizationException(AccessDeniedException e){
 		return Result.noauth("没有权限，请联系管理员授权");
 	}
 

jeecg-boot-base-core/src/main/java/org/jeecg/common/exception/JeecgCaptchaException.java

@@ -0,0 +1,28 @@
+package org.jeecg.common.exception;
+
+import lombok.Data;
+
+/**
+ * @author kezhijie@wuhandsj.com
+ * @date 2024/1/2 11:38
+ */
+@Data
+public class JeecgCaptchaException extends RuntimeException{
+
+    private Integer code;
+
+    private static final long serialVersionUID = -9093410345065209053L;
+
+    public JeecgCaptchaException(Integer code, String message) {
+        super(message);
+        this.code = code;
+    }
+
+    public JeecgCaptchaException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public JeecgCaptchaException(Throwable cause) {
+        super(cause);
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/base/controller/JeecgController.java

@@ -1,17 +1,18 @@
 package org.jeecg.common.system.base.controller;
 
+import com.alibaba.fastjson.JSON;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
 import com.baomidou.mybatisplus.extension.service.IService;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.beanutils.PropertyUtils;
-import org.apache.shiro.SecurityUtils;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.system.vo.LoginUser;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.config.JeecgBaseConfig;
+import org.jeecg.config.security.utils.SecureUtil;
 import org.jeecgframework.poi.excel.ExcelImportUtil;
 import org.jeecgframework.poi.excel.def.NormalExcelConstants;
 import org.jeecgframework.poi.excel.entity.ExportParams;
@@ -19,17 +20,16 @@ import org.jeecgframework.poi.excel.entity.ImportParams;
 import org.jeecgframework.poi.excel.entity.enmus.ExcelType;
 import org.jeecgframework.poi.excel.view.JeecgEntityExcelView;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.MultipartHttpServletRequest;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.annotation.Resource;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.*;
-import java.util.stream.Collectors;
 
 /**
  * @Description: Controller基类
@@ -53,7 +53,7 @@ public class JeecgController<T, S extends IService<T>> {
     protected ModelAndView exportXls(HttpServletRequest request, T object, Class<T> clazz, String title) {
         // Step.1 组装查询条件
         QueryWrapper<T> queryWrapper = QueryGenerator.initQueryWrapper(object, request.getParameterMap());
-        LoginUser sysUser = (LoginUser) SecurityUtils.getSubject().getPrincipal();
+        LoginUser sysUser = SecureUtil.currentUser();
 
         // 过滤选中数据
         String selections = request.getParameter("selections");
@@ -70,7 +70,7 @@ public class JeecgController<T, S extends IService<T>> {
         mv.addObject(NormalExcelConstants.FILE_NAME, title);
         mv.addObject(NormalExcelConstants.CLASS, clazz);
         //update-begin--Author:liusq  Date:20210126 for：图片导出报错，ImageBasePath未设置--------------------
-        ExportParams  exportParams=new ExportParams(title + "报表", "导出人:" + sysUser.getRealname(), title);
+        ExportParams exportParams=new ExportParams(title + "报表", "导出人:" + sysUser.getRealname(), title);
         exportParams.setImageBasePath(jeecgBaseConfig.getPath().getUpload());
         //update-end--Author:liusq  Date:20210126 for：图片导出报错，ImageBasePath未设置----------------------
         mv.addObject(NormalExcelConstants.PARAMS,exportParams);
@@ -91,7 +91,7 @@ public class JeecgController<T, S extends IService<T>> {
     protected ModelAndView exportXlsSheet(HttpServletRequest request, T object, Class<T> clazz, String title,String exportFields,Integer pageNum) {
         // Step.1 组装查询条件
         QueryWrapper<T> queryWrapper = QueryGenerator.initQueryWrapper(object, request.getParameterMap());
-        LoginUser sysUser = (LoginUser) SecurityUtils.getSubject().getPrincipal();
+        LoginUser sysUser = SecureUtil.currentUser();
         // Step.2 计算分页sheet数据
         double total = service.count();
         int count = (int)Math.ceil(total/pageNum);
@@ -110,7 +110,7 @@ public class JeecgController<T, S extends IService<T>> {
             IPage<T> pageList = service.page(page, queryWrapper);
             List<T> exportList = pageList.getRecords();
             Map<String, Object> map = new HashMap<>(5);
-            ExportParams  exportParams=new ExportParams(title + "报表", "导出人:" + sysUser.getRealname(), title+i,jeecgBaseConfig.getPath().getUpload());
+            ExportParams exportParams=new ExportParams(title + "报表", "导出人:" + sysUser.getRealname(), title+i,jeecgBaseConfig.getPath().getUpload());
             exportParams.setType(ExcelType.XSSF);
             //map.put("title",exportParams);
             //表格Title

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/base/entity/JeecgEntity.java

@@ -9,10 +9,10 @@ import com.baomidou.mybatisplus.annotation.IdType;
 import com.baomidou.mybatisplus.annotation.TableId;
 import com.fasterxml.jackson.annotation.JsonFormat;
 
-import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 import lombok.experimental.Accessors;
+import io.swagger.v3.oas.annotations.media.Schema;
 
 /**
  * @Description: Entity基类
@@ -30,20 +30,20 @@ public class JeecgEntity implements Serializable {
      * ID
      */
     @TableId(type = IdType.ASSIGN_ID)
-    @ApiModelProperty(value = "ID")
+    @Schema(description = "ID")
     private java.lang.String id;
 
     /**
      * 创建人
      */
-    @ApiModelProperty(value = "创建人")
+    @Schema(description = "创建人")
     @Excel(name = "创建人", width = 15)
     private java.lang.String createBy;
 
     /**
      * 创建时间
      */
-    @ApiModelProperty(value = "创建时间")
+    @Schema(description = "创建时间")
     @Excel(name = "创建时间", width = 20, format = "yyyy-MM-dd HH:mm:ss")
     @JsonFormat(timezone = "GMT+8", pattern = "yyyy-MM-dd HH:mm:ss")
     @DateTimeFormat(pattern = "yyyy-MM-dd HH:mm:ss")
@@ -52,14 +52,14 @@ public class JeecgEntity implements Serializable {
     /**
      * 更新人
      */
-    @ApiModelProperty(value = "更新人")
+    @Schema(description = "更新人")
     @Excel(name = "更新人", width = 15)
     private java.lang.String updateBy;
 
     /**
      * 更新时间
      */
-    @ApiModelProperty(value = "更新时间")
+    @Schema(description = "更新时间")
     @Excel(name = "更新时间", width = 20, format = "yyyy-MM-dd HH:mm:ss")
     @JsonFormat(timezone = "GMT+8", pattern = "yyyy-MM-dd HH:mm:ss")
     @DateTimeFormat(pattern = "yyyy-MM-dd HH:mm:ss")

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryCondition.java

@@ -20,6 +20,14 @@ public class QueryCondition implements Serializable {
 	private String dbType;
 	private String rule;
 	private String val;
+
+	public QueryCondition(String field, String type, String dbType, String rule, String val) {
+		this.field = field;
+		this.type = type;
+		this.dbType = dbType;
+		this.rule = rule;
+		this.val = val;
+	}
 	
 	public String getField() {
 		return field;

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryGenerator.java

@@ -19,11 +19,9 @@ import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.util.JeecgDataAutorUtils;
 import org.jeecg.common.system.util.JwtUtil;
+import org.jeecg.common.system.util.SqlConcatUtil;
 import org.jeecg.common.system.vo.SysPermissionDataRuleModel;
-import org.jeecg.common.util.CommonUtils;
-import org.jeecg.common.util.DateUtils;
-import org.jeecg.common.util.SqlInjectionUtil;
-import org.jeecg.common.util.oConvertUtils;
+import org.jeecg.common.util.*;
 import org.springframework.util.NumberUtils;
 
 import com.alibaba.fastjson.JSON;
@@ -143,7 +141,7 @@ public class QueryGenerator {
 				}
 
 				Object value = PropertyUtils.getSimpleProperty(searchObj, name);
-				column = getTableFieldName(searchObj.getClass(), name);
+				column = ReflectHelper.getTableFieldName(searchObj.getClass(), name);
 				if(column==null){
 					//column为null只有一种情况 那就是 添加了注解@TableField(exist = false) 后续都不用处理了
 					continue;
@@ -283,15 +281,9 @@ public class QueryGenerator {
 			// 将现有排序 _ 前端传递排序条件{....,column: 'column1,column2',order: 'desc'} 翻译成sql "column1,column2 desc"
 			// 修改为 _ 前端传递排序条件{....,column: 'column1,column2',order: 'desc'} 翻译成sql "column1 desc,column2 desc"
 			if (order.toUpperCase().indexOf(ORDER_TYPE_ASC)>=0) {
-				//queryWrapper.orderByAsc(oConvertUtils.camelToUnderline(column));
-				String columnStr = oConvertUtils.camelToUnderline(column);
-				String[] columnArray = columnStr.split(",");
-				queryWrapper.orderByAsc(Arrays.asList(columnArray));
+				queryWrapper.orderByAsc(SqlInjectionUtil.getSqlInjectSortFields(column.split(",")));
 			} else {
-				//queryWrapper.orderByDesc(oConvertUtils.camelToUnderline(column));
-				String columnStr = oConvertUtils.camelToUnderline(column);
-				String[] columnArray = columnStr.split(",");
-				queryWrapper.orderByDesc(Arrays.asList(columnArray));
+				queryWrapper.orderByDesc(SqlInjectionUtil.getSqlInjectSortFields(column.split(",")));
 			}
 			//update-end--Author:scott  Date:20210531 for：36 多条件排序无效问题修正-------
 		}
@@ -347,7 +339,7 @@ public class QueryGenerator {
 					return;
 				}
 				// update-end-author:sunjianlei date:20220119 for: 【JTC-573】 过滤空条件查询，防止 sql 拼接多余的 and
-                log.info("---高级查询参数-->" + filterConditions);
+                log.debug("---高级查询参数-->" + filterConditions);
 
                 queryWrapper.and(andWrapper -> {
                     for (int i = 0; i < filterConditions.size(); i++) {
@@ -641,11 +633,11 @@ public class QueryGenerator {
 	 * @param value        查询条件值
 	 */
 	public static void addEasyQuery(QueryWrapper<?> queryWrapper, String name, QueryRuleEnum rule, Object value) {
-		if (value == null || rule == null || oConvertUtils.isEmpty(value)) {
+		if (name==null || value == null || rule == null || oConvertUtils.isEmpty(value)) {
 			return;
 		}
 		name = oConvertUtils.camelToUnderline(name);
-		log.info("---查询过滤器，Query规则---field:{}, rule:{}, value:{}",name,rule.getValue(),value);
+		log.debug("---高级查询 Query规则---field:{} , rule:{} , value:{}",name,rule.getValue(),value);
 		switch (rule) {
 		case GT:
 			queryWrapper.gt(name, value);
@@ -713,7 +705,14 @@ public class QueryGenerator {
 	 */
 	public static Map<String, SysPermissionDataRuleModel> getRuleMap() {
 		Map<String, SysPermissionDataRuleModel> ruleMap = new HashMap<>(5);
-		List<SysPermissionDataRuleModel> list =JeecgDataAutorUtils.loadDataSearchConditon();
+		List<SysPermissionDataRuleModel> list = null;
+		//update-begin-author:taoyan date:2023-6-1 for:QQYUN-5441 【简流】获取多个用户/部门/角色 设置部门查询 报错
+		try {
+			list = JeecgDataAutorUtils.loadDataSearchConditon();
+		}catch (Exception e){
+			log.error("根据request对象获取权限数据失败，可能是定时任务中执行的。", e);
+		}
+		//update-end-author:taoyan date:2023-6-1 for:QQYUN-5441 【简流】获取多个用户/部门/角色 设置部门查询 报错
 		if(list != null&&list.size()>0){
 			if(list.get(0)==null){
 				return ruleMap;
@@ -821,223 +820,7 @@ public class QueryGenerator {
 	 * @return
 	 */
 	public static String getSingleQueryConditionSql(String field,String alias,Object value,boolean isString) {
-		return getSingleQueryConditionSql(field, alias, value, isString,null);
-	}
-
-	/**
-	 * 报表获取查询条件 支持多数据源
-	 * @param field
-	 * @param alias
-	 * @param value
-	 * @param isString
-	 * @param dataBaseType
-	 * @return
-	 */
-	public static String getSingleQueryConditionSql(String field,String alias,Object value,boolean isString, String dataBaseType) {
-		if (value == null) {
-			return "";
-		}
-		field =  alias+oConvertUtils.camelToUnderline(field);
-		QueryRuleEnum rule = QueryGenerator.convert2Rule(value);
-		return getSingleSqlByRule(rule, field, value, isString, dataBaseType);
-	}
-
-	/**
-	 * 获取单个查询条件的值
-	 * @param rule
-	 * @param field
-	 * @param value
-	 * @param isString
-	 * @param dataBaseType
-	 * @return
-	 */
-	private static String getSingleSqlByRule(QueryRuleEnum rule,String field,Object value,boolean isString, String dataBaseType) {
-		String res = "";
-		switch (rule) {
-		case GT:
-			res =field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case GE:
-			res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case LT:
-			res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case LE:
-			res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case EQ:
-			res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case EQ_WITH_ADD:
-			res = field+" = "+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case NE:
-			res = field+" <> "+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		case IN:
-			res = field + " in "+getInConditionValue(value, isString);
-			break;
-		case LIKE:
-			res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.LIKE);
-			break;
-		case LEFT_LIKE:
-			res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.LEFT_LIKE);
-			break;
-		case RIGHT_LIKE:
-			res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.RIGHT_LIKE);
-			break;
-		default:
-			res = field+" = "+getFieldConditionValue(value, isString, dataBaseType);
-			break;
-		}
-		return res;
-	}
-
-
-	/**
-	 * 获取单个查询条件的值
-	 * @param rule
-	 * @param field
-	 * @param value
-	 * @param isString
-	 * @return
-	 */
-	private static String getSingleSqlByRule(QueryRuleEnum rule,String field,Object value,boolean isString) {
-		return getSingleSqlByRule(rule, field, value, isString, null);
-	}
-
-	/**
-	 * 获取查询条件的值
-	 * @param value
-	 * @param isString
-	 * @param dataBaseType
-	 * @return
-	 */
-	private static String getFieldConditionValue(Object value,boolean isString, String dataBaseType) {
-		String str = value.toString().trim();
-		if(str.startsWith(SymbolConstant.EXCLAMATORY_MARK)) {
-			str = str.substring(1);
-		}else if(str.startsWith(QueryRuleEnum.GE.getValue())) {
-			str = str.substring(2);
-		}else if(str.startsWith(QueryRuleEnum.LE.getValue())) {
-			str = str.substring(2);
-		}else if(str.startsWith(QueryRuleEnum.GT.getValue())) {
-			str = str.substring(1);
-		}else if(str.startsWith(QueryRuleEnum.LT.getValue())) {
-			str = str.substring(1);
-		}else if(str.indexOf(QUERY_COMMA_ESCAPE)>0) {
-			str = str.replaceAll("\\+\\+", COMMA);
-		}
-		if(dataBaseType==null){
-			dataBaseType = getDbType();
-		}
-		if(isString) {
-			if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(dataBaseType)){
-				return " N'"+str+"' ";
-			}else{
-				return " '"+str+"' ";
-			}
-		}else {
-			// 如果不是字符串 有一种特殊情况 popup调用都走这个逻辑 参数传递的可能是“‘admin’”这种格式的
-			if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(dataBaseType) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
-				return " N"+str;
-			}
-			return value.toString();
-		}
-	}
-
-	private static String getInConditionValue(Object value,boolean isString) {
-		//update-begin-author:taoyan date:20210628 for: 查询条件如果输入,导致sql报错
-		String[] temp = value.toString().split(",");
-		if(temp.length==0){
-			return "('')";
-		}
-		if(isString) {
-			List<String> res = new ArrayList<>();
-			for (String string : temp) {
-				if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
-					res.add("N'"+string+"'");
-				}else{
-					res.add("'"+string+"'");
-				}
-			}
-			return "("+String.join("," ,res)+")";
-		}else {
-			return "("+value.toString()+")";
-		}
-		//update-end-author:taoyan date:20210628 for: 查询条件如果输入,导致sql报错
-	}
-
-	/**
-	 * 先根据值判断 走左模糊还是右模糊
-	 * 最后如果值不带任何标识(*或者%)，则再根据ruleEnum判断
-	 * @param value
-	 * @param ruleEnum
-	 * @return
-	 */
-	private static String getLikeConditionValue(Object value, QueryRuleEnum ruleEnum) {
-		String str = value.toString().trim();
-		if(str.startsWith(SymbolConstant.ASTERISK) && str.endsWith(SymbolConstant.ASTERISK)) {
-			if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
-				return "N'%"+str.substring(1,str.length()-1)+"%'";
-			}else{
-				return "'%"+str.substring(1,str.length()-1)+"%'";
-			}
-		}else if(str.startsWith(SymbolConstant.ASTERISK)) {
-			if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
-				return "N'%"+str.substring(1)+"'";
-			}else{
-				return "'%"+str.substring(1)+"'";
-			}
-		}else if(str.endsWith(SymbolConstant.ASTERISK)) {
-			if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
-				return "N'"+str.substring(0,str.length()-1)+"%'";
-			}else{
-				return "'"+str.substring(0,str.length()-1)+"%'";
-			}
-		}else {
-			if(str.indexOf(SymbolConstant.PERCENT_SIGN)>=0) {
-				if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
-					if(str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
-						return "N"+str;
-					}else{
-						return "N"+"'"+str+"'";
-					}
-				}else{
-					if(str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
-						return str;
-					}else{
-						return "'"+str+"'";
-					}
-				}
-			}else {
-
-				//update-begin-author:taoyan date:2022-6-30 for: issues/3810 数据权限规则问题
-				// 走到这里说明 value不带有任何模糊查询的标识(*或者%)
-				if (ruleEnum == QueryRuleEnum.LEFT_LIKE) {
-					if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
-						return "N'%" + str + "'";
-					} else {
-						return "'%" + str + "'";
-					}
-				} else if (ruleEnum == QueryRuleEnum.RIGHT_LIKE) {
-					if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
-						return "N'" + str + "%'";
-					} else {
-						return "'" + str + "%'";
-					}
-				} else {
-					if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
-						return "N'%" + str + "%'";
-					} else {
-						return "'%" + str + "%'";
-					}
-				}
-				//update-end-author:taoyan date:2022-6-30 for: issues/3810 数据权限规则问题
-
-			}
-		}
+		return SqlConcatUtil.getSingleQueryConditionSql(field, alias, value, isString,null);
 	}
 	
 	/**
@@ -1064,7 +847,7 @@ public class QueryGenerator {
 				continue;
 			}
 			if(ruleMap.containsKey(name)) {
-				column = getTableFieldName(clazz, name);
+				column = ReflectHelper.getTableFieldName(clazz, name);
 				if(column==null){
 					continue;
 				}
@@ -1078,7 +861,7 @@ public class QueryGenerator {
 				}else {
 					value = NumberUtils.parseNumber(dataRule.getRuleValue(),propType);
 				}
-				String filedSql = getSingleSqlByRule(rule, oConvertUtils.camelToUnderline(column), value,isString);
+				String filedSql = SqlConcatUtil.getSingleSqlByRule(rule, oConvertUtils.camelToUnderline(column), value,isString);
 				sb.append(sqlAnd+filedSql);
 			}
 		}
@@ -1107,7 +890,7 @@ public class QueryGenerator {
 			if (judgedIsUselessField(name)) {
 				continue;
 			}
-			column = getTableFieldName(clazz, name);
+			column = ReflectHelper.getTableFieldName(clazz, name);
 			if(column==null){
 				continue;
 			}
@@ -1126,42 +909,6 @@ public class QueryGenerator {
 		return getSqlRuleValue(sql);
 	}
 
-	/**
-	 * 获取所有配置的权限 返回sql字符串 不受字段限制 配置什么就拿到什么
-	 * @return
-	 */
-	public static String getAllConfigAuth() {
-		StringBuffer sb = new StringBuffer();
-		//权限查询
-		Map<String,SysPermissionDataRuleModel> ruleMap = getRuleMap();
-		String sqlAnd = " and ";
-		for (String c : ruleMap.keySet()) {
-			SysPermissionDataRuleModel dataRule = ruleMap.get(c);
-			String ruleValue = dataRule.getRuleValue();
-			if(oConvertUtils.isEmpty(ruleValue)){
-				continue;
-			}
-			if(oConvertUtils.isNotEmpty(c) && c.startsWith(SQL_RULES_COLUMN)){
-				sb.append(sqlAnd+getSqlRuleValue(ruleValue));
-			}else{
-				boolean isString  = false;
-				ruleValue = ruleValue.trim();
-				if(ruleValue.startsWith("'") && ruleValue.endsWith("'")){
-					isString = true;
-					ruleValue = ruleValue.substring(1,ruleValue.length()-1);
-				}
-				QueryRuleEnum rule = QueryRuleEnum.getByValue(dataRule.getRuleConditions());
-				String value = converRuleValue(ruleValue);
-				String filedSql = getSingleSqlByRule(rule, c, value,isString);
-				sb.append(sqlAnd+filedSql);
-			}
-		}
-		log.info("query auth sql is = "+sb.toString());
-		return sb.toString();
-	}
-
-
-
 	/**
 	 * 获取系统数据库类型
 	 */
@@ -1169,71 +916,6 @@ public class QueryGenerator {
 		return CommonUtils.getDatabaseType();
 	}
 
-
-	/**
-	 * 获取class的 包括父类的
-	 * @param clazz
-	 * @return
-	 */
-	private static List<Field> getClassFields(Class<?> clazz) {
-		List<Field> list = new ArrayList<Field>();
-		Field[] fields;
-		do{
-			fields = clazz.getDeclaredFields();
-			for(int i = 0;i<fields.length;i++){
-				list.add(fields[i]);
-			}
-			clazz = clazz.getSuperclass();
-		}while(clazz!= Object.class&&clazz!=null);
-		return list;
-	}
-
-	/**
-	 * 获取表字段名
-	 * @param clazz
-	 * @param name
-	 * @return
-	 */
-	private static String getTableFieldName(Class<?> clazz, String name) {
-		try {
-			//如果字段加注解了@TableField(exist = false),不走DB查询
-			Field field = null;
-			try {
-				field = clazz.getDeclaredField(name);
-			} catch (NoSuchFieldException e) {
-				//e.printStackTrace();
-			}
-
-			//如果为空，则去父类查找字段
-			if (field == null) {
-				List<Field> allFields = getClassFields(clazz);
-				List<Field> searchFields = allFields.stream().filter(a -> a.getName().equals(name)).collect(Collectors.toList());
-				if(searchFields!=null && searchFields.size()>0){
-					field = searchFields.get(0);
-				}
-			}
-
-			if (field != null) {
-				TableField tableField = field.getAnnotation(TableField.class);
-				if (tableField != null){
-					if(tableField.exist() == false){
-						//如果设置了TableField false 这个字段不需要处理
-						return null;
-					}else{
-						String column = tableField.value();
-						//如果设置了TableField value 这个字段是实体字段
-						if(!"".equals(column)){
-							return column;
-						}
-					}
-				}
-			}
-		} catch (Exception e) {
-			e.printStackTrace();
-		}
-		return name;
-	}
-
 	/**
 	 * mysql 模糊查询之特殊字符下划线 （_、\）
 	 *

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/query/QueryRuleEnum.java

@@ -25,12 +25,19 @@ public enum QueryRuleEnum {
     IN("IN","in","包含"),
     /**查询规则 全模糊*/
     LIKE("LIKE","like","全模糊"),
+    /**查询规则 不模糊包含*/
+    NOT_LIKE("NOT_LIKE","not_like","不模糊包含"),
     /**查询规则 左模糊*/
     LEFT_LIKE("LEFT_LIKE","left_like","左模糊"),
     /**查询规则 右模糊*/
     RIGHT_LIKE("RIGHT_LIKE","right_like","右模糊"),
     /**查询规则 带加号等于*/
     EQ_WITH_ADD("EQWITHADD","eq_with_add","带加号等于"),
+    /**查询规则 多词模糊匹配*/
+    LIKE_WITH_AND("LIKEWITHAND","like_with_and","多词模糊匹配————暂时未用上"),
+    /**查询规则 自定义SQL片段*/
+    SQL_RULES("USE_SQL_RULES","ext","自定义SQL片段"),
+    
     // ------- 当前表单设计器内专用 -------
     /** 值为空 */
     EMPTY("EMPTY","empty","值为空"),
@@ -38,15 +45,12 @@ public enum QueryRuleEnum {
     NOT_EMPTY("NOT_EMPTY","not_empty","值不为空"),
     /**查询规则 不包含*/
     NOT_IN("NOT_IN","not_in","不包含"),
-    // ------- 当前表单设计器内专用 -------
-    /**查询规则 多词模糊匹配*/
-    LIKE_WITH_AND("LIKEWITHAND","like_with_and","多词模糊匹配————暂时未用上"),
-    /**查询规则 自定义SQL片段*/
-    SQL_RULES("USE_SQL_RULES","ext","自定义SQL片段"),
     /**查询规则 多词匹配*/
     ELE_MATCH("ELE_MATCH","elemMatch","多词匹配"),
     /**查询规则 范围查询*/
-    RANGE("RANGE","range","范围查询");
+    RANGE("RANGE","range","范围查询"),
+    NOT_RANGE("NOT_RANGE","not_range","不在范围查询");
+    // ------- 当前表单设计器内专用 -------
 
     private String value;
     
@@ -89,7 +93,7 @@ public enum QueryRuleEnum {
     		return null;
     	}
         for(QueryRuleEnum val :values()){
-            if (val.getValue().equals(value) || val.getCondition().equals(value)){
+            if (val.getValue().equals(value) || val.getCondition().equalsIgnoreCase(value)){
                 return val;
             }
         }

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/util/JeecgDataAutorUtils.java

@@ -5,7 +5,7 @@ import org.jeecg.common.system.vo.SysUserCacheInfo;
 import org.jeecg.common.util.SpringContextUtils;
 import org.springframework.util.StringUtils;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
 

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/util/JwtUtil.java

@@ -1,5 +1,7 @@
 package org.jeecg.common.system.util;
 
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson2.JSONObject;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
@@ -10,13 +12,17 @@ import com.google.common.base.Joiner;
 
 import java.io.IOException;
 import java.io.OutputStream;
-import java.util.Date;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+import java.util.*;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
-import org.apache.shiro.SecurityUtils;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
+
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
@@ -28,18 +34,37 @@ import org.jeecg.common.system.vo.SysUserCacheInfo;
 import org.jeecg.common.util.DateUtils;
 import org.jeecg.common.util.SpringContextUtils;
 import org.jeecg.common.util.oConvertUtils;
+import org.jeecg.config.security.self.SelfAuthenticationProvider;
+import org.jeecg.config.security.self.SelfAuthenticationToken;
+import org.jeecg.config.security.utils.SecureUtil;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.*;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
+import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 
 /**
  * @Author Scott
  * @Date 2018-07-12 14:23
  * @Desc JWT工具类
  **/
+@Slf4j
 public class JwtUtil {
 
 	/**Token有效期为7天（Token在reids中缓存时间为两倍）*/
 	public static final long EXPIRE_TIME = (7 * 12) * 60 * 60 * 1000;
 	static final String WELL_NUMBER = SymbolConstant.WELL_NUMBER + SymbolConstant.LEFT_CURLY_BRACKET;
 
+	public static final String DEFAULT_CLIENT = "jeecg-client";
+
     /**
      *
      * @param response
@@ -75,10 +100,9 @@ public class JwtUtil {
 	public static boolean verify(String token, String username, String secret) {
 		try {
 			// 根据密码生成JWT效验器
-			Algorithm algorithm = Algorithm.HMAC256(secret);
-			JWTVerifier verifier = JWT.require(algorithm).withClaim("username", username).build();
+			JwtDecoder jwtDecoder = SpringContextUtils.getBean(JwtDecoder.class);
 			// 效验TOKEN
-			DecodedJWT jwt = verifier.verify(token);
+			jwtDecoder.decode(token);
 			return true;
 		} catch (Exception exception) {
 			return false;
@@ -93,24 +117,33 @@ public class JwtUtil {
 	public static String getUsername(String token) {
 		try {
 			DecodedJWT jwt = JWT.decode(token);
-			return jwt.getClaim("username").asString();
+			LoginUser loginUser = JSONObject.parseObject(jwt.getClaim("sub").asString(), LoginUser.class);
+			return loginUser.getUsername();
 		} catch (JWTDecodeException e) {
 			return null;
 		}
 	}
 
 	/**
-	 * 生成签名,5min后过期
+	 * 生成token
 	 *
 	 * @param username 用户名
 	 * @param secret   用户的密码
 	 * @return 加密的token
 	 */
 	public static String sign(String username, String secret) {
-		Date date = new Date(System.currentTimeMillis() + EXPIRE_TIME);
-		Algorithm algorithm = Algorithm.HMAC256(secret);
-		// 附带username信息
-		return JWT.create().withClaim("username", username).withExpiresAt(date).sign(algorithm);
+		Map<String, Object> additionalParameter = new HashMap<>();
+		additionalParameter.put("username", username);
+
+		RegisteredClientRepository registeredClientRepository = SpringContextUtils.getBean(RegisteredClientRepository.class);
+		SelfAuthenticationProvider selfAuthenticationProvider = SpringContextUtils.getBean(SelfAuthenticationProvider.class);
+
+		OAuth2ClientAuthenticationToken client = new OAuth2ClientAuthenticationToken(Objects.requireNonNull(registeredClientRepository.findByClientId("jeecg-client")), ClientAuthenticationMethod.CLIENT_SECRET_BASIC, null);
+		client.setAuthenticated(true);
+		SelfAuthenticationToken selfAuthenticationToken = new SelfAuthenticationToken(client, additionalParameter);
+		selfAuthenticationToken.setAuthenticated(true);
+		OAuth2AccessTokenAuthenticationToken accessToken = (OAuth2AccessTokenAuthenticationToken) selfAuthenticationProvider.authenticate(selfAuthenticationToken);
+		return accessToken.getAccessToken().getTokenValue();
 
 	}
 
@@ -163,15 +196,24 @@ public class JwtUtil {
 	 * @param user
 	 * @return
 	 */
-	public static String getUserSystemData(String key,SysUserCacheInfo user) {
+	public static String getUserSystemData(String key, SysUserCacheInfo user) {
+		//1.优先获取 SysUserCacheInfo
 		if(user==null) {
-			user = JeecgDataAutorUtils.loadUserInfo();
+			try {
+				user = JeecgDataAutorUtils.loadUserInfo();
+			} catch (Exception e) {
+				log.warn("获取用户信息异常：" + e.getMessage());
+			}
 		}
+		//2.通过shiro获取登录用户信息
+		LoginUser sysUser = null;
+		try {
+			sysUser = SecureUtil.currentUser();
+		} catch (Exception e) {
+			log.warn("SecurityUtils.getSubject() 获取用户信息异常：" + e.getMessage());
+		}
+
 		//#{sys_user_code}%
-		
-		// 获取登录用户信息
-		LoginUser sysUser = (LoginUser) SecurityUtils.getSubject().getPrincipal();
-		
 		String moshi = "";
         String wellNumber = WELL_NUMBER;
 		if(key.indexOf(SymbolConstant.RIGHT_CURLY_BRACKET)!=-1){
@@ -184,6 +226,24 @@ public class JwtUtil {
 		} else {
 			key = key;
 		}
+		//替换为当前系统时间(年月日)
+		if (key.equals(DataBaseConstant.SYS_DATE)|| key.toLowerCase().equals(DataBaseConstant.SYS_DATE_TABLE)) {
+			returnValue = DateUtils.formatDate();
+		}
+		//替换为当前系统时间（年月日时分秒）
+		else if (key.equals(DataBaseConstant.SYS_TIME)|| key.toLowerCase().equals(DataBaseConstant.SYS_TIME_TABLE)) {
+			returnValue = DateUtils.now();
+		}
+		//流程状态默认值（默认未发起）
+		else if (key.equals(DataBaseConstant.BPM_STATUS)|| key.toLowerCase().equals(DataBaseConstant.BPM_STATUS_TABLE)) {
+			returnValue = "1";
+		}
+
+		//后台任务获取用户信息异常，导致程序中断
+		if(sysUser==null && user==null){
+			return null;
+		}
+		
 		//替换为系统登录用户帐号
 		if (key.equals(DataBaseConstant.SYS_USER_CODE)|| key.toLowerCase().equals(DataBaseConstant.SYS_USER_CODE_TABLE)) {
 			if(user==null) {
@@ -222,21 +282,13 @@ public class JwtUtil {
 				}
 			}
 		}
-		//替换为当前系统时间(年月日)
-		else if (key.equals(DataBaseConstant.SYS_DATE)|| key.toLowerCase().equals(DataBaseConstant.SYS_DATE_TABLE)) {
-			returnValue = DateUtils.formatDate();
-		}
-		//替换为当前系统时间（年月日时分秒）
-		else if (key.equals(DataBaseConstant.SYS_TIME)|| key.toLowerCase().equals(DataBaseConstant.SYS_TIME_TABLE)) {
-			returnValue = DateUtils.now();
-		}
-		//流程状态默认值（默认未发起）
-		else if (key.equals(DataBaseConstant.BPM_STATUS)|| key.toLowerCase().equals(DataBaseConstant.BPM_STATUS_TABLE)) {
-			returnValue = "1";
-		}
 		//update-begin-author:taoyan date:20210330 for:多租户ID作为系统变量
 		else if (key.equals(TenantConstant.TENANT_ID) || key.toLowerCase().equals(TenantConstant.TENANT_ID_TABLE)){
-			returnValue = SpringContextUtils.getHttpServletRequest().getHeader(CommonConstant.TENANT_ID);
+			try {
+				returnValue = SpringContextUtils.getHttpServletRequest().getHeader(CommonConstant.TENANT_ID);
+			} catch (Exception e) {
+				log.warn("获取系统租户异常：" + e.getMessage());
+			}
 		}
 		//update-end-author:taoyan date:20210330 for:多租户ID作为系统变量
 		if(returnValue!=null){returnValue = returnValue + moshi;}

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/util/SqlConcatUtil.java

@@ -0,0 +1,243 @@
+package org.jeecg.common.system.util;
+
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.constant.DataBaseConstant;
+import org.jeecg.common.constant.SymbolConstant;
+import org.jeecg.common.system.query.QueryGenerator;
+import org.jeecg.common.system.query.QueryRuleEnum;
+import org.jeecg.common.util.CommonUtils;
+import org.jeecg.common.util.oConvertUtils;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @Description: 查询过滤器，SQL拼接写法拆成独立工具类
+ * @author:qinfeng
+ * @date 20230904
+ */
+@Slf4j
+public class SqlConcatUtil {
+
+    /**
+     * 获取单个查询条件的值
+     * @param rule
+     * @param field
+     * @param value
+     * @param isString
+     * @return
+     */
+    public static String getSingleSqlByRule(QueryRuleEnum rule,String field,Object value,boolean isString) {
+        return getSingleSqlByRule(rule, field, value, isString, null);
+    }
+    
+    /**
+     * 报表获取查询条件 支持多数据源
+     * @param field
+     * @param alias
+     * @param value
+     * @param isString
+     * @param dataBaseType
+     * @return
+     */
+    public static String getSingleQueryConditionSql(String field,String alias,Object value,boolean isString, String dataBaseType) {
+        if (value == null) {
+            return "";
+        }
+        field =  alias+oConvertUtils.camelToUnderline(field);
+        QueryRuleEnum rule = QueryGenerator.convert2Rule(value);
+        return getSingleSqlByRule(rule, field, value, isString, dataBaseType);
+    }
+
+    /**
+     * 获取单个查询条件的值
+     * @param rule
+     * @param field
+     * @param value
+     * @param isString
+     * @param dataBaseType
+     * @return
+     */
+    private static String getSingleSqlByRule(QueryRuleEnum rule,String field,Object value,boolean isString, String dataBaseType) {
+        String res = "";
+        switch (rule) {
+            case GT:
+                res =field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case GE:
+                res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case LT:
+                res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case LE:
+                res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case EQ:
+                res = field+rule.getValue()+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case EQ_WITH_ADD:
+                res = field+" = "+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case NE:
+                res = field+" <> "+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+            case IN:
+                res = field + " in "+getInConditionValue(value, isString);
+                break;
+            case LIKE:
+                res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.LIKE);
+                break;
+            case LEFT_LIKE:
+                res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.LEFT_LIKE);
+                break;
+            case RIGHT_LIKE:
+                res = field + " like "+getLikeConditionValue(value, QueryRuleEnum.RIGHT_LIKE);
+                break;
+            default:
+                res = field+" = "+getFieldConditionValue(value, isString, dataBaseType);
+                break;
+        }
+        return res;
+    }
+
+    /**
+     * 获取查询条件的值
+     * @param value
+     * @param isString
+     * @param dataBaseType
+     * @return
+     */
+    private static String getFieldConditionValue(Object value,boolean isString, String dataBaseType) {
+        String str = value.toString().trim();
+        if(str.startsWith(SymbolConstant.EXCLAMATORY_MARK)) {
+            str = str.substring(1);
+        }else if(str.startsWith(QueryRuleEnum.GE.getValue())) {
+            str = str.substring(2);
+        }else if(str.startsWith(QueryRuleEnum.LE.getValue())) {
+            str = str.substring(2);
+        }else if(str.startsWith(QueryRuleEnum.GT.getValue())) {
+            str = str.substring(1);
+        }else if(str.startsWith(QueryRuleEnum.LT.getValue())) {
+            str = str.substring(1);
+        }else if(str.indexOf(QueryGenerator.QUERY_COMMA_ESCAPE)>0) {
+            str = str.replaceAll("\\+\\+", SymbolConstant.COMMA);
+        }
+        if(dataBaseType==null){
+            dataBaseType = getDbType();
+        }
+        if(isString) {
+            if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(dataBaseType)){
+                return " N'"+str+"' ";
+            }else{
+                return " '"+str+"' ";
+            }
+        }else {
+            // 如果不是字符串 有一种特殊情况 popup调用都走这个逻辑 参数传递的可能是“‘admin’”这种格式的
+            if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(dataBaseType) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
+                return " N"+str;
+            }
+            return value.toString();
+        }
+    }
+
+    private static String getInConditionValue(Object value,boolean isString) {
+        //update-begin-author:taoyan date:20210628 for: 查询条件如果输入,导致sql报错
+        String[] temp = value.toString().split(",");
+        if(temp.length==0){
+            return "('')";
+        }
+        if(isString) {
+            List<String> res = new ArrayList<>();
+            for (String string : temp) {
+                if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
+                    res.add("N'"+string+"'");
+                }else{
+                    res.add("'"+string+"'");
+                }
+            }
+            return "("+String.join("," ,res)+")";
+        }else {
+            return "("+value.toString()+")";
+        }
+        //update-end-author:taoyan date:20210628 for: 查询条件如果输入,导致sql报错
+    }
+
+    /**
+     * 先根据值判断 走左模糊还是右模糊
+     * 最后如果值不带任何标识(*或者%)，则再根据ruleEnum判断
+     * @param value
+     * @param ruleEnum
+     * @return
+     */
+    private static String getLikeConditionValue(Object value, QueryRuleEnum ruleEnum) {
+        String str = value.toString().trim();
+        if(str.startsWith(SymbolConstant.ASTERISK) && str.endsWith(SymbolConstant.ASTERISK)) {
+            if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
+                return "N'%"+str.substring(1,str.length()-1)+"%'";
+            }else{
+                return "'%"+str.substring(1,str.length()-1)+"%'";
+            }
+        }else if(str.startsWith(SymbolConstant.ASTERISK)) {
+            if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
+                return "N'%"+str.substring(1)+"'";
+            }else{
+                return "'%"+str.substring(1)+"'";
+            }
+        }else if(str.endsWith(SymbolConstant.ASTERISK)) {
+            if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
+                return "N'"+str.substring(0,str.length()-1)+"%'";
+            }else{
+                return "'"+str.substring(0,str.length()-1)+"%'";
+            }
+        }else {
+            if(str.indexOf(SymbolConstant.PERCENT_SIGN)>=0) {
+                if(DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())){
+                    if(str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
+                        return "N"+str;
+                    }else{
+                        return "N"+"'"+str+"'";
+                    }
+                }else{
+                    if(str.startsWith(SymbolConstant.SINGLE_QUOTATION_MARK) && str.endsWith(SymbolConstant.SINGLE_QUOTATION_MARK)){
+                        return str;
+                    }else{
+                        return "'"+str+"'";
+                    }
+                }
+            }else {
+
+                //update-begin-author:taoyan date:2022-6-30 for: issues/3810 数据权限规则问题
+                // 走到这里说明 value不带有任何模糊查询的标识(*或者%)
+                if (ruleEnum == QueryRuleEnum.LEFT_LIKE) {
+                    if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
+                        return "N'%" + str + "'";
+                    } else {
+                        return "'%" + str + "'";
+                    }
+                } else if (ruleEnum == QueryRuleEnum.RIGHT_LIKE) {
+                    if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
+                        return "N'" + str + "%'";
+                    } else {
+                        return "'" + str + "%'";
+                    }
+                } else {
+                    if (DataBaseConstant.DB_TYPE_SQLSERVER.equals(getDbType())) {
+                        return "N'%" + str + "%'";
+                    } else {
+                        return "'%" + str + "%'";
+                    }
+                }
+                //update-end-author:taoyan date:2022-6-30 for: issues/3810 数据权限规则问题
+
+            }
+        }
+    }
+
+    /**
+     * 获取系统数据库类型
+     */
+    private static String getDbType() {
+        return CommonUtils.getDatabaseType();
+    }
+    
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/vo/DictModel.java

@@ -2,6 +2,7 @@ package org.jeecg.common.system.vo;
 
 import java.io.Serializable;
 
+import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 
 import lombok.Data;
@@ -26,7 +27,13 @@ public class DictModel implements Serializable{
 		this.value = value;
 		this.text = text;
 	}
-	
+
+	public DictModel(String value, String text, String color) {
+		this.value = value;
+		this.text = text;
+		this.color = color;
+	}
+
 	/**
 	 * 字典value
 	 */
@@ -35,6 +42,10 @@ public class DictModel implements Serializable{
 	 * 字典文本
 	 */
 	private String text;
+	/**
+	 * 字典颜色
+	 */
+	private String color;
 
 	/**
 	 * 特殊用途： JgEditableTable
@@ -50,4 +61,11 @@ public class DictModel implements Serializable{
 		return this.text;
 	}
 
+
+	/**
+	 * 用于表单设计器 关联记录表数据存储
+	 * QQYUN-5595【表单设计器】他表字段 导入没有翻译
+	 */
+	private JSONObject jsonObject;
+
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/vo/LoginUser.java

@@ -1,15 +1,18 @@
 package org.jeecg.common.system.vo;
 
-import java.util.Date;
-
-import org.jeecg.common.desensitization.annotation.SensitiveField;
-import org.springframework.format.annotation.DateTimeFormat;
-
+import com.alibaba.fastjson2.JSON;
 import com.fasterxml.jackson.annotation.JsonFormat;
-
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 import lombok.experimental.Accessors;
+import org.jeecg.common.desensitization.annotation.SensitiveField;
+import org.springframework.format.annotation.DateTimeFormat;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.io.Serializable;
+import java.util.Date;
+import java.util.Set;
 
 /**
  * <p>
@@ -22,8 +25,10 @@ import lombok.experimental.Accessors;
 @Data
 @EqualsAndHashCode(callSuper = false)
 @Accessors(chain = true)
-public class LoginUser {
+public class LoginUser implements Serializable {
 
+
+	private static final long serialVersionUID = -7143159031677245866L;
 	/**
 	 * 登录人id
 	 */
@@ -51,6 +56,7 @@ public class LoginUser {
      /**
       * 当前登录部门code
       */
+	@SensitiveField
     private String orgCode;
 	/**
 	 * 头像
@@ -61,7 +67,6 @@ public class LoginUser {
 	/**
 	 * 生日
 	 */
-	@SensitiveField
 	@JsonFormat(timezone = "GMT+8", pattern = "yyyy-MM-dd")
 	@DateTimeFormat(pattern = "yyyy-MM-dd")
 	private Date birthday;
@@ -107,6 +112,7 @@ public class LoginUser {
 	/**
 	 * 管理部门ids
 	 */
+	@SensitiveField
 	private String departIds;
 
 	/**
@@ -122,9 +128,35 @@ public class LoginUser {
 	private String telephone;
 
 	/** 多租户ids临时用，不持久化数据库(数据库字段不存在) */
+	@SensitiveField
 	private String relTenantIds;
 
 	/**设备id uniapp推送用*/
 	private String clientId;
 
+	@SensitiveField
+	private String salt;
+
+	@Override
+	public String toString() {
+		// 重新构建对象过滤一些敏感字段
+		LoginUser loginUser = new LoginUser();
+		loginUser.setId(id);
+		loginUser.setUsername(username);
+		loginUser.setRealname(realname);
+		loginUser.setOrgCode(orgCode);
+		loginUser.setSex(sex);
+		loginUser.setEmail(email);
+		loginUser.setPhone(phone);
+		loginUser.setDelFlag(delFlag);
+		loginUser.setStatus(status);
+		loginUser.setActivitiSync(activitiSync);
+		loginUser.setUserIdentity(userIdentity);
+		loginUser.setDepartIds(departIds);
+		loginUser.setPost(post);
+		loginUser.setTelephone(telephone);
+		loginUser.setRelTenantIds(relTenantIds);
+		loginUser.setClientId(clientId);
+		return JSON.toJSONString(loginUser);
+	}
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/system/vo/UserAccountInfo.java

@@ -0,0 +1,61 @@
+package org.jeecg.common.system.vo;
+
+import com.fasterxml.jackson.annotation.JsonFormat;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.experimental.Accessors;
+import org.jeecg.common.desensitization.annotation.SensitiveField;
+import org.springframework.format.annotation.DateTimeFormat;
+
+import java.util.Date;
+
+/**
+ * <p>
+ * 在线用户信息
+ * </p>
+ *
+ * @Author scott
+ * @since 2023-08-16
+ */
+@Data
+@EqualsAndHashCode(callSuper = false)
+@Accessors(chain = true)
+public class UserAccountInfo {
+
+    /**
+     * 登录人id
+     */
+    private String id;
+
+    /**
+     * 登录人账号
+     */
+    private String username;
+
+    /**
+     * 登录人名字
+     */
+    private String realname;
+
+    /**
+     * 电子邮件
+     */
+    private String email;
+
+    /**
+     * 头像
+     */
+    @SensitiveField
+    private String avatar;
+
+    /**
+     * 同步工作流引擎1同步0不同步
+     */
+    private Integer activitiSync;
+
+    /**
+     * 电话
+     */
+    @SensitiveField
+    private String phone;
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/BrowserUtils.java

@@ -5,7 +5,7 @@ import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 /**
  * 

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/CommonUtils.java

@@ -1,7 +1,7 @@
 package org.jeecg.common.util;
 
 import com.alibaba.fastjson.JSONObject;
-import com.baomidou.dynamic.datasource.spring.boot.autoconfigure.DataSourceProperty;
+import com.baomidou.dynamic.datasource.creator.DataSourceProperty;
 import com.baomidou.dynamic.datasource.spring.boot.autoconfigure.DynamicDataSourceProperties;
 import com.baomidou.mybatisplus.annotation.DbType;
 import com.baomidou.mybatisplus.extension.toolkit.JdbcUtils;
@@ -11,14 +11,15 @@ import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
 import org.jeecg.common.constant.ServiceNameConstants;
 import org.jeecg.common.constant.SymbolConstant;
-import org.jeecg.common.util.filter.FileTypeFilter;
+import org.jeecg.common.exception.JeecgBootException;
+import org.jeecg.common.util.filter.SsrfFileTypeFilter;
 import org.jeecg.common.util.oss.OssBootUtil;
 import org.jeecgframework.poi.util.PoiPublicUtil;
 import org.springframework.jdbc.datasource.DriverManagerDataSource;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.web.multipart.MultipartFile;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import javax.sql.DataSource;
 import java.io.ByteArrayInputStream;
 import java.io.File;
@@ -27,8 +28,7 @@ import java.io.InputStream;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
 import java.sql.SQLException;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -138,6 +138,7 @@ public class CommonUtils {
             }
         } catch (Exception e) {
             log.error(e.getMessage(), e);
+            throw new JeecgBootException(e.getMessage());
         }
         return url;
     }
@@ -147,10 +148,10 @@ public class CommonUtils {
      * @param bizPath  自定义路径
      * @return
      */
-    public static String uploadLocal(MultipartFile mf, String bizPath, String uploadpath){
+    public static String uploadLocal(MultipartFile mf,String bizPath,String uploadpath){
         try {
             //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
-            FileTypeFilter.fileTypeFilter(mf);
+            SsrfFileTypeFilter.checkUploadFileType(mf);
             //update-end-author:liusq date:20210809 for: 过滤上传文件类型
             String fileName = null;
             File file = new File(uploadpath + File.separator + bizPath + File.separator );
@@ -274,7 +275,7 @@ public class CommonUtils {
         if(db==null){
             return null;
         }
-        DriverManagerDataSource ds = new DriverManagerDataSource();
+        DriverManagerDataSource ds = new DriverManagerDataSource ();
         ds.setDriverClassName(db.getDriverClassName());
         ds.setUrl(db.getUrl());
         ds.setUsername(db.getUsername());
@@ -414,6 +415,10 @@ public class CommonUtils {
      * @return name = '1212'
      */
     public static String getFilterSqlByTableSql(String tableSql) {
+        if(oConvertUtils.isEmpty(tableSql)){
+            return null;
+        }
+        
         if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
             String[] arr = tableSql.split(" (?i)where ");
             if (arr != null && oConvertUtils.isNotEmpty(arr[1])) {
@@ -430,6 +435,10 @@ public class CommonUtils {
      * @return sys_user
      */
     public static String getTableNameByTableSql(String tableSql) {
+        if(oConvertUtils.isEmpty(tableSql)){
+            return null;
+        }
+        
         if (tableSql.toLowerCase().indexOf(DataBaseConstant.SQL_WHERE) > 0) {
             String[] arr = tableSql.split(" (?i)where ");
             return arr[0].trim();
@@ -437,4 +446,25 @@ public class CommonUtils {
             return tableSql;
         }
     }
+
+    /**
+     * 判断两个数组是否存在交集
+     * @param set1
+     * @param arr2
+     * @return
+     */
+    public static boolean hasIntersection(Set<String> set1, String[] arr2) {
+        if (set1 == null) {
+            return false;
+        }
+        
+        if(set1.size()>0){
+            for (String str : arr2) {
+                if (set1.contains(str)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/DySmsHelper.java

@@ -1,9 +1,5 @@
 package org.jeecg.common.util;
 
-import org.jeecg.config.StaticConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import com.alibaba.fastjson.JSONObject;
 import com.aliyuncs.DefaultAcsClient;
 import com.aliyuncs.IAcsClient;
@@ -12,6 +8,10 @@ import com.aliyuncs.dysmsapi.model.v20170525.SendSmsResponse;
 import com.aliyuncs.exceptions.ClientException;
 import com.aliyuncs.profile.DefaultProfile;
 import com.aliyuncs.profile.IClientProfile;
+import org.jeecg.common.constant.enums.DySmsEnum;
+import org.jeecg.config.StaticConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Created on 17/6/7.
@@ -55,7 +55,7 @@ public class DySmsHelper {
     }
     
     
-    public static boolean sendSms(String phone,JSONObject templateParamJson,DySmsEnum dySmsEnum) throws ClientException {
+    public static boolean sendSms(String phone, JSONObject templateParamJson, DySmsEnum dySmsEnum) throws ClientException {
     	//可自助调整超时时间
         System.setProperty("sun.net.client.defaultConnectTimeout", "10000");
         System.setProperty("sun.net.client.defaultReadTimeout", "10000");

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/IpUtils.java

@@ -1,6 +1,6 @@
 package org.jeecg.common.util;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.StringUtils;
 import org.jeecg.common.constant.CommonConstant;

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/MinioUtil.java

@@ -4,7 +4,7 @@ import io.minio.*;
 import io.minio.http.Method;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.constant.SymbolConstant;
-import org.jeecg.common.util.filter.FileTypeFilter;
+import org.jeecg.common.util.filter.SsrfFileTypeFilter;
 import org.jeecg.common.util.filter.StrAttackFilter;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -60,7 +60,7 @@ public class MinioUtil {
         //update-end-author:wangshuai date:20201012 for: 过滤上传文件夹名特殊字符，防止攻击
 
         //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
-        FileTypeFilter.fileTypeFilter(file);
+        SsrfFileTypeFilter.checkUploadFileType(file);
         //update-end-author:liusq date:20210809 for: 过滤上传文件类型
 
         String newBucket = bucketName;

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/ReflectHelper.java

@@ -1,5 +1,6 @@
 package org.jeecg.common.util;
 
+import com.baomidou.mybatisplus.annotation.TableField;
 import lombok.extern.slf4j.Slf4j;
 
 import java.lang.reflect.Field;
@@ -7,6 +8,7 @@ import java.lang.reflect.Method;
 import java.util.*;
 import java.util.Map.Entry;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
 
 /**
  * @author 张代浩
@@ -252,4 +254,86 @@ public class ReflectHelper {
         return value;
     }
 
+    /**
+     * 判断给定的字段是不是类中的属性
+     * @param field 字段名
+     * @param clazz 类对象
+     * @return
+     */
+    public static boolean isClassField(String field, Class clazz){
+        Field[] fields = clazz.getDeclaredFields();
+        for(int i=0;i<fields.length;i++){
+            String fieldName = fields[i].getName();
+            String tableColumnName = oConvertUtils.camelToUnderline(fieldName);
+            if(fieldName.equalsIgnoreCase(field) || tableColumnName.equalsIgnoreCase(field)){
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * 获取class的 包括父类的
+     * @param clazz
+     * @return
+     */
+    public static List<Field> getClassFields(Class<?> clazz) {
+        List<Field> list = new ArrayList<Field>();
+        Field[] fields;
+        do{
+            fields = clazz.getDeclaredFields();
+            for(int i = 0;i<fields.length;i++){
+                list.add(fields[i]);
+            }
+            clazz = clazz.getSuperclass();
+        }while(clazz!= Object.class&&clazz!=null);
+        return list;
+    }
+
+    /**
+     * 获取表字段名
+     * @param clazz
+     * @param name
+     * @return
+     */
+    public static String getTableFieldName(Class<?> clazz, String name) {
+        try {
+            //如果字段加注解了@TableField(exist = false),不走DB查询
+            Field field = null;
+            try {
+                field = clazz.getDeclaredField(name);
+            } catch (NoSuchFieldException e) {
+                //e.printStackTrace();
+            }
+
+            //如果为空，则去父类查找字段
+            if (field == null) {
+                List<Field> allFields = getClassFields(clazz);
+                List<Field> searchFields = allFields.stream().filter(a -> a.getName().equals(name)).collect(Collectors.toList());
+                if(searchFields!=null && searchFields.size()>0){
+                    field = searchFields.get(0);
+                }
+            }
+
+            if (field != null) {
+                TableField tableField = field.getAnnotation(TableField.class);
+                if (tableField != null){
+                    if(tableField.exist() == false){
+                        //如果设置了TableField false 这个字段不需要处理
+                        return null;
+                    }else{
+                        String column = tableField.value();
+                        //如果设置了TableField value 这个字段是实体字段
+                        if(!"".equals(column)){
+                            return column;
+                        }
+                    }
+                }
+            }
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return name;
+    }
+
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SpringContextUtils.java

@@ -1,7 +1,7 @@
 package org.jeecg.common.util;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.ServiceNameConstants;

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java

@@ -1,14 +1,12 @@
 package org.jeecg.common.util;
 
-import cn.hutool.crypto.SecureUtil;
+import cn.hutool.core.util.ReUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
-import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.exception.JeecgSqlInjectionException;
-
-import javax.servlet.http.HttpServletRequest;
-import java.lang.reflect.Field;
-import java.util.Set;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -18,50 +16,243 @@ import java.util.regex.Pattern;
  * @author zhoujf
  */
 @Slf4j
-public class SqlInjectionUtil {
+public class SqlInjectionUtil {	
 	/**
-	 * sign 用于表字典加签的盐值【SQL漏洞】
-	 * （上线修改值 20200501，同步修改前端的盐值）
+	 * 默认—sql注入关键词
 	 */
-	private final static String TABLE_DICT_SIGN_SALT = "20200501";
-	private final static String XSS_STR = "and |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";
-
+	private final static String XSS_STR = "and |exec |peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|--";
 	/**
-	 * 正则 user() 匹配更严谨
+	 * online报表专用—sql注入关键词
 	 */
-	private final static String REGULAR_EXPRE_USER = "user[\\s]*\\([\\s]*\\)";
-    /**正则 show tables*/
-	private final static String SHOW_TABLES = "show\\s+tables";
-
+	private static String specialReportXssStr = "exec |peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|insert |alter |delete |grant |update |drop |master |truncate |declare |--";
 	/**
-	 * sleep函数
+	 * 字典专用—sql注入关键词
 	 */
-	private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\(.*\\)", Pattern.CASE_INSENSITIVE);
-
+	private static String specialDictSqlXssStr = "exec |peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract|insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|+|--";
+	/**
+	 * sql注入风险的 正则关键字
+	 *
+	 * 函数匹配，需要用正则模式
+	 */
+	private final static String[] XSS_REGULAR_STR_ARRAY = new String[]{
+			"chr\\s*\\(",
+			"mid\\s*\\(",
+			" char\\s*\\(",
+			"sleep\\s*\\(",
+			"user\\s*\\(",
+			"show\\s+tables",
+			"user[\\s]*\\([\\s]*\\)",
+			"show\\s+databases",
+			"sleep\\(\\d*\\)",
+			"sleep\\(.*\\)",
+	};
 	/**
 	 * sql注释的正则
 	 */
 	private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*[\\s\\S]*\\*/");
+	/**
+	 * sql注入提示语
+	 */
+	private final static String SQL_INJECTION_KEYWORD_TIP = "请注意，存在SQL注入关键词---> {}";
+	private final static String SQL_INJECTION_TIP = "请注意，值可能存在SQL注入风险!--->";
+	private final static String SQL_INJECTION_TIP_VARIABLE = "请注意，值可能存在SQL注入风险!---> {}";
+	
 
 	/**
-	 * 针对表字典进行额外的sign签名校验（增加安全机制）
-	 * @param dictCode:
-	 * @param sign:
-	 * @param request:
-	 * @Return: void
+	 * sql注入过滤处理，遇到注入关键字抛异常
+	 * @param values
 	 */
-	private static void checkDictTableSign(String dictCode, String sign, HttpServletRequest request) {
-		//表字典SQL注入漏洞,签名校验
-		String accessToken = request.getHeader("X-Access-Token");
-		String signStr = dictCode + SqlInjectionUtil.TABLE_DICT_SIGN_SALT + accessToken;
-		String javaSign = SecureUtil.md5(signStr);
-		if (!javaSign.equals(sign)) {
-			log.error("表字典，SQL注入漏洞签名校验失败 ：" + sign + "!=" + javaSign+ ",dictCode=" + dictCode);
-			throw new JeecgBootException("无权限访问！");
-		}
-		log.info(" 表字典，SQL注入漏洞签名校验成功！sign=" + sign + ",dictCode=" + dictCode);
+	public static void filterContent(String... values) {
+		filterContent(values, null);
 	}
 
+	/**
+	 * 校验比较严格
+	 * 
+	 * sql注入过滤处理，遇到注入关键字抛异常
+	 *
+	 * @param value
+	 * @return
+	 */
+	public static void filterContent(String value, String customXssString) {
+		if (value == null || "".equals(value)) {
+			return;
+		}
+		// 一、校验sql注释 不允许有sql注释
+		checkSqlAnnotation(value);
+		// 转为小写进行后续比较
+		value = value.toLowerCase().trim();
+		
+		// 二、SQL注入检测存在绕过风险 (普通文本校验)
+		//https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
+		String[] xssArr = XSS_STR.split("\\|");
+		for (int i = 0; i < xssArr.length; i++) {
+			if (value.indexOf(xssArr[i]) > -1) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssArr[i]);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+		// 三、SQL注入检测存在绕过风险 (自定义传入普通文本校验)
+		if (customXssString != null) {
+			String[] xssArr2 = customXssString.split("\\|");
+			for (int i = 0; i < xssArr2.length; i++) {
+				if (value.indexOf(xssArr2[i]) > -1) {
+					log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssArr2[i]);
+					log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+					throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+				}
+			}
+		}
+
+		// 四、SQL注入检测存在绕过风险 (正则校验)
+		for (String regularOriginal : XSS_REGULAR_STR_ARRAY) {
+			String regular = ".*" + regularOriginal + ".*";
+			if (Pattern.matches(regular, value)) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, regularOriginal);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+		return;
+	}
+
+	/**
+	 * 判断是否存在SQL注入关键词字符串
+	 *
+	 * @param keyword
+	 * @return
+	 */
+	@SuppressWarnings("AlibabaUndefineMagicConstant")
+	private static boolean isExistSqlInjectKeyword(String sql, String keyword) {
+		if (sql.startsWith(keyword.trim())) {
+			return true;
+		} else if (sql.contains(keyword)) {
+			if (sql.contains(" " + keyword)) {
+				return true;
+			} else {
+				String regularStr = "\\s+\\S+" + keyword;
+				List<String> resultFindAll = ReUtil.findAll(regularStr, sql, 0, new ArrayList<String>());
+				for (String res : resultFindAll) {
+					log.info("isExistSqlInjectKeyword —- 匹配到的SQL注入关键词：{}", res);
+					/**
+					 * SQL注入中可以替换空格的字符(%09  %0A  %0D  +都可以替代空格)
+					 * http://blog.chinaunix.net/uid-12501104-id-2932639.html
+					 * https://www.cnblogs.com/Vinson404/p/7253255.html
+					 * */
+					if (res.contains("%") || res.contains("+") || res.contains("#") || res.contains("/") || res.contains(")")) {
+						return true;
+					}
+				}
+			}
+		}
+		return false;
+	}
+	
+	/**
+	 * sql注入过滤处理，遇到注入关键字抛异常
+	 * 
+	 * @param values
+	 * @return
+	 */
+	public static void filterContent(String[] values, String customXssString) {
+		for (String val : values) {
+			if (oConvertUtils.isEmpty(val)) {
+				return;
+			}
+			filterContent(val, customXssString);
+		}
+		return;
+	}
+
+	/**
+	 * 【提醒：不通用】
+	 * 仅用于字典条件SQL参数，注入过滤
+	 *
+	 * @param value
+	 * @return
+	 */
+	public static void specialFilterContentForDictSql(String value) {
+		String[] xssArr = specialDictSqlXssStr.split("\\|");
+		if (value == null || "".equals(value)) {
+			return;
+		}
+		// 一、校验sql注释 不允许有sql注释
+		checkSqlAnnotation(value);
+		value = value.toLowerCase().trim();
+		
+		// 二、SQL注入检测存在绕过风险 (普通文本校验)
+		for (int i = 0; i < xssArr.length; i++) {
+			if (isExistSqlInjectKeyword(value, xssArr[i])) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssArr[i]);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+
+		// 三、SQL注入检测存在绕过风险 (正则校验)
+		for (String regularOriginal : XSS_REGULAR_STR_ARRAY) {
+			String regular = ".*" + regularOriginal + ".*";
+			if (Pattern.matches(regular, value)) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, regularOriginal);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+		return;
+	}
+
+    /**
+	 * 【提醒：不通用】
+     *  仅用于Online报表SQL解析，注入过滤
+     * @param value
+     * @return
+     */
+	public static void specialFilterContentForOnlineReport(String value) {
+		String[] xssArr = specialReportXssStr.split("\\|");
+		if (value == null || "".equals(value)) {
+			return;
+		}
+		// 一、校验sql注释 不允许有sql注释
+		checkSqlAnnotation(value);
+		value = value.toLowerCase().trim();
+		
+		// 二、SQL注入检测存在绕过风险 (普通文本校验)
+		for (int i = 0; i < xssArr.length; i++) {
+			if (isExistSqlInjectKeyword(value, xssArr[i])) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, xssArr[i]);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+
+		// 三、SQL注入检测存在绕过风险 (正则校验)
+		for (String regularOriginal : XSS_REGULAR_STR_ARRAY) {
+			String regular = ".*" + regularOriginal + ".*";
+			if (Pattern.matches(regular, value)) {
+				log.error(SqlInjectionUtil.SQL_INJECTION_KEYWORD_TIP, regularOriginal);
+				log.error(SqlInjectionUtil.SQL_INJECTION_TIP_VARIABLE, value);
+				throw new JeecgSqlInjectionException(SqlInjectionUtil.SQL_INJECTION_TIP + value);
+			}
+		}
+		return;
+	}
+
+
+	/**
+	 * 校验是否有sql注释 
+	 * @return
+	 */
+	public static void checkSqlAnnotation(String str){
+		Matcher matcher = SQL_ANNOTATION.matcher(str);
+		if(matcher.find()){
+			String error = "请注意，值可能存在SQL注入风险---> \\*.*\\";
+			log.error(error);
+			throw new JeecgSqlInjectionException(error);
+		}
+	}
+
+
 	/**
 	 * 返回查询表名
 	 * <p>
@@ -71,6 +262,10 @@ public class SqlInjectionUtil {
 	 */
 	private static Pattern tableNamePattern = Pattern.compile("^[a-zA-Z][a-zA-Z0-9_]{0,63}$");
 	public static String getSqlInjectTableName(String table) {
+		if(oConvertUtils.isEmpty(table)){
+			return table;
+		}
+		
 		table = table.trim();
 		/**
 		 * 检验表名是否合法
@@ -102,7 +297,7 @@ public class SqlInjectionUtil {
 	static final Pattern fieldPattern = Pattern.compile("^[a-zA-Z0-9_]+$");
 	public static String getSqlInjectField(String field) {
 		if(oConvertUtils.isEmpty(field)){
-			return null;
+			return field;
 		}
 		
 		field = field.trim();
@@ -110,7 +305,7 @@ public class SqlInjectionUtil {
 		if (field.contains(SymbolConstant.COMMA)) {
 			return getSqlInjectField(field.split(SymbolConstant.COMMA));
 		}
-		
+
 		/**
 		 * 校验表字段是否有效
 		 *
@@ -128,6 +323,13 @@ public class SqlInjectionUtil {
 		return field;
 	}
 
+	/**
+	 * 获取多个字段
+	 * 返回: 逗号拼接
+	 *
+	 * @param fields
+	 * @return
+	 */
 	public static String getSqlInjectField(String... fields) {
 		for (String s : fields) {
 			getSqlInjectField(s);
@@ -135,233 +337,58 @@ public class SqlInjectionUtil {
 		return String.join(SymbolConstant.COMMA, fields);
 	}
 
-	/**
-	 * sql注入过滤处理，遇到注入关键字抛异常
-	 * 
-	 * @param value
-	 * @return
-	 */
-	public static void filterContent(String value, String customXssString) {
-		if (value == null || "".equals(value)) {
-			return;
-		}
-		// 校验sql注释 不允许有sql注释
-		checkSqlAnnotation(value);
-		// 统一转为小写
-		value = value.toLowerCase();
-		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-		//value = value.replaceAll("/\\*.*\\*/","");
-
-		String[] xssArr = XSS_STR.split("\\|");
-		for (int i = 0; i < xssArr.length; i++) {
-			if (value.indexOf(xssArr[i]) > -1) {
-				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
-				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-				throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-			}
-		}
-		//update-begin-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的，还需要额外的校验比如 单引号
-		if (customXssString != null) {
-			String[] xssArr2 = customXssString.split("\\|");
-			for (int i = 0; i < xssArr2.length; i++) {
-				if (value.indexOf(xssArr2[i]) > -1) {
-					log.error("请注意，存在SQL注入关键词---> {}", xssArr2[i]);
-					log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-					throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-				}
-			}
-		}
-		//update-end-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的，还需要额外的校验比如 单引号
-		if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
-			throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-		}
-		return;
-	}
 
 	/**
-	 * sql注入过滤处理，遇到注入关键字抛异常
-	 * @param values
-	 */
-	public static void filterContent(String... values) {
-		filterContent(values, null);
-	}
-
-	/**
-	 * sql注入过滤处理，遇到注入关键字抛异常
-	 * 
-	 * @param values
-	 * @return
-	 */
-	public static void filterContent(String[] values, String customXssString) {
-		String[] xssArr = XSS_STR.split("\\|");
-		for (String value : values) {
-			if (value == null || "".equals(value)) {
-				return;
-			}
-			// 校验sql注释 不允许有sql注释
-			checkSqlAnnotation(value);
-			// 统一转为小写
-			value = value.toLowerCase();
-			//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-			//value = value.replaceAll("/\\*.*\\*/","");
-
-			for (int i = 0; i < xssArr.length; i++) {
-				if (value.indexOf(xssArr[i]) > -1) {
-					log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
-					log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-					throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-				}
-			}
-			//update-begin-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的，还需要额外的校验比如 单引号
-			if (customXssString != null) {
-				String[] xssArr2 = customXssString.split("\\|");
-				for (int i = 0; i < xssArr2.length; i++) {
-					if (value.indexOf(xssArr2[i]) > -1) {
-						log.error("请注意，存在SQL注入关键词---> {}", xssArr2[i]);
-						log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-						throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-					}
-				}
-			}
-			//update-end-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的，还需要额外的校验比如 单引号
-			if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
-				throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-			}
-		}
-		return;
-	}
-
-	/**
-	 * 【提醒：不通用】
-	 * 仅用于字典条件SQL参数，注入过滤
+	 * 获取排序字段
+	 * 返回：字符串
 	 *
-	 * @param value
+	 * 1.将驼峰命名转化成下划线 
+	 * 2.限制sql注入
+	 * @param sortField  排序字段
 	 * @return
 	 */
-	//@Deprecated
-	public static void specialFilterContentForDictSql(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | select | delete | update | drop | count | chr | mid | master | truncate | char | declare |;|+|user()";
-		String[] xssArr = specialXssStr.split("\\|");
-		if (value == null || "".equals(value)) {
-			return;
-		}
-		// 校验sql注释 不允许有sql注释
-		checkSqlAnnotation(value);
-		// 统一转为小写
-		value = value.toLowerCase();
-		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-		//value = value.replaceAll("/\\*.*\\*/","");
-
-		for (int i = 0; i < xssArr.length; i++) {
-			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
-				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
-				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-				throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-			}
-		}
-		if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
-			throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-		}
-		return;
-	}
-
-
-    /**
-	 * 【提醒：不通用】
-     *  仅用于Online报表SQL解析，注入过滤
-     * @param value
-     * @return
-     */
-	//@Deprecated
-	public static void specialFilterContentForOnlineReport(String value) {
-		String specialXssStr = " exec |extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | delete | update | drop | chr | mid | master | truncate | char | declare |user()";
-		String[] xssArr = specialXssStr.split("\\|");
-		if (value == null || "".equals(value)) {
-			return;
-		}
-		// 校验sql注释 不允许有sql注释
-		checkSqlAnnotation(value);
-		// 统一转为小写
-		value = value.toLowerCase();
-		//SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE
-		//value = value.replaceAll("/\\*.*\\*/"," ");
-
-		for (int i = 0; i < xssArr.length; i++) {
-			if (value.indexOf(xssArr[i]) > -1 || value.startsWith(xssArr[i].trim())) {
-				log.error("请注意，存在SQL注入关键词---> {}", xssArr[i]);
-				log.error("请注意，值可能存在SQL注入风险!---> {}", value);
-				throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-			}
-		}
-
-		if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){
-			throw new JeecgSqlInjectionException("请注意，值可能存在SQL注入风险!--->" + value);
-		}
-		return;
-	}
-
-
-	/**
-	 * 判断给定的字段是不是类中的属性
-	 * @param field 字段名
-	 * @param clazz 类对象
-	 * @return
-	 */
-	public static boolean isClassField(String field, Class clazz){
-		Field[] fields = clazz.getDeclaredFields();
-		for(int i=0;i<fields.length;i++){
-			String fieldName = fields[i].getName();
-			String tableColumnName = oConvertUtils.camelToUnderline(fieldName);
-			if(fieldName.equalsIgnoreCase(field) || tableColumnName.equalsIgnoreCase(field)){
-				return true;
-			}
-		}
-		return false;
+	public static String getSqlInjectSortField(String sortField) {
+		String field = SqlInjectionUtil.getSqlInjectField(oConvertUtils.camelToUnderline(sortField));
+		return field;
 	}
 
 	/**
-	 * 判断给定的多个字段是不是类中的属性
-	 * @param fieldSet 字段名set
-	 * @param clazz 类对象
+	 * 获取多个排序字段
+	 * 返回：数组
+	 *
+	 * 1.将驼峰命名转化成下划线 
+	 * 2.限制sql注入
+	 * @param sortFields 多个排序字段
 	 * @return
 	 */
-	public static boolean isClassField(Set<String> fieldSet, Class clazz){
-		Field[] fields = clazz.getDeclaredFields();
-		for(String field: fieldSet){
-			boolean exist = false;
-			for(int i=0;i<fields.length;i++){
-				String fieldName = fields[i].getName();
-				String tableColumnName = oConvertUtils.camelToUnderline(fieldName);
-				if(fieldName.equalsIgnoreCase(field) || tableColumnName.equalsIgnoreCase(field)){
-					exist = true;
-					break;
-				}
-			}
-			if(!exist){
-				return false;
-			}
+	public static List getSqlInjectSortFields(String... sortFields) {
+		List list = new ArrayList<String>();
+		for (String sortField : sortFields) {
+			list.add(getSqlInjectSortField(sortField));
 		}
-		return true;
+		return list;
 	}
 
 	/**
-	 * 校验是否有sql注释 
+	 * 获取 orderBy type
+	 * 返回：字符串
+	 * <p>
+	 * 1.检测是否为 asc 或 desc 其中的一个
+	 * 2.限制sql注入
+	 *
+	 * @param orderType
 	 * @return
 	 */
-	public static void checkSqlAnnotation(String str){
-		Matcher matcher = SQL_ANNOTATION.matcher(str);
-		if(matcher.find()){
-			String error = "请注意，值可能存在SQL注入风险---> \\*.*\\";
-			log.error(error);
-			throw new JeecgSqlInjectionException(error);
+	public static String getSqlInjectOrderType(String orderType) {
+		if (orderType == null) {
+			return null;
 		}
-		
-		// issues/4737 sys/duplicate/check SQL注入 #4737
-		Matcher sleepMatcher = FUN_SLEEP.matcher(str);
-		if(sleepMatcher.find()){
-			String error = "请注意，值可能存在SQL注入风险---> sleep";
-			log.error(error);
-			throw new JeecgSqlInjectionException(error);
+		orderType = orderType.trim();
+		if (CommonConstant.ORDER_TYPE_ASC.equalsIgnoreCase(orderType)) {
+			return CommonConstant.ORDER_TYPE_ASC;
+		} else {
+			return CommonConstant.ORDER_TYPE_DESC;
 		}
 	}
+
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/TokenUtils.java

@@ -11,7 +11,13 @@ import org.jeecg.common.exception.JeecgBoot401Exception;
 import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.vo.LoginUser;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
+import org.jeecg.config.security.JeecgRedisOAuth2AuthorizationService;
+import org.springframework.data.redis.serializer.SerializationException;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+
+import java.util.Objects;
 
 /**
  * @Author scott
@@ -34,6 +40,21 @@ public class TokenUtils {
         }
         return token;
     }
+    
+    /**
+     * 获取 request 里传递的 token
+     * @return
+     */
+    public static String getTokenByRequest() {
+        String token = null;
+        try {
+            HttpServletRequest request = SpringContextUtils.getHttpServletRequest();
+            token = TokenUtils.getTokenByRequest(request);
+        } catch (Exception e) {
+            //e.printStackTrace();
+        }
+        return token;
+    }
 
     /**
      * 获取 request 里传递的 tenantId (租户ID)
@@ -97,7 +118,7 @@ public class TokenUtils {
             throw new JeecgBoot401Exception("账号已被锁定,请联系管理员!");
         }
         // 校验token是否超时失效 & 或者账号密码是否错误
-        if (!jwtTokenRefresh(token, username, user.getPassword(), redisUtil)) {
+        if (!jwtTokenRefresh(token, username, user.getPassword())) {
             throw new JeecgBoot401Exception(CommonConstant.TOKEN_IS_INVALID_MSG);
         }
         return true;
@@ -126,6 +147,15 @@ public class TokenUtils {
         return false;
     }
 
+    private static boolean jwtTokenRefresh(String token, String userName, String passWord) {
+        JeecgRedisOAuth2AuthorizationService authRedis = SpringContextUtils.getBean(JeecgRedisOAuth2AuthorizationService.class);
+        OAuth2Authorization authorization = authRedis.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+        if (Objects.nonNull(authorization) && JwtUtil.verify(token, userName, passWord)) {
+            return true;
+        }
+        return false;
+    }
+
     /**
      * 获取登录用户
      *

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/dynamic/db/FreemarkerParseFactory.java

@@ -169,7 +169,7 @@ public class FreemarkerParseFactory {
         //"where and"
         String whereAnd = DataBaseConstant.SQL_WHERE+" and";
         //", where"
-        String commaWhere = SymbolConstant.COMMA+" "+ DataBaseConstant.SQL_WHERE;
+        String commaWhere = SymbolConstant.COMMA+" "+DataBaseConstant.SQL_WHERE;
         //", "
         String commaSpace = SymbolConstant.COMMA + " ";
         if (sql.endsWith(DataBaseConstant.SQL_WHERE) || sql.endsWith(whereSpace)) {

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/encryption/AesEncryptUtil.java

@@ -1,10 +1,9 @@
 package org.jeecg.common.util.encryption;
 
-import org.apache.shiro.codec.Base64;
-
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+import java.util.Base64;
 
 /**
  * @Description: AES 加密
@@ -49,7 +48,7 @@ public class AesEncryptUtil {
             cipher.init(Cipher.ENCRYPT_MODE, keyspec, ivspec);
             byte[] encrypted = cipher.doFinal(plaintext);
 
-            return Base64.encodeToString(encrypted);
+            return Base64.getEncoder().encodeToString(encrypted);
 
         } catch (Exception e) {
             e.printStackTrace();
@@ -67,7 +66,7 @@ public class AesEncryptUtil {
      */
     public static String desEncrypt(String data, String key, String iv) throws Exception {
         //update-begin-author:taoyan date:2022-5-23 for:VUEN-1084 【vue3】online表单测试发现的新问题 6、解密报错 ---解码失败应该把异常抛出去，在外面处理
-        byte[] encrypted1 = Base64.decode(data);
+        byte[] encrypted1 = Base64.getDecoder().decode(data);
 
         Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
         SecretKeySpec keyspec = new SecretKeySpec(key.getBytes(), "AES");

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/filter/SsrfFileTypeFilter.java

@@ -4,27 +4,68 @@ import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 
+import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.List;
 
 /**
- * @Description: 校验上传文件敏感后缀
+ * @Description: 校验文件敏感后缀
  * @author: lsq
- * @date: 2021年08月09日 15:29
+ * @date: 2023年09月12日 15:29
  */
 @Slf4j
-public class FileTypeFilter {
-
-    /**文件后缀*/
-    private static String[] forbidType = {"jsp","php"};
+public class SsrfFileTypeFilter {
 
+    /**
+     * 允许操作文件类型白名单
+     */
+    private final static List<String> FILE_TYPE_WHITE_LIST = new ArrayList<>();
     /**初始化文件头类型，不够的自行补充*/
     final static HashMap<String, String> FILE_TYPE_MAP = new HashMap<>();
-
     static {
+        //图片文件
+        FILE_TYPE_WHITE_LIST.add("jpg");
+        FILE_TYPE_WHITE_LIST.add("jpeg");
+        FILE_TYPE_WHITE_LIST.add("png");
+        FILE_TYPE_WHITE_LIST.add("gif");
+        FILE_TYPE_WHITE_LIST.add("bmp");
+        FILE_TYPE_WHITE_LIST.add("svg");
+        FILE_TYPE_WHITE_LIST.add("ico");
+
+        //文本文件
+        FILE_TYPE_WHITE_LIST.add("txt");
+        FILE_TYPE_WHITE_LIST.add("doc");
+        FILE_TYPE_WHITE_LIST.add("docx");
+        FILE_TYPE_WHITE_LIST.add("pdf");
+        FILE_TYPE_WHITE_LIST.add("csv");
+//        FILE_TYPE_WHITE_LIST.add("xml");
+
+        //音视频文件
+        FILE_TYPE_WHITE_LIST.add("mp4");
+        FILE_TYPE_WHITE_LIST.add("avi");
+        FILE_TYPE_WHITE_LIST.add("mov");
+        FILE_TYPE_WHITE_LIST.add("wmv");
+        FILE_TYPE_WHITE_LIST.add("mp3");
+        FILE_TYPE_WHITE_LIST.add("wav");
+
+        //表格文件
+        FILE_TYPE_WHITE_LIST.add("xls");
+        FILE_TYPE_WHITE_LIST.add("xlsx");
+
+        //压缩文件
+        FILE_TYPE_WHITE_LIST.add("zip");
+        FILE_TYPE_WHITE_LIST.add("rar");
+        FILE_TYPE_WHITE_LIST.add("7z");
+        FILE_TYPE_WHITE_LIST.add("tar");
+
+        //设置禁止文件的头部标记
         FILE_TYPE_MAP.put("3c25402070616765206c", "jsp");
         FILE_TYPE_MAP.put("3c3f7068700a0a2f2a2a0a202a205048", "php");
+        FILE_TYPE_MAP.put("cafebabe0000002e0041", "class");
+        FILE_TYPE_MAP.put("494e5345525420494e54", "sql");
        /* fileTypeMap.put("ffd8ffe000104a464946", "jpg");
         fileTypeMap.put("89504e470d0a1a0a0000", "png");
         fileTypeMap.put("47494638396126026f01", "gif");
@@ -89,17 +130,38 @@ public class FileTypeFilter {
         return fileName.substring(fileName.lastIndexOf(".") + 1, fileName.length());
     }
 
+
     /**
-     * 文件类型过滤
+     * 下载文件类型过滤
+     *
+     * @param filePath
+     */
+    public static void checkDownloadFileType(String filePath) throws IOException {
+        //文件后缀
+        String suffix = getFileTypeBySuffix(filePath);
+        log.info("suffix:{}", suffix);
+        boolean isAllowExtension = FILE_TYPE_WHITE_LIST.contains(suffix.toLowerCase());
+        //是否允许下载的文件
+        if (!isAllowExtension) {
+            throw new IOException("下载失败，存在非法文件类型：" + suffix);
+        }
+    }
+
+
+    /**
+     * 上传文件类型过滤
      *
      * @param file
      */
-    public static void fileTypeFilter(MultipartFile file) throws Exception {
+    public static void checkUploadFileType(MultipartFile file) throws Exception {
+        //获取文件真是后缀
         String suffix = getFileType(file);
-        for (String type : forbidType) {
-            if (type.contains(suffix)) {
-                throw new Exception("上传失败，非法文件类型：" + suffix);
-            }
+
+        log.info("suffix:{}", suffix);
+        boolean isAllowExtension = FILE_TYPE_WHITE_LIST.contains(suffix.toLowerCase());
+        //是否允许下载的文件
+        if (!isAllowExtension) {
+            throw new Exception("上传失败，存在非法文件类型：" + suffix);
         }
     }
 

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/oConvertUtils.java

@@ -7,7 +7,7 @@ import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.springframework.beans.BeanUtils;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
@@ -168,6 +168,17 @@ public class oConvertUtils {
 		}
 	}
 	
+	public static Integer getInteger(Object object, Integer defval) {
+		if (isEmpty(object)) {
+			return (defval);
+		}
+		try {
+			return (Integer.parseInt(object.toString()));
+		} catch (NumberFormatException e) {
+			return (defval);
+		}
+	}
+	
 	public static Integer getInt(Object object) {
 		if (isEmpty(object)) {
 			return null;
@@ -402,7 +413,7 @@ public class oConvertUtils {
 			return false;
 		}
 
-		String[] childs = childArray.toArray(new String[]{});
+		String[] childs = (String[]) childArray.toArray();
 		for (String v : childs) {
 			if (!isIn(v, all)) {
 				return false;
@@ -702,9 +713,20 @@ public class oConvertUtils {
 			if (isArray(oldVal)) {
 				return equalityOfArrays((Object[]) oldVal, (Object[]) newVal);
 			}else if(oldVal instanceof JSONArray){
-				return equalityOfJSONArray((JSONArray) oldVal, (JSONArray) newVal);
+				if(newVal instanceof JSONArray){
+					return equalityOfJSONArray((JSONArray) oldVal, (JSONArray) newVal);
+				}else{
+					if (isEmpty(newVal) && (oldVal == null || ((JSONArray) oldVal).size() == 0)) {
+						return true;
+					}
+					List<Object> arrayStr = Arrays.asList(newVal.toString().split(","));
+					JSONArray newValArray = new JSONArray(arrayStr);
+					return equalityOfJSONArray((JSONArray) oldVal, newValArray);
+				}
+			}else{
+				return oldVal.equals(newVal);
 			}
-			return oldVal.equals(newVal);
+			
 		} else {
 			if (oldVal == null && newVal == null) {
 				return true;
@@ -742,7 +764,7 @@ public class oConvertUtils {
 			Object[] newValArray = newVal.toArray();
 			return equalityOfArrays(oldValArray,newValArray);
 		} else {
-			if (oldVal == null && newVal == null) {
+			if ((oldVal == null || oldVal.size() == 0) && (newVal == null || newVal.size() == 0)) {
 				return true;
 			} else {
 				return false;
@@ -750,6 +772,38 @@ public class oConvertUtils {
 		}
 	}
 
+	/**
+	 * 比较带逗号的字符串
+	 * QQYUN-5212【简流】按日期触发 多选 人员组件 选择顺序不一致时 不触发，应该是统一问题 包括多选部门组件
+	 * @param oldVal
+	 * @param newVal
+	 * @return
+	 */
+	public static boolean equalityOfStringArrays(String oldVal, String newVal) {
+		if(oldVal.equals(newVal)){
+			return true;
+		}
+		if(oldVal.indexOf(",")>=0 && newVal.indexOf(",")>=0){
+			String[] arr1 = oldVal.split(",");
+			String[] arr2 = newVal.split(",");
+			if(arr1.length == arr2.length){
+				boolean flag = true;
+				Map<String, Integer> map = new HashMap<>();
+				for(String s1: arr1){
+					map.put(s1, 1);
+				}
+				for(String s2: arr2){
+					if(map.get(s2) == null){
+						flag = false;
+						break;
+					}
+				}
+				return flag;
+			}
+		}
+		return false;
+	}
+	
 	/**
 	 * 判断两个数组是否相等（数组元素不分顺序）
 	 *
@@ -763,7 +817,7 @@ public class oConvertUtils {
 			Arrays.sort(newVal);
 			return Arrays.equals(oldVal, newVal);
 		} else {
-			if (oldVal == null && newVal == null) {
+			if ((oldVal == null || oldVal.length == 0) && (newVal == null || newVal.length == 0)) {
 				return true;
 			} else {
 				return false;
@@ -807,4 +861,85 @@ public class oConvertUtils {
 		}
 		return json;
 	}
+
+	/**
+	 * 将List 转成 JSONArray
+	 * @return
+	 */
+	public static JSONArray list2JSONArray(List<String> list){
+		if(list==null || list.size()==0){
+			return null;
+		}
+		JSONArray array = new JSONArray();
+		for(String str: list){
+			array.add(str);
+		}
+		return array;
+	}
+
+	/**
+	 * 判断两个list中的元素是否完全一致
+	 * QQYUN-5326【简流】获取组织人员 单/多 筛选条件 没有部门筛选
+	 * @return
+	 */
+	public static boolean isEqList(List<String> list1, List<String> list2){
+		if(list1.size() != list2.size()){
+			return false;
+		}
+		for(String str1: list1){
+			boolean flag = false;
+			for(String str2: list2){
+				if(str1.equals(str2)){
+					flag = true;
+					break;
+				}
+			}
+			if(!flag){
+				return false;
+			}
+		}
+		return true;
+	}
+
+
+	/**
+	 * 判断 list1中的元素是否在list2中出现
+	 * QQYUN-5326【简流】获取组织人员 单/多 筛选条件 没有部门筛选
+	 * @param list1
+	 * @param list2
+	 * @return
+	 */
+	public static boolean isInList(List<String> list1, List<String> list2){
+		for(String str1: list1){
+			boolean flag = false;
+			for(String str2: list2){
+				if(str1.equals(str2)){
+					flag = true;
+					break;
+				}
+			}
+			if(flag){
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * 计算文件大小转成MB
+	 * @param uploadCount
+	 * @return
+	 */
+	public static Double calculateFileSizeToMb(Long uploadCount){
+		double count = 0.0;
+		if(uploadCount>0) {
+			BigDecimal bigDecimal = new BigDecimal(uploadCount);
+			//换算成MB
+			BigDecimal divide = bigDecimal.divide(new BigDecimal(1048576));
+			count = divide.setScale(2, BigDecimal.ROUND_HALF_UP).doubleValue();
+			return count;
+		}
+		return count;
+	}
+	
 }

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/oss/OssBootUtil.java

@@ -11,7 +11,7 @@ import org.apache.commons.fileupload.FileItemStream;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.CommonUtils;
-import org.jeecg.common.util.filter.FileTypeFilter;
+import org.jeecg.common.util.filter.SsrfFileTypeFilter;
 import org.jeecg.common.util.filter.StrAttackFilter;
 import org.jeecg.common.util.oConvertUtils;
 import org.springframework.web.multipart.MultipartFile;
@@ -98,7 +98,7 @@ public class OssBootUtil {
      */
     public static String upload(MultipartFile file, String fileDir,String customBucket) throws Exception {
         //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
-        FileTypeFilter.fileTypeFilter(file);
+        SsrfFileTypeFilter.checkUploadFileType(file);
         //update-end-author:liusq date:20210809 for: 过滤上传文件类型
 
         String filePath = null;

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/InjectionAstNodeVisitor.java

@@ -0,0 +1,33 @@
+package org.jeecg.common.util.sqlInjection;
+
+import net.sf.jsqlparser.parser.CCJSqlParserDefaultVisitor;
+import net.sf.jsqlparser.parser.SimpleNode;
+import net.sf.jsqlparser.statement.select.UnionOp;
+import org.jeecg.common.exception.JeecgSqlInjectionException;
+
+/**
+ * 基于抽象语法树(AST)的注入攻击分析实现
+ *
+ * @author guyadong
+ */
+public class InjectionAstNodeVisitor extends CCJSqlParserDefaultVisitor {
+    public InjectionAstNodeVisitor() {
+    }
+
+    /**
+     * 处理禁止联合查询
+     *
+     * @param node
+     * @param data
+     * @return
+     */
+    @Override
+    public Object visit(SimpleNode node, Object data) {
+        Object value = node.jjtGetValue();
+        if (value instanceof UnionOp) {
+            throw new JeecgSqlInjectionException("DISABLE UNION");
+        }
+        return super.visit(node, data);
+    }
+}
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/InjectionSyntaxObjectAnalyzer.java

@@ -0,0 +1,172 @@
+package org.jeecg.common.util.sqlInjection;
+
+
+import net.sf.jsqlparser.expression.BinaryExpression;
+import net.sf.jsqlparser.expression.Expression;
+import net.sf.jsqlparser.expression.Function;
+import net.sf.jsqlparser.expression.operators.conditional.AndExpression;
+import net.sf.jsqlparser.expression.operators.conditional.OrExpression;
+import net.sf.jsqlparser.expression.operators.relational.ComparisonOperator;
+import net.sf.jsqlparser.schema.Column;
+import net.sf.jsqlparser.statement.select.Join;
+import net.sf.jsqlparser.statement.select.OrderByElement;
+import net.sf.jsqlparser.statement.select.PlainSelect;
+import net.sf.jsqlparser.statement.select.SelectItem;
+import net.sf.jsqlparser.statement.select.SubSelect;
+import net.sf.jsqlparser.statement.select.WithItem;
+import net.sf.jsqlparser.util.TablesNamesFinder;
+import org.jeecg.common.exception.JeecgSqlInjectionException;
+import org.jeecg.common.util.sqlInjection.parse.ConstAnalyzer;
+import org.jeecg.common.util.sqlInjection.parse.ParserSupport;
+
+/**
+ * 基于SQL语法对象的SQL注入攻击分析实现
+ *
+ * @author guyadong
+ */
+public class InjectionSyntaxObjectAnalyzer extends TablesNamesFinder {
+    /**
+     * 危险函数名
+     */
+    private static final String DANGROUS_FUNCTIONS = "(sleep|benchmark|extractvalue|updatexml|ST_LatFromGeoHash|ST_LongFromGeoHash|GTID_SUBSET|GTID_SUBTRACT|floor|ST_Pointfromgeohash"
+            + "|geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)";
+
+    private static ThreadLocal<Boolean> disableSubselect = new ThreadLocal<Boolean>() {
+        @Override
+        protected Boolean initialValue() {
+            return true;
+        }
+    };
+    private ConstAnalyzer constAnalyzer = new ConstAnalyzer();
+
+    public InjectionSyntaxObjectAnalyzer() {
+        super();
+        init(true);
+
+    }
+
+    @Override
+    public void visitBinaryExpression(BinaryExpression binaryExpression) {
+        if (binaryExpression instanceof ComparisonOperator) {
+            if (isConst(binaryExpression.getLeftExpression()) && isConst(binaryExpression.getRightExpression())) {
+                /** 禁用恒等式 */
+                throw new JeecgSqlInjectionException("DISABLE IDENTICAL EQUATION " + binaryExpression);
+            }
+        }
+        super.visitBinaryExpression(binaryExpression);
+    }
+
+    @Override
+    public void visit(AndExpression andExpression) {
+        super.visit(andExpression);
+        checkConstExpress(andExpression.getLeftExpression());
+        checkConstExpress(andExpression.getRightExpression());
+    }
+
+    @Override
+    public void visit(OrExpression orExpression) {
+        super.visit(orExpression);
+        checkConstExpress(orExpression.getLeftExpression());
+        checkConstExpress(orExpression.getRightExpression());
+    }
+
+    @Override
+    public void visit(Function function) {
+        if (function.getName().matches(DANGROUS_FUNCTIONS)) {
+            /** 禁用危险函数 */
+            throw new JeecgSqlInjectionException("DANGROUS FUNCTION: " + function.getName());
+        }
+        super.visit(function);
+    }
+
+    @Override
+    public void visit(WithItem withItem) {
+        try {
+            /** 允许 WITH 语句中的子查询 */
+            disableSubselect.set(false);
+            super.visit(withItem);
+        } finally {
+            disableSubselect.set(true);
+        }
+    }
+
+    @Override
+    public void visit(SubSelect subSelect) {
+        try {
+            /** 允许语句中的子查询 */
+            disableSubselect.set(false);
+            super.visit(subSelect);
+        } finally {
+            disableSubselect.set(true);
+        }
+//        if (disableSubselect.get()) {
+//            // 禁用子查询
+//            throw new JeecgSqlInjectionException("DISABLE subselect " + subSelect);
+//        }
+    }
+
+    @Override
+    public void visit(Column tableColumn) {
+        if (ParserSupport.isBoolean(tableColumn)) {
+            throw new JeecgSqlInjectionException("DISABLE CONST BOOL " + tableColumn);
+        }
+        super.visit(tableColumn);
+    }
+
+    @Override
+    public void visit(PlainSelect plainSelect) {
+        if (plainSelect.getSelectItems() != null) {
+            for (SelectItem item : plainSelect.getSelectItems()) {
+                item.accept(this);
+            }
+        }
+
+        if (plainSelect.getFromItem() != null) {
+            plainSelect.getFromItem().accept(this);
+        }
+
+        if (plainSelect.getJoins() != null) {
+            for (Join join : plainSelect.getJoins()) {
+                join.getRightItem().accept(this);
+                for (Expression e : join.getOnExpressions()) {
+                    e.accept(this);
+                }
+            }
+        }
+        if (plainSelect.getWhere() != null) {
+            plainSelect.getWhere().accept(this);
+            checkConstExpress(plainSelect.getWhere());
+        }
+
+        if (plainSelect.getHaving() != null) {
+            plainSelect.getHaving().accept(this);
+        }
+
+        if (plainSelect.getOracleHierarchical() != null) {
+            plainSelect.getOracleHierarchical().accept(this);
+        }
+        if (plainSelect.getOrderByElements() != null) {
+            for (OrderByElement orderByElement : plainSelect.getOrderByElements()) {
+                orderByElement.getExpression().accept(this);
+            }
+        }
+        if (plainSelect.getGroupBy() != null) {
+            for (Expression expression : plainSelect.getGroupBy().getGroupByExpressionList().getExpressions()) {
+                expression.accept(this);
+            }
+        }
+    }
+
+    private boolean isConst(Expression expression) {
+        return constAnalyzer.isConstExpression(expression);
+    }
+
+    private void checkConstExpress(Expression expression) {
+        if (constAnalyzer.isConstExpression(expression)) {
+            /** 禁用常量表达式 */
+            throw new JeecgSqlInjectionException("DISABLE CONST EXPRESSION " + expression);
+        }
+    }
+}
+
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/SqlInjectionAnalyzer.java

@@ -0,0 +1,65 @@
+package org.jeecg.common.util.sqlInjection;
+
+import org.jeecg.common.exception.JeecgSqlInjectionException;
+import org.jeecg.common.util.sqlInjection.parse.ParserSupport;
+;
+
+/**
+ * SQL注入攻击分析器
+ *
+ * @author guyadong
+ * 参考:
+ * https://blog.csdn.net/10km/article/details/127767358
+ * https://gitee.com/l0km/sql2java/tree/dev/sql2java-manager/src/main/java/gu/sql2java/parser
+ */
+public class SqlInjectionAnalyzer {
+
+    //启用/关闭注入攻击检查
+    private boolean injectCheckEnable = true;
+    //防止SQL注入攻击分析实现
+    private final InjectionSyntaxObjectAnalyzer injectionChecker;
+    private final InjectionAstNodeVisitor injectionVisitor;
+
+    public SqlInjectionAnalyzer() {
+        this.injectionChecker = new InjectionSyntaxObjectAnalyzer();
+        this.injectionVisitor = new InjectionAstNodeVisitor();
+    }
+
+    /**
+     * 启用/关闭注入攻击检查,默认启动
+     *
+     * @param enable
+     * @return
+     */
+    public SqlInjectionAnalyzer injectCheckEnable(boolean enable) {
+        injectCheckEnable = enable;
+        return this;
+    }
+
+    /**
+     * 对解析后的SQL对象执行注入攻击分析，有注入攻击的危险则抛出异常{@link JeecgSqlInjectionException}
+     *
+     * @param sqlParserInfo
+     * @throws JeecgSqlInjectionException
+     */
+    public ParserSupport.SqlParserInfo injectAnalyse(ParserSupport.SqlParserInfo sqlParserInfo) throws JeecgSqlInjectionException {
+        if (null != sqlParserInfo && injectCheckEnable) {
+            /** SQL注入攻击检查 */
+            sqlParserInfo.statement.accept(injectionChecker);
+            sqlParserInfo.simpleNode.jjtAccept(injectionVisitor, null);
+        }
+        return sqlParserInfo;
+    }
+
+    /**
+     * sql校验
+     */
+    public static void checkSql(String sql,boolean check){
+        SqlInjectionAnalyzer sqlInjectionAnalyzer = new SqlInjectionAnalyzer();
+        sqlInjectionAnalyzer.injectCheckEnable(check);
+        ParserSupport.SqlParserInfo sqlParserInfo = ParserSupport.parse0(sql, null,null);
+        sqlInjectionAnalyzer.injectAnalyse(sqlParserInfo);
+    }
+}
+
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/parse/ConstAnalyzer.java

@@ -0,0 +1,601 @@
+package org.jeecg.common.util.sqlInjection.parse;
+
+import net.sf.jsqlparser.expression.AllValue;
+import net.sf.jsqlparser.expression.AnalyticExpression;
+import net.sf.jsqlparser.expression.AnyComparisonExpression;
+import net.sf.jsqlparser.expression.ArrayConstructor;
+import net.sf.jsqlparser.expression.ArrayExpression;
+import net.sf.jsqlparser.expression.BinaryExpression;
+import net.sf.jsqlparser.expression.CaseExpression;
+import net.sf.jsqlparser.expression.CastExpression;
+import net.sf.jsqlparser.expression.CollateExpression;
+import net.sf.jsqlparser.expression.ConnectByRootOperator;
+import net.sf.jsqlparser.expression.DateTimeLiteralExpression;
+import net.sf.jsqlparser.expression.DateValue;
+import net.sf.jsqlparser.expression.DoubleValue;
+import net.sf.jsqlparser.expression.Expression;
+import net.sf.jsqlparser.expression.ExpressionVisitor;
+import net.sf.jsqlparser.expression.ExtractExpression;
+import net.sf.jsqlparser.expression.Function;
+import net.sf.jsqlparser.expression.HexValue;
+import net.sf.jsqlparser.expression.IntervalExpression;
+import net.sf.jsqlparser.expression.JdbcNamedParameter;
+import net.sf.jsqlparser.expression.JdbcParameter;
+import net.sf.jsqlparser.expression.JsonAggregateFunction;
+import net.sf.jsqlparser.expression.JsonExpression;
+import net.sf.jsqlparser.expression.JsonFunction;
+import net.sf.jsqlparser.expression.JsonFunctionExpression;
+import net.sf.jsqlparser.expression.KeepExpression;
+import net.sf.jsqlparser.expression.LongValue;
+import net.sf.jsqlparser.expression.MySQLGroupConcat;
+import net.sf.jsqlparser.expression.NextValExpression;
+import net.sf.jsqlparser.expression.NotExpression;
+import net.sf.jsqlparser.expression.NullValue;
+import net.sf.jsqlparser.expression.NumericBind;
+import net.sf.jsqlparser.expression.OracleHierarchicalExpression;
+import net.sf.jsqlparser.expression.OracleHint;
+import net.sf.jsqlparser.expression.OracleNamedFunctionParameter;
+import net.sf.jsqlparser.expression.Parenthesis;
+import net.sf.jsqlparser.expression.RowConstructor;
+import net.sf.jsqlparser.expression.RowGetExpression;
+import net.sf.jsqlparser.expression.SignedExpression;
+import net.sf.jsqlparser.expression.StringValue;
+import net.sf.jsqlparser.expression.TimeKeyExpression;
+import net.sf.jsqlparser.expression.TimeValue;
+import net.sf.jsqlparser.expression.TimestampValue;
+import net.sf.jsqlparser.expression.TimezoneExpression;
+import net.sf.jsqlparser.expression.TryCastExpression;
+import net.sf.jsqlparser.expression.UserVariable;
+import net.sf.jsqlparser.expression.ValueListExpression;
+import net.sf.jsqlparser.expression.VariableAssignment;
+import net.sf.jsqlparser.expression.WhenClause;
+import net.sf.jsqlparser.expression.XMLSerializeExpr;
+import net.sf.jsqlparser.expression.operators.arithmetic.Addition;
+import net.sf.jsqlparser.expression.operators.arithmetic.BitwiseAnd;
+import net.sf.jsqlparser.expression.operators.arithmetic.BitwiseLeftShift;
+import net.sf.jsqlparser.expression.operators.arithmetic.BitwiseOr;
+import net.sf.jsqlparser.expression.operators.arithmetic.BitwiseRightShift;
+import net.sf.jsqlparser.expression.operators.arithmetic.BitwiseXor;
+import net.sf.jsqlparser.expression.operators.arithmetic.Concat;
+import net.sf.jsqlparser.expression.operators.arithmetic.Division;
+import net.sf.jsqlparser.expression.operators.arithmetic.IntegerDivision;
+import net.sf.jsqlparser.expression.operators.arithmetic.Modulo;
+import net.sf.jsqlparser.expression.operators.arithmetic.Multiplication;
+import net.sf.jsqlparser.expression.operators.arithmetic.Subtraction;
+import net.sf.jsqlparser.expression.operators.conditional.AndExpression;
+import net.sf.jsqlparser.expression.operators.conditional.OrExpression;
+import net.sf.jsqlparser.expression.operators.conditional.XorExpression;
+import net.sf.jsqlparser.expression.operators.relational.Between;
+import net.sf.jsqlparser.expression.operators.relational.EqualsTo;
+import net.sf.jsqlparser.expression.operators.relational.ExistsExpression;
+import net.sf.jsqlparser.expression.operators.relational.ExpressionList;
+import net.sf.jsqlparser.expression.operators.relational.FullTextSearch;
+import net.sf.jsqlparser.expression.operators.relational.GeometryDistance;
+import net.sf.jsqlparser.expression.operators.relational.GreaterThan;
+import net.sf.jsqlparser.expression.operators.relational.GreaterThanEquals;
+import net.sf.jsqlparser.expression.operators.relational.InExpression;
+import net.sf.jsqlparser.expression.operators.relational.IsBooleanExpression;
+import net.sf.jsqlparser.expression.operators.relational.IsDistinctExpression;
+import net.sf.jsqlparser.expression.operators.relational.IsNullExpression;
+import net.sf.jsqlparser.expression.operators.relational.ItemsListVisitor;
+import net.sf.jsqlparser.expression.operators.relational.JsonOperator;
+import net.sf.jsqlparser.expression.operators.relational.LikeExpression;
+import net.sf.jsqlparser.expression.operators.relational.Matches;
+import net.sf.jsqlparser.expression.operators.relational.MinorThan;
+import net.sf.jsqlparser.expression.operators.relational.MinorThanEquals;
+import net.sf.jsqlparser.expression.operators.relational.MultiExpressionList;
+import net.sf.jsqlparser.expression.operators.relational.NamedExpressionList;
+import net.sf.jsqlparser.expression.operators.relational.NotEqualsTo;
+import net.sf.jsqlparser.expression.operators.relational.RegExpMatchOperator;
+import net.sf.jsqlparser.expression.operators.relational.RegExpMySQLOperator;
+import net.sf.jsqlparser.expression.operators.relational.SimilarToExpression;
+import net.sf.jsqlparser.schema.Column;
+import net.sf.jsqlparser.statement.select.AllColumns;
+import net.sf.jsqlparser.statement.select.AllTableColumns;
+import net.sf.jsqlparser.statement.select.OrderByElement;
+import net.sf.jsqlparser.statement.select.SubSelect;
+
+/**
+ * 判断表达是否为常量的分析器
+ *
+ * @author guyadong
+ */
+public class ConstAnalyzer implements ExpressionVisitor, ItemsListVisitor {
+
+    private static ThreadLocal<Boolean> constFlag = new ThreadLocal<Boolean>() {
+        @Override
+        protected Boolean initialValue() {
+            return true;
+        }
+    };
+
+    @Override
+    public void visit(NullValue value) {
+    }
+
+    @Override
+    public void visit(Function function) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(SignedExpression expr) {
+        expr.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(JdbcParameter parameter) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(JdbcNamedParameter parameter) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(DoubleValue value) {
+
+    }
+
+    @Override
+    public void visit(LongValue value) {
+
+    }
+
+    @Override
+    public void visit(DateValue value) {
+
+    }
+
+    @Override
+    public void visit(TimeValue value) {
+
+    }
+
+    @Override
+    public void visit(TimestampValue value) {
+
+    }
+
+    @Override
+    public void visit(Parenthesis parenthesis) {
+        parenthesis.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(StringValue value) {
+
+    }
+
+    @Override
+    public void visit(Addition expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Division expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(IntegerDivision expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Multiplication expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Subtraction expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(AndExpression expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(OrExpression expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(XorExpression expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Between expr) {
+        expr.getLeftExpression().accept(this);
+        expr.getBetweenExpressionStart().accept(this);
+        expr.getBetweenExpressionEnd().accept(this);
+    }
+
+    @Override
+    public void visit(EqualsTo expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(GreaterThan expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(GreaterThanEquals expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(InExpression expr) {
+        if (expr.getLeftExpression() != null) {
+            expr.getLeftExpression().accept(this);
+        }
+    }
+
+    @Override
+    public void visit(IsNullExpression expr) {
+        expr.getLeftExpression().accept(this);
+    }
+
+    @Override
+    public void visit(FullTextSearch expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(IsBooleanExpression expr) {
+        expr.getLeftExpression().accept(this);
+    }
+
+    @Override
+    public void visit(LikeExpression expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(MinorThan expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(MinorThanEquals expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(NotEqualsTo expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Column column) {
+        if (!ParserSupport.isBoolean(column)) {
+            constFlag.set(false);
+        }
+    }
+
+    @Override
+    public void visit(SubSelect subSelect) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(CaseExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(WhenClause expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(ExistsExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(AnyComparisonExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(Concat expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(Matches expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(BitwiseAnd expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(BitwiseOr expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(BitwiseXor expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(CastExpression expr) {
+        expr.getLeftExpression().accept(this);
+    }
+
+    @Override
+    public void visit(TryCastExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(Modulo expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(AnalyticExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(ExtractExpression expr) {
+        expr.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(IntervalExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(OracleHierarchicalExpression expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(RegExpMatchOperator expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(ExpressionList expressionList) {
+        for (Expression expr : expressionList.getExpressions()) {
+            expr.accept(this);
+        }
+    }
+
+    @Override
+    public void visit(NamedExpressionList namedExpressionList) {
+        for (Expression expr : namedExpressionList.getExpressions()) {
+            expr.accept(this);
+        }
+    }
+
+    @Override
+    public void visit(MultiExpressionList multiExprList) {
+        for (ExpressionList list : multiExprList.getExpressionLists()) {
+            visit(list);
+        }
+    }
+
+    @Override
+    public void visit(NotExpression notExpr) {
+        notExpr.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(BitwiseRightShift expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(BitwiseLeftShift expr) {
+        visitBinaryExpression(expr);
+    }
+
+    protected void visitBinaryExpression(BinaryExpression expr) {
+        expr.getLeftExpression().accept(this);
+        expr.getRightExpression().accept(this);
+    }
+
+    @Override
+    public void visit(JsonExpression jsonExpr) {
+        jsonExpr.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(JsonOperator expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(RegExpMySQLOperator expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(UserVariable var) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(NumericBind bind) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(KeepExpression expr) {
+        for (OrderByElement element : expr.getOrderByElements()) {
+            element.getExpression().accept(this);
+        }
+    }
+
+    @Override
+    public void visit(MySQLGroupConcat groupConcat) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(ValueListExpression valueListExpression) {
+        for (Expression expr : valueListExpression.getExpressionList().getExpressions()) {
+            expr.accept(this);
+        }
+    }
+
+    @Override
+    public void visit(AllColumns allColumns) {
+
+    }
+
+    @Override
+    public void visit(AllTableColumns allTableColumns) {
+
+    }
+
+    @Override
+    public void visit(AllValue allValue) {
+
+    }
+
+    @Override
+    public void visit(IsDistinctExpression isDistinctExpression) {
+        visitBinaryExpression(isDistinctExpression);
+    }
+
+    @Override
+    public void visit(RowGetExpression rowGetExpression) {
+        rowGetExpression.getExpression().accept(this);
+    }
+
+    @Override
+    public void visit(HexValue hexValue) {
+
+    }
+
+    @Override
+    public void visit(OracleHint hint) {
+
+    }
+
+    @Override
+    public void visit(TimeKeyExpression timeKeyExpression) {
+
+    }
+
+    @Override
+    public void visit(DateTimeLiteralExpression literal) {
+    }
+
+    @Override
+    public void visit(NextValExpression nextVal) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(CollateExpression col) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(SimilarToExpression expr) {
+        visitBinaryExpression(expr);
+    }
+
+    @Override
+    public void visit(ArrayExpression array) {
+        array.getObjExpression().accept(this);
+        if (array.getIndexExpression() != null) {
+            array.getIndexExpression().accept(this);
+        }
+        if (array.getStartIndexExpression() != null) {
+            array.getStartIndexExpression().accept(this);
+        }
+        if (array.getStopIndexExpression() != null) {
+            array.getStopIndexExpression().accept(this);
+        }
+    }
+
+    @Override
+    public void visit(ArrayConstructor aThis) {
+        for (Expression expression : aThis.getExpressions()) {
+            expression.accept(this);
+        }
+    }
+
+    @Override
+    public void visit(VariableAssignment var) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(XMLSerializeExpr expr) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(TimezoneExpression expr) {
+        expr.getLeftExpression().accept(this);
+    }
+
+    @Override
+    public void visit(JsonAggregateFunction expression) {
+        Expression expr = expression.getExpression();
+        if (expr != null) {
+            expr.accept(this);
+        }
+
+        expr = expression.getFilterExpression();
+        if (expr != null) {
+            expr.accept(this);
+        }
+    }
+
+    @Override
+    public void visit(JsonFunction expression) {
+        for (JsonFunctionExpression expr : expression.getExpressions()) {
+            expr.getExpression().accept(this);
+        }
+    }
+
+    @Override
+    public void visit(ConnectByRootOperator connectByRootOperator) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(OracleNamedFunctionParameter oracleNamedFunctionParameter) {
+        constFlag.set(false);
+    }
+
+    @Override
+    public void visit(GeometryDistance geometryDistance) {
+        visitBinaryExpression(geometryDistance);
+    }
+
+    @Override
+    public void visit(RowConstructor rowConstructor) {
+        constFlag.set(false);
+    }
+
+    public boolean isConstExpression(Expression expression) {
+        if (null != expression) {
+            constFlag.set(true);
+            expression.accept(this);
+            return constFlag.get();
+        }
+        return false;
+    }
+}
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/parse/ParserSupport.java

@@ -0,0 +1,177 @@
+package org.jeecg.common.util.sqlInjection.parse;
+
+import lombok.extern.slf4j.Slf4j;
+import net.sf.jsqlparser.JSQLParserException;
+import net.sf.jsqlparser.parser.*;
+import net.sf.jsqlparser.schema.Column;
+import net.sf.jsqlparser.statement.Statement;
+import net.sf.jsqlparser.statement.select.PlainSelect;
+import net.sf.jsqlparser.statement.select.Select;
+import net.sf.jsqlparser.statement.select.SelectBody;
+
+import static com.google.common.base.Preconditions.checkArgument;
+import static com.google.common.base.Preconditions.checkNotNull;
+
+import java.lang.reflect.InvocationTargetException;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import com.google.common.base.Throwables;
+import org.jeecg.common.exception.JeecgBootException;
+import org.jeecg.common.exception.JeecgSqlInjectionException;
+
+/**
+ * 解析sql支持
+ */
+@Slf4j
+public class ParserSupport {
+    /**
+     * 解析SELECT SQL语句,解析失败或非SELECT语句则抛出异常
+     *
+     * @param sql
+     * @return
+     */
+    public static Select parseSelect(String sql) {
+        Statement stmt;
+        try {
+            stmt = CCJSqlParserUtil.parse(checkNotNull(sql, "sql is null"));
+        } catch (JSQLParserException e) {
+            throw new JeecgBootException(e);
+        }
+        checkArgument(stmt instanceof Select, "%s is not  SELECT statment", sql);
+        Select select = (Select) stmt;
+        SelectBody selectBody = select.getSelectBody();
+        // 暂时只支持简单的SELECT xxxx FROM ....语句不支持复杂语句如WITH
+        checkArgument(selectBody instanceof PlainSelect, "ONLY SUPPORT plain select statement %s", sql);
+        return (Select) stmt;
+    }
+
+    /**
+     * 解析SELECT SQL语句,解析失败或非SELECT语句则
+     *
+     * @param sql
+     * @return
+     */
+    public static Select parseSelectUnchecked(String sql) {
+        try {
+            return parseSelect(sql);
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    /**
+     * 实现SQL语句解析,解析成功则返回解析后的{@link Statement}，
+     * 并通过{@code visitor}参数提供基于AST(抽象语法树)的遍历所有节点的能力。
+     *
+     * @param sql                 SQL语句
+     * @param visitor             遍历所有节点的{@link SimpleNodeVisitor}接口实例，为{@code null}忽略
+     * @param sqlSyntaxNormalizer SQL语句分析转换器，为{@code null}忽略
+     * @throws JSQLParserException 输入的SQL语句有语法错误
+     * @see #parse0(String, CCJSqlParserVisitor, SqlSyntaxNormalizer)
+     */
+    public static Statement parse(String sql, CCJSqlParserVisitor visitor, SqlSyntaxNormalizer sqlSyntaxNormalizer) throws JSQLParserException {
+        return parse0(sql, visitor, sqlSyntaxNormalizer).statement;
+    }
+
+    /**
+     * 参照{@link CCJSqlParserUtil#parseAST(String)}和{@link CCJSqlParserUtil#parse(String)}实现SQL语句解析,
+     * 解析成功则返回解析后的{@link SqlParserInfo}对象，
+     * 并通过{@code visitor}参数提供基于AST(抽象语法树)的遍历所有节点的能力。
+     *
+     * @param sql               SQL语句
+     * @param visitor           遍历所有节点的{@link SimpleNodeVisitor}接口实例，为{@code null}忽略
+     * @param sqlSyntaxAnalyzer SQL语句分析转换器，为{@code null}忽略
+     * @throws JSQLParserException 输入的SQL语句有语法错误
+     * @see net.sf.jsqlparser.parser.Node#jjtAccept(SimpleNodeVisitor, Object)
+     */
+    public static SqlParserInfo parse0(String sql, CCJSqlParserVisitor visitor, SqlSyntaxNormalizer sqlSyntaxAnalyzer) throws JeecgSqlInjectionException {
+
+        //检查是否非select开头，暂不支持
+        if(!sql.toLowerCase().trim().startsWith("select ")) {
+            log.warn("传入sql 非select开头，不支持非select开头的语句解析！");
+            return null;
+        }
+
+        //检查是否存储过程，暂不支持
+        if(sql.toLowerCase().trim().startsWith("call ")){
+            log.warn("传入call 开头存储过程，不支持存储过程解析！");
+            return null;
+        }
+
+        //检查特殊语义的特殊字符，目前检查冒号、$、#三种特殊语义字符
+        String specialCharacters = "[:$#]";
+        Pattern pattern = Pattern.compile(specialCharacters);
+        Matcher matcher = pattern.matcher(sql);
+        if (matcher.find()) {
+            sql = sql.replaceAll("[:$#]", "@");
+        }
+
+        checkArgument(null != sql, "sql is null");
+        boolean allowComplexParsing = CCJSqlParserUtil.getNestingDepth(sql) <= CCJSqlParserUtil.ALLOWED_NESTING_DEPTH;
+
+        CCJSqlParser parser = CCJSqlParserUtil.newParser(sql).withAllowComplexParsing(allowComplexParsing);
+        Statement stmt;
+        try {
+            stmt = parser.Statement();
+        } catch (Exception ex) {
+            log.error("请注意，SQL语法可能存在问题---> {}", ex.getMessage());
+            throw new JeecgSqlInjectionException("请注意，SQL语法可能存在问题:"+sql);
+        }
+        if (null != visitor) {
+            parser.getASTRoot().jjtAccept(visitor, null);
+        }
+        if (null != sqlSyntaxAnalyzer) {
+            stmt.accept(sqlSyntaxAnalyzer.resetChanged());
+        }
+        return new SqlParserInfo(stmt.toString(), stmt, (SimpleNode) parser.getASTRoot());
+    }
+
+    /**
+     * 调用{@link CCJSqlParser}解析SQL语句部件返回解析生成的对象,如{@code 'ORDER BY id DESC'}
+     *
+     * @param <T>
+     * @param input
+     * @param method     指定调用的{@link CCJSqlParser}解析方法
+     * @param targetType 返回的解析对象类型
+     * @return
+     * @since 3.18.3
+     */
+    public static <T> T parseComponent(String input, String method, Class<T> targetType) {
+        try {
+            CCJSqlParser parser = new CCJSqlParser(new StringProvider(input));
+            try {
+                return checkNotNull(targetType, "targetType is null").cast(parser.getClass().getMethod(method).invoke(parser));
+            } catch (InvocationTargetException e) {
+                Throwables.throwIfUnchecked(e.getTargetException());
+                throw new RuntimeException(e.getTargetException());
+            }
+        } catch (IllegalAccessException | NoSuchMethodException | SecurityException e) {
+            Throwables.throwIfUnchecked(e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * 如果{@link Column}没有定义table,且字段名为true/false(不区分大小写)则视为布尔常量
+     *
+     * @param column
+     */
+    public static boolean isBoolean(Column column) {
+        return null != column && null == column.getTable() &&
+                Pattern.compile("(true|false)", Pattern.CASE_INSENSITIVE).matcher(column.getColumnName()).matches();
+    }
+
+    public static class SqlParserInfo {
+        public String nativeSql;
+        public Statement statement;
+        public SimpleNode simpleNode;
+
+        SqlParserInfo(String nativeSql, Statement statement, SimpleNode simpleNode) {
+            this.nativeSql = nativeSql;
+            this.statement = statement;
+            this.simpleNode = simpleNode;
+        }
+    }
+}
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlInjection/parse/SqlSyntaxNormalizer.java

@@ -0,0 +1,37 @@
+package org.jeecg.common.util.sqlInjection.parse;
+
+import net.sf.jsqlparser.util.TablesNamesFinder;
+
+/**
+ *  SQL语句分析转换器基类<br>
+ * 基于SQL语法对象实现对SQL的修改
+ * （暂时用不到）
+ *
+ * @author guyadong
+ * @since 3.17.0
+ */
+public class SqlSyntaxNormalizer extends TablesNamesFinder {
+    protected static final ThreadLocal<Boolean> changed = new ThreadLocal<>();
+
+    public SqlSyntaxNormalizer() {
+        super();
+        init(true);
+
+    }
+
+    /**
+     * 语句改变返回{@code true},否则返回{@code false}
+     */
+    public boolean changed() {
+        return Boolean.TRUE.equals(changed.get());
+    }
+
+    /**
+     * 复位线程局部变量{@link #changed}状态
+     */
+    public SqlSyntaxNormalizer resetChanged() {
+        changed.remove();
+        return this;
+    }
+}
+

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlparse/JSqlParserAllTableManager.java

@@ -0,0 +1,255 @@
+package org.jeecg.common.util.sqlparse;
+
+import lombok.extern.slf4j.Slf4j;
+import net.sf.jsqlparser.JSQLParserException;
+import net.sf.jsqlparser.expression.*;
+import net.sf.jsqlparser.parser.CCJSqlParserManager;
+import net.sf.jsqlparser.schema.Column;
+import net.sf.jsqlparser.schema.Table;
+import net.sf.jsqlparser.statement.Statement;
+import net.sf.jsqlparser.statement.select.*;
+import org.jeecg.common.exception.JeecgBootException;
+import org.jeecg.common.util.sqlparse.vo.SelectSqlInfo;
+
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * 解析所有表名和字段的类
+ */
+@Slf4j
+public class JSqlParserAllTableManager {
+
+    private final String sql;
+    private final Map<String, SelectSqlInfo> allTableMap = new HashMap<>();
+    /**
+     * 别名对应实际表名
+     */
+    private final Map<String, String> tableAliasMap = new HashMap<>();
+
+    /**
+     * 解析后的sql
+     */
+    private String parsedSql = null;
+
+    JSqlParserAllTableManager(String selectSql) {
+        this.sql = selectSql;
+    }
+
+    /**
+     * 开始解析
+     *
+     * @return
+     * @throws JSQLParserException
+     */
+    public Map<String, SelectSqlInfo> parse() throws JSQLParserException {
+        // 1. 创建解析器
+        CCJSqlParserManager mgr = new CCJSqlParserManager();
+        // 2. 使用解析器解析sql生成具有层次结构的java类
+        Statement stmt = mgr.parse(new StringReader(this.sql));
+        if (stmt instanceof Select) {
+            Select selectStatement = (Select) stmt;
+            SelectBody selectBody = selectStatement.getSelectBody();
+            this.parsedSql = selectBody.toString();
+            // 3. 解析select查询sql的信息
+            if (selectBody instanceof PlainSelect) {
+                PlainSelect plainSelect = (PlainSelect) selectBody;
+                // 4. 合并 fromItems
+                List<FromItem> fromItems = new ArrayList<>();
+                fromItems.add(plainSelect.getFromItem());
+                // 4.1 处理join的表
+                List<Join> joins = plainSelect.getJoins();
+                if (joins != null) {
+                    joins.forEach(join -> fromItems.add(join.getRightItem()));
+                }
+                // 5. 处理 fromItems
+                for (FromItem fromItem : fromItems) {
+                    // 5.1 通过表名的方式from
+                    if (fromItem instanceof Table) {
+                        this.addSqlInfoByTable((Table) fromItem);
+                    }
+                    // 5.2 通过子查询的方式from
+                    else if (fromItem instanceof SubSelect) {
+                        this.handleSubSelect((SubSelect) fromItem);
+                    }
+                }
+                // 6. 解析 selectFields
+                List<SelectItem> selectItems = plainSelect.getSelectItems();
+                for (SelectItem selectItem : selectItems) {
+                    // 6.1 查询的是全部字段
+                    if (selectItem instanceof AllColumns) {
+                        // 当 selectItem 为 AllColumns 时，fromItem 必定为 Table
+                        String tableName = plainSelect.getFromItem(Table.class).getName();
+                        // 此处必定不为空，因为在解析 fromItem 时，已经将表名添加到 allTableMap 中
+                        SelectSqlInfo sqlInfo = this.allTableMap.get(tableName);
+                        assert sqlInfo != null;
+                        // 设置为查询全部字段
+                        sqlInfo.setSelectAll(true);
+                        sqlInfo.setSelectFields(null);
+                        sqlInfo.setRealSelectFields(null);
+                    }
+                    // 6.2 查询的是带表别名（ u.* )的全部字段
+                    else if (selectItem instanceof AllTableColumns) {
+                        AllTableColumns allTableColumns = (AllTableColumns) selectItem;
+                        String aliasName = allTableColumns.getTable().getName();
+                        // 通过别名获取表名
+                        String tableName = this.tableAliasMap.get(aliasName);
+                        if (tableName == null) {
+                            tableName = aliasName;
+                        }
+                        SelectSqlInfo sqlInfo = this.allTableMap.get(tableName);
+                        // 如果此处为空，则说明该字段是通过子查询获取的，所以可以不处理，只有实际表才需要处理
+                        if (sqlInfo != null) {
+                            // 设置为查询全部字段
+                            sqlInfo.setSelectAll(true);
+                            sqlInfo.setSelectFields(null);
+                            sqlInfo.setRealSelectFields(null);
+                        }
+                    }
+                    // 6.3 各种字段表达式处理
+                    else if (selectItem instanceof SelectExpressionItem) {
+                        SelectExpressionItem selectExpressionItem = (SelectExpressionItem) selectItem;
+                        Expression expression = selectExpressionItem.getExpression();
+                        Alias alias = selectExpressionItem.getAlias();
+                        this.handleExpression(expression, alias, plainSelect.getFromItem());
+                    }
+                }
+            } else {
+                log.warn("暂时尚未处理该类型的 SelectBody: {}", selectBody.getClass().getName());
+                throw new JeecgBootException("暂时尚未处理该类型的 SelectBody");
+            }
+        } else {
+            // 非 select 查询sql，不做处理
+            throw new JeecgBootException("非 select 查询sql，不做处理");
+        }
+        return this.allTableMap;
+    }
+
+    /**
+     * 处理子查询
+     *
+     * @param subSelect
+     */
+    private void handleSubSelect(SubSelect subSelect) {
+        try {
+            String subSelectSql = subSelect.getSelectBody().toString();
+            // 递归调用解析
+            Map<String, SelectSqlInfo> map = JSqlParserUtils.parseAllSelectTable(subSelectSql);
+            if (map != null) {
+                this.assignMap(map);
+            }
+        } catch (Exception e) {
+            log.error("解析子查询出错", e);
+        }
+    }
+
+    /**
+     * 处理查询字段表达式
+     *
+     * @param expression
+     */
+    private void handleExpression(Expression expression, Alias alias, FromItem fromItem) {
+        // 处理函数式字段  CONCAT(name,'(',age,')')
+        if (expression instanceof Function) {
+            Function functionExp = (Function) expression;
+            List<Expression> expressions = functionExp.getParameters().getExpressions();
+            for (Expression expItem : expressions) {
+                this.handleExpression(expItem, null, fromItem);
+            }
+            return;
+        }
+        // 处理字段上的子查询
+        if (expression instanceof SubSelect) {
+            this.handleSubSelect((SubSelect) expression);
+            return;
+        }
+        // 不处理字面量
+        if (expression instanceof StringValue ||
+                expression instanceof NullValue ||
+                expression instanceof LongValue ||
+                expression instanceof DoubleValue ||
+                expression instanceof HexValue ||
+                expression instanceof DateValue ||
+                expression instanceof TimestampValue ||
+                expression instanceof TimeValue
+        ) {
+            return;
+        }
+
+        // 处理字段
+        if (expression instanceof Column) {
+            Column column = (Column) expression;
+            // 查询字段名
+            String fieldName = column.getColumnName();
+            String aliasName = fieldName;
+            if (alias != null) {
+                aliasName = alias.getName();
+            }
+            String tableName;
+            if (column.getTable() != null) {
+                // 通过列的表名获取 sqlInfo
+                // 例如 user.name，这里的 tableName 就是 user
+                tableName = column.getTable().getName();
+                // 有可能是别名，需要转换为真实表名
+                if (this.tableAliasMap.get(tableName) != null) {
+                    tableName = this.tableAliasMap.get(tableName);
+                }
+            } else {
+                // 当column的table为空时，说明是 fromItem 中的字段
+                tableName = ((Table) fromItem).getName();
+            }
+            SelectSqlInfo $sqlInfo = this.allTableMap.get(tableName);
+            if ($sqlInfo != null) {
+                $sqlInfo.addSelectField(aliasName, fieldName);
+            } else {
+                log.warn("发生意外情况，未找到表名为 {} 的 SelectSqlInfo", tableName);
+            }
+        }
+    }
+
+    /**
+     * 根据表名添加sqlInfo
+     *
+     * @param table
+     */
+    private void addSqlInfoByTable(Table table) {
+        String tableName = table.getName();
+        // 解析 aliasName
+        if (table.getAlias() != null) {
+            this.tableAliasMap.put(table.getAlias().getName(), tableName);
+        }
+        SelectSqlInfo sqlInfo = new SelectSqlInfo(this.parsedSql);
+        sqlInfo.setFromTableName(table.getName());
+        this.allTableMap.put(sqlInfo.getFromTableName(), sqlInfo);
+    }
+
+    /**
+     * 合并map
+     *
+     * @param source
+     */
+    private void assignMap(Map<String, SelectSqlInfo> source) {
+        for (Map.Entry<String, SelectSqlInfo> entry : source.entrySet()) {
+            SelectSqlInfo sqlInfo = this.allTableMap.get(entry.getKey());
+            if (sqlInfo == null) {
+                this.allTableMap.put(entry.getKey(), entry.getValue());
+            } else {
+                // 合并
+                if (sqlInfo.getSelectFields() == null) {
+                    sqlInfo.setSelectFields(entry.getValue().getSelectFields());
+                } else {
+                    sqlInfo.getSelectFields().addAll(entry.getValue().getSelectFields());
+                }
+                if (sqlInfo.getRealSelectFields() == null) {
+                    sqlInfo.setRealSelectFields(entry.getValue().getRealSelectFields());
+                } else {
+                    sqlInfo.getRealSelectFields().addAll(entry.getValue().getRealSelectFields());
+                }
+            }
+        }
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlparse/JSqlParserUtils.java

@@ -0,0 +1,184 @@
+package org.jeecg.common.util.sqlparse;
+
+import lombok.extern.slf4j.Slf4j;
+import net.sf.jsqlparser.JSQLParserException;
+import net.sf.jsqlparser.expression.*;
+import net.sf.jsqlparser.parser.CCJSqlParserManager;
+import net.sf.jsqlparser.schema.Column;
+import net.sf.jsqlparser.schema.Table;
+import net.sf.jsqlparser.statement.Statement;
+import net.sf.jsqlparser.statement.select.*;
+import org.jeecg.common.exception.JeecgBootException;
+import org.jeecg.common.util.oConvertUtils;
+import org.jeecg.common.util.sqlparse.vo.SelectSqlInfo;
+
+import java.io.StringReader;
+import java.util.List;
+import java.util.Map;
+
+@Slf4j
+public class JSqlParserUtils {
+
+    /**
+     * 解析 查询（select）sql的信息，
+     * 此方法会展开所有子查询到一个map里，
+     * key只存真实的表名，如果查询的没有真实的表名，则会被忽略。
+     * value只存真实的字段名，如果查询的没有真实的字段名，则会被忽略。
+     * <p>
+     * 例如：SELECT a.*,d.age,(SELECT count(1) FROM sys_depart) AS count FROM (SELECT username AS foo, realname FROM sys_user) a, demo d
+     * 解析后的结果为：{sys_user=[username, realname], demo=[age], sys_depart=[]}
+     *
+     * @param selectSql
+     * @return
+     */
+    public static Map<String, SelectSqlInfo> parseAllSelectTable(String selectSql) throws JSQLParserException {
+        if (oConvertUtils.isEmpty(selectSql)) {
+            return null;
+        }
+        // log.info("解析查询Sql：{}", selectSql);
+        JSqlParserAllTableManager allTableManager = new JSqlParserAllTableManager(selectSql);
+        return allTableManager.parse();
+    }
+
+    /**
+     * 解析 查询（select）sql的信息，子查询嵌套
+     *
+     * @param selectSql
+     * @return
+     */
+    public static SelectSqlInfo parseSelectSqlInfo(String selectSql) throws JSQLParserException {
+        if (oConvertUtils.isEmpty(selectSql)) {
+            return null;
+        }
+        // log.info("解析查询Sql：{}", selectSql);
+        // 使用 JSqlParer 解析sql
+        // 1、创建解析器
+        CCJSqlParserManager mgr = new CCJSqlParserManager();
+        // 2、使用解析器解析sql生成具有层次结构的java类
+        Statement stmt = mgr.parse(new StringReader(selectSql));
+        if (stmt instanceof Select) {
+            Select selectStatement = (Select) stmt;
+            // 3、解析select查询sql的信息
+            return JSqlParserUtils.parseBySelectBody(selectStatement.getSelectBody());
+        } else {
+            // 非 select 查询sql，不做处理
+            throw new JeecgBootException("非 select 查询sql，不做处理");
+        }
+    }
+
+    /**
+     * 解析 select 查询sql的信息
+     *
+     * @param selectBody
+     * @return
+     */
+    private static SelectSqlInfo parseBySelectBody(SelectBody selectBody) {
+        // 简单的select查询
+        if (selectBody instanceof PlainSelect) {
+            SelectSqlInfo sqlInfo = new SelectSqlInfo(selectBody);
+            PlainSelect plainSelect = (PlainSelect) selectBody;
+            FromItem fromItem = plainSelect.getFromItem();
+            // 解析 aliasName
+            if (fromItem.getAlias() != null) {
+                sqlInfo.setFromTableAliasName(fromItem.getAlias().getName());
+            }
+            // 解析 表名
+            if (fromItem instanceof Table) {
+                // 通过表名的方式from
+                Table fromTable = (Table) fromItem;
+                sqlInfo.setFromTableName(fromTable.getName());
+            } else if (fromItem instanceof SubSelect) {
+                // 通过子查询的方式from
+                SubSelect fromSubSelect = (SubSelect) fromItem;
+                SelectSqlInfo subSqlInfo = JSqlParserUtils.parseBySelectBody(fromSubSelect.getSelectBody());
+                sqlInfo.setFromSubSelect(subSqlInfo);
+            }
+            // 解析 selectFields
+            List<SelectItem> selectItems = plainSelect.getSelectItems();
+            for (SelectItem selectItem : selectItems) {
+                if (selectItem instanceof AllColumns || selectItem instanceof AllTableColumns) {
+                    // 全部字段
+                    sqlInfo.setSelectAll(true);
+                    sqlInfo.setSelectFields(null);
+                    sqlInfo.setRealSelectFields(null);
+                    break;
+                } else if (selectItem instanceof SelectExpressionItem) {
+                    // 获取单个查询字段名
+                    SelectExpressionItem selectExpressionItem = (SelectExpressionItem) selectItem;
+                    Expression expression = selectExpressionItem.getExpression();
+                    Alias alias = selectExpressionItem.getAlias();
+                    JSqlParserUtils.handleExpression(sqlInfo, expression, alias);
+                }
+            }
+            return sqlInfo;
+        } else {
+            log.warn("暂时尚未处理该类型的 SelectBody: {}", selectBody.getClass().getName());
+            throw new JeecgBootException("暂时尚未处理该类型的 SelectBody");
+        }
+    }
+
+    /**
+     * 处理查询字段表达式
+     *
+     * @param sqlInfo
+     * @param expression
+     * @param alias      是否有别名，无传null
+     */
+    private static void handleExpression(SelectSqlInfo sqlInfo, Expression expression, Alias alias) {
+        // 处理函数式字段  CONCAT(name,'(',age,')')
+        if (expression instanceof Function) {
+            JSqlParserUtils.handleFunctionExpression((Function) expression, sqlInfo);
+            return;
+        }
+        // 处理字段上的子查询
+        if (expression instanceof SubSelect) {
+            SubSelect subSelect = (SubSelect) expression;
+            SelectSqlInfo subSqlInfo = JSqlParserUtils.parseBySelectBody(subSelect.getSelectBody());
+            // 注：字段上的子查询，必须只查询一个字段，否则会报错，所以可以放心合并
+            sqlInfo.getSelectFields().addAll(subSqlInfo.getSelectFields());
+            sqlInfo.getRealSelectFields().addAll(subSqlInfo.getAllRealSelectFields());
+            return;
+        }
+        // 不处理字面量
+        if (expression instanceof StringValue ||
+                expression instanceof NullValue ||
+                expression instanceof LongValue ||
+                expression instanceof DoubleValue ||
+                expression instanceof HexValue ||
+                expression instanceof DateValue ||
+                expression instanceof TimestampValue ||
+                expression instanceof TimeValue
+        ) {
+            return;
+        }
+
+        // 查询字段名
+        String selectField = expression.toString();
+        // 实际查询字段名
+        String realSelectField = selectField;
+        // 判断是否有别名
+        if (alias != null) {
+            selectField = alias.getName();
+        }
+        // 获取真实字段名
+        if (expression instanceof Column) {
+            Column column = (Column) expression;
+            realSelectField = column.getColumnName();
+        }
+        sqlInfo.addSelectField(selectField, realSelectField);
+    }
+
+    /**
+     * 处理函数式字段
+     *
+     * @param functionExp
+     * @param sqlInfo
+     */
+    private static void handleFunctionExpression(Function functionExp, SelectSqlInfo sqlInfo) {
+        List<Expression> expressions = functionExp.getParameters().getExpressions();
+        for (Expression expression : expressions) {
+            JSqlParserUtils.handleExpression(sqlInfo, expression, null);
+        }
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/common/util/sqlparse/vo/SelectSqlInfo.java

@@ -0,0 +1,101 @@
+package org.jeecg.common.util.sqlparse.vo;
+
+import lombok.Data;
+import net.sf.jsqlparser.statement.select.SelectBody;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * select 查询 sql 的信息
+ */
+@Data
+public class SelectSqlInfo {
+
+    /**
+     * 查询的表名，如果是子查询，则此处为null
+     */
+    private String fromTableName;
+    /**
+     * 表别名
+     */
+    private String fromTableAliasName;
+    /**
+     * 通过子查询获取的表信息，例如：select name from (select * from user) u
+     * 如果不是子查询，则为null
+     */
+    private SelectSqlInfo fromSubSelect;
+    /**
+     * 查询的字段集合，如果是 * 则为null，如果设了别名则为别名
+     */
+    private Set<String> selectFields;
+    /**
+     * 真实的查询字段集合，如果是 * 则为null，如果设了别名则为原始字段名
+     */
+    private Set<String> realSelectFields;
+    /**
+     * 是否是查询所有字段
+     */
+    private boolean selectAll;
+
+    /**
+     * 解析之后的 SQL （关键字都是大写）
+     */
+    private final String parsedSql;
+
+    public SelectSqlInfo(String parsedSql) {
+        this.parsedSql = parsedSql;
+    }
+
+    public SelectSqlInfo(SelectBody selectBody) {
+        this.parsedSql = selectBody.toString();
+    }
+
+    public void addSelectField(String selectField, String realSelectField) {
+        if (this.selectFields == null) {
+            this.selectFields = new HashSet<>();
+        }
+        if (this.realSelectFields == null) {
+            this.realSelectFields = new HashSet<>();
+        }
+        this.selectFields.add(selectField);
+        this.realSelectFields.add(realSelectField);
+    }
+
+    /**
+     * 获取所有字段，包括子查询里的。
+     *
+     * @return
+     */
+    public Set<String> getAllRealSelectFields() {
+        Set<String> fields = new HashSet<>();
+        // 递归获取所有字段，起个直观的方法名为：
+        this.recursiveGetAllFields(this, fields);
+        return fields;
+    }
+
+    /**
+     * 递归获取所有字段
+     */
+    private void recursiveGetAllFields(SelectSqlInfo sqlInfo, Set<String> fields) {
+        if (!sqlInfo.isSelectAll() && sqlInfo.getRealSelectFields() != null) {
+            fields.addAll(sqlInfo.getRealSelectFields());
+        }
+        if (sqlInfo.getFromSubSelect() != null) {
+            recursiveGetAllFields(sqlInfo.getFromSubSelect(), fields);
+        }
+    }
+
+    @Override
+    public String toString() {
+        return "SelectSqlInfo{" +
+                "fromTableName='" + fromTableName + '\'' +
+                ", fromSubSelect=" + fromSubSelect +
+                ", aliasName='" + fromTableAliasName + '\'' +
+                ", selectFields=" + selectFields +
+                ", realSelectFields=" + realSelectFields +
+                ", selectAll=" + selectAll +
+                "}";
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/AutoPoiDictConfig.java

@@ -3,7 +3,7 @@ package org.jeecg.config;
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.annotation.Resource;
+import jakarta.annotation.Resource;
 
 import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.system.vo.DictModel;
@@ -59,7 +59,9 @@ public class AutoPoiDictConfig implements AutoPoiDictServiceI {
 
 
 		for (DictModel t : dictList) {
-			if(t!=null){
+			//update-begin---author:liusq   Date:20230517  for：[issues/4917]excel 导出异常---
+			if(t!=null && t.getText()!=null && t.getValue()!=null){
+			//update-end---author:liusq     Date:20230517  for：[issues/4917]excel 导出异常---
 				//update-begin---author:scott   Date:20211220  for：[issues/I4MBB3]@Excel dicText字段的值有下划线时，导入功能不能正确解析---
 				if(t.getValue().contains(EXCEL_SPLIT_TAG)){
 					String val = t.getValue().replace(EXCEL_SPLIT_TAG,TEMP_EXCEL_SPLIT_TAG);

jeecg-boot-base-core/src/main/java/org/jeecg/config/DruidConfig.java

@@ -2,7 +2,9 @@ package org.jeecg.config;
 
 import java.io.IOException;
 
-import javax.servlet.*;
+import com.alibaba.druid.spring.boot3.autoconfigure.DruidDataSourceAutoConfigure;
+import com.alibaba.druid.spring.boot3.autoconfigure.properties.DruidStatProperties;
+import jakarta.servlet.*;
 
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -11,8 +13,6 @@ import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import com.alibaba.druid.spring.boot.autoconfigure.DruidDataSourceAutoConfigure;
-import com.alibaba.druid.spring.boot.autoconfigure.properties.DruidStatProperties;
 import com.alibaba.druid.util.Utils;
 
 /**

jeecg-boot-base-core/src/main/java/org/jeecg/config/DruidWallConfigRegister.java

@@ -0,0 +1,47 @@
+package org.jeecg.config;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.SpringApplicationRunListener;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.core.env.MapPropertySource;
+import org.springframework.core.env.MutablePropertySources;
+import org.springframework.core.env.PropertySource;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * @author eightmonth@qq.com
+ * @date 2024/4/8 11:37
+ */
+public class DruidWallConfigRegister implements SpringApplicationRunListener {
+
+    public SpringApplication application;
+
+    private String[] args;
+
+
+    /**
+     * 必备，否则启动报错
+     * @param application
+     * @param args
+     */
+    public DruidWallConfigRegister(SpringApplication application, String[] args) {
+        this.application = application;
+        this.args = args;
+    }
+
+    @Override
+    public void contextLoaded(ConfigurableApplicationContext context) {
+        ConfigurableEnvironment env = context.getEnvironment();
+        Map<String, Object> props = new HashMap<>();
+        props.put("spring.datasource.dynamic.druid.wall.selectWhereAlwayTrueCheck", false);
+
+        MutablePropertySources propertySources = env.getPropertySources();
+
+        PropertySource<Map<String, Object>> propertySource = new MapPropertySource("jeecg-datasource-config", props);
+
+        propertySources.addLast(propertySource);
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/JeecgBaseConfig.java

@@ -1,9 +1,6 @@
 package org.jeecg.config;
 
-import org.jeecg.config.vo.DomainUrl;
-import org.jeecg.config.vo.Elasticsearch;
-import org.jeecg.config.vo.Path;
-import org.jeecg.config.vo.Shiro;
+import org.jeecg.config.vo.*;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
@@ -29,14 +26,12 @@ public class JeecgBaseConfig {
      * 本地：local\Minio：minio\阿里云：alioss
      */
     private String uploadType;
+    
     /**
-     * 是否启用安全模式
+     * 平台安全模式配置
      */
-    private Boolean safeMode = false;
-    /**
-     * shiro拦截排除
-     */
-    private Shiro shiro;
+    private Firewall firewall;
+    
     /**
      * 上传文件配置
      */
@@ -58,6 +53,13 @@ public class JeecgBaseConfig {
      */
     private Elasticsearch elasticsearch;
 
+    /**
+     * 微信支付
+     * @return
+     */
+    private WeiXinPay weiXinPay;
+    
+    
     public Elasticsearch getElasticsearch() {
         return elasticsearch;
     }
@@ -66,12 +68,12 @@ public class JeecgBaseConfig {
         this.elasticsearch = elasticsearch;
     }
 
-    public Boolean getSafeMode() {
-        return safeMode;
+    public Firewall getFirewall() {
+        return firewall;
     }
 
-    public void setSafeMode(Boolean safeMode) {
-        this.safeMode = safeMode;
+    public void setFirewall(Firewall firewall) {
+        this.firewall = firewall;
     }
 
     public String getSignatureSecret() {
@@ -82,14 +84,6 @@ public class JeecgBaseConfig {
         this.signatureSecret = signatureSecret;
     }
 
-    public Shiro getShiro() {
-        return shiro;
-    }
-
-    public void setShiro(Shiro shiro) {
-        this.shiro = shiro;
-    }
-
     public Path getPath() {
         return path;
     }
@@ -129,4 +123,13 @@ public class JeecgBaseConfig {
     public void setUploadType(String uploadType) {
         this.uploadType = uploadType;
     }
+
+    public WeiXinPay getWeiXinPay() {
+        return weiXinPay;
+    }
+
+    public void setWeiXinPay(WeiXinPay weiXinPay) {
+        this.weiXinPay = weiXinPay;
+    }
+    
 }

jeecg-boot-base-core/src/main/java/org/jeecg/config/Swagger2Config.java

@@ -1,183 +1,183 @@
-package org.jeecg.config;
-
-
-import com.github.xiaoymin.knife4j.spring.annotations.EnableKnife4j;
-import io.swagger.annotations.ApiOperation;
-import org.jeecg.common.constant.CommonConstant;
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.config.BeanPostProcessor;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
-import org.springframework.util.ReflectionUtils;
-import org.springframework.web.bind.annotation.RestController;
-import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping;
-import springfox.bean.validators.configuration.BeanValidatorPluginsConfiguration;
-import springfox.documentation.builders.ApiInfoBuilder;
-import springfox.documentation.builders.ParameterBuilder;
-import springfox.documentation.builders.PathSelectors;
-import springfox.documentation.builders.RequestHandlerSelectors;
-import springfox.documentation.oas.annotations.EnableOpenApi;
-import springfox.documentation.schema.ModelRef;
-import springfox.documentation.service.*;
-import springfox.documentation.spi.DocumentationType;
-import springfox.documentation.spi.service.contexts.SecurityContext;
-import springfox.documentation.spring.web.plugins.Docket;
-import springfox.documentation.spring.web.plugins.WebFluxRequestHandlerProvider;
-import springfox.documentation.spring.web.plugins.WebMvcRequestHandlerProvider;
-import springfox.documentation.swagger2.annotations.EnableSwagger2;
-
-import java.lang.reflect.Field;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-import java.util.stream.Collectors;
-
-/**
- * @Author scott
- */
-@Configuration
-@EnableSwagger2    //开启 Swagger2
-@EnableKnife4j     //开启 knife4j，可以不写
-@Import(BeanValidatorPluginsConfiguration.class)
-public class Swagger2Config implements WebMvcConfigurer {
-
-    /**
-     *
-     * 显示swagger-ui.html文档展示页，还必须注入swagger资源：
-     *
-     * @param registry
-     */
-    @Override
-    public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
-        registry.addResourceHandler("doc.html").addResourceLocations("classpath:/META-INF/resources/");
-        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
-    }
-
-    /**
-     * swagger2的配置文件，这里可以配置swagger2的一些基本的内容，比如扫描的包等等
-     *
-     * @return Docket
-     */
-    @Bean(value = "defaultApi2")
-    public Docket defaultApi2() {
-        return new Docket(DocumentationType.SWAGGER_2)
-                .apiInfo(apiInfo())
-                .select()
-                //此包路径下的类，才生成接口文档
-                .apis(RequestHandlerSelectors.basePackage("org.jeecg"))
-                //加了ApiOperation注解的类，才生成接口文档
-                .apis(RequestHandlerSelectors.withClassAnnotation(RestController.class))
-                .apis(RequestHandlerSelectors.withMethodAnnotation(ApiOperation.class))
-                .paths(PathSelectors.any())
-                .build()
-                .securitySchemes(Collections.singletonList(securityScheme()))
-                .securityContexts(securityContexts())
-                .globalOperationParameters(setHeaderToken());
-    }
-
-    /***
-     * oauth2配置
-     * 需要增加swagger授权回调地址
-     * http://localhost:8888/webjars/springfox-swagger-ui/o2c.html
-     * @return
-     */
-    @Bean
-    SecurityScheme securityScheme() {
-        return new ApiKey(CommonConstant.X_ACCESS_TOKEN, CommonConstant.X_ACCESS_TOKEN, "header");
-    }
-    /**
-     * JWT token
-     * @return
-     */
-    private List<Parameter> setHeaderToken() {
-        ParameterBuilder tokenPar = new ParameterBuilder();
-        List<Parameter> pars = new ArrayList<>();
-        tokenPar.name(CommonConstant.X_ACCESS_TOKEN).description("token").modelRef(new ModelRef("string")).parameterType("header").required(false).build();
-        pars.add(tokenPar.build());
-        return pars;
-    }
-
-    /**
-     * api文档的详细信息函数,注意这里的注解引用的是哪个
-     *
-     * @return
-     */
-    private ApiInfo apiInfo() {
-        return new ApiInfoBuilder()
-                // //大标题
-                .title("JeecgBoot 后台服务API接口文档")
-                // 版本号
-                .version("1.0")
-//				.termsOfServiceUrl("NO terms of service")
-                // 描述
-                .description("后台API接口")
-                // 作者
-                .contact(new Contact("北京敲敲云科技有限公司","www.jeccg.com","jeecgos@163.com"))
-                .license("The Apache License, Version 2.0")
-                .licenseUrl("http://www.apache.org/licenses/LICENSE-2.0.html")
-                .build();
-    }
-
-    /**
-     * 新增 securityContexts 保持登录状态
-     */
-    private List<SecurityContext> securityContexts() {
-        return new ArrayList(
-                Collections.singleton(SecurityContext.builder()
-                        .securityReferences(defaultAuth())
-                        .forPaths(PathSelectors.regex("^(?!auth).*$"))
-                        .build())
-        );
-    }
-
-    private List<SecurityReference> defaultAuth() {
-        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
-        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
-        authorizationScopes[0] = authorizationScope;
-        return new ArrayList(
-                Collections.singleton(new SecurityReference(CommonConstant.X_ACCESS_TOKEN, authorizationScopes)));
-    }
-
-    /**
-     * 解决springboot2.6 和springfox不兼容问题
-     * @return
-     */
-    @Bean
-    public static BeanPostProcessor springfoxHandlerProviderBeanPostProcessor() {
-        return new BeanPostProcessor() {
-
-            @Override
-            public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
-                if (bean instanceof WebMvcRequestHandlerProvider || bean instanceof WebFluxRequestHandlerProvider) {
-                    customizeSpringfoxHandlerMappings(getHandlerMappings(bean));
-                }
-                return bean;
-            }
-
-            private <T extends RequestMappingInfoHandlerMapping> void customizeSpringfoxHandlerMappings(List<T> mappings) {
-                List<T> copy = mappings.stream()
-                        .filter(mapping -> mapping.getPatternParser() == null)
-                        .collect(Collectors.toList());
-                mappings.clear();
-                mappings.addAll(copy);
-            }
-
-            @SuppressWarnings("unchecked")
-            private List<RequestMappingInfoHandlerMapping> getHandlerMappings(Object bean) {
-                try {
-                    Field field = ReflectionUtils.findField(bean.getClass(), "handlerMappings");
-                    field.setAccessible(true);
-                    return (List<RequestMappingInfoHandlerMapping>) field.get(bean);
-                } catch (IllegalArgumentException | IllegalAccessException e) {
-                    throw new IllegalStateException(e);
-                }
-            }
-        };
-    }
-
-
-}
+//package org.jeecg.config;
+//
+// 已使用swagger3config平替
+//import com.github.xiaoymin.knife4j.spring.annotations.EnableKnife4j;
+//import io.swagger.annotations.ApiOperation;
+//import org.jeecg.common.constant.CommonConstant;
+//import org.springframework.beans.BeansException;
+//import org.springframework.beans.factory.config.BeanPostProcessor;
+//import org.springframework.context.annotation.Bean;
+//import org.springframework.context.annotation.Configuration;
+//import org.springframework.context.annotation.Import;
+//import org.springframework.util.ReflectionUtils;
+//import org.springframework.web.bind.annotation.RestController;
+//import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+//import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+//import org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping;
+//import springfox.bean.validators.configuration.BeanValidatorPluginsConfiguration;
+//import springfox.documentation.builders.ApiInfoBuilder;
+//import springfox.documentation.builders.ParameterBuilder;
+//import springfox.documentation.builders.PathSelectors;
+//import springfox.documentation.builders.RequestHandlerSelectors;
+//import springfox.documentation.oas.annotations.EnableOpenApi;
+//import springfox.documentation.schema.ModelRef;
+//import springfox.documentation.service.*;
+//import springfox.documentation.spi.DocumentationType;
+//import springfox.documentation.spi.service.contexts.SecurityContext;
+//import springfox.documentation.spring.web.plugins.Docket;
+//import springfox.documentation.spring.web.plugins.WebFluxRequestHandlerProvider;
+//import springfox.documentation.spring.web.plugins.WebMvcRequestHandlerProvider;
+//import springfox.documentation.swagger2.annotations.EnableSwagger2;
+//
+//import java.lang.reflect.Field;
+//import java.util.ArrayList;
+//import java.util.Collections;
+//import java.util.List;
+//import java.util.stream.Collectors;
+//
+///**
+// * @Author scott
+// */
+//@Configuration
+//@EnableSwagger2    //开启 Swagger2
+//@EnableKnife4j     //开启 knife4j，可以不写
+//@Import(BeanValidatorPluginsConfiguration.class)
+//public class Swagger2Config implements WebMvcConfigurer {
+//
+//    /**
+//     *
+//     * 显示swagger-ui.html文档展示页，还必须注入swagger资源：
+//     *
+//     * @param registry
+//     */
+//    @Override
+//    public void addResourceHandlers(ResourceHandlerRegistry registry) {
+//        registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
+//        registry.addResourceHandler("doc.html").addResourceLocations("classpath:/META-INF/resources/");
+//        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
+//    }
+//
+//    /**
+//     * swagger2的配置文件，这里可以配置swagger2的一些基本的内容，比如扫描的包等等
+//     *
+//     * @return Docket
+//     */
+//    @Bean(value = "defaultApi2")
+//    public Docket defaultApi2() {
+//        return new Docket(DocumentationType.SWAGGER_2)
+//                .apiInfo(apiInfo())
+//                .select()
+//                //此包路径下的类，才生成接口文档
+//                .apis(RequestHandlerSelectors.basePackage("org.jeecg"))
+//                //加了ApiOperation注解的类，才生成接口文档
+//                .apis(RequestHandlerSelectors.withClassAnnotation(RestController.class))
+//                .apis(RequestHandlerSelectors.withMethodAnnotation(ApiOperation.class))
+//                .paths(PathSelectors.any())
+//                .build()
+//                .securitySchemes(Collections.singletonList(securityScheme()))
+//                .securityContexts(securityContexts())
+//                .globalOperationParameters(setHeaderToken());
+//    }
+//
+//    /***
+//     * oauth2配置
+//     * 需要增加swagger授权回调地址
+//     * http://localhost:8888/webjars/springfox-swagger-ui/o2c.html
+//     * @return
+//     */
+//    @Bean
+//    SecurityScheme securityScheme() {
+//        return new ApiKey(CommonConstant.X_ACCESS_TOKEN, CommonConstant.X_ACCESS_TOKEN, "header");
+//    }
+//    /**
+//     * JWT token
+//     * @return
+//     */
+//    private List<Parameter> setHeaderToken() {
+//        ParameterBuilder tokenPar = new ParameterBuilder();
+//        List<Parameter> pars = new ArrayList<>();
+//        tokenPar.name(CommonConstant.X_ACCESS_TOKEN).description("token").modelRef(new ModelRef("string")).parameterType("header").required(false).build();
+//        pars.add(tokenPar.build());
+//        return pars;
+//    }
+//
+//    /**
+//     * api文档的详细信息函数,注意这里的注解引用的是哪个
+//     *
+//     * @return
+//     */
+//    private ApiInfo apiInfo() {
+//        return new ApiInfoBuilder()
+//                // //大标题
+//                .title("JeecgBoot 后台服务API接口文档")
+//                // 版本号
+//                .version("1.0")
+////				.termsOfServiceUrl("NO terms of service")
+//                // 描述
+//                .description("后台API接口")
+//                // 作者
+//                .contact(new Contact("北京国炬信息技术有限公司","www.jeccg.com","jeecgos@163.com"))
+//                .license("The Apache License, Version 2.0")
+//                .licenseUrl("http://www.apache.org/licenses/LICENSE-2.0.html")
+//                .build();
+//    }
+//
+//    /**
+//     * 新增 securityContexts 保持登录状态
+//     */
+//    private List<SecurityContext> securityContexts() {
+//        return new ArrayList(
+//                Collections.singleton(SecurityContext.builder()
+//                        .securityReferences(defaultAuth())
+//                        .forPaths(PathSelectors.regex("^(?!auth).*$"))
+//                        .build())
+//        );
+//    }
+//
+//    private List<SecurityReference> defaultAuth() {
+//        AuthorizationScope authorizationScope = new AuthorizationScope("global", "accessEverything");
+//        AuthorizationScope[] authorizationScopes = new AuthorizationScope[1];
+//        authorizationScopes[0] = authorizationScope;
+//        return new ArrayList(
+//                Collections.singleton(new SecurityReference(CommonConstant.X_ACCESS_TOKEN, authorizationScopes)));
+//    }
+//
+//    /**
+//     * 解决springboot2.6 和springfox不兼容问题
+//     * @return
+//     */
+//    @Bean
+//    public static BeanPostProcessor springfoxHandlerProviderBeanPostProcessor() {
+//        return new BeanPostProcessor() {
+//
+//            @Override
+//            public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+//                if (bean instanceof WebMvcRequestHandlerProvider || bean instanceof WebFluxRequestHandlerProvider) {
+//                    customizeSpringfoxHandlerMappings(getHandlerMappings(bean));
+//                }
+//                return bean;
+//            }
+//
+//            private <T extends RequestMappingInfoHandlerMapping> void customizeSpringfoxHandlerMappings(List<T> mappings) {
+//                List<T> copy = mappings.stream()
+//                        .filter(mapping -> mapping.getPatternParser() == null)
+//                        .collect(Collectors.toList());
+//                mappings.clear();
+//                mappings.addAll(copy);
+//            }
+//
+//            @SuppressWarnings("unchecked")
+//            private List<RequestMappingInfoHandlerMapping> getHandlerMappings(Object bean) {
+//                try {
+//                    Field field = ReflectionUtils.findField(bean.getClass(), "handlerMappings");
+//                    field.setAccessible(true);
+//                    return (List<RequestMappingInfoHandlerMapping>) field.get(bean);
+//                } catch (IllegalArgumentException | IllegalAccessException e) {
+//                    throw new IllegalStateException(e);
+//                }
+//            }
+//        };
+//    }
+//
+//
+//}

jeecg-boot-base-core/src/main/java/org/jeecg/config/Swagger3Config.java

@@ -0,0 +1,59 @@
+package org.jeecg.config;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.Paths;
+import io.swagger.v3.oas.models.info.Contact;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.info.License;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import io.swagger.v3.oas.models.security.SecurityScheme;
+import org.jeecg.common.constant.CommonConstant;
+import org.springdoc.core.models.GroupedOpenApi;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class Swagger3Config implements WebMvcConfigurer {
+        /**
+     *
+     * 显示swagger-ui.html文档展示页，还必须注入swagger资源：
+     *
+     * @param registry
+     */
+    @Override
+    public void addResourceHandlers(ResourceHandlerRegistry registry) {
+        registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
+        registry.addResourceHandler("doc.html").addResourceLocations("classpath:/META-INF/resources/");
+        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
+    }
+
+    @Bean
+    public GroupedOpenApi swaggerOpenApi() {
+        return GroupedOpenApi.builder()
+                .group("default")
+                .packagesToScan("org.jeecg")
+                // 剔除以下几个包路径的接口生成文档
+                .packagesToExclude("org.jeecg.modules.drag", "org.jeecg.modules.online", "org.jeecg.modules.jmreport")
+                // 加了Operation注解的方法，才生成接口文档
+                .addOpenApiMethodFilter(method -> method.isAnnotationPresent(Operation.class))
+                .build();
+    }
+
+    @Bean
+    public OpenAPI customOpenAPI() {
+        return new OpenAPI()
+                .info(new Info()
+                        .title("JeecgBoot 后台服务API接口文档")
+                        .version("1.0")
+                        .contact(new Contact().name("北京国炬信息技术有限公司").url("www.jeccg.com").email("jeecgos@163.com"))
+                        .description( "后台API接口")
+                        .termsOfService("NO terms of service")
+                        .license(new License().name("Apache 2.0").url("http://www.apache.org/licenses/LICENSE-2.0.html"))
+                );
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/UndertowCustomizer.java

@@ -0,0 +1,19 @@
+package org.jeecg.config;
+
+import io.undertow.server.DefaultByteBufferPool;
+import io.undertow.websockets.jsr.WebSocketDeploymentInfo;
+import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.stereotype.Component;
+
+@Component
+public class UndertowCustomizer implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {
+    @Override
+    public void customize(UndertowServletWebServerFactory factory) {
+        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
+            WebSocketDeploymentInfo webSocketDeploymentInfo = new WebSocketDeploymentInfo();
+            webSocketDeploymentInfo.setBuffers(new DefaultByteBufferPool(false, 1024));
+            deploymentInfo.addServletContextAttribute("io.undertow.websockets.jsr.WebSocketDeploymentInfo", webSocketDeploymentInfo);
+        });
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/WebMvcConfiguration.java

@@ -10,12 +10,15 @@ import com.fasterxml.jackson.datatype.jsr310.deser.LocalTimeDeserializer;
 import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateSerializer;
 import com.fasterxml.jackson.datatype.jsr310.ser.LocalDateTimeSerializer;
 import com.fasterxml.jackson.datatype.jsr310.ser.LocalTimeSerializer;
+import io.micrometer.core.instrument.MeterRegistry;
 import io.micrometer.prometheus.PrometheusMeterRegistry;
+import jakarta.annotation.Resource;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.beans.factory.config.BeanPostProcessor;
-import org.springframework.boot.actuate.trace.http.InMemoryHttpTraceRepository;
+import org.springframework.boot.actuate.autoconfigure.metrics.MeterRegistryCustomizer;
+import org.springframework.boot.actuate.web.exchanges.InMemoryHttpExchangeRepository;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
@@ -30,7 +33,6 @@ import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
-import javax.annotation.Resource;
 import java.text.SimpleDateFormat;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
@@ -133,8 +135,11 @@ public class WebMvcConfiguration implements WebMvcConfigurer {
      * https://blog.csdn.net/u013810234/article/details/110097201
      */
     @Bean
-    public InMemoryHttpTraceRepository getInMemoryHttpTrace(){
-        return new InMemoryHttpTraceRepository();
+    public InMemoryHttpExchangeRepository getInMemoryHttpTrace(){
+        InMemoryHttpExchangeRepository repository = new InMemoryHttpExchangeRepository();
+        // 默认保存1000条http请求记录
+        repository.setCapacity(1000);
+        return repository;
     }
 
 

jeecg-boot-base-core/src/main/java/org/jeecg/config/filter/RequestBodyReserveFilter.java

@@ -3,8 +3,8 @@ package org.jeecg.config.filter;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.config.sign.util.BodyReaderHttpServletRequestWrapper;
 
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 /**

jeecg-boot-base-core/src/main/java/org/jeecg/config/filter/WebsocketFilter.java

@@ -7,9 +7,9 @@ import org.jeecg.common.util.SpringContextUtils;
 import org.jeecg.common.util.TokenUtils;
 import org.jeecg.common.util.oConvertUtils;
 
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**

jeecg-boot-base-core/src/main/java/org/jeecg/config/firewall/SqlInjection/IDictTableWhiteListHandler.java

@@ -0,0 +1,38 @@
+package org.jeecg.config.firewall.SqlInjection;
+
+/**
+ * 字典表查询 :: 白名单配置
+ *
+ * @Author taoYan
+ * @Date 2022/3/17 11:21
+ **/
+public interface IDictTableWhiteListHandler {
+
+    /**
+     * 校验【表名】【字段】是否合法允许查询，允许则返回 true
+     *
+     * @param sql
+     * @return
+     */
+    boolean isPassBySql(String sql);
+
+    /**
+     * 校验字典是否通过
+     *
+     * @param dictCodeString 字典表配置
+     * @return
+     */
+    boolean isPassByDict(String dictCodeString);
+
+    boolean isPassByDict(String tableName, String... fields);
+
+    /**
+     * 清空缓存，使更改生效
+     *
+     * @return
+     */
+    boolean clear();
+
+    String getErrorMsg();
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/firewall/SqlInjection/SysDictTableWhite.java

@@ -0,0 +1,102 @@
+package org.jeecg.config.firewall.SqlInjection;
+
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.util.oConvertUtils;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * 查询的表的信息
+ */
+@Slf4j
+public class SysDictTableWhite {
+    //表名
+    private String name;
+    //表的别名
+    private String alias;
+    // 字段名集合
+    private Set<String> fields;
+    // 是否查询所有字段
+    private boolean all;
+
+    public SysDictTableWhite() {
+        
+    }
+
+    public SysDictTableWhite(String name, String alias) {
+        this.name = name;
+        this.alias = alias;
+        this.all = false;
+        this.fields = new HashSet<>();
+    }
+
+    public void addField(String field) {
+        this.fields.add(field);
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public Set<String> getFields() {
+        return new HashSet<>(fields);
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public void setFields(Set<String> fields) {
+        this.fields = fields;
+    }
+
+    public String getAlias() {
+        return alias;
+    }
+
+    public void setAlias(String alias) {
+        this.alias = alias;
+    }
+
+    public boolean isAll() {
+        return all;
+    }
+
+    public void setAll(boolean all) {
+        this.all = all;
+    }
+
+    /**
+     * 判断是否有相同字段
+     *
+     * @param fieldControlString
+     * @return
+     */
+    public boolean isAllFieldsValid(String fieldControlString) {
+        //如果白名单中没有配置字段，则返回false
+        String[] controlFields = fieldControlString.split(",");
+        if (oConvertUtils.isEmpty(fieldControlString)) {
+            return false;
+        }
+
+        for (String queryField : fields) {
+            if (oConvertUtils.isIn(queryField, controlFields)) {
+                log.warn("字典表白名单校验，表【" + name + "】中字段【" + queryField + "】无权限查询");
+                return false;
+            }
+        }
+
+        return true;
+    }
+    
+
+    @Override
+    public String toString() {
+        return "QueryTable{" +
+                "name='" + name + '\'' +
+                ", alias='" + alias + '\'' +
+                ", fields=" + fields +
+                ", all=" + all +
+                '}';
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/firewall/interceptor/LowCodeModeConfiguration.java

@@ -0,0 +1,19 @@
+package org.jeecg.config.firewall.interceptor;
+
+import org.jeecg.config.firewall.interceptor.enums.LowCodeUrlsEnum;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class LowCodeModeConfiguration implements WebMvcConfigurer {
+
+    public LowCodeModeInterceptor payInterceptor() {
+        return new LowCodeModeInterceptor();
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(payInterceptor()).addPathPatterns(LowCodeUrlsEnum.getLowCodeInterceptUrls());
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/firewall/interceptor/LowCodeModeInterceptor.java

@@ -0,0 +1,110 @@
+package org.jeecg.config.firewall.interceptor;
+
+import com.alibaba.fastjson.JSON;
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.api.CommonAPI;
+import org.jeecg.common.api.vo.Result;
+import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.system.util.JwtUtil;
+import org.jeecg.common.system.vo.LoginUser;
+import org.jeecg.common.util.CommonUtils;
+import org.jeecg.common.util.SpringContextUtils;
+import org.jeecg.config.JeecgBaseConfig;
+import org.jeecg.config.security.utils.SecureUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import jakarta.annotation.Resource;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Set;
+
+/**
+ * 低代码模式（dev:开发模式，prod:发布模式——关闭所有在线开发配置能力）
+ * <p>
+ * prod开启后会关闭以下功能，只保留功能测试（拥有admin角色账号，可以使用配置能力）
+ * 1.online表单的所有配置功能，代码生成和导入表功能
+ * 2.online报表的所有配置功能，和sql解析
+ * 3.online图表的所有配置功能，和sql解析
+ * 4.仪表盘的在线配置功能，和sql解析
+ * 5.大屏的在线配置功能，和sql解析
+ * 
+ * 积木的逻辑单独处理
+ * 1.积木报表的在线配置功能，和sql解析
+ *
+ * @author qinfeng
+ * @date 20230904
+ */
+@Slf4j
+public class LowCodeModeInterceptor implements HandlerInterceptor {
+    /**
+     * 低代码开发模式
+     */
+    public static final String LOW_CODE_MODE_DEV = "dev";
+    public static final String LOW_CODE_MODE_PROD = "prod";
+
+    @Resource
+    private JeecgBaseConfig jeecgBaseConfig;
+    @Autowired
+    private CommonAPI commonAPI;
+
+    /**
+     * 在请求处理之前进行调用
+     */
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        //1、验证是否开启低代码开发模式控制
+        if (jeecgBaseConfig == null) {
+            jeecgBaseConfig = SpringContextUtils.getBean(JeecgBaseConfig.class);
+        }
+
+        if (jeecgBaseConfig.getFirewall()!=null && LowCodeModeInterceptor.LOW_CODE_MODE_PROD.equals(jeecgBaseConfig.getFirewall().getLowCodeMode())) {
+            String requestURI = request.getRequestURI().substring(request.getContextPath().length());
+            log.info("低代码模式，拦截请求路径：" + requestURI);
+            LoginUser loginUser = SecureUtil.currentUser();
+            Set<String> hasRoles = null;
+            if (loginUser == null) {
+                loginUser = commonAPI.getUserByName(JwtUtil.getUserNameByToken(SpringContextUtils.getHttpServletRequest()));
+                //当前登录人拥有的角色
+                hasRoles = commonAPI.queryUserRoles(loginUser.getUsername());
+            }
+            
+            log.info("get loginUser info: {}", loginUser);
+            log.info("get loginRoles info: {}", hasRoles != null ? hasRoles.toArray() : "空");
+            
+            //拥有的角色 和 允许开发角色存在交集
+            boolean hasIntersection = CommonUtils.hasIntersection(hasRoles, CommonConstant.allowDevRoles);
+            //如果是超级管理员 或者 允许开发的角色，则不做限制
+            if (loginUser!=null && ("admin".equals(loginUser.getUsername()) || hasIntersection)) {
+                return true;
+            }
+            
+            this.returnErrorMessage(response);
+            return false;
+        }
+        return true;
+    }
+
+
+    /**
+     * 返回结果
+     *
+     * @param response
+     */
+    private void returnErrorMessage(HttpServletResponse response) {
+        //校验失败返回前端
+        response.setCharacterEncoding("UTF-8");
+        response.setContentType("application/json; charset=utf-8");
+        PrintWriter out = null;
+        try {
+            out = response.getWriter();
+            Result<?> result = Result.error("低代码开发模式为发布模式，不允许使用在线配置！！");
+            out.print(JSON.toJSON(result));
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+}
+

jeecg-boot-base-core/src/main/java/org/jeecg/config/firewall/interceptor/enums/LowCodeUrlsEnum.java

@@ -0,0 +1,104 @@
+package org.jeecg.config.firewall.interceptor.enums;
+
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * 
+ * @author: qinfeng
+ * @date: 2023/09/04 11:44
+ */
+public enum LowCodeUrlsEnum {
+    /**
+     * online表单配置请求 TODO 增改删
+     */
+    NEW_LOW_APP_ADD_URL("/online/cgform/api/addAll", "添加online表单"),
+    NEW_LOW_APP_EDIT_URL("/online/cgform/api/editAll", "编辑online表单"),
+    ONLINE_DB_SYNC("/online/cgform/api/doDbSynch/**/**", "online表单同步数据库"),
+    ONLINE_DEL_BATCH("/online/cgform/head/deleteBatch", "online表单批量删除"),
+    ONLINE_DELETE("/online/cgform/head/delete", "online表单删除"),
+    ONLINE_REMOVE("/online/cgform/head/removeRecord", "online表单移除"),
+    ONLINE_COPY("/online/cgform/head/copyOnline", "online表单生成视图"),
+    ONLINE_TABLE("/online/cgform/head/copyOnlineTable", "online表单复制表"),
+    ONLINE_BUTTON_AI_TEST("/online/cgform/button/aitest", "online表单自定义按钮生成数据"),
+    ONLINE_BUTTON_ADD("/online/cgform/button/add", "online表单自定义按钮新增"),
+    ONLINE_BUTTON_EDIT("/online/cgform/button/edit", "online表单自定义按钮编辑"),
+    ONLINE_BUTTON_DEL("/online/cgform/button/deleteBatch", "online表单自定义按钮删除"),
+    ONLINE_ENHANCE_JS("/online/cgform/head/enhanceJs/**", "online表单JS增强"),
+    ONLINE_ENHANCE_JAVA("/online/cgform/head/enhanceJava/**", "online表单JAVA增强"),
+    /**
+     * online报表配置请求
+     */
+    ONLINE_CG_REPORT_ADD("/online/cgreport/head/add", "online报表新增"),
+    ONLINE_CG_REPORT_EDIT("/online/cgreport/head/editAll", "online报表编辑"),
+    ONLINE_CG_REPORT_DEL("/online/cgreport/head/delete", "online报表删除"),
+    ONLINE_CG_REPORT_PARSE_SQL("/online/cgreport/head/parseSql", "online报表SQL解析"),
+    /**
+     * online图表配置请求
+     */
+    ONLINE_GRAPH_REPORT_ADD("/online/graphreport/head/add", "online图表新增"),
+    ONLINE_GRAPH_REPORT_EDIT("/online/graphreport/head/edit", "online图表编辑"),
+    ONLINE_GRAPH_REPORT_DEL("/online/graphreport/head/deleteBatch", "online图表删除"),
+    ONLINE_GRAPH_REPORT_PARSE_SQL("/online/cgreport/head/parseSql", "online图表解析SQL"),
+
+    /**
+     * 大屏配置请求
+     */
+    BIG_SCREEN_DB_ADD("/bigscreen/bigScreenDb/add", "大屏数据源新增"),
+    BIG_SCREEN_DB_EDIT("/bigscreen/bigScreenDb/edit", "大屏数据源编辑"),
+    BIG_SCREEN_DB_DEL("/bigscreen/bigScreenDb/delete", "大屏数据源删除"),
+    BIG_SCREEN_DB_TEST_CONNECTION("/bigscreen/bigScreenDb/testConnection", "大屏数据源连接测试"),
+//    BIG_SCREEN_SAVE("/bigscreen/visual/save", "大屏新增"),
+//    BIG_SCREEN_EDIT("/bigscreen/visual/update", "大屏编辑"),
+//    BIG_SCREEN_COPY("/bigscreen/visual/copy", "大屏复制"),
+//    BIG_SCREEN_REMOVE("/bigscreen/visual/remove", "大屏移除"),
+//    BIG_SCREEN_DEL("/bigscreen/visual/deleteById", "大屏删除"),
+
+    /**
+     * 仪表盘配置请求
+     */
+    DRAG_DB_ADD("/drag/onlDragDataSource/add", "仪表盘数据源新增"),
+    DRAG_DB_TEST_CONNECTION("/drag/onlDragDataSource/testConnection", "仪表盘数据源连接测试"),
+    DRAG_PARSE_SQL("/drag/onlDragDatasetHead/queryFieldBySql", "仪表盘数据集SQL解析"),
+    DRAG_DATASET_ADD("/drag/onlDragDatasetHead/add", "仪表盘数据集新增");
+
+    /**
+     * 其他配置请求
+     */
+
+    private String url;
+    private String title;
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public String getTitle() {
+        return title;
+    }
+
+    public void setTitle(String title) {
+        this.title = title;
+    }
+
+    LowCodeUrlsEnum(String url, String title) {
+        this.url = url;
+        this.title = title;
+    }
+
+    /**
+     * 根据code获取可用的数量
+     *
+     * @return
+     */
+    public static List<String> getLowCodeInterceptUrls() {
+        return Arrays.stream(LowCodeUrlsEnum.values()).map(LowCodeUrlsEnum::getUrl).collect(Collectors.toList());
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/mybatis/MybatisInterceptor.java

@@ -6,11 +6,11 @@ import org.apache.ibatis.executor.Executor;
 import org.apache.ibatis.mapping.MappedStatement;
 import org.apache.ibatis.mapping.SqlCommandType;
 import org.apache.ibatis.plugin.*;
-import org.apache.shiro.SecurityUtils;
 import org.jeecg.common.config.TenantContext;
 import org.jeecg.common.constant.TenantConstant;
 import org.jeecg.common.system.vo.LoginUser;
 import org.jeecg.common.util.oConvertUtils;
+import org.jeecg.config.security.utils.SecureUtil;
 import org.springframework.stereotype.Component;
 
 import java.lang.reflect.Field;
@@ -173,7 +173,7 @@ public class MybatisInterceptor implements Interceptor {
 	private LoginUser getLoginUser() {
 		LoginUser sysUser = null;
 		try {
-			sysUser = SecurityUtils.getSubject().getPrincipal() != null ? (LoginUser) SecurityUtils.getSubject().getPrincipal() : null;
+			sysUser = SecureUtil.currentUser() != null ? SecureUtil.currentUser() : null;
 		} catch (Exception e) {
 			//e.printStackTrace();
 			sysUser = null;

jeecg-boot-base-core/src/main/java/org/jeecg/config/mybatis/aspect/DynamicTableAspect.java

@@ -11,7 +11,7 @@ import org.jeecg.common.util.SpringContextUtils;
 import org.jeecg.config.mybatis.ThreadLocalDataHelper;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import java.lang.reflect.Method;
 
 /**

jeecg-boot-base-core/src/main/java/org/jeecg/config/mybatis/interceptor/DynamicDatasourceInterceptor.java

@@ -6,8 +6,8 @@ import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.ModelAndView;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 /**
  * 动态数据源切换拦截器

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/ClientService.java

@@ -0,0 +1,90 @@
+package org.jeecg.config.security;
+
+import lombok.AllArgsConstructor;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
+import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
+import org.springframework.stereotype.Component;
+
+import java.time.Duration;
+import java.util.Set;
+
+/**
+ * spring authorization server 注册客户端便捷工具类
+ * @author eightmonth@qq.com
+ * @date 2024/3/7 11:22
+ */
+@Component
+@AllArgsConstructor
+public class ClientService {
+
+    private RegisteredClientRepository registeredClientRepository;
+
+    /**
+     * 修改客户端token有效期
+     * 认证码、设备码有效期与accessToken有效期保持一致
+     */
+    public void updateTokenValidation(String clientId, Long accessTokenValidation, Long refreshTokenValidation){
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        TokenSettings tokenSettings = TokenSettings.builder()
+                .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
+                .accessTokenTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
+                .reuseRefreshTokens(true)
+                .refreshTokenTimeToLive(Duration.ofSeconds(refreshTokenValidation))
+                .authorizationCodeTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .deviceCodeTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .build();
+        builder.tokenSettings(tokenSettings);
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端授权类型
+     * @param clientId
+     * @param grantTypes
+     */
+    public void updateGrantType(String clientId, Set<AuthorizationGrantType> grantTypes) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        for (AuthorizationGrantType grantType : grantTypes) {
+            builder.authorizationGrantType(grantType);
+        }
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端重定向uri
+     * @param clientId
+     * @param redirectUris
+     */
+    public void updateRedirectUris(String clientId, String redirectUris) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        builder.redirectUri(redirectUris);
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端授权范围
+     * @param clientId
+     * @param scopes
+     */
+    public void updateScopes(String clientId, Set<String> scopes) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        for (String scope : scopes) {
+            builder.scope(scope);
+        }
+        registeredClientRepository.save(builder.build());
+    }
+
+    public RegisteredClient findByClientId(String clientId) {
+        return registeredClientRepository.findByClientId(clientId);
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgPermissionService.java

@@ -0,0 +1,100 @@
+package org.jeecg.config.security;
+
+import cn.hutool.core.util.ArrayUtil;
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.api.CommonAPI;
+import org.jeecg.common.system.vo.LoginUser;
+import org.jeecg.common.util.RedisUtil;
+import org.jeecg.config.security.utils.SecureUtil;
+import org.springframework.stereotype.Service;
+import org.springframework.util.PatternMatchUtils;
+import org.springframework.util.StringUtils;
+
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * spring authorization server自定义权限处理，根据@PreAuthorize注解，判断当前用户是否具备权限
+ * @author EightMonth
+ * @date 2024/1/10 17:00
+ */
+@Service("jps")
+@AllArgsConstructor
+@Slf4j
+public class JeecgPermissionService {
+    private final String SPLIT = "::";
+    private final String PERM_PREFIX = "jps" + SPLIT;
+
+    private final CommonAPI commonAPI;
+    private final RedisUtil redisUtil;
+
+    /**
+     * 判断接口是否有任意xxx，xxx权限
+     * @param permissions 权限
+     * @return {boolean}
+     */
+    public boolean requiresPermissions(String... permissions) {
+        if (ArrayUtil.isEmpty(permissions)) {
+            return false;
+        }
+        LoginUser loginUser = SecureUtil.currentUser();
+
+        Object cache = redisUtil.get(buildKey("permission", loginUser.getUsername()));
+        Set<String> permissionList;
+        if (Objects.nonNull(cache)) {
+            permissionList = (Set<String>) cache;
+        } else {
+            permissionList = commonAPI.queryUserAuths(loginUser.getUsername());
+            redisUtil.set(buildKey("permission", loginUser.getUsername()), permissionList);
+        }
+
+        boolean pass = permissionList.stream().filter(StringUtils::hasText)
+                .anyMatch(x -> PatternMatchUtils.simpleMatch(permissions, x));
+        if (!pass) {
+            log.error("权限不足，缺少权限："+ Arrays.toString(permissions));
+        }
+        return pass;
+    }
+
+    /**
+     * 判断接口是否有任意xxx，xxx角色
+     * @param roles 角色
+     * @return {boolean}
+     */
+    public boolean requiresRoles(String... roles) {
+        if (ArrayUtil.isEmpty(roles)) {
+            return false;
+        }
+        LoginUser loginUser = SecureUtil.currentUser();
+
+        Object cache = redisUtil.get(buildKey("role", loginUser.getUsername()));
+        Set<String> roleList;
+        if (Objects.nonNull(cache)) {
+            roleList = (Set<String>) cache;
+        } else {
+            roleList = commonAPI.queryUserRoles(loginUser.getUsername());
+            redisUtil.set(buildKey("role", loginUser.getUsername()), roleList);
+        }
+
+        boolean pass = roleList.stream().filter(StringUtils::hasText)
+                .anyMatch(x -> PatternMatchUtils.simpleMatch(roles, x));
+        if (!pass) {
+            log.error("权限不足，缺少角色：" + Arrays.toString(roles));
+        }
+        return pass;
+    }
+
+    /**
+     * 由于缓存key是以人的维度，角色列表、权限列表在值中，jeecg是以权限列表绑定在角色上，形成的权限集合
+     * 权限发生变更时，需要清理全部人的权限缓存
+     */
+    public void clearCache() {
+        redisUtil.removeAll(PERM_PREFIX);
+    }
+
+    private String buildKey(String type, String username) {
+        return PERM_PREFIX + type + SPLIT + username;
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationConsentService.java

@@ -0,0 +1,54 @@
+package org.jeecg.config.security;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * spring authorization server 自定义redis保存授权范围信息
+ */
+@Component
+@RequiredArgsConstructor
+public class JeecgRedisOAuth2AuthorizationConsentService implements OAuth2AuthorizationConsentService {
+
+	private final RedisTemplate<String, Object> redisTemplate;
+
+	private final static Long TIMEOUT = 10L;
+
+	@Override
+	public void save(OAuth2AuthorizationConsent authorizationConsent) {
+		Assert.notNull(authorizationConsent, "authorizationConsent cannot be null");
+
+		redisTemplate.opsForValue().set(buildKey(authorizationConsent), authorizationConsent, TIMEOUT,
+				TimeUnit.MINUTES);
+
+	}
+
+	@Override
+	public void remove(OAuth2AuthorizationConsent authorizationConsent) {
+		Assert.notNull(authorizationConsent, "authorizationConsent cannot be null");
+		redisTemplate.delete(buildKey(authorizationConsent));
+	}
+
+	@Override
+	public OAuth2AuthorizationConsent findById(String registeredClientId, String principalName) {
+		Assert.hasText(registeredClientId, "registeredClientId cannot be empty");
+		Assert.hasText(principalName, "principalName cannot be empty");
+		return (OAuth2AuthorizationConsent) redisTemplate.opsForValue()
+				.get(buildKey(registeredClientId, principalName));
+	}
+
+	private static String buildKey(String registeredClientId, String principalName) {
+		return "token:consent:" + registeredClientId + ":" + principalName;
+	}
+
+	private static String buildKey(OAuth2AuthorizationConsent authorizationConsent) {
+		return buildKey(authorizationConsent.getRegisteredClientId(), authorizationConsent.getPrincipalName());
+	}
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationService.java

@@ -0,0 +1,181 @@
+package org.jeecg.config.security;
+
+import cn.hutool.core.collection.CollUtil;
+import lombok.RequiredArgsConstructor;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.data.redis.serializer.RedisSerializer;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2RefreshToken;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.stereotype.Component;
+import org.springframework.util.Assert;
+
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * spring authorization server自定义redis保存认证信息
+ * @author EightMonth
+ */
+@Component
+@RequiredArgsConstructor
+public class JeecgRedisOAuth2AuthorizationService implements OAuth2AuthorizationService {
+
+	private final static Long TIMEOUT = 10L;
+
+	private static final String AUTHORIZATION = "token";
+
+	private final RedisTemplate<String, Object> redisTemplate;
+
+	@Override
+	public void save(OAuth2Authorization authorization) {
+		Assert.notNull(authorization, "authorization cannot be null");
+
+		if (isState(authorization)) {
+			String token = authorization.getAttribute("state");
+			redisTemplate.setValueSerializer(RedisSerializer.java());
+			redisTemplate.opsForValue().set(buildKey(OAuth2ParameterNames.STATE, token), authorization, TIMEOUT,
+					TimeUnit.MINUTES);
+		}
+
+		if (isCode(authorization)) {
+			OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = authorization
+					.getToken(OAuth2AuthorizationCode.class);
+			OAuth2AuthorizationCode authorizationCodeToken = authorizationCode.getToken();
+			long between = ChronoUnit.MINUTES.between(authorizationCodeToken.getIssuedAt(),
+					authorizationCodeToken.getExpiresAt());
+			redisTemplate.setValueSerializer(RedisSerializer.java());
+			redisTemplate.opsForValue().set(buildKey(OAuth2ParameterNames.CODE, authorizationCodeToken.getTokenValue()),
+					authorization, between, TimeUnit.MINUTES);
+		}
+
+		if (isRefreshToken(authorization)) {
+			OAuth2RefreshToken refreshToken = authorization.getRefreshToken().getToken();
+			long between = ChronoUnit.SECONDS.between(refreshToken.getIssuedAt(), refreshToken.getExpiresAt());
+			redisTemplate.setValueSerializer(RedisSerializer.java());
+			redisTemplate.opsForValue().set(buildKey(OAuth2ParameterNames.REFRESH_TOKEN, refreshToken.getTokenValue()),
+					authorization, between, TimeUnit.SECONDS);
+		}
+
+		if (isAccessToken(authorization)) {
+			OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
+			long between = ChronoUnit.SECONDS.between(accessToken.getIssuedAt(), accessToken.getExpiresAt());
+			redisTemplate.setValueSerializer(RedisSerializer.java());
+			redisTemplate.opsForValue().set(buildKey(OAuth2ParameterNames.ACCESS_TOKEN, accessToken.getTokenValue()),
+					authorization, between, TimeUnit.SECONDS);
+
+			// 扩展记录 access-token 、username 的关系 1::token::username::admin::xxx
+			String tokenUsername = String.format("%s::%s::%s", AUTHORIZATION, authorization.getPrincipalName(), accessToken.getTokenValue());
+			redisTemplate.opsForValue().set(tokenUsername, accessToken.getTokenValue(), between, TimeUnit.SECONDS);
+		}
+	}
+
+	@Override
+	public void remove(OAuth2Authorization authorization) {
+		Assert.notNull(authorization, "authorization cannot be null");
+
+		List<String> keys = new ArrayList<>();
+		if (isState(authorization)) {
+			String token = authorization.getAttribute("state");
+			keys.add(buildKey(OAuth2ParameterNames.STATE, token));
+		}
+
+		if (isCode(authorization)) {
+			OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = authorization
+					.getToken(OAuth2AuthorizationCode.class);
+			OAuth2AuthorizationCode authorizationCodeToken = authorizationCode.getToken();
+			keys.add(buildKey(OAuth2ParameterNames.CODE, authorizationCodeToken.getTokenValue()));
+		}
+
+		if (isRefreshToken(authorization)) {
+			OAuth2RefreshToken refreshToken = authorization.getRefreshToken().getToken();
+			keys.add(buildKey(OAuth2ParameterNames.REFRESH_TOKEN, refreshToken.getTokenValue()));
+		}
+
+		if (isAccessToken(authorization)) {
+			OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
+			keys.add(buildKey(OAuth2ParameterNames.ACCESS_TOKEN, accessToken.getTokenValue()));
+
+			// 扩展记录 access-token 、username 的关系 1::token::username::admin::xxx
+			String key = String.format("%s::%s::%s", AUTHORIZATION, authorization.getPrincipalName(), accessToken.getTokenValue());
+			keys.add(key);
+		}
+
+		redisTemplate.delete(keys);
+	}
+
+	@Override
+	@Nullable
+	public OAuth2Authorization findById(String id) {
+		throw new UnsupportedOperationException();
+	}
+
+	@Override
+	@Nullable
+	public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType tokenType) {
+		Assert.hasText(token, "token cannot be empty");
+		Assert.notNull(tokenType, "tokenType cannot be empty");
+		redisTemplate.setValueSerializer(RedisSerializer.java());
+		return (OAuth2Authorization) redisTemplate.opsForValue().get(buildKey(tokenType.getValue(), token));
+	}
+
+	private String buildKey(String type, String id) {
+		return String.format("%s::%s::%s", AUTHORIZATION, type, id);
+	}
+
+	private static boolean isState(OAuth2Authorization authorization) {
+		return Objects.nonNull(authorization.getAttribute("state"));
+	}
+
+	private static boolean isCode(OAuth2Authorization authorization) {
+		OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = authorization
+				.getToken(OAuth2AuthorizationCode.class);
+		return Objects.nonNull(authorizationCode);
+	}
+
+	private static boolean isRefreshToken(OAuth2Authorization authorization) {
+		return Objects.nonNull(authorization.getRefreshToken());
+	}
+
+	private static boolean isAccessToken(OAuth2Authorization authorization) {
+		return Objects.nonNull(authorization.getAccessToken());
+	}
+
+	/**
+	 * 扩展方法根据 username 查询是否存在存储的
+	 * @param authentication
+	 * @return
+	 */
+	public void removeByUsername(Authentication authentication) {
+		// 根据 username查询对应access-token
+		String authenticationName = authentication.getName();
+
+		// 扩展记录 access-token 、username 的关系 1::token::username::admin::xxx
+		String tokenUsernameKey = String.format("%s::%s::*", AUTHORIZATION, authenticationName);
+		Set<String> keys = redisTemplate.keys(tokenUsernameKey);
+		if (CollUtil.isEmpty(keys)) {
+			return;
+		}
+
+		List<Object> tokenList = redisTemplate.opsForValue().multiGet(keys);
+
+		for (Object token : tokenList) {
+			// 根据token 查询存储的 OAuth2Authorization
+			OAuth2Authorization authorization = this.findByToken((String) token, OAuth2TokenType.ACCESS_TOKEN);
+			// 根据 OAuth2Authorization 删除相关令牌
+			this.remove(authorization);
+		}
+
+	}
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/LoginType.java

@@ -0,0 +1,38 @@
+package org.jeecg.config.security;
+
+/**
+ * 登录模式
+ * @author EightMonth
+ * @date 2024/1/10 17:43
+ */
+public class LoginType {
+
+    /**
+     * 密码模式
+     */
+    public static final String PASSWORD = "password";
+
+
+    /**
+     * 手机号+验证码模式
+     */
+    public static final String PHONE = "phone";
+
+
+    /**
+     * app登录
+     */
+    public static final String APP = "app";
+
+    /**
+     * 扫码登录
+     */
+    public static final String SCAN = "scan";
+
+    /**
+     * 所有联合登录，比如github\钉钉\企业微信\微信
+     */
+    public static final String SOCIAL = "social";
+
+    public static final String SELF = "self";
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/RedisTokenValidationFilter.java

@@ -0,0 +1,49 @@
+package org.jeecg.config.security;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.AllArgsConstructor;
+import org.jeecg.common.system.util.JwtUtil;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
+import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * 当用户被强退时，使客户端token失效
+ * @author eightmonth@qq.com
+ * @date 2024/3/7 17:30
+ */
+@Component
+@AllArgsConstructor
+public class RedisTokenValidationFilter extends OncePerRequestFilter {
+    private OAuth2AuthorizationService authorizationService;
+    private JwtDecoder jwtDecoder;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        // 从请求中获取token
+        DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
+        String token = defaultBearerTokenResolver.resolve(request);
+
+
+        if (Objects.nonNull(token)) {
+            // 检查认证信息是否已被清除，如果已被清除，则令该token失效
+            OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+            if (Objects.isNull(oAuth2Authorization)) {
+                throw new OAuth2AuthenticationException(BearerTokenErrors.invalidToken("认证信息已失效，请重新登录"));
+            }
+        }
+        filterChain.doFilter(request, response);
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java

@@ -0,0 +1,262 @@
+package org.jeecg.config.security;
+
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+import lombok.AllArgsConstructor;
+import org.jeecg.config.security.app.AppGrantAuthenticationConvert;
+import org.jeecg.config.security.app.AppGrantAuthenticationProvider;
+import org.jeecg.config.security.password.PasswordGrantAuthenticationConvert;
+import org.jeecg.config.security.password.PasswordGrantAuthenticationProvider;
+import org.jeecg.config.security.phone.PhoneGrantAuthenticationConvert;
+import org.jeecg.config.security.phone.PhoneGrantAuthenticationProvider;
+import org.jeecg.config.security.social.SocialGrantAuthenticationConvert;
+import org.jeecg.config.security.social.SocialGrantAuthenticationProvider;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.http.MediaType;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.oauth2.server.authorization.token.*;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
+import org.springframework.web.cors.CorsConfiguration;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.SecureRandom;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * spring authorization server核心配置
+ * @author eightmonth@qq.com
+ * @date 2024/1/2 9:29
+ */
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity
+@AllArgsConstructor
+public class SecurityConfig {
+
+    private JdbcTemplate jdbcTemplate;
+    private OAuth2AuthorizationService authorizationService;
+
+    @Bean
+    @Order(1)
+    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
+            throws Exception {
+        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+        // 注册自定义登录类型
+        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+                .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new PasswordGrantAuthenticationConvert())
+                        .authenticationProvider(new PasswordGrantAuthenticationProvider(authorizationService, tokenGenerator())))
+                .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new PhoneGrantAuthenticationConvert())
+                        .authenticationProvider(new PhoneGrantAuthenticationProvider(authorizationService, tokenGenerator())))
+                .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new AppGrantAuthenticationConvert())
+                        .authenticationProvider(new AppGrantAuthenticationProvider(authorizationService, tokenGenerator())))
+                .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new SocialGrantAuthenticationConvert())
+                        .authenticationProvider(new SocialGrantAuthenticationProvider(authorizationService, tokenGenerator())))
+                //开启OpenID Connect 1.0（其中oidc为OpenID Connect的缩写）。 访问 /.well-known/openid-configuration即可获取认证信息
+                .oidc(Customizer.withDefaults());
+        http
+                //将需要认证的请求，重定向到login页面行登录认证。
+                .exceptionHandling((exceptions) -> exceptions
+                        .defaultAuthenticationEntryPointFor(
+                                new LoginUrlAuthenticationEntryPoint("/sys/login"),
+                                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
+                        )
+                )
+                // 使用jwt处理接收到的access token
+                .oauth2ResourceServer(oauth2ResourceServer ->
+                        oauth2ResourceServer.jwt(Customizer.withDefaults()));
+
+        return http.build();
+    }
+
+    @Bean
+    @Order(2)
+    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
+            throws Exception {
+        http
+                //设置所有请求都需要认证，未认证的请求都被重定向到login页面进行登录
+                .authorizeHttpRequests((authorize) -> authorize
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/cas/client/validateLogin")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/randomImage/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/checkCaptcha")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/login")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/mLogin")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/logout")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/thirdLogin/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/getEncryptedString")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/sms")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/phoneLogin")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/user/checkOnlyUser")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/user/register")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/user/phoneVerification")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/user/passwordChange")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/auth/2step-code")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/common/static/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/common/pdf/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/generic/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/getLoginQrcode/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/getQrcodeToken/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/checkAuth")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/doc.html")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.js")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.css")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.html")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.svg")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.pdf")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.jpg")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.png")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.gif")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.ico")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.ttf")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.woff")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.woff2")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/druid/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/swagger-ui.html")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/swagger**/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/webjars/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/v3/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/WW_verify*")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/sys/annountCement/show/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/jmreport/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.js.map")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/**/*.css.map")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/view")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/page/queryById")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/onlDragDatasetHead/getAllChartData")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/onlDragDatasetHead/getTotalData")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/drag/mock/json/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/test/bigScreen/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/bigscreen/template1/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/bigscreen/template1/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/websocket/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/newsWebsocket/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/vxeSocket/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/test/seata/**")).permitAll()
+                        .requestMatchers(AntPathRequestMatcher.antMatcher("/error")).permitAll()
+                        .anyRequest().authenticated()
+                )
+                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
+                .cors(cors -> cors
+                        .configurationSource(req -> {
+                            CorsConfiguration config = new CorsConfiguration();
+                            config.applyPermitDefaultValues();
+                            config.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
+                            return config;
+                        }))
+                .csrf(AbstractHttpConfigurer::disable)
+                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
+        return http.build();
+    }
+
+    /**
+     * 数据库保存注册客户端信息
+     */
+    @Bean
+    public RegisteredClientRepository registeredClientRepository() {
+        return new JdbcRegisteredClientRepository(jdbcTemplate);
+    }
+
+    /**
+     *配置 JWK，为JWT(id_token)提供加密密钥，用于加密/解密或签名/验签
+     * JWK详细见：https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key-41
+     */
+    @Bean
+    public JWKSource<SecurityContext> jwkSource() {
+        KeyPair keyPair = generateRsaKey();
+        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+        RSAKey rsaKey = new RSAKey.Builder(publicKey)
+                .privateKey(privateKey)
+                // 重要！生产环境需要修改！
+                .keyID("jeecg")
+                .build();
+        JWKSet jwkSet = new JWKSet(rsaKey);
+        return new ImmutableJWKSet<>(jwkSet);
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return NoOpPasswordEncoder.getInstance();
+    }
+
+    /**
+     *生成RSA密钥对，给上面jwkSource() 方法的提供密钥对
+     */
+    private static KeyPair generateRsaKey() {
+        KeyPair keyPair;
+        try {
+            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+
+            // 生产环境不应该设置secureRandom，seed如果被泄露，jwt容易被伪造
+            // 如果不设置secureRandom，会存在一个问题，当应用重启后，原有的token将会全部失效，因为重启的keyPair与之前已经不同
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            // 重要！生产环境需要修改！
+            secureRandom.setSeed("jeecg".getBytes());
+            keyPairGenerator.initialize(2048, secureRandom);
+            keyPair = keyPairGenerator.generateKeyPair();
+        }
+        catch (Exception ex) {
+            throw new IllegalStateException(ex);
+        }
+        return keyPair;
+    }
+
+    /**
+     * 配置jwt解析器
+     */
+    @Bean
+    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+    }
+
+    /**
+     *配置认证服务器请求地址
+     */
+    @Bean
+    public AuthorizationServerSettings authorizationServerSettings() {
+        return AuthorizationServerSettings.builder().tokenEndpoint("/sys/login").build();
+    }
+
+    /**
+     *配置token生成器
+     */
+    @Bean
+    OAuth2TokenGenerator<?> tokenGenerator() {
+        JwtGenerator jwtGenerator = new JwtGenerator(new NimbusJwtEncoder(jwkSource()));
+        OAuth2AccessTokenGenerator accessTokenGenerator = new OAuth2AccessTokenGenerator();
+        OAuth2RefreshTokenGenerator refreshTokenGenerator = new OAuth2RefreshTokenGenerator();
+        return new DelegatingOAuth2TokenGenerator(
+                jwtGenerator, accessTokenGenerator, refreshTokenGenerator);
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationConvert.java

@@ -0,0 +1,81 @@
+package org.jeecg.config.security.app;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.jeecg.config.security.LoginType;
+import org.jeecg.config.security.password.PasswordGrantAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * APP模式认证转换器
+ * @author EightMonth
+ * @date 2024/1/1
+ */
+public class AppGrantAuthenticationConvert implements AuthenticationConverter {
+    @Override
+    public Authentication convert(HttpServletRequest request) {
+
+        String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
+        if (!LoginType.APP.equals(grantType)) {
+            return null;
+        }
+
+        Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+
+        //从request中提取请求参数，然后存入MultiValueMap<String, String>
+        MultiValueMap<String, String> parameters = getParameters(request);
+
+        // username (REQUIRED)
+        String username = parameters.getFirst(OAuth2ParameterNames.USERNAME);
+        if (!StringUtils.hasText(username) ||
+                parameters.get(OAuth2ParameterNames.USERNAME).size() != 1) {
+            throw new OAuth2AuthenticationException("无效请求，用户名不能为空！");
+        }
+        String password = parameters.getFirst(OAuth2ParameterNames.PASSWORD);
+        if (!StringUtils.hasText(password) ||
+                parameters.get(OAuth2ParameterNames.PASSWORD).size() != 1) {
+            throw new OAuth2AuthenticationException("无效请求，密码不能为空！");
+        }
+
+        //收集要传入PasswordGrantAuthenticationToken构造方法的参数，
+        //该参数接下来在PasswordGrantAuthenticationProvider中使用
+        Map<String, Object> additionalParameters = new HashMap<>();
+        //遍历从request中提取的参数，排除掉grant_type、client_id、code等字段参数，其他参数收集到additionalParameters中
+        parameters.forEach((key, value) -> {
+            if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
+                    !key.equals(OAuth2ParameterNames.CLIENT_ID) &&
+                    !key.equals(OAuth2ParameterNames.CODE)) {
+                additionalParameters.put(key, value.get(0));
+            }
+        });
+
+        //返回自定义的PasswordGrantAuthenticationToken对象
+        return new PasswordGrantAuthenticationToken(clientPrincipal, additionalParameters);
+
+    }
+
+    /**
+     *从request中提取请求参数，然后存入MultiValueMap<String, String>
+     */
+    private static MultiValueMap<String, String> getParameters(HttpServletRequest request) {
+        Map<String, String[]> parameterMap = request.getParameterMap();
+        MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>(parameterMap.size());
+        parameterMap.forEach((key, values) -> {
+            if (values.length > 0) {
+                for (String value : values) {
+                    parameters.add(key, value);
+                }
+            }
+        });
+        return parameters;
+    }
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationProvider.java

@@ -0,0 +1,318 @@
+package org.jeecg.config.security.app;
+
+import com.alibaba.fastjson.JSONObject;
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.api.CommonAPI;
+import org.jeecg.common.constant.CacheConstant;
+import org.jeecg.common.constant.CommonConstant;
+import org.jeecg.common.exception.JeecgBootException;
+import org.jeecg.common.exception.JeecgCaptchaException;
+import org.jeecg.common.system.vo.LoginUser;
+import org.jeecg.common.system.vo.SysDepartModel;
+import org.jeecg.common.util.Md5Util;
+import org.jeecg.common.util.PasswordUtil;
+import org.jeecg.common.util.RedisUtil;
+import org.jeecg.common.util.oConvertUtils;
+import org.jeecg.config.JeecgBaseConfig;
+import org.jeecg.config.security.password.PasswordGrantAuthenticationToken;
+import org.jeecg.modules.base.service.BaseCommonService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.*;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
+import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import java.security.Principal;
+import java.time.Instant;
+import java.util.*;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+/**
+ * APP模式认证处理器，负责处理该认证模式下的核心逻辑
+ * @author EightMonth
+ * @date 2024/1/1
+ */
+@Slf4j
+public class AppGrantAuthenticationProvider implements AuthenticationProvider {
+
+    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
+
+    private final OAuth2AuthorizationService authorizationService;
+    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
+    @Autowired
+    private CommonAPI commonAPI;
+    @Autowired
+    private RedisUtil redisUtil;
+    @Autowired
+    private JeecgBaseConfig jeecgBaseConfig;
+    @Autowired
+    private BaseCommonService baseCommonService;
+
+    public AppGrantAuthenticationProvider(OAuth2AuthorizationService authorizationService, OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator) {
+        Assert.notNull(authorizationService, "authorizationService cannot be null");
+        Assert.notNull(tokenGenerator, "tokenGenerator cannot be null");
+        this.authorizationService = authorizationService;
+        this.tokenGenerator = tokenGenerator;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        AppGrantAuthenticationToken appGrantAuthenticationToken =  (AppGrantAuthenticationToken) authentication;
+        Map<String, Object> additionalParameter = appGrantAuthenticationToken.getAdditionalParameters();
+
+        // 授权类型
+        AuthorizationGrantType authorizationGrantType = appGrantAuthenticationToken.getGrantType();
+        // 用户名
+        String username = (String) additionalParameter.get(OAuth2ParameterNames.USERNAME);
+        // 密码
+        String password = (String) additionalParameter.get(OAuth2ParameterNames.PASSWORD);
+        //请求参数权限范围
+        String requestScopesStr = (String)additionalParameter.getOrDefault(OAuth2ParameterNames.SCOPE, "*");
+        //请求参数权限范围专场集合
+        Set<String> requestScopeSet = Stream.of(requestScopesStr.split(" ")).collect(Collectors.toSet());
+        // 验证码
+        String captcha = (String) additionalParameter.get("captcha");
+        String checkKey = (String) additionalParameter.get("checkKey");
+
+        OAuth2ClientAuthenticationToken clientPrincipal = getAuthenticatedClientElseThrowInvalidClient(appGrantAuthenticationToken);
+        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
+
+        // 检查登录失败次数
+        if(isLoginFailOvertimes(username)){
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "该用户登录失败次数过多，请于10分钟后再次登录！");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+
+        if(captcha==null){
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "验证码无效");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+        String lowerCaseCaptcha = captcha.toLowerCase();
+        // 加入密钥作为混淆，避免简单的拼接，被外部利用，用户自定义该密钥即可
+        String origin = lowerCaseCaptcha+checkKey+jeecgBaseConfig.getSignatureSecret();
+        String realKey = Md5Util.md5Encode(origin, "utf-8");
+        Object checkCode = redisUtil.get(realKey);
+        //当进入登录页时，有一定几率出现验证码错误 #1714
+        if(checkCode==null || !checkCode.toString().equals(lowerCaseCaptcha)) {
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "验证码错误");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+
+        if (!registeredClient.getAuthorizationGrantTypes().contains(authorizationGrantType)) {
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "非法登录");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+
+        // 通过用户名获取用户信息
+        LoginUser loginUser = commonAPI.getUserByName(username);
+        //update-begin---author:eightmonth ---date:2024-04-30  for：【6168】master分支切sas分支登录发生错误-----------
+        if (Objects.isNull(loginUser) || !StringUtils.hasText(loginUser.getSalt())) {
+            redisUtil.del(CacheConstant.SYS_USERS_CACHE+"::"+username);
+            loginUser = commonAPI.getUserByName(username);
+        }
+        //update-end---author:eightmonth ---date::2024-04-30  for：【6168】master分支切sas分支登录发生错误--------------
+        // 检查用户可行性
+        checkUserIsEffective(loginUser);
+
+        // 不使用spring security passwordEncoder针对密码进行匹配，使用自有加密匹配，针对 spring security使用noop传输
+        password = PasswordUtil.encrypt(username, password, loginUser.getSalt());
+        if (!password.equals(loginUser.getPassword())) {
+            addLoginFailOvertimes(username);
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "用户名或密码不正确");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+
+        //由于在上面已验证过用户名、密码，现在构建一个已认证的对象UsernamePasswordAuthenticationToken
+        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = UsernamePasswordAuthenticationToken.authenticated(loginUser,clientPrincipal,new ArrayList<>());
+
+        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
+                .registeredClient(registeredClient)
+                .principal(usernamePasswordAuthenticationToken)
+                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
+                .authorizationGrantType(authorizationGrantType)
+                .authorizedScopes(requestScopeSet)
+                .authorizationGrant(appGrantAuthenticationToken);
+
+        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
+                .principalName(clientPrincipal.getName())
+                .authorizedScopes(requestScopeSet)
+                .attribute(Principal.class.getName(), username)
+                .authorizationGrantType(authorizationGrantType);
+
+
+        // ----- Access token -----
+        OAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
+        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(tokenContext);
+        if (generatedAccessToken == null) {
+            Map<String, Object> map = new HashMap<>();
+            map.put("message", "无法生成访问token，请联系管理系。");
+            return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+        }
+        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
+                generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(),
+                generatedAccessToken.getExpiresAt(), tokenContext.getAuthorizedScopes());
+        if (generatedAccessToken instanceof ClaimAccessor) {
+            authorizationBuilder.token(accessToken, (metadata) -> {
+                    metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, ((ClaimAccessor) generatedAccessToken).getClaims());
+            });
+        } else {
+            authorizationBuilder.accessToken(accessToken);
+        }
+
+        // ----- Refresh token -----
+        OAuth2RefreshToken refreshToken = null;
+        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN) &&
+                // 不向公共客户端颁发刷新令牌
+                !clientPrincipal.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.NONE)) {
+
+            tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build();
+            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContext);
+            if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
+                Map<String, Object> map = new HashMap<>();
+                map.put("message", "无法生成刷新token，请联系管理员。");
+                return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,"fdsafas", Instant.now(), Instant.now().plusNanos(1)), null, map);
+            }
+
+            refreshToken = (OAuth2RefreshToken) generatedRefreshToken;
+            authorizationBuilder.refreshToken(refreshToken);
+        }
+
+        OAuth2Authorization authorization = authorizationBuilder.build();
+
+        // 保存认证信息至redis
+        authorizationService.save(authorization);
+
+        // 登录成功，删除redis中的验证码
+        redisUtil.del(realKey);
+        redisUtil.del(CommonConstant.LOGIN_FAIL + username);
+        baseCommonService.addLog("用户名: " + username + ",登录成功！", CommonConstant.LOG_TYPE_1, null,loginUser);
+
+        JSONObject addition = new JSONObject(new LinkedHashMap<>());
+        addition.put("token", accessToken.getTokenValue());
+        // 设置租户
+        JSONObject jsonObject = commonAPI.setLoginTenant(username);
+        addition.putAll(jsonObject.getInnerMap());
+
+        // 设置登录用户信息
+        addition.put("userInfo", loginUser);
+        addition.put("sysAllDictItems", commonAPI.queryAllDictItems());
+
+        List<SysDepartModel> departs = commonAPI.queryUserDeparts(loginUser.getId());
+        addition.put("departs", departs);
+        if (departs == null || departs.size() == 0) {
+            addition.put("multi_depart", 0);
+        } else if (departs.size() == 1) {
+            commonAPI.updateUserDepart(username, departs.get(0).getOrgCode(),null);
+            addition.put("multi_depart", 1);
+        } else {
+            //查询当前是否有登录部门
+            if(oConvertUtils.isEmpty(loginUser.getOrgCode())){
+                commonAPI.updateUserDepart(username, departs.get(0).getOrgCode(),null);
+            }
+            addition.put("multi_depart", 2);
+        }
+
+        // 兼容原有shiro登录结果处理
+        Map<String, Object> map = new HashMap<>();
+        map.put("result", addition);
+        map.put("code", 200);
+        map.put("success", true);
+        map.put("timestamp", System.currentTimeMillis());
+
+        // 返回access_token、refresh_token以及其它信息给到前端
+        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, map);
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return AppGrantAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+
+    private static OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(Authentication authentication) {
+        OAuth2ClientAuthenticationToken clientPrincipal = null;
+        if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication.getPrincipal().getClass())) {
+            clientPrincipal = (OAuth2ClientAuthenticationToken) authentication.getPrincipal();
+        }
+        if (clientPrincipal != null && clientPrincipal.isAuthenticated()) {
+            return clientPrincipal;
+        }
+        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+    }
+
+    /**
+     * 登录失败超出次数5 返回true
+     * @param username
+     * @return
+     */
+    private boolean isLoginFailOvertimes(String username){
+        String key = CommonConstant.LOGIN_FAIL + username;
+        Object failTime = redisUtil.get(key);
+        if(failTime!=null){
+            Integer val = Integer.parseInt(failTime.toString());
+            if(val>5){
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * 记录登录失败次数
+     * @param username
+     */
+    private void addLoginFailOvertimes(String username){
+        String key = CommonConstant.LOGIN_FAIL + username;
+        Object failTime = redisUtil.get(key);
+        Integer val = 0;
+        if(failTime!=null){
+            val = Integer.parseInt(failTime.toString());
+        }
+        // 10分钟
+        redisUtil.set(key, ++val, 10);
+    }
+
+    /**
+     * 校验用户是否有效
+     */
+    private void checkUserIsEffective(LoginUser loginUser) {
+        //情况1：根据用户信息查询，该用户不存在
+        if (Objects.isNull(loginUser)) {
+            baseCommonService.addLog("用户登录失败，用户不存在！", CommonConstant.LOG_TYPE_1, null);
+            throw new JeecgBootException("该用户不存在，请注册");
+        }
+        //情况2：根据用户信息查询，该用户已注销
+        //update-begin---author:王帅   Date:20200601  for：if条件永远为falsebug------------
+        if (CommonConstant.DEL_FLAG_1.equals(loginUser.getDelFlag())) {
+            //update-end---author:王帅   Date:20200601  for：if条件永远为falsebug------------
+            baseCommonService.addLog("用户登录失败，用户名:" + loginUser.getUsername() + "已注销！", CommonConstant.LOG_TYPE_1, null);
+            throw new JeecgBootException("该用户已注销");
+        }
+        //情况3：根据用户信息查询，该用户已冻结
+        if (CommonConstant.USER_FREEZE.equals(loginUser.getStatus())) {
+            baseCommonService.addLog("用户登录失败，用户名:" + loginUser.getUsername() + "已冻结！", CommonConstant.LOG_TYPE_1, null);
+            throw new JeecgBootException("该用户已冻结");
+        }
+    }
+
+}

jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationToken.java

@@ -0,0 +1,21 @@
+package org.jeecg.config.security.app;
+
+import org.jeecg.config.security.LoginType;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationGrantAuthenticationToken;
+
+import java.util.Map;
+
+/**
+ * APP模式认证专用token类型，方法spring authorization server进行认证流转，配合convert使用
+ * @author EightMonth
+ * @date 2024/1/1
+ */
+public class AppGrantAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {
+
+    public AppGrantAuthenticationToken(Authentication clientPrincipal, Map<String, Object> additionalParameters) {
+        super(new AuthorizationGrantType(LoginType.APP), clientPrincipal, additionalParameters);
+    }
+
+}