- springboot + 拦截器 + 注解 实现自定义权限验证
- 1.1 定义权限常量 PermissionConstants.java
- 1.2 定义权限的注解 RequiredPermission.java
- 1.3 权限拦截器 SecurityInterceptor.java
- 1.4 拦截器注入的配置 MVCConfig.java
- 1.5 ProductController.java
springboot + 拦截器 + 注解 实现自定义权限验证
最近用到一种前端模板技术:jtwig,在权限控制上没有用springSecurity。因此用拦截器和注解结合实现了权限控制。
实现如下:
1.1 定义权限常量 PermissionConstants.java
/*** @author blueriver* @description 权限常量* @date 2017/11/17* @since 1.0*/
public class PermissionConstants {
/*** 管理员-产品列表查询*/public static final String ADMIN_PRODUCT_LIST = "admin_product_list";/*** 管理员-产品详情*/public static final String ADMIN_PRODUCT_DETAIL = "admin_product_detail";}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 权限也可以不定义为常量,看项目情况
1.2 定义权限的注解 RequiredPermission.java
/*** @author blueriver* @description 与拦截器结合使用 验证权限* @date 2017/11/17* @since 1.0*/
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
public @interface RequiredPermission {
String value();
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- ElementType.TYPE,ElementType.METHOD表示注解可以标记类和方法
1.3 权限拦截器 SecurityInterceptor.java
/*** @author blueriver* @description 权限拦截器* @date 2017/11/17* @since 1.0*/
public class SecurityInterceptor implements HandlerInterceptor {
@Autowiredprivate AdminUserService adminUserService;@Overridepublic boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {// 验证权限if (this.hasPermission(handler)) {return true;}// null == request.getHeader("x-requested-with") TODO 暂时用这个来判断是否为ajax请求// 如果没有权限 则抛403异常 springboot会处理,跳转到 /error/403 页面response.sendError(HttpStatus.FORBIDDEN.value(), "无权限");return false;}/*** 是否有权限** @param handler* @return*/private boolean hasPermission(Object handler) {if (handler instanceof HandlerMethod) {HandlerMethod handlerMethod = (HandlerMethod) handler;// 获取方法上的注解RequiredPermission requiredPermission = handlerMethod.getMethod().getAnnotation(RequiredPermission.class);// 如果方法上的注解为空 则获取类的注解if (requiredPermission == ) {requiredPermission = handlerMethod.getMethod().getDeclaringClass().getAnnotation(RequiredPermission.class);}// 如果标记了注解,则判断权限if (requiredPermission != && StringUtils.isNotBlank(requiredPermission.value())) {// redis或数据库 中获取该用户的权限信息 并判断是否有权限Set<String> permissionSet = adminUserService.getPermissionSet();if (CollectionUtils.isEmpty(permissionSet) ){return false;}return permissionSet.contains(requiredPermission.value());}}return true;}@Overridepublic void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {// TODO}@Overridepublic void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {// TODO}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
1.4 拦截器注入的配置 MVCConfig.java
@Configuration
public class MVCConfig extends WebMvcConfigurerAdapter {
@Beanpublic SecurityInterceptor securityInterceptor() {return new SecurityInterceptor();}@Overridepublic void addInterceptors(InterceptorRegistry registry) {registry.addInterceptor(securityInterceptor()).excludePathPatterns("/static/*").excludePathPatterns("/error").addPathPatterns("/**");}}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- springboot中注入拦截器
1.5 ProductController.java
/*** @author blueriver* @description 产品管理* @date 2017/10/25* @since 1.0*/
@Controller
@RequestMapping("/product")
// @PermissionConstants.ADMIN_PRODUCT_MANAGEMENT
public class ProductController {
/*** 产品列表** @return*/@RequestMapping("/list")@RequiredPermission(PermissionConstants.ADMIN_PRODUCT_LIST) // 权限注解public String list() {// 省略产品列表查询逻辑return "/product/list";}/*** 产品详情** @return*/@RequestMapping("/detail")@RequiredPermission(PermissionConstants.ADMIN_PRODUCT_DETAIL) // 权限注解public String detail() {// 省略查询产品详情的逻辑return "/product/edit";}/*** 删除产品** @return*/@RequestMapping("/delete")public String delete() {// 省略删除产品的逻辑return "/product/list";}}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 如果没有标记权限注解,则不会验证该请求的权限,如/product/delete 请求