欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

SpringSecurity实现动态加载权限信息的方法

程序员文章站 2022-06-15 11:39:44
①数据库中资源与角色对应关系,以及角色和用户对应关系如下图所示:②实现filterinvocationsecuritymetadatasource类(1)list menus...

①数据库中资源与角色对应关系,以及角色和用户对应关系如下图所示:

SpringSecurity实现动态加载权限信息的方法

 ②实现filterinvocationsecuritymetadatasource类

(1)list<menu> menus = menuservice.getmenuswithroles();这个是你自己的资源对应角色的查询方法。

(2)重写的support方法都返回true

@configuration
public class myfilterinvocation implements filterinvocationsecuritymetadatasource {
 
    @autowired
    private menuservice menuservice;
 
    antpathmatcher antpathmatcher = new antpathmatcher();
 
    @override
    public collection<configattribute> getattributes(object object) throws illegalargumentexception {
        string requesturl = ((filterinvocation) object).getrequesturl();
        list<menu> menus = menuservice.getmenuswithroles();
        //- 遍历数据库的url,看请求路径是否与其匹配
        for (menu menu : menus) {
            //- 如果请求路径和数据库的路径匹配
            if (antpathmatcher.match(menu.geturl(),requesturl)){
                //- 访问该路径需要的角色
                list<role> roles = menu.getroles();
                string[] strs = new string[roles.size()];
                for (int i = 0; i < roles.size(); i++) {
                    strs[i] = roles.get(i).getname();
                }
                return securityconfig.createlist(strs);
            }
        }
        //- 如果请求路径和数据库的所有路径都不匹配,说明这个资源是登录后即可访问的
        //- 用户登录即可访问,相当于在securityconfig中配置了.anyrequest().authenticated()
        return securityconfig.createlist("role_login");
    }
 
    @override
    public collection<configattribute> getallconfigattributes() {
        return null;
    }
 
    @override
    public boolean supports(class<?> clazz) {
        return true;
    }
}

 

 

③实现accessdecisionmanager

重写的support方法都返回true

@configuration
public class mydecisionmanager implements accessdecisionmanager {
 
 
    @override
    public void decide(authentication authentication, object object, collection<configattribute> configattributes) throws accessdeniedexception, insufficientauthenticationexception {
        for (configattribute configattribute : configattributes) {
            string needrole = configattribute.getattribute();
            if ("role_login".equals(needrole)) {
                //- 用户登录即可访问,相当于在securityconfig中配置了.anyrequest().authenticated()
                if (authentication instanceof anonymousauthenticationtoken) {
                    throw new accessdeniedexception("尚未登录,请先登录");
                } else {
                    return;
                }
            }
            
            collection<? extends grantedauthority> authorities = authentication.getauthorities();
            //这里我写的是只要访问该资源的用户具有`访问该资源所需要角色`的其中一个即可
            for (grantedauthority authority : authorities) {
                if (authority.getauthority().equals(needrole)) {
                    return;
                }
            }
        }
        throw new accessdeniedexception("权限不足,请联系管理员");
    }
 
    @override
    public boolean supports(configattribute attribute) {
        return true;
    }
 
    @override
    public boolean supports(class<?> clazz) {
        return true;
    }
}

④到securityconfig配置类中完成相应配置

    @autowired
    private mydecisionmanager mydecisionmanager;
    
    @autowired
    private  myfilterinvocation myfilterinvocation;
 
     @override
    protected void configure(httpsecurity http) throws exception {
        http.authorizerequests()
                .withobjectpostprocessor(new objectpostprocessor<filtersecurityinterceptor>() {
                    @override
                    public <o extends filtersecurityinterceptor> o postprocess(o object) {
                        object.setaccessdecisionmanager(mydecisionmanager);
                        object.setsecuritymetadatasource(myfilterinvocation);
                        return object;
                    }
                });
 
            http.exceptionhandling().accessdeniedhandler(myaccessdeniedhandler());
 
    }
 
 
    @bean
    myaccessdeniedhandler myaccessdeniedhandler(){
        return new myaccessdeniedhandler();
    }

⑤可选,实现accessdeniedhandler

public class myaccessdenied implements accessdeniedhandler {
 
    @override
    public void handle(httpservletrequest req, httpservletresponse resp, accessdeniedexception accessdeniedexception) throws ioexception, servletexception {
        resp.setcontenttype("application/json;charset=utf-8");
        printwriter pw = resp.getwriter();
        pw.write(new objectmapper().writevalueasstring(respbean.error("权限不够,请联系管理员")));
        pw.flush();
        pw.close();
    }
}

到此这篇关于springsecurity实现动态加载权限信息的文章就介绍到这了,更多相关springsecurity动态加载权限内容请搜索以前的文章或继续浏览下面的相关文章希望大家以后多多支持!