我重写了hasPermission并用此方法在控制器上校验用户权限
原创实战代码,如有问题和错误留言一起交流学习
话不多说
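/**
 * Database-backed {@link PermissionEvaluator} used by {@code hasPermission(...)} in
 * {@code @PreAuthorize} / web security expressions.
 *
 * Access is granted only when the authenticated user holds a {@code Permission} whose
 * application AND permission name both equal the two arguments of the expression.
 * Every situation the evaluator cannot decide is treated as "no permission" (fail closed).
 */
public class MyPermissionEvaluator implements PermissionEvaluator {

    @Resource
    private UsersServiceImpl usersService;

    /**
     * Two-argument form: {@code hasPermission(targetApplication, targetPermissions)}.
     *
     * @param authentication    current authentication; the principal is expected to be a
     *                          {@link LoginUserDetailsImpl}
     * @param targetApplication first expression argument, compared with
     *                          {@code Permission.getApplication()}
     * @param targetPermissions second expression argument, compared with
     *                          {@code Permission.getPermission()}
     * @return {@code true} only when a matching permission exists for the user;
     *         {@code false} for a null/anonymous/foreign principal, null targets or no match
     */
    @Override
    public boolean hasPermission(Authentication authentication, Object targetApplication, Object targetPermissions) {
        // Fail closed on anything that cannot be evaluated. The previous implementation
        // cast the principal unconditionally (ClassCastException for a non-user principal,
        // e.g. Spring's anonymous String principal) and called equals() on possibly-null
        // targets (NullPointerException); both surfaced as 500s instead of a denial.
        if (authentication == null || targetApplication == null || targetPermissions == null) {
            log.info("The user does not have this permission!");
            return false;
        }
        Object principal = authentication.getPrincipal();
        if (!(principal instanceof LoginUserDetailsImpl)) {
            log.info("The user does not have this permission!");
            return false;
        }
        LoginUserDetailsImpl user = (LoginUserDetailsImpl) principal;

        List<Permission> granted = usersService.getPermission(user.getUsername());
        if (granted != null) {
            for (Permission permission : granted) {
                // Both halves must match; && short-circuits (the original used non-short-circuit &).
                if (targetPermissions.equals(permission.getPermission())
                        && targetApplication.equals(permission.getApplication())) {
                    log.info("The user poccesses this permission!");
                    return true;
                }
            }
        }
        // NOTE(review): for an audit trail this denial log would be more useful with the
        // username and the requested application/permission included.
        log.info("The user does not have this permission!");
        return false;
    }

    /**
     * Id-based form: {@code hasPermission(targetId, targetType, permission)}.
     * Not supported by this application; always denies so an accidental use of this
     * overload cannot grant access.
     *
     * @return always {@code false}
     */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable serializable, String s, Object o) {
        return false;
    }
}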
security配置
…………
/**
 * HTTP security rules: only the landing and login pages are public, everything else
 * requires an authenticated session; form login and logout are mapped to the URLs below.
 *
 * @param http the builder supplied by Spring Security
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(HttpSecurity http) throws Exception {
    // URL authorization.
    http.authorizeRequests()
            .antMatchers("/index.html", "/login.html").permitAll()
            .anyRequest().authenticated();

    // Form login. NOTE(review): failureUrl(...) and failureForwardUrl(...) each install an
    // authentication failure handler on the same configurer, so in the versions I know the
    // later call (the forward) replaces the earlier redirect — confirm which one is intended.
    http.formLogin()
            .loginPage("/login.html")
            .loginProcessingUrl("/auth/login")
            .failureUrl("/error.html").permitAll()
            .defaultSuccessUrl("/")
            .failureForwardUrl("/error.html");

    // Logout: drop the HTTP session and return to the login page.
    http.logout()
            .logoutUrl("/auth/logout")
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/login.html");

    // CSRF protection is disabled. Because authentication here is a cookie-backed session,
    // state-changing endpoints (e.g. the DELETE /application/{id} mapping) become reachable
    // from a cross-site request; keeping CSRF enabled and sending the token from the
    // front end is the safer option for a session-based app.
    http.csrf().disable();
}
//注册我改写过的PermissionEvaluator类
/**
 * Web-layer (URL) security expression handler wired with the custom permission evaluator,
 * so that {@code hasPermission(...)} in web security expressions runs the database check.
 *
 * NOTE(review): {@code MyPermissionEvaluator} is used here as a value, so it has to be a
 * field/bean of that name declared elsewhere in this class; no {@code @Bean} annotation is
 * visible here, so confirm how this handler is actually registered with Spring.
 *
 * @return a {@link DefaultWebSecurityExpressionHandler} using the custom evaluator
 */
public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
    final DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
    handler.setPermissionEvaluator(MyPermissionEvaluator);
    return handler;
}
/**
 * Method-level security expression handler wired with the custom permission evaluator,
 * so that {@code hasPermission(...)} inside {@code @PreAuthorize} runs the database check.
 *
 * NOTE(review): as with the web handler, {@code MyPermissionEvaluator} must be a field/bean
 * declared elsewhere in this class, and method security (e.g. {@code prePostEnabled})
 * must be switched on somewhere not shown here for {@code @PreAuthorize} to be enforced.
 *
 * @return a {@link DefaultMethodSecurityExpressionHandler} using the custom evaluator
 */
public DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() {
    final DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setPermissionEvaluator(MyPermissionEvaluator);
    return handler;
}
关键来了：在 Controller 中做校验时，有一个小技巧。
/**
 * Deletes the application row identified by {@code id}; the delete is guarded by the custom
 * {@code hasPermission(application, permission)} check.
 *
 * NOTE(review): the application passed to {@code hasPermission} comes from a request
 * parameter ({@code #参数名}), while the row that is deleted is chosen by the path variable
 * {@code id}. The two are not tied together, so a caller holding the permission on one
 * application can supply that application's value and still delete a different {@code id}.
 * Deriving the first argument from {@code id} server-side (e.g. {@code #id}, resolved to its
 * application inside the evaluator) closes that gap.
 * NOTE(review): {@code #参数名} is resolved from the method's parameter name, which needs
 * parameter names retained at compile time (or an explicit parameter annotation) — confirm.
 *
 * @param id the primary key of the application to delete
 * @return the success response body
 */
@RequestMapping(value = "/application/{id}",method = {RequestMethod.DELETE},produces="application/json;charset=UTF-8")
@ResponseBody
@PreAuthorize("hasPermission(#参数名(自己定义的1级权限),自己定义的2级权限)") // '#' references a method parameter by name
public Object deleteApplication(@PathVariable Integer id,@RequestParam("参数名")参数名类型 参数名) {
// NOTE(review): nothing checks that the row exists or belongs to the permitted application before deleting.
ApplicationMapper.deleteByPrimaryKey(id);
return GlobalResponse.success();
}
到此就结束了。核心在于控制器中通过注解获取方法参数，这个问题纠结了好几天，原以为拿不到。