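During development I ran into a problem where a single endpoint maps to multiple permission configurations. The requirement was to let the request through as long as the permission configuration contains a matching entry for the URL. At first I assumed that adding a new permission to the perms array would be enough, but testing showed that this does not work, so I traced the behaviour into the source code.
Looking at the source: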
    public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
        this.assertRealmsConfigured();
        if (permissions != null && permissions.length > 0) {
            String[] var3 = permissions;
            int var4 = permissions.length;
            for(int var5 = 0; var5 < var4; ++var5) {
                String perm = var3[var5];
                if (!this.isPermitted(principals, perm)) {
                    return false;
                }
            }
        }
        return true;
    }
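The source shows that the multiple permissions configured for the requested URL are combined with logical AND, the opposite of the logical OR I had assumed. I overrode the permission check method directly; the code is as follows: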
    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
        Subject subject = this.getSubject(request, response);
        // mappedValue holds the permissions configured for the matched URL
        String[] perms = (String[])mappedValue;
        // No permissions configured for this URL: the request is allowed
        boolean isPermitted = true;
        if (perms != null && perms.length > 0) {
            if (perms.length == 1) {
                if (!subject.isPermitted(perms[0])) {
                    isPermitted = false;
                }
            } else {
                // Several permissions: allow as soon as the subject holds any one of them (logical OR)
                for (int i = 0; i < perms.length; i++) {
                    if(subject.isPermitted(perms[i])){
                        isPermitted = true;
                        break;
                    }else {
                        isPermitted = false;
                    }
                }
            }
        }
        return isPermitted;
    }
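One way to get the OR behaviour without changing what the built-in `perms[...]` entries mean is to register the check under its own filter name, so chains that rely on AND semantics keep them. This is an added example, not code from the original post or from the Shiro project; the class name `AnyPermissionFilter`, the filter name `anyPerms`, the URLs and the permission strings are made up, it assumes Shiro 1.x with `javax.servlet`, and unlike the override above it denies when no permission is configured.

```java
import java.util.Arrays;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;

// Added example: "any of" permission filter kept separate from Shiro's built-in perms filter.
public class AnyPermissionFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // Permissions from the chain definition, e.g. anyPerms[report:view, report:admin]
        String[] perms = (String[]) mappedValue;

        // Assumption of this example: an anyPerms entry without permissions is a
        // configuration mistake, so fail closed instead of allowing the request.
        if (perms == null || perms.length == 0) {
            return false;
        }

        Subject subject = getSubject(request, response);
        // Logical OR: one matching permission is enough.
        return Arrays.stream(perms).anyMatch(p -> subject.isPermitted(p));
    }

    // Hypothetical wiring; URLs and permission names are constructed for illustration.
    public static DefaultFilterChainManager buildChains() {
        // The no-arg constructor registers Shiro's default filters (authc, perms, ...).
        DefaultFilterChainManager manager = new DefaultFilterChainManager();
        manager.addFilter("anyPerms", new AnyPermissionFilter());

        // The first matching chain wins, so the more specific path is declared first.
        // Built-in perms: the subject needs BOTH permissions (isPermittedAll).
        manager.createChain("/report/export", "authc, perms[report:view, report:export]");
        // Custom anyPerms: the subject needs EITHER permission.
        manager.createChain("/report/**", "authc, anyPerms[report:view, report:admin]");
        return manager;
    }
}
```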