Broken access control (越权: a user reaching records or operations beyond their own privileges) is a widespread problem in Java web projects. Packaging the access-check logic in a separate project, which other projects pull in as a Spring Boot starter when they need it, gives every project the same way of calling it.
1. Starter project configuration
1.1 pom.xml
After creating the project, add the following configuration to pom.xml.
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.9.RELEASE</version>
    </parent>
    <dependencies>
        <!-- Core Spring framework utilities -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
        </dependency>
        <!-- Spring Web module -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-web</artifactId>
        </dependency>
        <!-- Servlet API -->
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
        </dependency>
        <!-- Common utility classes -->
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
    </dependencies>
1.2 Core code
    package com.platform.framework.exceedperm.service;

    import com.platform.framework.utils.BusinessException;
    import com.platform.framework.utils.ServletUtils;
    import com.platform.framework.utils.StringUtils;
    import javax.servlet.http.HttpSession;
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Map;

    public class ExceedPermService {
        /** Name of the session attribute that holds the per-module allow-lists. */
        private String modulePerm;

        // Use the default attribute name when none is given
        public ExceedPermService() {
            this.modulePerm = "modulePerm";
        }

        public ExceedPermService(String modulePerm) {
            if (StringUtils.isEmpty(modulePerm)) {
                this.modulePerm = "modulePerm";
            } else {
                this.modulePerm = modulePerm;
            }
        }

        /**
         * Records the set of values (for example ids) the current user may later submit
         * under keyName within moduleName. Data already recorded for other modules and
         * keys in this session is preserved rather than overwritten.
         */
        @SuppressWarnings("unchecked")
        public void addCheckData(String moduleName, String keyName, HashSet<String> hset) {
            HttpSession session = ServletUtils.getSession();
            // Per-module verification data; the attribute name can be set in the configuration
            HashMap<String, HashMap<String, HashSet<String>>> moduleMap =
                    (HashMap<String, HashMap<String, HashSet<String>>>) session.getAttribute(modulePerm);
            if (moduleMap == null) {
                moduleMap = new HashMap<String, HashMap<String, HashSet<String>>>();
            }
            // Permission data for this module
            HashMap<String, HashSet<String>> permMap = moduleMap.get(moduleName);
            if (permMap == null) {
                permMap = new HashMap<String, HashSet<String>>();
                moduleMap.put(moduleName, permMap);
            }
            permMap.put(keyName, hset);
            session.setAttribute(modulePerm, moduleMap);
        }

        /**
         * Verifies that every value in arrayValue is in the allow-list recorded for moduleName.
         * An empty keyName checks against every key of the module; otherwise only keyName is
         * checked. Throws BusinessException when no data was recorded or a value is not allowed.
         */
        @SuppressWarnings("unchecked")
        public void verifyCheckData(String moduleName, String keyName, ArrayList<String> arrayValue) {
            HttpSession session = ServletUtils.getSession();
            // The attribute name can be set in the configuration
            HashMap<String, HashMap<String, HashSet<String>>> moduleMap =
                    (HashMap<String, HashMap<String, HashSet<String>>>) session.getAttribute(modulePerm);
            // Nothing recorded in this session yet, or nothing submitted: fail closed
            if (moduleMap == null || arrayValue == null) {
                throw new BusinessException("非法参数");
            }
            // The data this module needs to verify against
            HashMap<String, HashSet<String>> map = moduleMap.get(moduleName);
            if (map == null) {
                // Illegal parameter
                throw new BusinessException("非法参数");
            }
            boolean checked = false;
            for (Map.Entry<String, HashSet<String>> entry : map.entrySet()) {
                String key = entry.getKey();
                HashSet<String> valSet = entry.getValue();
                // When a key is given, only that key is verified and other keys are skipped;
                // an empty key verifies all rules
                if (StringUtils.isNotEmpty(keyName) && !key.equals(keyName)) {
                    continue;
                }
                checked = true;
                // Every submitted id must be in the allowed set
                for (String str : arrayValue) {
                    if (!valSet.contains(str)) {
                        // Illegal parameter
                        throw new BusinessException("非法参数");
                    }
                }
            }
            // A named key that was never recorded must not pass silently
            if (!checked) {
                throw new BusinessException("非法参数");
            }
        }
    }
1.3 Auto-configuration
    package com.platform.framework.exceedperm.config;

    import com.platform.framework.exceedperm.service.ExceedPermService;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
    import org.springframework.boot.context.properties.EnableConfigurationProperties;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    @EnableConfigurationProperties(ExceedPermProperties.class)
    @ConditionalOnProperty(
        prefix = "com.platform.exceedperm",
        name = "enable",
        havingValue = "true"
    )
    public class StarterAutoConfig {
        // Settings read from the configuration file
        @Autowired
        private ExceedPermProperties exceedPermProperties;

        @Bean(name = "exceedPermService")
        public ExceedPermService exceedPermService() {
            String sessionAttrName = exceedPermProperties.getSessionAttrName();
            return new ExceedPermService(sessionAttrName);
        }
    }
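The ExceedPermProperties class that the auto-configuration binds is referenced but not shown; the following is an added example (not the original starter's code) that matches the prefix and the two keys used in application.yml, with the field names assumed from that section.

```java
package com.platform.framework.exceedperm.config;

import org.springframework.boot.context.properties.ConfigurationProperties;

/**
 * Binds the com.platform.exceedperm.* keys from application.yml that StarterAutoConfig reads.
 * Added example: field names follow the keys enable and sessionAttrName; the defaults are assumptions.
 */
@ConfigurationProperties(prefix = "com.platform.exceedperm")
public class ExceedPermProperties {
    /** Switches the auto-configuration on; maps to com.platform.exceedperm.enable. Off unless set. */
    private boolean enable = false;

    /** Session attribute that stores the allow-lists; maps to com.platform.exceedperm.sessionAttrName. */
    private String sessionAttrName = "modulePerm";

    public boolean isEnable() {
        return enable;
    }

    public void setEnable(boolean enable) {
        this.enable = enable;
    }

    public String getSessionAttrName() {
        return sessionAttrName;
    }

    public void setSessionAttrName(String sessionAttrName) {
        this.sessionAttrName = sessionAttrName;
    }
}
```

Because spring-boot-configuration-processor is declared in the starter's pom.xml, these fields also get IDE completion metadata generated at build time.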
1.4 Create the configuration file
Create a META-INF directory under resources, create a spring.factories file in it, and add the following content:
    org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.platform.framework.exceedperm.config.StarterAutoConfig
Then package the project as exceedperm-spring-boot-starter-1.0.jar and install it into a repository; for local testing, installing it into the local repository is enough.
2. Using the starter in an application project
When an application project needs the access check, it pulls the starter in as a dependency.
2.1 Add the dependency in pom.xml
    <dependency>
        <groupId>org.platform</groupId>
        <artifactId>exceedperm-spring-boot-starter</artifactId>
        <version>1.0</version>
    </dependency>
2.2 Add the configuration in application.yml
    com:
      platform:
        exceedperm:
          sessionAttrName: modulePerm
          enable: true
The starter only takes effect when com.platform.exceedperm.enable=true is configured.
2.3 Inject the service
    @Autowired
    private ExceedPermService exceedPermService;
2.4 Recording the data and checking permissions
    import java.util.ArrayList;
    import java.util.HashSet;
    import java.util.List;

    public class SysUserController extends BaseController {
        private static final String MODULE_NAME = "sysUser";
        private static final String CHECK_KEY_USERID = "userId";

        @Autowired
        private ExceedPermService exceedPermService;
        @Autowired
        private SysUserMapper userMapper;   // mapper type assumed; the page only shows the field

        public TableDataInfo list(SysUser user) {
            // Query the users the current user is allowed to see
            // (userExample holds the query conditions built from user; its construction is not shown)
            List<SysUser> list = userMapper.selectByExample(userExample);
            TableDataInfo tableDataInfo = getDataTable(list);
            // Record the ids that appeared in the listing as the allow-list for later edits
            HashSet<String> hset = new HashSet<String>();
            for (SysUser tempUser : list) {
                Long userId = tempUser.getUserId();
                hset.add(userId.toString());
            }
            exceedPermService.addCheckData(MODULE_NAME, CHECK_KEY_USERID, hset);
            return tableDataInfo;
        }

        public AjaxResult editSave(@Validated SysUser user) {
            // The submitted userId must be one of the ids listed earlier in this session;
            // verifyCheckData throws BusinessException otherwise, so the update is never reached
            ArrayList<String> arrayList = new ArrayList<String>();
            arrayList.add(user.getUserId() + "");
            exceedPermService.verifyCheckData(MODULE_NAME, CHECK_KEY_USERID, arrayList);
            // ... save the user (not shown on the page) ...
            return AjaxResult.success();   // assumed factory method of the project's AjaxResult
        }
    }
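How a rejected check reaches the client is not covered above; the following is an added example (not part of the original starter) of a @RestControllerAdvice that maps the BusinessException thrown by verifyCheckData to an HTTP 403 and writes an audit log line so rejected attempts are visible to monitoring. The class name, log format and JSON body are assumptions.

```java
package com.platform.framework.exceedperm.web;

import com.platform.framework.utils.BusinessException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/**
 * Added example: turns the BusinessException raised by ExceedPermService.verifyCheckData into a
 * 403 response instead of a generic 500, and logs the request so repeated rejections in one
 * session stand out in the logs. If the project uses BusinessException for other business errors
 * as well, narrow the handler to a dedicated subclass.
 */
@RestControllerAdvice
public class ExceedPermExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(ExceedPermExceptionHandler.class);

    @ExceptionHandler(BusinessException.class)
    public ResponseEntity<Map<String, Object>> handleBusinessException(BusinessException ex,
                                                                       HttpServletRequest request) {
        // The session id ties the attempt to a logged-in user, the URI to the module that rejected it
        HttpSession session = request.getSession(false);
        String sessionId = session == null ? "none" : session.getId();
        log.warn("access check rejected: uri={} method={} session={} remote={} reason={}",
                request.getRequestURI(), request.getMethod(), sessionId,
                request.getRemoteAddr(), ex.getMessage());

        Map<String, Object> body = new LinkedHashMap<String, Object>();
        body.put("code", HttpStatus.FORBIDDEN.value());
        body.put("msg", ex.getMessage());
        return ResponseEntity.status(HttpStatus.FORBIDDEN).body(body);
    }
}
```

Note that verifyCheckData only knows the ids recorded by list() in the same session, so a request to editSave that was not preceded by a listing is rejected too; that is the intended fail-closed behaviour, and the log line above makes such requests easy to spot.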
Download link: