1.springmvc配置文件中配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- Enable annotation-driven MVC (default @RequestMapping support). -->
<mvc:annotation-driven />
<!-- Register SpringSwaggerConfig in the Spring container. -->
<bean class="com.mangofactory.swagger.configuration.SpringSwaggerConfig" />
<!-- Register the project's own Swagger configuration class. -->
<bean class="com.aisino.qysds.common.util.SwaggerConfig" />
<!-- Static resources, served by Spring's resource handler rather than by a controller.
     The "/**" interceptor mapping below still matches these paths, so the interceptor
     must tolerate handlers that are not HandlerMethod instances. -->
<mvc:resources mapping="/api-doc/**" location="/api-doc/" />
<mvc:resources mapping="/js/**" location="/js/" />
<!-- Package scanned for annotated components. -->
<context:component-scan base-package="com.controller"/>
<!-- Avoid IE offering the JSON response as a file download during AJAX calls.
     NOTE(review): advertising JSON as text/html lets a browser render the body as a
     document; if responses can contain user-supplied strings, prefer text/plain only. -->
<bean id="mappingJacksonHttpMessageConverter"
class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
<property name="supportedMediaTypes">
<list>
<value>text/html;charset=UTF-8</value>
<value>text/plain;charset=UTF-8</value>
<!-- <value>application/x-www-form-urlencoded;charset=UTF-8</value> -->
</list>
</property>
</bean>
<!-- Authorization interceptor applied to every request path.
     NOTE(review): the bean class is given without a package; it must resolve to the
     AuthorityAnnotationInterceptor that is actually on the classpath. -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="AuthorityAnnotationInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<!-- Enable @AspectJ-style auto-proxying. -->
<aop:aspectj-autoproxy />
</beans>
2.自定义拦截器,实现HandlerInterceptor接口或继承HandlerInterceptorAdapter
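import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import com.alibaba.fastjson.JSON;

/**
 * Authorization interceptor driven by the {@link Authority} annotation.
 *
 * <p>For every handler method the interceptor resolves the effective {@code @Authority}
 * (a method-level annotation overrides a class-level one) and lets the request through
 * only if the session attribute {@code "用户权限"} (a {@code List<String>} of authority
 * ids) contains the id of at least one of the declared {@link AuthorityType}s.
 *
 * <p>Handlers without an {@code @Authority} annotation are not checked at all
 * (default-allow): a controller that omits the annotation is reachable by anyone, so
 * new endpoints need to be audited for it.
 */
public class AuthorityAnnotationInterceptor extends HandlerInterceptorAdapter {

    /** Session attribute holding the current user's authority ids. */
    private static final String ROLE_ATTRIBUTE = "用户权限";

    final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Checks the caller's authorities before the handler runs.
     *
     * @param request  current request; authorities are read from its existing session
     *                 (no session is created for an unauthenticated caller)
     * @param response on denial receives HTTP 403 and the plain-text body {@code "没有权限"}
     *                 (previously the body was written with status 200, so clients could
     *                 not tell a denial from a normal response)
     * @param handler  chosen handler; handlers that are not a {@link HandlerMethod}
     *                 (e.g. the {@code mvc:resources} static handlers) carry no
     *                 annotation and are let through instead of failing the cast
     * @return {@code true} to continue the chain, {@code false} when access is denied
     * @throws Exception propagated from the servlet API (writing the response)
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Under a "/**" interceptor mapping the handler may be a resource handler; the
        // blind cast used to throw ClassCastException for those requests.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;

        Authority authority = resolveAuthority(handlerMethod);
        if (authority == null) {
            // No authority declared: not checked (default-allow).
            return true;
        }
        // SLF4J needs a "{}" placeholder; without it the argument was silently dropped.
        logger.debug("fireAuthority {}", authority);

        if (!hasAnyAuthority(request.getSession(false), authority)) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/plain;charset=UTF-8");
            response.getWriter().println("没有权限");
            return false;
        }
        return true;
    }

    /**
     * Effective annotation for the handler: method-level wins over class-level.
     *
     * @return the annotation to enforce, or {@code null} when neither level declares one
     */
    private static Authority resolveAuthority(HandlerMethod handlerMethod) {
        Authority methodLevel = handlerMethod.getMethodAnnotation(Authority.class);
        if (methodLevel != null) {
            return methodLevel;
        }
        return handlerMethod.getBeanType().getAnnotation(Authority.class);
    }

    /**
     * True if the session's authority list contains the id of any declared type.
     *
     * <p>A missing session or missing attribute means "no authorities" and therefore
     * denial; the original dereferenced the attribute unchecked and turned an
     * unauthenticated request into a NullPointerException (HTTP 500).
     */
    @SuppressWarnings("unchecked")
    private static boolean hasAnyAuthority(HttpSession session, Authority authority) {
        if (session == null) {
            return false;
        }
        List<String> roles = (List<String>) session.getAttribute(ROLE_ATTRIBUTE);
        if (roles == null) {
            return false;
        }
        for (AuthorityType type : authority.authorityTypes()) {
            if (roles.contains(type.getId())) {
                return true;
            }
        }
        return false;
    }
}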
3.自定义权限注解
import java.lang.annotation.Documented; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; //支持在类和方法上 @Target({ElementType.TYPE,ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface Authority { AuthorityType[] authorityTypes(); }
4.权限枚举
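/**
 * Authority levels referenced by {@link Authority#authorityTypes()}.
 *
 * <p>{@link #getId()} is the value matched against the caller's session authority list
 * by the interceptor, so it must stay stable for the lifetime of the application.
 */
public enum AuthorityType {
    ONE("一级", "1"),
    TWO("二级", "2"),
    THREE("三级", "3"),
    ;

    // Not final only because the deprecated setters below still assign them.
    private String name;
    private String id;

    private AuthorityType(String name, String id) {
        this.name = name;
        this.id = id;
    }

    /** Display name of the level. */
    public String getName() {
        return name;
    }

    /**
     * @deprecated Enum constants are global singletons: changing the name at runtime
     *     affects every caller. Kept only for source compatibility.
     */
    @Deprecated
    public void setName(String name) {
        this.name = name;
    }

    /** Id compared against the session's authority ids. */
    public String getId() {
        return id;
    }

    /**
     * @deprecated Mutating the id of a global constant silently changes which session
     *     entries grant this authority for every later request. Kept only for source
     *     compatibility.
     */
    @Deprecated
    public void setId(String id) {
        this.id = id;
    }
}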
5.控制器Controller
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Sample controller exercising the {@link Authority} interceptor.
 *
 * <p>The class-level {@code @Authority(ONE)} applies to handlers of this controller;
 * {@link #test()} declares its own {@code @Authority(TWO)}, and the interceptor lets a
 * method-level annotation replace the class-level one rather than combining them, so
 * {@code GET /test/allow/test} checks {@code AuthorityType.TWO} only.
 */
@Controller
@Authority(authorityTypes = AuthorityType.ONE)
@RequestMapping("/test/allow")
public class TestController extends BaseController {

    /** {@code GET /test/allow/test}: reachable only with {@code AuthorityType.TWO}. */
    @ResponseBody
    @Authority(authorityTypes = AuthorityType.TWO)
    @RequestMapping(value = "test", method = RequestMethod.GET)
    public boolean test() {
        return true;
    }
}
每次请求有权限的接口,都需要验证当前用户是否有该权限,有则通过,反之不通过,最后附上springmvc执行流程