管理权限
点击:token生成方法
通过解析 token 来获取员工权限,本文章是从刚做完的一个小项目中总结的,若有不足请指出。
分为三种情况:
- @AdministratorToken 管理员权限
- @UserToken 普通用户权限(管理员自然也可以放行)
- @PassToken 跳过验证(无论你是谁都可以)
步骤
首先定义三种情况的注解,然后编写放行规则,最后在类或者方法中使用。
AdministratorToken
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
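/**
 * Marks a handler method (or a whole controller class) as requiring administrator privileges.
 *
 * <p>The annotation itself enforces nothing; it is read at runtime by the token-checking
 * interceptor, which is why retention is {@code RUNTIME}. It is {@code @Documented} so that
 * generated API docs show which endpoints are administrator-only, matching {@link PassToken}.
 *
 * @author NNroc
 * @date 2020/5/14 18:48
 */
@Documented
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface AdministratorToken {
    /**
     * Whether the administrator check is enforced for the annotated element.
     * {@code false} leaves the annotation in place but makes it inert.
     */
    boolean required() default true;
}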
UserToken
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
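/**
 * Marks a handler method (or a whole controller class) as requiring an authenticated
 * staff member; an administrator satisfies this requirement as well.
 *
 * <p>The annotation enforces nothing by itself; it is looked up at runtime by the
 * token-checking interceptor, hence {@code RUNTIME} retention. It is {@code @Documented}
 * so generated API docs show which endpoints need a login, matching {@link PassToken}.
 *
 * @author NNroc
 * @date 2020/5/12 14:53
 */
@Documented
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface UserToken {
    /**
     * Whether the login check is enforced for the annotated element.
     * {@code false} leaves the annotation in place but makes it inert.
     */
    boolean required() default true;
}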
PassToken
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
 * Marks a handler method (or a whole controller class) as exempt from token verification:
 * the request is let through regardless of who sends it.
 *
 * <p>Read at runtime by the token-checking interceptor, hence {@code RUNTIME} retention.
 * Note that {@code required = false} does not "require a token"; it merely makes this
 * annotation inert, after which any other token annotation on the element applies.
 *
 * @author NNroc
 * @date 2020/5/12 14:51
 */
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface PassToken {
    /** Whether the exemption is active; {@code false} disables it. */
    boolean required() default true;
}
AuthenticationInterceptor
一些本项目中的内部导包已删除,主要看过程。
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
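/**
 * Spring MVC interceptor that enforces {@link PassToken}, {@link UserToken} and
 * {@link AdministratorToken} by resolving the {@code token} request header through
 * {@link StaffService}.
 *
 * <p>Each annotation is looked up on the handler method first and then on its controller
 * class, because all three are declared with {@code @Target({METHOD, TYPE})}. Evaluation
 * order is {@code @PassToken} (let through), then {@code @AdministratorToken}, then
 * {@code @UserToken}, so a handler carrying both of the latter gets the stricter check.
 * A handler with none of the three annotations is let through unauthenticated (the original
 * design is fail-open), so every protected endpoint must be annotated explicitly.
 *
 * @author NNroc
 * @date 2020/5/14 17:31
 */
@Slf4j
public class AuthenticationInterceptor implements HandlerInterceptor {
    /** Request header that carries the token. */
    private static final String TOKEN_HEADER = "token";

    /** Staff weight that denotes an administrator (the value the original check compared against). */
    private static final double ADMINISTRATOR_WEIGHT = 4.0;

    /**
     * Code written into every rejection. Kept at 404 so existing clients keep working;
     * 401 (no/unknown token) and 403 (insufficient weight) would describe the failures better.
     */
    private static final int REJECT_CODE = 404;

    @Autowired
    StaffService staffService;
    @Autowired
    SendMsgUtil sendMsgUtil;

    /**
     * Decides whether the request may reach the handler.
     *
     * @return {@code true} to continue; {@code false} after a rejection has been written to the response
     * @throws Exception propagated from the staff lookup or the response writer
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object object) throws Exception {
        log.info("______开始处理______");
        // Only handler methods carry the token annotations; anything else (e.g. static resources) passes.
        if (!(object instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) object;
        String token = httpServletRequest.getHeader(TOKEN_HEADER);
        // The token is a credential: record only whether one was supplied, never its value.
        log.info("token present: {}", token != null);

        PassToken passToken = findAnnotation(handlerMethod, PassToken.class);
        if (passToken != null && passToken.required()) {
            return true;
        }

        AdministratorToken administratorToken = findAnnotation(handlerMethod, AdministratorToken.class);
        if (administratorToken != null && administratorToken.required()) {
            Staff staff = authenticate(token, httpServletResponse);
            if (staff == null) {
                return false;
            }
            if (staff.getStaffWeight() != ADMINISTRATOR_WEIGHT) {
                log.info("权限不足");
                reject(httpServletResponse, "权限不足", "stop");
                return false;
            }
            return true;
        }

        UserToken userToken = findAnnotation(handlerMethod, UserToken.class);
        if (userToken != null && userToken.required()) {
            return authenticate(token, httpServletResponse) != null;
        }

        // No token annotation on method or class: let through, as in the original design.
        return true;
    }

    /**
     * Finds {@code type} on the handler method, falling back to the controller class so that
     * a class-level annotation protects every handler in it.
     *
     * @return the annotation, or {@code null} when neither the method nor its class carries it
     */
    private static <A extends Annotation> A findAnnotation(HandlerMethod handlerMethod, Class<A> type) {
        Method method = handlerMethod.getMethod();
        A annotation = method.getAnnotation(type);
        if (annotation == null) {
            annotation = handlerMethod.getBeanType().getAnnotation(type);
        }
        return annotation;
    }

    /**
     * Resolves the staff member behind {@code token}, writing a rejection when the header is
     * missing or does not map to a known staff member.
     *
     * @return the authenticated staff member, or {@code null} after a rejection was written
     * @throws Exception propagated from the staff lookup or the response writer
     */
    private Staff authenticate(String token, HttpServletResponse response) throws Exception {
        if (token == null) {
            log.info("没有token进行操作");
            reject(response, "未找到token", "get token null");
            return null;
        }
        Staff staff = staffService.getStaffFromToken(token);
        // Guard the lookup result itself as well as its id; a null Staff would otherwise become a 500.
        if (staff == null || staff.getStaffId() == null) {
            log.info("未找到该员工");
            reject(response, "未找到该员工", "get staff null");
            return null;
        }
        return staff;
    }

    /**
     * Writes a JSON {@link Result} carrying {@link #REJECT_CODE}, {@code msg} and {@code data}
     * to the response.
     *
     * @throws Exception propagated from the response writer
     */
    private void reject(HttpServletResponse response, String msg, String data) throws Exception {
        Result<String> result = new Result<>();
        result.setCode(REJECT_CODE);
        result.setMsg(msg);
        result.setData(data);
        sendMsgUtil.sendJsonMessage(response, result);
    }

    /** No post-processing is needed; authorization is decided entirely in {@link #preHandle}. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
    }

    /** Nothing to clean up after the request completes. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
    }
}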
使用举例
这里运用了管理员权限,用于删除员工。
/**
 * Deletes the staff member identified by {@code staffId}; reachable only with an
 * administrator token because of {@link AdministratorToken} on this handler.
 *
 * @param staffId id of the staff member to delete
 * @return a result with code 200 when exactly one row was deleted, otherwise code 400
 */
@AdministratorToken
@RequestMapping("/del")
public Result del(@RequestParam String staffId) {
    // @RequestMapping without a method restriction accepts any HTTP verb for this delete.
    boolean deleted = staffService.deleteByStaffId(staffId) == 1;
    String message = deleted ? "删除成功" : "删除失败";
    int code = deleted ? 200 : 400;
    return responseData.write(message, code, new HashMap<>());
}