本篇博客接着上篇博客自定义权限模块3——后端代码实现,并在上篇博客项目的基础上进行改造。
- 目录结构
- 修改SecurityApplication.java
package com.xyc.security;
import com.xyc.security.interceptor.SecurityInterceptor;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
/**
 * Spring Boot entry point that also acts as the MVC configuration class.
 *
 * <p>Servlet components are scanned from {@code com.xyc.security.filter}, and the
 * permission interceptor is added to the MVC interceptor chain. No path patterns are
 * given at registration, so the interceptor is consulted for every request that
 * Spring MVC dispatches.
 */
@SpringBootApplication
@ServletComponentScan(basePackages = "com.xyc.security.filter") // scan for servlet filters
public class SecurityApplication extends WebMvcConfigurerAdapter {

    /**
     * Boots the application context.
     *
     * @param args command-line arguments passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(SecurityApplication.class, args);
    }

    /**
     * Registers the permission interceptor with Spring MVC.
     *
     * @param registry the interceptor registry supplied by Spring MVC
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        SecurityInterceptor permissionInterceptor = new SecurityInterceptor();
        registry.addInterceptor(permissionInterceptor);
    }
}
- SecurityInterceptor.java
package com.xyc.security.interceptor;
import com.xyc.security.annotation.Module;
import com.xyc.security.annotation.Permission;
import com.xyc.security.bo.LoginUserInfo;
import com.xyc.security.common.Constant;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.util.List;
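/**
 * Permission interceptor: checks, before a controller method runs, whether the
 * logged-in user holds the permission that the method declares.
 *
 * <p>Only controllers annotated with {@link Module} are checked. A handler without
 * that annotation is let through unchanged, so the scheme is opt-in per controller:
 * a new controller that forgets {@code @Module} is reachable without any permission.
 *
 * Created by xyc on 2017/8/13 0013.
 */
public class SecurityInterceptor extends HandlerInterceptorAdapter {

    /**
     * Called before the request is handled (before the controller method is invoked).
     *
     * <p>For a {@code @Module} controller the request is rejected with 401 when no
     * logged-in user is found in the session, and with 403 when the user lacks the
     * module, lacks the permission, or the handler method declares no
     * {@link Permission} at all.
     *
     * @param request  the current request; the login info is read from its session
     * @param response the current response; receives the 401/403 status on denial
     * @param handler  the handler chosen by Spring MVC for this request
     * @return {@code true} to continue processing, {@code false} to stop the request
     * @throws Exception if writing the error status to the response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // HandlerMethod bundles the bean class, the method and its parameters: in Spring MVC
        // terms, the controller method that a URL is mapped to.
        // instanceof instead of an exact class comparison, so a HandlerMethod subclass
        // cannot slip past the permission check.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Class<?> beanType = handlerMethod.getBeanType();

        // NOTE(review): isAnnotationPresent() does not look through meta-annotations, so a
        // controller marked only with a custom composed stereotype annotation skips the check.
        boolean isController = beanType.isAnnotationPresent(Controller.class)
                || beanType.isAnnotationPresent(RestController.class);
        if (!isController) {
            return true;
        }

        Module module = beanType.getAnnotation(Module.class);
        if (module == null) {
            // Not a permission-managed controller.
            return true;
        }

        // getSession(false): an anonymous request must not cause a session to be allocated.
        HttpSession session = request.getSession(false);
        LoginUserInfo loginUserInfo = session == null
                ? null
                : (LoginUserInfo) session.getAttribute(Constant.LOGIN_USER_INFO);
        if (loginUserInfo == null) {
            // Not logged in. Set a status so the denial is not an empty 200 response.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        if (loginUserInfo.getMpInfoMap() == null || loginUserInfo.getMpInfoMap().isEmpty()) {
            // Logged in but holds no permissions at all.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        List<String> permissionList = loginUserInfo.getMpInfoMap().get(module.value());
        if (permissionList == null || permissionList.isEmpty()) {
            // The user has no permissions in this module.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Fail closed: a method in a @Module controller without @Permission is denied
        // rather than dereferencing a null annotation.
        Permission permission = handlerMethod.getMethodAnnotation(Permission.class);
        if (permission == null || !permissionList.contains(permission.value())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }
}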
- 总结
以上就是自定义权限的实现代码了,基本的思想就这些,具体的实现就看大家的喜好了。
- github
https://github.com/xiayongchao/security
- 参考
http://blog.csdn.net/qq924862077/article/details/53789852
http://blog.csdn.net/catoop/article/details/50501696