Spring Security + Spring Boot: restricting users to content within their own permissions (based on a real project)

I overrode hasPermission and use this method on the controller to check the user's permissions.
Original hands-on code; if you find problems or mistakes, leave a comment and let's learn together.
Without further ado:

import java.io.Serializable;
import java.util.List;
import java.util.Objects;

import javax.annotation.Resource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component  // registered as a bean so the security configuration can inject it
public class MyPermissionEvaluator implements PermissionEvaluator {

    private static final Logger log = LoggerFactory.getLogger(MyPermissionEvaluator.class);

    @Resource
    private UsersServiceImpl usersService;

    // Backs hasPermission(target, permission) in a SpEL expression:
    // the first argument arrives as targetApplication, the second as targetPermissions.
    @Override
    public boolean hasPermission(Authentication authentication, Object targetApplication, Object targetPermissions) {
        // Get the currently logged-in user. An anonymous request carries a String principal
        // ("anonymousUser"), so check the type instead of casting blindly.
        if (authentication != null && authentication.getPrincipal() instanceof LoginUserDetailsImpl) {
            LoginUserDetailsImpl user = (LoginUserDetailsImpl) authentication.getPrincipal();
            List<Permission> permissionList = usersService.getPermission(user.getUsername());
            // Walk all of the user's permissions and look for an exact (application, permission) match
            for (Permission p : permissionList) {
                if (Objects.equals(targetPermissions, p.getPermission())
                        && Objects.equals(targetApplication, p.getApplication())) {
                    log.info("The user possesses this permission!");
                    return true;
                }
            }
        }
        log.info("The user does not have this permission!");
        return false;
    }

    // The (id, type, permission) form is not used in this project, so it always denies.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}

Security configuration

The configuration class (the WebSecurityConfigurerAdapter subclass whose header is elided below) also needs @EnableGlobalMethodSecurity(prePostEnabled = true); without it the @PreAuthorize annotation on the controller is never evaluated.

…………
 @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .expressionHandler(webSecurityExpressionHandler())  // otherwise the web handler below is never used
                .antMatchers("/index.html","/login.html").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                .loginPage("/login.html")   // login page
                .loginProcessingUrl("/auth/login")
                .defaultSuccessUrl("/")
                // The original set both failureUrl and failureForwardUrl; only the last call takes effect,
                // so keep a single failure handler. permitAll() covers the login and failure pages.
                .failureUrl("/error.html").permitAll()
            .and()
                .logout()
                .logoutUrl("/auth/logout")
                .invalidateHttpSession(true)
                .logoutSuccessUrl("/login.html");
        // Caution: with cookie-based form login, disabling CSRF lets any site the user visits issue the
        // DELETE /application/{id} request on their behalf. Leave CSRF enabled (and send the token from the
        // page) unless the API is only ever called with a bearer token rather than a session cookie.
        http.csrf().disable();
    }

    @Resource
    private MyPermissionEvaluator myPermissionEvaluator;

    // Register the overridden PermissionEvaluator with both expression handlers.
    // The methods must be @Bean; GlobalMethodSecurityConfiguration picks up a single
    // MethodSecurityExpressionHandler bean, and the web handler is passed to authorizeRequests() above.
    @Bean
    public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler(){
        DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
        defaultWebSecurityExpressionHandler.setPermissionEvaluator(myPermissionEvaluator);
        return defaultWebSecurityExpressionHandler;
    }
    @Bean
    public DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler(){
        DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler = new DefaultMethodSecurityExpressionHandler();
        defaultMethodSecurityExpressionHandler.setPermissionEvaluator(myPermissionEvaluator);
        return defaultMethodSecurityExpressionHandler;
    }

Now the key part: the check in the controller, handled with a small trick.

Three things to get right here. First, #paramName in the expression resolves the method parameter by name, which requires the parameter names to be available at runtime: either compile with -parameters (the Spring Boot Maven and Gradle plugins turn this on) or annotate the parameter with @P("paramName"). Second, a string literal inside the SpEL expression must be quoted ('...'), otherwise it is parsed as a variable reference. Third, note what is actually being checked: the application passed as the first argument comes from a request parameter the caller controls, so the evaluator confirms that the user holds the permission in the application the caller named, not necessarily in the application that owns the record identified by {id}. For a real deployment the scope should be derived server-side from the resource rather than taken from the request.

    @Resource
    private ApplicationMapper applicationMapper;

    @RequestMapping(value = "/application/{id}", method = {RequestMethod.DELETE}, produces = "application/json;charset=UTF-8")
    @ResponseBody
    // #paramName reads the method parameter (the level-1 permission you defined, i.e. the application);
    // the second argument is the level-2 permission you defined, written as a quoted SpEL string literal
    @PreAuthorize("hasPermission(#paramName, 'level-2 permission')")
    public Object deleteApplication(@PathVariable Integer id, @RequestParam("paramName") ParamType paramName) {
        applicationMapper.deleteByPrimaryKey(id);
        return GlobalResponse.success();
    }

That's it. The core is getting the annotation parameter in the controller; I struggled with it for several days, thinking it couldn't be obtained.
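The controller above trusts the caller to name the application it is deleting from. The following is an added example, not code from the original post, showing how to implement the second hasPermission overload (the one the post leaves returning false) so that the scope is resolved on the server from the record's id. It reuses the post's LoginUserDetailsImpl, Permission, UsersServiceImpl and ApplicationMapper types and assumes, hypothetically, that ApplicationMapper has a selectByPrimaryKey(Integer) method returning an Application object with a getName() accessor, and that 'Application' and 'delete' are the type and permission strings used in this project. It replaces MyPermissionEvaluator rather than sitting beside it: inject this evaluator into the two expression handlers instead, and keep only one PermissionEvaluator bean in the context.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Objects;

import javax.annotation.Resource;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Resolves the application that owns a record on the server side, so the scope of the permission
// check cannot be chosen by the caller. ApplicationMapper.selectByPrimaryKey and Application.getName()
// are assumed for this example; the other types come from the original post.
@Component
public class ResourceScopedPermissionEvaluator implements PermissionEvaluator {

    @Resource
    private UsersServiceImpl usersService;
    @Resource
    private ApplicationMapper applicationMapper;

    // Backs hasPermission(#id, 'Application', 'delete'): targetId identifies the row,
    // targetType says which table it lives in, permission is the action being attempted.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        if (authentication == null || !(authentication.getPrincipal() instanceof LoginUserDetailsImpl)) {
            return false; // anonymous or unexpected principal: deny
        }
        if (!"Application".equals(targetType) || !(targetId instanceof Integer)) {
            return false; // this evaluator only knows how to scope Application rows
        }
        Application app = applicationMapper.selectByPrimaryKey((Integer) targetId); // assumed lookup
        if (app == null) {
            return false; // unknown id: deny up front instead of letting the delete reach the mapper
        }
        // Delegate to the two-argument form with the application name read from the database
        return hasPermission(authentication, app.getName(), permission);
    }

    // Same two-argument form as the original post, with null-safe comparisons.
    @Override
    public boolean hasPermission(Authentication authentication, Object targetApplication, Object targetPermission) {
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (!(principal instanceof LoginUserDetailsImpl)) {
            return false;
        }
        String username = ((LoginUserDetailsImpl) principal).getUsername();
        List<Permission> granted = usersService.getPermission(username);
        for (Permission p : granted) {
            if (Objects.equals(targetApplication, p.getApplication())
                    && Objects.equals(targetPermission, p.getPermission())) {
                return true;
            }
        }
        return false;
    }
}

// The controller no longer takes the application from the request: only the id is supplied,
// and the evaluator derives the owning application from it.
@RestController
class ApplicationController {

    @Resource
    private ApplicationMapper applicationMapper;

    @DeleteMapping(value = "/application/{id}", produces = "application/json;charset=UTF-8")
    @PreAuthorize("hasPermission(#id, 'Application', 'delete')")
    public Object deleteApplication(@PathVariable("id") Integer id) {
        applicationMapper.deleteByPrimaryKey(id);
        return GlobalResponse.success();
    }
}
```

With this shape a user who holds 'delete' in application A but not in B cannot remove a record from B by naming A in the request, because the name the evaluator compares against is the one stored with the record. The cost is one extra lookup per request, which is the price of authorising against the resource rather than against the caller's claim.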
