Spring Auth Authorization Strategy

Reference code: lamp

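1: Define the annotation PreAuth

2: Define an aspect whose pointcut finds the @PreAuth on the controller class and the @PreAuth on the method

3: @PreAuth on the controller class: usually the value that will replace the {} in the method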

@PreAuth(replace = "vily:user:")
public class VilyPreAuthTestController {

}

4: @PreAuth on the method: points to the concrete operation through reflection

@PreAuth("hasAnyPermission('{}update,vue')")
public R updateTest() {
    return R.success();
}

5: When the aspect intercepts the annotation on the method, it obtains the final condition:

hasAnyPermission('vily:user:update,vue')

6: Reflection:

@Nullable
private Boolean invokePermit(ProceedingJoinPoint point, Method method, String condition) {
    // verifyAuthFunction is the root object, so hasAnyPermission(...) resolves against it
    StandardEvaluationContext context = new StandardEvaluationContext(verifyAuthFunction);
    Expression expression = SP_EL_PARSER.parseExpression(condition);
    // Method argument values
    Object[] args = point.getArgs();

    context.setBeanResolver(new BeanFactoryResolver(ac));
    // Expose each argument as a SpEL variable named after its parameter
    for (int i = 0; i < args.length; i++) {
        MethodParameter mp = new SynthesizingMethodParameter(method, i);
        mp.initParameterNameDiscovery(PARAMETER_NAME_DISCOVERER);
        context.setVariable(mp.getParameterName(), args[i]);
    }
    return expression.getValue(context, Boolean.class);
}

7: Reflection invokes the hasAnyPermission method of verifyAuthFunction

public boolean hasAnyPermission(String... permit) {
    // Query all resources the current user holds
    Set<String> resources = getAllResources();
    // Check whether they include the required permissions
    return AuthorizingRealm.hasAnyPermission(resources, permit, securityProperties.getCaseSensitive());
}

8: Iterate over permit

if (permit != null && permit.length > 0) {
    Arrays.stream(permit).forEach(System.out::println);
}

9: This yields the resources from the 2 annotations: 'vily:user:update,vue'
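
Steps 3 to 7 put together in one class, as an added example that is not lamp's code: it merges the class-level prefix into the method-level expression, evaluates the result with SpEL, and denies when the result is null or false. It assumes spring-expression on the classpath and Java 9+; PreAuthDemo, VerifyAuth, resolveCondition and permitted are hypothetical names, and treating a comma inside one argument as a separator is an assumption of this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class PreAuthDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface PreAuth { String value() default ""; String replace() default ""; }

    // Hypothetical stand-in for verifyAuthFunction; it is the SpEL root object.
    public static class VerifyAuth {
        private final Set<String> resources; // constructed sample data
        public VerifyAuth(Set<String> resources) { this.resources = resources; }
        // Assumption: one argument may carry several comma-separated permission codes.
        public boolean hasAnyPermission(String... permit) {
            return Arrays.stream(permit).flatMap(p -> Arrays.stream(p.split(",")))
                    .map(String::trim).anyMatch(resources::contains);
        }
    }

    @PreAuth(replace = "vily:user:")
    static class VilyPreAuthTestController {
        @PreAuth("hasAnyPermission('{}update,vue')")
        public String updateTest() { return "ok"; }
    }

    // Steps 3-5: substitute the class-level replace value for {} in the method-level value.
    static String resolveCondition(Method m) {
        PreAuth onClass = m.getDeclaringClass().getAnnotation(PreAuth.class);
        String prefix = onClass == null ? "" : onClass.replace();
        return m.getAnnotation(PreAuth.class).value().replace("{}", prefix);
    }

    // Steps 6-7: the condition comes only from annotations, never from request data,
    // because StandardEvaluationContext permits arbitrary method and type access.
    static boolean permitted(String condition, VerifyAuth root) {
        Boolean ok = new SpelExpressionParser().parseExpression(condition)
                .getValue(new StandardEvaluationContext(root), Boolean.class);
        return Boolean.TRUE.equals(ok); // null and false both deny
    }

    public static void main(String[] args) throws Exception {
        String c = resolveCondition(VilyPreAuthTestController.class.getMethod("updateTest"));
        System.out.println(c);
        System.out.println(permitted(c, new VerifyAuth(Set.of("vily:user:update"))));
        System.out.println(permitted(c, new VerifyAuth(Set.of("vily:user:view"))));
    }
}
```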
