caojiahao/dev_caojiahao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

管理端权限模块校验完善

Browse Source
This commit is contained in:
Chopper 2021-07-25 17:46:24 +08:00
parent e99aeeede5
commit 0514bec994
1 changed files with 23 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
manager-api/src/main/java/cn/lili/security/ManagerAuthenticationFilter.java
View File

@ -4,6 +4,7 @@ import cn.hutool.core.util.StrUtil;
import cn.lili.cache.Cache;
import cn.lili.cache.CachePrefix;
import cn.lili.common.security.AuthUser;
import cn.lili.common.security.enums.PermissionEnum;
import cn.lili.common.security.enums.SecurityEnum;
import cn.lili.common.security.enums.UserEnums;
import cn.lili.common.security.token.SecretKeyUtil;
@ -20,6 +21,8 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.PatternMatchUtils;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.naming.NoPermissionException;
import javax.servlet.FilterChain;
@ -71,27 +74,28 @@ public class ManagerAuthenticationFilter extends BasicAuthenticationFilter {
*/
private void customAuthentication(HttpServletRequest request, HttpServletResponse response, UsernamePasswordAuthenticationToken authentication) throws NoPermissionException {
AuthUser authUser = (AuthUser) authentication.getDetails();
String requestUrl = request.getRequestURI();
Map<String, List<String>> permission = (Map<String, List<String>>) cache.get(CachePrefix.PERMISSION_LIST.getPrefix(UserEnums.MANAGER) + authUser.getId());
if (authUser.getIsSuper()) {
return;
} else {
//用户是否拥有权限判定œ
//如果不是超级管理员 不做鉴权
if (!authUser.getIsSuper()) {
//获取数据权限
// if (request.getMethod().equals(RequestMethod.GET.name())) {
// if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER).toArray(new String[0]), request.getRequestURI()) ||
// PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.QUERY).toArray(new String[0]), request.getRequestURI())) {
//
// ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
// throw new NoPermissionException("权限不足");
// }
// } else {
// if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER).toArray(new String[0]), request.getRequestURI())) {
//
// ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
// throw new NoPermissionException("权限不足");
// }
// }
return;
if (request.getMethod().equals(RequestMethod.GET.name())) {
//如果用户的超级权限和查阅权限都不包含当前请求的api
if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER.name()).toArray(new String[0]), requestUrl) &&
!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.QUERY.name()).toArray(new String[0]), requestUrl)) {
ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
throw new NoPermissionException("权限不足");
}
}
//非get请求数据操作 判定
else {
if (!PatternMatchUtils.simpleMatch(permission.get(PermissionEnum.SUPER.name()).toArray(new String[0]), request.getRequestURI())) {
ResponseUtil.output(response, ResponseUtil.resultMap(false, 401, "抱歉,您没有访问权限"));
throw new NoPermissionException("权限不足");
}
}
}
}