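Jamal's Blog

Simple permission control with a custom Spring annotation

Sometimes we need to verify, when a request is submitted, whether a user holds certain permissions. Frameworks such as Spring Security can do this for us, but sometimes only a simple permission check is needed and such a powerful framework is unnecessary. In that case a custom annotation can implement some simple permission checks.

The code follows:

Permission classes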

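    // Auth.java
    import java.lang.annotation.Documented;
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Inherited;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    /**
     * describe: permission annotation; the permission type is defined here
     * author: jamal-jiang
     * time: 2017-02-07 18:03
     */
    @Documented
    @Target(ElementType.METHOD)
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Auth {
        /**
         * Permission type.
         *
         * @return the role a caller must hold to invoke the annotated handler
         */
        String role() default "COMMON_USER";
    }

    // ActionInterceptor.java
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.log4j.Logger; // log4j 1.x, inferred from Logger.getLogger(Class)
    import org.springframework.context.support.GenericXmlApplicationContext;
    import org.springframework.web.method.HandlerMethod;
    import org.springframework.web.servlet.HandlerInterceptor;
    import org.springframework.web.servlet.ModelAndView;
    // AdminDOMapper, AdminDO, BucSSOUser and SimpleUserUtil are the project's own
    // classes; import them from wherever they live in your code base.

    /**
     * describe: class that performs the user permission check
     * author: jamal-jiang
     * time: 2017-02-07 18:06
     */
    public class ActionInterceptor implements HandlerInterceptor {
        private static final Logger logger = Logger.getLogger(ActionInterceptor.class);
        // Load the configuration files to obtain the service (mapper) beans.
        // Note that this builds an application context separate from the MVC one.
        private static final GenericXmlApplicationContext context = new GenericXmlApplicationContext();
        static {
            context.setValidating(false);
            context.load("classpath*:*.xml");
            context.refresh();
        }

        /**
         * Checks whether the request goes beyond what the caller's permissions allow.
         *
         * @param request  the current request
         * @param response the current response
         * @param handler  the handler chosen for the request
         * @return true if the caller holds the role required by @Auth, false otherwise
         * @throws Exception on any error
         */
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
                throws Exception {
            // Fail closed: a handler that is not a controller method, or that carries
            // no @Auth annotation, has no role to check against and is refused.
            if (!(handler instanceof HandlerMethod)) {
                return deny(response);
            }
            Auth authType = ((HandlerMethod) handler).getMethodAnnotation(Auth.class);
            if (authType == null) {
                return deny(response);
            }
            // Look up the mapper bean
            AdminDOMapper adminDOMapper = context.getBean(AdminDOMapper.class);
            logger.debug(adminDOMapper);
            BucSSOUser user = SimpleUserUtil.getBucSSOUser(request);
            if (user == null) {
                return deny(response);
            }
            AdminDO adminDO = adminDOMapper.selectByNickNameCn(user.getNickNameCn());
            if (adminDO == null || adminDO.getNickNameCn() == null || adminDO.getAuthList() == null) {
                return deny(response);
            }
            // authList is a comma-separated list of role names; the match is exact
            for (String auth : adminDO.getAuthList().split(",")) {
                if (auth.equals(authType.role())) {
                    return true;
                }
            }
            return deny(response);
        }

        // Returning false alone leaves an empty 200 response, so send 403 explicitly.
        private boolean deny(HttpServletResponse response) throws Exception {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, ModelAndView modelAndView) throws Exception {
        }

        public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) throws Exception {
        }
    }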

Spring configuration file

Add the following section to the MVC configuration file:

    <mvc:interceptors>
        <mvc:interceptor>
            <!-- Defines which mapping patterns are intercepted -->
            <mvc:mapping path="/common/approveApply.json**"/>
            <bean class="the fully qualified name of the ActionInterceptor class above"/>
        </mvc:interceptor>
    </mvc:interceptors>

Using it in code

Use the annotation in the controller code:

    @Auth(role = "APPROVE_APPLY")
    @ResponseBody
    @RequestMapping("/common/approveApply.json")
    public void approveApply(HttpServletRequest request, Model model,
                             @RequestParam(value = "id", required = false) Integer id,
                             @RequestParam(value = "status", required = false) String status) {
    }
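
The interceptor only runs for the paths listed under mvc:mapping, so an @Auth annotation on a handler whose path is not listed there is never checked. The following startup audit is an added example, not code from the original post: the class name AuthCoverageAudit and the GUARDED list are hypothetical, the list is assumed to be kept in sync with the XML by hand, and Auth is assumed to be in the same package.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

// Hypothetical audit: abort startup if an @Auth handler is outside the interceptor's mappings.
// Assumes Ant-style patterns (Spring 4.x/5.x defaults) and literal handler paths.
public class AuthCoverageAudit implements ApplicationListener<ContextRefreshedEvent> {
    // Assumption: mirrors the <mvc:mapping path="..."/> entries of the MVC configuration.
    private static final List<String> GUARDED = Arrays.asList("/common/approveApply.json**");
    private final AntPathMatcher matcher = new AntPathMatcher();

    // True when at least one guarded pattern covers the handler's URL pattern.
    boolean isGuarded(String handlerPattern) {
        for (String guarded : GUARDED) {
            if (matcher.match(guarded, handlerPattern)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        List<String> unguarded = new ArrayList<String>();
        for (RequestMappingHandlerMapping mapping : event.getApplicationContext()
                .getBeansOfType(RequestMappingHandlerMapping.class).values()) {
            for (Map.Entry<RequestMappingInfo, HandlerMethod> e : mapping.getHandlerMethods().entrySet()) {
                if (e.getValue().getMethodAnnotation(Auth.class) == null) {
                    continue; // no role requirement declared on this handler
                }
                for (String pattern : e.getKey().getPatternsCondition().getPatterns()) {
                    if (!isGuarded(pattern)) {
                        unguarded.add(pattern + " -> " + e.getValue());
                    }
                }
            }
        }
        if (!unguarded.isEmpty()) {
            throw new IllegalStateException("@Auth handlers not covered by ActionInterceptor: " + unguarded);
        }
    }
}
```

Declared as a bean in the same MVC configuration file, it stops the context from starting when an annotated handler would be served without the role check.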