乐趣区

关于spring:小程序的权限拦截

需要:
懒得做登录了, 只用小程序的 openid 来做权限治理, 不援用 spring 的 security;
步骤:

  1. 实现办法注解
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})
public @interface HasRole {String value();
}

简略实现一个注解, 用法

    @HasRole("#deviceOperate.step")
    @PostMapping
    public R insert(@RequestBody DeviceOperate deviceOperate) {return success(this.deviceOperateService.save(deviceOperate));
    }
  1. 实现 HandlerInterceptor 拦截器
    次要用于寄存小程序的 openId, 这边寄存残缺的用户
@Component
public class HasRoleInterceptor implements HandlerInterceptor {

    @Autowired
    private UserService userService;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {String openId = request.getHeader("open_id");
        if (!StringUtils.hasText(openId)) {throw new SecurityException("未找到 openId");
        }
        User user = userService.getByOpenId(openId);
        if (user == null) {throw new SecurityException("未找到用户");
        }
        UserContext.set(user);
        return true;
    }

}

获取的用户放到上下文中, 实现 UserContext

public class UserContext implements AutoCloseable {static final ThreadLocal<User> ctx = new ThreadLocal<>();

    public static void set(User user) {ctx.set(user);
    }

    public static User currentUser() {return ctx.get();
    }

    @Override
    public void close() {ctx.remove();
    }
}
  1. 实现 Aspect 办法拦截器
    次要因为 HandlerInterceptor 实现参数获取, 太过简单, 应用 aspect 获取更加清晰;
    拦挡 HasRole 注解的, 解析外面 spel, 获取须要的权限。
@Aspect
@Component
public class HasRoleAspect {

    @Autowired
    private UserService userService;

    // Service 层切点
    @Pointcut("@annotation(com.hiklife.server.auth.HasRole)")
    public void servicePointcut() {}

    // 切点办法执行前运行
    @Before(value = "servicePointcut()")
    public void doBefore(JoinPoint joinPoint) throws NoSuchMethodException {
        // 获取以后拜访的 class 类及类名
        Class<?> clazz = joinPoint.getTarget().getClass();

        // 获取拜访的办法名
        String methodName = joinPoint.getSignature().getName();
        // 获取办法所有参数及其类型
        String[] argNames = ((MethodSignature) joinPoint.getSignature()).getParameterNames();
        Object[] args = joinPoint.getArgs();
        // 获取拜访的办法对象
        Method method = clazz.getDeclaredMethod(methodName,
                                                ((MethodSignature) joinPoint.getSignature()).getParameterTypes());

        // 判断以后拜访的办法是否存在指定注解
        if (method.isAnnotationPresent(HasRole.class)) {HasRole annotation = method.getAnnotation(HasRole.class);

            // 获取注解标识值与注解形容
            ExpressionParser parser = new SpelExpressionParser();
            Expression expression = parser.parseExpression(annotation.value());
            EvaluationContext context = new StandardEvaluationContext();
            for (int i = 0; i < argNames.length; i++) {context.setVariable(argNames[i], args[i]);
            }
            String role = String.valueOf(expression.getValue(context));
            User user = UserContext.currentUser();
            if (user == null || !user.getUserRole().contains(role)) {throw new SecurityException("没有权限执行办法");
            }
        }

    }
}

退出移动版