@Order @Component public class PcPermissionAuthorizeConfigProvider implements AuthorizeConfigProvider { /** * Config boolean. * * @param config the config * * @return the boolean */ @Override public boolean config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) { config.anyRequest().access("@permissionService.hasPermission(authentication,request)"); return true; } }
@Slf4j @Component("permissionService") public class MucPermissionServiceImpl implements MucPermissionService { private AntPathMatcher antPathMatcher = new AntPathMatcher(); private static final String OAUTH2_CLIENT_PREFIX = "rockysaas-client-"; @Resource private ClientDetailsService clientDetailsService; @Override public boolean hasPermission(Authentication authentication, HttpServletRequest request) { String currentLoginName = SecurityUtils.getCurrentLoginName(); Set<String> currentAuthorityUrl = SecurityUtils.getCurrentAuthorityUrl(); String requestURI = request.getRequestURI(); log.info("验证权限loginName={}, requestURI={}, hasAuthorityUrl={}", currentLoginName, requestURI, Joiner.on(GlobalConstant.Symbol.COMMA).join(currentAuthorityUrl)); // 超级管理员 全部都可以访问 if (StringUtils.equals(currentLoginName, GlobalConstant.Sys.SUPER_MANAGER_LOGIN_NAME)) { return true; } // DEMO项目Feign客户端具有所有权限, 如果需要则在角色权限中控制 if (currentLoginName.contains(OAUTH2_CLIENT_PREFIX)) { ClientDetails clientDetails = clientDetailsService.loadClientByClientId(currentLoginName); return clientDetails != null; } for (final String authority : currentAuthorityUrl) { // DEMO项目放过查询权限 if (requestURI.contains("query") || requestURI.contains("get") || requestURI.contains("check") || requestURI.contains("select")) { return true; } if (antPathMatcher.match(authority, requestURI)) { return true; } } return false; }
@Component public class PcAuthorizeConfigManager implements AuthorizeConfigManager { private final List<AuthorizeConfigProvider> authorizeConfigProviders; /** * Instantiates a new Pc authorize config manager. * * @param authorizeConfigProviders the authorize config providers */ @Autowired public PcAuthorizeConfigManager(List<AuthorizeConfigProvider> authorizeConfigProviders) { this.authorizeConfigProviders = authorizeConfigProviders; } /** * Config. * * @param config the config */ @Override public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) { for (AuthorizeConfigProvider authorizeConfigProvider : authorizeConfigProviders) { authorizeConfigProvider.config(config); } config.anyRequest().authenticated(); } }
请求过来时 permissionService.hasPermission进不去了,原来是PcAuthorizeConfigManager被改坏了,红色部分表示所有url都可以被认证用户访问,代码复原后ok
@Component public class PcAuthorizeConfigManager implements AuthorizeConfigManager { private final List<AuthorizeConfigProvider> authorizeConfigProviders; /** * Instantiates a new Pc authorize config manager. * * @param authorizeConfigProviders the authorize config providers */ @Autowired public PcAuthorizeConfigManager(List<AuthorizeConfigProvider> authorizeConfigProviders) { this.authorizeConfigProviders = authorizeConfigProviders; } /** * Config. * * @param config the config */ @Override public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) { boolean existAnyRequestConfig = false; String existAnyRequestConfigName = null; for (AuthorizeConfigProvider authorizeConfigProvider : authorizeConfigProviders) { boolean currentIsAnyRequestConfig = authorizeConfigProvider.config(config); if (existAnyRequestConfig && currentIsAnyRequestConfig) { throw new RuntimeException("重复的anyRequest配置:" + existAnyRequestConfigName + "," + authorizeConfigProvider.getClass().getSimpleName()); } else if (currentIsAnyRequestConfig) { existAnyRequestConfig = true; existAnyRequestConfigName = authorizeConfigProvider.getClass().getSimpleName(); } } if (!existAnyRequestConfig) { config.anyRequest().authenticated(); } } }