如何限制对 Spring MVC 控制器的访问
How to restrict access to the Spring MVC controller
我正在编写一个带有授权和注册表的网络服务。有两种类型的用户:普通用户和管理员。有一个控制器在给定的 URL:
发送到管理页面
@Controller
public class ViewPageController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage(){
return "AdminPage";
}
}
但是普通用户也可以访问这个页面。只有以管理员身份登录的用户才能进入管理页面。有如何组织的选项?也许在会话中保存登录用户? (最好没有 Spring 安全性)
像这样定义方面和 annotation.some 代码的简单方法
@Inherited
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Authorize {
//
String[] value() default {};
}
AuthorizationAspect.java
@Slf4j
@Aspect
@Component
@RequiredArgsConstructor
public class AuthorizationAspect {
private final AuthorizationService authorizationService;
private final CacheUtil cacheUtil;
private static final String PRE = "AUTH";
@Before("@annotation(com.jin.learn.config.security.Authorize)")
public void checkPermission(JoinPoint joinPoint) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
Long accountId = JWTUtil.getUserIdFromRequest(request);
Set<String> authorization = cacheUtil.getAllSet(PRE + accountId);
if(authorization==null){
authorization = authorizationService.findByAccountId(accountId);
cacheUtil.save(PRE + accountId, authorization);
}
Authorize authorize = ((MethodSignature) joinPoint.getSignature()).getMethod().getAnnotation(Authorize.class);
String[] needAuthorization = authorize.value();
if (needAuthorization.length == 0) return;
if (authorization!=null && !authorization.isEmpty()) {
if (!authorization.containsAll(Arrays.asList(needAuthorization))){
throw new SystemException(ExceptionCode.NO_PERMISSION);
}
} else {
throw new SystemException(ExceptionCode.NO_PERMISSION);
}
}
}
这样使用
@Authorize(value="needRight")
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage(){
return "AdminPage";
}
此外,还有一些安全框架shiro and spring-security
我正在编写一个带有授权和注册表的网络服务。有两种类型的用户:普通用户和管理员。有一个控制器在给定的 URL:
发送到管理页面@Controller
public class ViewPageController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage(){
return "AdminPage";
}
}
但是普通用户也可以访问这个页面。只有以管理员身份登录的用户才能进入管理页面。有如何组织的选项?也许在会话中保存登录用户? (最好没有 Spring 安全性)
像这样定义方面和 annotation.some 代码的简单方法
@Inherited
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Authorize {
//
String[] value() default {};
}
AuthorizationAspect.java
@Slf4j
@Aspect
@Component
@RequiredArgsConstructor
public class AuthorizationAspect {
private final AuthorizationService authorizationService;
private final CacheUtil cacheUtil;
private static final String PRE = "AUTH";
@Before("@annotation(com.jin.learn.config.security.Authorize)")
public void checkPermission(JoinPoint joinPoint) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
Long accountId = JWTUtil.getUserIdFromRequest(request);
Set<String> authorization = cacheUtil.getAllSet(PRE + accountId);
if(authorization==null){
authorization = authorizationService.findByAccountId(accountId);
cacheUtil.save(PRE + accountId, authorization);
}
Authorize authorize = ((MethodSignature) joinPoint.getSignature()).getMethod().getAnnotation(Authorize.class);
String[] needAuthorization = authorize.value();
if (needAuthorization.length == 0) return;
if (authorization!=null && !authorization.isEmpty()) {
if (!authorization.containsAll(Arrays.asList(needAuthorization))){
throw new SystemException(ExceptionCode.NO_PERMISSION);
}
} else {
throw new SystemException(ExceptionCode.NO_PERMISSION);
}
}
}
这样使用
@Authorize(value="needRight")
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage(){
return "AdminPage";
}
此外,还有一些安全框架shiro and spring-security