使用SPRING MVC+注解方式控制细粒度权限
使用SPRING MVC+注解方式控制细粒度权限
注解类:
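@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})
public @interface PermissionValidate
{
    /**
     * Whether the aspect must perform the permission check at all.
     *
     * @return {@code true} (the default) to check; {@code false} lets the call proceed unchecked
     */
    boolean needCheck() default true;

    /**
     * Zero-based index, in the annotated controller method's parameter list, of the
     * argument that holds the visited user's id. The aspect reads that argument as a
     * {@code String}, so the index is coupled to parameter order: inserting or reordering
     * parameters silently changes which id is authorized.
     *
     * @return the parameter index of the visited user's id
     */
    int param();
}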
需要控制权限的方法上增加注解:
/**
 * Example controller method guarded by {@link PermissionValidate}.
 * <p>
 * {@code param = 2} is a zero-based index into this method's parameter list, so it
 * addresses {@code parentId} (0 = model, 1 = request, 2 = parentId); the aspect reads
 * that argument as the visited user's id. The index is coupled to parameter order:
 * inserting or reordering parameters silently changes which id is authorized.
 * The aspect also locates the {@code HttpServletRequest} by parameter type, so a
 * guarded method must declare one; without it the aspect neither proceeds nor logs.
 */
@PermissionValidate(param = 2)
@RequestMapping(value = "/vistorbaseinfo/{childId}/{parentId}", method = {
RequestMethod.GET, RequestMethod.POST})
public String getvistorbaseinfo(Model model, HttpServletRequest request, @PathVariable("parentId") String parentId,
@PathVariable("childId") String childId)
{
//...
}
权限控制类:
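@Aspect
@Component
public class PermissionHelper
{
    private static final Logger log = Logger.getLogger(PermissionHelper.class);

    /**
     * Matches every public method in the controller package and its sub-packages.
     * The pointcut name is referenced by the {@code @Around} advice below.
     */
    @Pointcut("execution(public * com.xxx.front.web.controller..*.*(..))")
    void logging()
    {
    }

    /**
     * Enforces {@link PermissionValidate} around controller methods.
     * <p>
     * Methods without the annotation, or annotated with {@code needCheck = false}, proceed
     * untouched. Otherwise the visited user's id is taken from the argument at
     * {@code PermissionValidate.param()} and access is granted when it equals the logged-in
     * user's id, or when the session holds {@code Boolean.TRUE} under that id (presumably
     * stored by an earlier successful check — the writer is not in this class). Every other
     * case is a denial: the controller is not invoked and {@code null} is returned.
     *
     * @param jointPoint the intercepted controller invocation
     * @return the controller's return value, or {@code null} when access is denied
     * @throws IllegalStateException when the annotation's parameter index does not address a
     *         {@code String} argument (a configuration error, not a denial)
     * @throws Exception whatever the controller itself throws, rethrown unwrapped so the
     *         framework's exception handling still sees the original type
     */
    @Around(value = "logging()")
    public Object doPermissionCheck(ProceedingJoinPoint jointPoint) throws Exception
    {
        MethodSignature methodSignature = (MethodSignature) jointPoint.getSignature();
        Method method = methodSignature.getMethod();
        Object[] args = jointPoint.getArgs();
        try
        {
            PermissionValidate pv = method.getAnnotation(PermissionValidate.class);
            if (pv == null || !pv.needCheck())
            {
                return jointPoint.proceed(args);
            }
            HttpServletRequest request = findRequest(method.getParameterTypes(), args);
            String visitorId = visitorIdAt(method, args, pv.param());
            if (request == null || visitorId == null)
            {
                // Fail closed, but say why instead of returning null silently.
                log.error("permission check on " + method + " blocked the call: "
                        + (request == null ? "no HttpServletRequest parameter" : "visitor id argument is null"));
                return null;
            }
            if (isAllowed(request, visitorId))
            {
                return jointPoint.proceed(args);
            }
            return null;
        }
        catch (Exception e)
        {
            log.error("permission check or controller call failed for " + method, e);
            throw e;
        }
        catch (Error e)
        {
            // JVM errors must propagate as-is, never wrapped into a checked Exception.
            throw e;
        }
        catch (Throwable t)
        {
            // Only a Throwable that is neither Exception nor Error reaches here.
            log.error("permission check or controller call failed for " + method, t);
            throw new Exception(t);
        }
    }

    /**
     * Returns the argument whose declared parameter type is exactly
     * {@code HttpServletRequest}, or {@code null} when the method declares none.
     */
    private static HttpServletRequest findRequest(Class<?>[] paramTypes, Object[] args)
    {
        for (int i = 0; i < paramTypes.length; i++)
        {
            if (paramTypes[i] == HttpServletRequest.class)
            {
                return (HttpServletRequest) args[i];
            }
        }
        return null;
    }

    /**
     * Reads the visited user's id from {@code args[index]}.
     *
     * @throws IllegalStateException if the index lies outside the argument list or the argument
     *         is not a {@code String}; both mean the annotation is misplaced, which must not be
     *         mistaken for a denial
     */
    private static String visitorIdAt(Method method, Object[] args, int index)
    {
        if (index < 0 || index >= args.length)
        {
            throw new IllegalStateException("@PermissionValidate(param = " + index + ") on " + method
                    + " is out of range for " + args.length + " argument(s)");
        }
        Object arg = args[index];
        if (arg != null && !(arg instanceof String))
        {
            throw new IllegalStateException("@PermissionValidate(param = " + index + ") on " + method
                    + " must address a String argument, found " + arg.getClass().getName());
        }
        return (String) arg;
    }

    /**
     * Decides whether the logged-in user may act on {@code visitorId}; denials are logged here.
     */
    private static boolean isAllowed(HttpServletRequest request, String visitorId)
    {
        UserLoginInfo userInfo = (UserLoginInfo) SessionUtil.getAttribute(request, UserInfoUtil.USER_SESSION_KEY);
        if (userInfo == null || userInfo.getUserId() == null)
        {
            // No authenticated user in the session: deny explicitly rather than NPE.
            log.error("no logged-in user in session; denying access to visitor " + visitorId);
            return false;
        }
        // The visited user is the logged-in user.
        if (userInfo.getUserId().equals(visitorId))
        {
            return true;
        }
        // An earlier check is recorded as Boolean.TRUE in the session under the visitor id itself.
        // NOTE(review): the key is the raw, request-supplied id with no prefix, so it shares a
        // namespace with every other session attribute. Anything other than Boolean.TRUE
        // (including a non-Boolean value) counts as "not checked" instead of throwing.
        Object checked = SessionUtil.getAttribute(request, visitorId);
        if (Boolean.TRUE.equals(checked))
        {
            return true;
        }
        log.error("user " + userInfo.getUserId() + " has not permission to visitor " + visitorId);
        return false;
    }
}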
注解类:
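@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})
public @interface PermissionValidate
{
    /**
     * Whether the aspect must perform the permission check at all.
     *
     * @return {@code true} (the default) to check; {@code false} lets the call proceed unchecked
     */
    boolean needCheck() default true;

    /**
     * Zero-based index, in the annotated controller method's parameter list, of the
     * argument that holds the visited user's id. The aspect reads that argument as a
     * {@code String}, so the index is coupled to parameter order: inserting or reordering
     * parameters silently changes which id is authorized.
     *
     * @return the parameter index of the visited user's id
     */
    int param();
}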
需要控制权限的方法上增加注解:
/**
 * Example controller method guarded by {@link PermissionValidate}.
 * <p>
 * {@code param = 2} is a zero-based index into this method's parameter list, so it
 * addresses {@code parentId} (0 = model, 1 = request, 2 = parentId); the aspect reads
 * that argument as the visited user's id. The index is coupled to parameter order:
 * inserting or reordering parameters silently changes which id is authorized.
 * The aspect also locates the {@code HttpServletRequest} by parameter type, so a
 * guarded method must declare one; without it the aspect neither proceeds nor logs.
 */
@PermissionValidate(param = 2)
@RequestMapping(value = "/vistorbaseinfo/{childId}/{parentId}", method = {
RequestMethod.GET, RequestMethod.POST})
public String getvistorbaseinfo(Model model, HttpServletRequest request, @PathVariable("parentId") String parentId,
@PathVariable("childId") String childId)
{
//...
}
权限控制类:
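@Aspect
@Component
public class PermissionHelper
{
    private static final Logger log = Logger.getLogger(PermissionHelper.class);

    /**
     * Matches every public method in the controller package and its sub-packages.
     * The pointcut name is referenced by the {@code @Around} advice below.
     */
    @Pointcut("execution(public * com.xxx.front.web.controller..*.*(..))")
    void logging()
    {
    }

    /**
     * Enforces {@link PermissionValidate} around controller methods.
     * <p>
     * Methods without the annotation, or annotated with {@code needCheck = false}, proceed
     * untouched. Otherwise the visited user's id is taken from the argument at
     * {@code PermissionValidate.param()} and access is granted when it equals the logged-in
     * user's id, or when the session holds {@code Boolean.TRUE} under that id (presumably
     * stored by an earlier successful check — the writer is not in this class). Every other
     * case is a denial: the controller is not invoked and {@code null} is returned.
     *
     * @param jointPoint the intercepted controller invocation
     * @return the controller's return value, or {@code null} when access is denied
     * @throws IllegalStateException when the annotation's parameter index does not address a
     *         {@code String} argument (a configuration error, not a denial)
     * @throws Exception whatever the controller itself throws, rethrown unwrapped so the
     *         framework's exception handling still sees the original type
     */
    @Around(value = "logging()")
    public Object doPermissionCheck(ProceedingJoinPoint jointPoint) throws Exception
    {
        MethodSignature methodSignature = (MethodSignature) jointPoint.getSignature();
        Method method = methodSignature.getMethod();
        Object[] args = jointPoint.getArgs();
        try
        {
            PermissionValidate pv = method.getAnnotation(PermissionValidate.class);
            if (pv == null || !pv.needCheck())
            {
                return jointPoint.proceed(args);
            }
            HttpServletRequest request = findRequest(method.getParameterTypes(), args);
            String visitorId = visitorIdAt(method, args, pv.param());
            if (request == null || visitorId == null)
            {
                // Fail closed, but say why instead of returning null silently.
                log.error("permission check on " + method + " blocked the call: "
                        + (request == null ? "no HttpServletRequest parameter" : "visitor id argument is null"));
                return null;
            }
            if (isAllowed(request, visitorId))
            {
                return jointPoint.proceed(args);
            }
            return null;
        }
        catch (Exception e)
        {
            log.error("permission check or controller call failed for " + method, e);
            throw e;
        }
        catch (Error e)
        {
            // JVM errors must propagate as-is, never wrapped into a checked Exception.
            throw e;
        }
        catch (Throwable t)
        {
            // Only a Throwable that is neither Exception nor Error reaches here.
            log.error("permission check or controller call failed for " + method, t);
            throw new Exception(t);
        }
    }

    /**
     * Returns the argument whose declared parameter type is exactly
     * {@code HttpServletRequest}, or {@code null} when the method declares none.
     */
    private static HttpServletRequest findRequest(Class<?>[] paramTypes, Object[] args)
    {
        for (int i = 0; i < paramTypes.length; i++)
        {
            if (paramTypes[i] == HttpServletRequest.class)
            {
                return (HttpServletRequest) args[i];
            }
        }
        return null;
    }

    /**
     * Reads the visited user's id from {@code args[index]}.
     *
     * @throws IllegalStateException if the index lies outside the argument list or the argument
     *         is not a {@code String}; both mean the annotation is misplaced, which must not be
     *         mistaken for a denial
     */
    private static String visitorIdAt(Method method, Object[] args, int index)
    {
        if (index < 0 || index >= args.length)
        {
            throw new IllegalStateException("@PermissionValidate(param = " + index + ") on " + method
                    + " is out of range for " + args.length + " argument(s)");
        }
        Object arg = args[index];
        if (arg != null && !(arg instanceof String))
        {
            throw new IllegalStateException("@PermissionValidate(param = " + index + ") on " + method
                    + " must address a String argument, found " + arg.getClass().getName());
        }
        return (String) arg;
    }

    /**
     * Decides whether the logged-in user may act on {@code visitorId}; denials are logged here.
     */
    private static boolean isAllowed(HttpServletRequest request, String visitorId)
    {
        UserLoginInfo userInfo = (UserLoginInfo) SessionUtil.getAttribute(request, UserInfoUtil.USER_SESSION_KEY);
        if (userInfo == null || userInfo.getUserId() == null)
        {
            // No authenticated user in the session: deny explicitly rather than NPE.
            log.error("no logged-in user in session; denying access to visitor " + visitorId);
            return false;
        }
        // The visited user is the logged-in user.
        if (userInfo.getUserId().equals(visitorId))
        {
            return true;
        }
        // An earlier check is recorded as Boolean.TRUE in the session under the visitor id itself.
        // NOTE(review): the key is the raw, request-supplied id with no prefix, so it shares a
        // namespace with every other session attribute. Anything other than Boolean.TRUE
        // (including a non-Boolean value) counts as "not checked" instead of throwing.
        Object checked = SessionUtil.getAttribute(request, visitorId);
        if (Boolean.TRUE.equals(checked))
        {
            return true;
        }
        log.error("user " + userInfo.getUserId() + " has not permission to visitor " + visitorId);
        return false;
    }
}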