接上一篇SpringSecurity认证,新增权限表及中间表:
permission表:
role_permission表:
引入配置:
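/**
 * Dynamic, data-driven authorization check for HTTP requests.
 *
 * <p>Each authority held by the current user is treated as a role name. The role's
 * permissions are loaded through {@code PermissionService}, and every permission path is
 * matched as an Ant-style pattern against the request URI. The first match grants access;
 * anything else is denied, so the check fails closed.
 */
@Component
public class MyAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    // Ant-style pattern matcher. This is pattern matching, not exact string comparison:
    // a stored path containing wildcards such as "/**" covers every path beneath it.
    private final AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Resource
    private PermissionService permissionService;

    /**
     * Decides whether the current user may access the requested path.
     *
     * @param authenticationSupplier supplies the current {@code Authentication}
     * @param object the request context carrying the {@code HttpServletRequest}
     * @return a granted decision if any permission of any of the user's roles matches the
     *     request URI, otherwise a denied decision (which the original article reports as 403)
     */
    @Override
    public AuthorizationDecision check(Supplier<Authentication> authenticationSupplier, RequestAuthorizationContext object) {
        Authentication authentication = authenticationSupplier.get();
        // Fail closed: a missing or unauthenticated principal is denied instead of
        // triggering a NullPointerException further down.
        if (authentication == null || !authentication.isAuthenticated()) {
            return new AuthorizationDecision(false);
        }

        // NOTE(review): getRequestURI() is the raw request path; per the Servlet API it
        // includes the context path and is not URL-decoded. Stored permission paths must be
        // written against that form - confirm against the permission table contents.
        String requestURI = object.getRequest().getRequestURI();

        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        if (authorities == null) {
            return new AuthorizationDecision(false);
        }

        // Per the original author's note, MyUser is built with role names as its authorities.
        for (GrantedAuthority authority : authorities) {
            if (authority != null && roleAllows(authority.getAuthority(), requestURI)) {
                return new AuthorizationDecision(true);
            }
        }

        // No permission matched: deny.
        return new AuthorizationDecision(false);
    }

    /**
     * Returns whether any permission path registered for the role matches the request URI.
     * Roles without a name, roles with no permissions and permissions without a path never match.
     */
    private boolean roleAllows(String roleName, String requestUri) {
        if (roleName == null) {
            return false;
        }
        // NOTE(review): this lookup runs once per role on every request; presumably it reaches
        // the database - verify, and consider caching inside PermissionService.
        List<Permission> permissions = permissionService.getByRoleName(roleName);
        if (permissions == null) {
            return false;
        }
        for (Permission permission : permissions) {
            if (permission == null || permission.getPath() == null) {
                continue;
            }
            if (antPathMatcher.match(permission.getPath(), requestUri)) {
                return true;
            }
        }
        return false;
    }
}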
完成上述配置后,登录并访问资源:如果登录用户的角色没有对应的资源路径权限,则返回403(拒绝访问),否则正常访问。注意:permission表中的path是按Ant风格模式与getRequestURI()返回的请求路径(包含context path)进行匹配的,而不是精确的字符串比较。