1. 程式人生 > >基於SpringMVC攔截器和註解實現controller中訪問權限控制

基於SpringMVC攔截器和註解實現controller中訪問權限控制

pattern efi figure super 設置 復制代碼 check pin system

SpringMVC的攔截器HandlerInterceptorAdapter對應提供了三個preHandle,postHandle,afterCompletion方法。

  1. preHandle在業務處理器處理請求之前被調用;
  2. postHandle在業務處理器處理請求執行完成後,生成視圖之前執行;
  3. afterCompletion在DispatcherServlet完全處理完請求後被調用,可用於清理資源等;

所以要想實現自己的權限管理邏輯,需要繼承HandlerInterceptorAdapter並重寫其三個方法。

一、自定義攔截器配置方法

  1. 在sping的xml配置中可以用<mvc:interceptors>和<mvc:interceptor>來配置攔截器類(實現HandlerInterceptorAdapter)
  2. 在javaConfig中配置通過WebMvcConfiguration的實現類配置攔截器類(實現HandlerInterceptorAdapter)

二、示例

2.1、javaconfig中配置SpringMVC示例

1、新建一個springboot項目auth-demo2

2、權限校驗相關的註解

技術分享圖片
package com.dxz.authdemo2.web.auth;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface Permission {
    /** 檢查項枚舉 */
    PermissionEnum[] permissionTypes() default {};

    /** 檢查項關系 */
    RelationEnum relation() default RelationEnum.OR;
}

package com.dxz.authdemo2.web.auth;

import java.io.PrintWriter;
import java.lang.annotation.Annotation;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * 權限檢查攔截器 
 */
@Component
public class PermissionCheckInterceptor extends HandlerInterceptorAdapter {  
    /** 權限檢查服務 */
    @Autowired
    private PermissionCheckProcessor permissionCheckProcessor;  
    @Override  
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {  
        //Class<?> clazz = handler.getClass();  
        Class<?> clazz = ((HandlerMethod)handler).getBeanType();
        System.out.println("PermissionCheckInterceptor.preHandle()" + clazz);
        for(Annotation a : clazz.getAnnotations()){
            System.out.println(a);
        }
        if (clazz.isAnnotationPresent(Permission.class)) { 
            Permission permission = (Permission) clazz.getAnnotation(Permission.class);  
            return permissionCheckProcessor.process(permission, request, response);  
        }  
        return true;  
    }  
    
    public boolean preHandle2(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { 
        System.out.println("SecurityInterceptor:"+request.getContextPath()+","+request.getRequestURI()+","+request.getMethod());
        HttpSession session = request.getSession();
        if (session.getAttribute("uid") == null) {
            System.out.println("AuthorizationException:未登錄!"+request.getMethod());
            if("POST".equalsIgnoreCase(request.getMethod())){
                response.setContentType("text/html; charset=utf-8");  
                PrintWriter out = response.getWriter();   
                out.write("未登錄!");
                out.flush();
                out.close();
            }else{
                response.sendRedirect(request.getContextPath()+"/login"); 
            }
            return false;
        } else {
            return true;
        } 
    }  
}  

package com.dxz.authdemo2.web.auth;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
@Component
public class PermissionCheckProcessor {
    public boolean process(Permission permission, HttpServletRequest request, HttpServletResponse response) {
        PermissionEnum[] permissionTypes = permission.permissionTypes();
        try {
            String uid = request.getParameter("uid");
            if ("duanxz".equals(uid)) {
                System.out.println("認證成功");
                return true;
            } else {
                System.out.println("認證失敗");
                return false;    
            }
        } catch (Exception e) {
            return false;
        }
    }
}

package com.dxz.authdemo2.web.auth;

public enum PermissionEnum {
    DEVELOPER_VALID, DEVELOPER_FREEZE;
}

package com.dxz.authdemo2.web.auth;

public enum RelationEnum {
    OR, AND;
}
技術分享圖片

3、SpringMVC攔截器配置

技術分享圖片
package com.dxz.authdemo2.web.auth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class WebMvcConfiguration extends WebMvcConfigurerAdapter {

    @Autowired
    PermissionCheckInterceptor permissionCheckInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // addPathPatterns 用於添加攔截規則
        // excludePathPatterns 用戶排除攔截
        // 映射為 user 的控制器下的所有映射
        registry.addInterceptor(permissionCheckInterceptor).addPathPatterns("/admin/*").excludePathPatterns("/index", "/");
        super.addInterceptors(registry);
    }
}
技術分享圖片

4、測試controller

技術分享圖片
package com.dxz.authdemo2.web;

import javax.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

import com.dxz.authdemo2.web.auth.Permission;
import com.dxz.authdemo2.web.auth.PermissionEnum;

@Controller  
@RequestMapping("/admin")  
@Permission(permissionTypes = { PermissionEnum.DEVELOPER_VALID })  
public class AppDetailController {  
    @RequestMapping(value="/appDetail", method = RequestMethod.GET)  
    public String doGet(ModelMap modelMap, HttpServletRequest httpServletRequest) {  
        //1. 業務操作,此處省略  
        System.out.println("appDetail.htm 處理中...");
        return "appDetail";
    }
}  
  
package com.dxz.authdemo2.web;

import javax.servlet.http.HttpServletRequest;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import com.dxz.authdemo2.web.auth.Permission;
import com.dxz.authdemo2.web.auth.PermissionEnum;

@Controller  
@RequestMapping("index")  
public class IndexController {  
    @RequestMapping(method = RequestMethod.GET)  
    public void doGet(ModelMap modelMap, HttpServletRequest httpServletRequest) {  
        System.out.println("index");
    }  
}  
技術分享圖片

cotroller中的jsp文件appDetail.jsp

<html>
<h1>appDetail</h1>
</html>

啟動類:

技術分享圖片
package com.dxz.authdemo2;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

@EnableWebMvc
@EnableAutoConfiguration
@SpringBootApplication
public class AuthDemo2Application {

    public static void main(String[] args) {
        SpringApplication.run(AuthDemo2Application.class, args);
    }

    // 配置JSP視圖解析器
    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/views/");
        resolver.setSuffix(".jsp");
        return resolver;
    }
}
技術分享圖片

結果:

訪問:http://localhost:8080/admin/appDetail?uid=duanxz2

技術分享圖片

訪問:http://localhost:8080/admin/appDetail?uid=duanxz

技術分享圖片

2.2、xml中配置SpringMVC示例

首先在springmvc.xml中加入自己定義的攔截器我的實現邏輯PermissionCheckInterceptor,如下:

技術分享圖片
<!--配置攔截器, 多個攔截器,順序執行 -->  
<mvc:interceptors>    
    <mvc:interceptor>    
        <!-- 匹配的是url路徑, 如果不配置或/**,將攔截所有的Controller -->  
        <mvc:mapping path="/" />  
        <mvc:mapping path="/user/**" />  
        <mvc:mapping path="/test/**" />  
        <bean class="com.dxz.authdemo2.web.auth.PermissionCheckInterceptor"></bean>    
    </mvc:interceptor>  
    <!-- 當設置多個攔截器時,先按順序調用preHandle方法,然後逆序調用每個攔截器的postHandle和afterCompletion方法 -->  
</mvc:interceptors> 
技術分享圖片

基於SpringMVC攔截器和註解實現controller中訪問權限控制