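Is there any reactive way of filtering a JSON response based on user role, other than the blocking one: using jackson-databind with the @JsonFilter annotation on POJOs and an overridden SimpleBeanPropertyFilter.serializeAsField?

Example of blocking property filtering:
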
SecureFieldFilter.class:
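
    import com.fasterxml.jackson.core.JsonGenerator;
    import com.fasterxml.jackson.databind.SerializerProvider;
    import com.fasterxml.jackson.databind.ser.PropertyWriter;
    import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;

    public class SecureFieldFilter extends SimpleBeanPropertyFilter {
        @Override
        public void serializeAsField(Object pojo, JsonGenerator jgen, SerializerProvider provider, PropertyWriter writer) throws Exception {
            SecureField secureField = writer.findAnnotation(SecureField.class);
            // TODO: Get user authorities from ReactiveSpringSecurityContext
            // TODO: Filter properties which do not mention particular roles in the SecureField annotation
        }
    }
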
SecureField annotation:
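
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface SecureField {
        UserAuthority[] value();
    }
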
SecureFieldFilterConfiguration:
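
    import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;
    import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class SecureFieldFilterConfiguration {
        @Bean
        public Jackson2ObjectMapperBuilderCustomizer addFieldFilters() {
            return jacksonObjectMapperBuilder -> {
                jacksonObjectMapperBuilder.filters(new SimpleFilterProvider().addFilter("securityFilter", new SecureFieldFilter()));
            };
        }
    }
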
Foo.class:

    @JsonFilter("securityFilter")
    public class Banner {
        private UUID id;
        @NotNull
        @SecureField(value={UserAuthority.ROLE_AGENT})
        private String field1;
        @NotNull
        @SecureField(value = {UserAuthority.ROLE_PLAYER, UserAuthority.ROLE_AGENT})
        private String field2;
        ...
    }

How can I filter certain properties from a REST API response based on user role in a reactive way?