如何为控制器中的许多方法添加权限检查? (过滤器,操作)

时间:2019-07-11 03:26:49

标签: java spring-boot spring-mvc aop dry

在许多方法的开头,我都有以下内容。

    if ((user.privilege & User.Privilege.WRITE) == 0) {
        session.setAttribute("alert", "You do not have permission to save.");
        return new ModelAndView("redirect:/admin/home");
    }

我如何提取它并将其放入一个单独的方法中,该方法在许多其他控制器方法之前被调用,类似于Ruby on Rails before_action :validate_privilege, [:save, :weekly_report, ...]

我在文档中找到了这个,但是没有给出任何示例。

https://docs.spring.io/spring-boot/docs/1.5.19.RELEASE/reference/htmlsingle/#boot-features-embedded-container-servlets-filters-listeners


我发现了一种基于@Deadpool的答案的方法。似乎比简单的注释要复杂得多。

@Bean
public GenericFilterBean beforeAction() {
    String[] actions = new String[]{"/admin/censor", "/admin/weekly-report", "/admin/email-blast-submit"};
    return new GenericFilterBean() {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
//              System.out.println("requestURI:"+req.getRequestURI());
            boolean found = Arrays.stream(actions).anyMatch(req.getRequestURI()::equals);
            if (found) {
                User user = (User) req.getSession().getAttribute("user");
                if (user != null && (user.privilege & User.Privilege.WRITE) == 0) {
                    req.getSession().setAttribute("alert", "You do not have permission to save.");
                    HttpServletResponse res = (HttpServletResponse) response;
                    res.sendRedirect("/admin/home");
                    return;
                }
            }
            chain.doFilter(request, response);
        }
    };
}

对于使用OAuth2的API,我使用了

@Override
public ResponseEntity<...> delete(Principal principal, @RequestBody ...) throws ApiException {
    isAuthorized(principal, "ROLE_USER");
    ...

/** If not authorized, throw ApiException. */
private void isAuthorized(Principal principal, String role) throws ApiException {
    OauthClientDetail cd = userMapper.getOauthClientDetails(principal.getName());
    if (cd == null || cd.authorities == null || !cd.authorities.equals(role)) {
        throw new ApiException(HttpStatus.UNAUTHORIZED, ...);
    }
}

(ApiException,OauthClientDetail(POJO)和UserMapper(MyBatis)是自定义类。)

2 个答案:

答案 0 :(得分:1)

如果您正在寻找Filter来检查每个授权请求,则可以使用Filter

@Component
public class AuthFilter implements Filter {

@Override
public void doFilter
  ServletRequest request, 
  ServletResponse response, 
  FilterChain chain) throws IOException, ServletException {

    HttpServletRequest req = (HttpServletRequest) request;
    LOG.info(
      "Starting a transaction for req : {}", 
      req.getRequestURI());

    chain.doFilter(request, response);
    LOG.info(
      "Committing a transaction for req : {}", 
      req.getRequestURI());
    }

     // other methods 
  }

GenericFilterBean

public class CustomFilter extends GenericFilterBean {

@Override
public void doFilter(
  ServletRequest request, 
  ServletResponse response,
  FilterChain chain) throws IOException, ServletException {
    chain.doFilter(request, response);
       }
   }

答案 1 :(得分:0)

您应该使用Spring Security

 http.regexMatcher("/*") --> your base path or sth.
            .exceptionHandling()
            .and()
            .csrf()
            .disable();

       http.addFilterAfter(authenticationProcessingFilter(),BasicAuthenticationFilter.class);