时间戳

首页 > 解决方案 > 如何限制对 Spring MVC 控制器的访问

spring - 如何限制对 Spring MVC 控制器的访问

问题描述

我正在编写带有授权和注册表单的 Web 服务。有两种类型的用户:普通用户和管理员。有一个控制器发送到给定 URL 的管理页面:

@Controller
public class ViewPageController {
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String sendAdminPage(){
        return "AdminPage";
    }
}

但是普通用户也可以访问这个页面。只有那些以管理员身份登录的人才能进入管理页面。有如何组织这方面的选择?也许将登录用户保存在会话中?(最好没有 Spring Security)

标签: springspring-mvcaccess-control

解决方案

定义一个方面和一个注释的简单方法。像这样的一些代码

@Inherited
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Authorize {

//
String[] value() default {};

}

授权方面.java

@Slf4j
@Aspect
@Component
@RequiredArgsConstructor
public class AuthorizationAspect {

private final AuthorizationService authorizationService;

private final CacheUtil cacheUtil;

private static final String PRE = "AUTH";

@Before("@annotation(com.jin.learn.config.security.Authorize)")
public void checkPermission(JoinPoint joinPoint) {
    HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();

    Long accountId = JWTUtil.getUserIdFromRequest(request);
    Set<String> authorization = cacheUtil.getAllSet(PRE + accountId);
    if(authorization==null){
        authorization = authorizationService.findByAccountId(accountId);
        cacheUtil.save(PRE + accountId, authorization);
    }
    Authorize authorize = ((MethodSignature) joinPoint.getSignature()).getMethod().getAnnotation(Authorize.class);
    String[] needAuthorization = authorize.value();
    if (needAuthorization.length == 0)  return;
    if (authorization!=null && !authorization.isEmpty()) {
        if (!authorization.containsAll(Arrays.asList(needAuthorization))){

            throw new SystemException(ExceptionCode.NO_PERMISSION);
        }
    } else {
        throw new SystemException(ExceptionCode.NO_PERMISSION);
    }
 }
}

像这样使用

@Authorize(value="needRight")
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String sendAdminPage(){
    return "AdminPage";
}

此外,还有一些安全框架shirospring-security

推荐阅读