SpringSecurity实现动态加载权限信息代码方法

本篇文章小编给大家分享一下SpringSecurity实现动态加载权限信息代码方法，文章代码介绍的很详细，小编觉得挺不错的，现在分享给大家供大家参考，有需要的小伙伴们可以来看看。

①数据库中资源与角色对应关系，以及角色和用户对应关系如下图所示：

②实现FilterInvocationSecurityMetadataSource类

(1)List

(2)重写的support方法都返回true

@Configuration
public class MyFilterInvocation implements FilterInvocationSecurityMetadataSource {
 
    @Autowired
    private MenuService menuService;
 
    AntPathMatcher antPathMatcher = new AntPathMatcher();
 
    @Override
    public Collection getAttributes(Object object) throws IllegalArgumentException {
        String requestUrl = ((FilterInvocation) object).getRequestUrl();
        List

③实现AccessDecisionManager类

重写的support方法都返回true

@Configuration
public class MyDecisionManager implements AccessDecisionManager {
 
 
    @Override
    public void decide(Authentication authentication, Object object, Collection configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        for (ConfigAttribute configAttribute : configAttributes) {
            String needRole = configAttribute.getAttribute();
            if ("ROLE_LOGIN".equals(needRole)) {
                //- 用户登录即可访问,相当于在SecurityConfig中配置了.anyRequest().authenticated()
                if (authentication instanceof AnonymousAuthenticationToken) {
                    throw new AccessDeniedException("尚未登录，请先登录");
                } else {
                    return;
                }
            }
            
            Collection extends GrantedAuthority> authorities = authentication.getAuthorities();
            //这里我写的是只要访问该资源的用户具有`访问该资源所需要角色`的其中一个即可
            for (GrantedAuthority authority : authorities) {
                if (authority.getAuthority().equals(needRole)) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("权限不足，请联系管理员");
    }
 
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }
 
    @Override
    public boolean supports(Class> clazz) {
        return true;
    }
}

④到SecurityConfig配置类中完成相应配置

    @Autowired
    private MyDecisionManager myDecisionManager;
    
    @Autowired
    private  MyFilterInvocation myFilterInvocation;
 
     @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .withObjectPostProcessor(new ObjectPostProcessor() {
                    @Override
                    public  O postProcess(O object) {
                        object.setAccessDecisionManager(myDecisionManager);
                        object.setSecurityMetadataSource(myFilterInvocation);
                        return object;
                    }
                });
 
            http.exceptionHandling().accessDeniedHandler(myAccessDeniedHandler());
 
    }
 
 
    @Bean
    MyAccessDeniedHandler myAccessDeniedHandler(){
        return new MyAccessDeniedHandler();
    }

⑤可选，实现AccessDeniedHandler类

public class MyAccessDenied implements AccessDeniedHandler {
 
    @Override
    public void handle(HttpServletRequest req, HttpServletResponse resp, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        resp.setContentType("application/json;charset=utf-8");
        PrintWriter pw = resp.getWriter();
        pw.write(new ObjectMapper().writeValueAsString(RespBean.error("权限不够，请联系管理员")));
        pw.flush();
        pw.close();
    }
}