|
@@ -1,21 +1,17 @@
|
|
|
package com.chelvc.framework.security.interceptor;
|
|
|
|
|
|
import java.lang.reflect.Method;
|
|
|
-import java.util.Collections;
|
|
|
import java.util.List;
|
|
|
import java.util.Set;
|
|
|
-import java.util.stream.Collectors;
|
|
|
-import java.util.stream.Stream;
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
|
|
|
import com.chelvc.framework.base.context.ApplicationContextHolder;
|
|
|
-import com.chelvc.framework.base.context.SessionContextHolder;
|
|
|
import com.chelvc.framework.common.exception.FrameworkException;
|
|
|
import com.chelvc.framework.common.util.AssertUtils;
|
|
|
import com.chelvc.framework.common.util.ObjectUtils;
|
|
|
-import com.chelvc.framework.common.util.StringUtils;
|
|
|
import com.chelvc.framework.security.annotation.Permission;
|
|
|
+import com.chelvc.framework.security.context.SecurityContextHolder;
|
|
|
import com.google.common.collect.Sets;
|
|
|
import lombok.RequiredArgsConstructor;
|
|
|
import org.springframework.aop.framework.AopProxyUtils;
|
|
@@ -52,12 +48,7 @@ public class PermissionValidateInterceptor implements ApplicationRunner, Handler
|
|
|
if (!(handler instanceof HandlerMethod)) {
|
|
|
return null;
|
|
|
}
|
|
|
- HandlerMethod method = (HandlerMethod) handler;
|
|
|
- Permission annotation = method.getMethodAnnotation(Permission.class);
|
|
|
- if (annotation == null) {
|
|
|
- return method.getMethod().getDeclaringClass().getAnnotation(Permission.class);
|
|
|
- }
|
|
|
- return annotation;
|
|
|
+ return ((HandlerMethod) handler).getMethodAnnotation(Permission.class);
|
|
|
}
|
|
|
|
|
|
@Override
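Review bot: With the class-level fallback removed from `getPermissionAnnotation`, a controller that carries `@Permission` only on the class now yields null here, and `preHandle` treats null as "no check needed", so those handlers would become reachable without a permission check. The annotation's definition is not visible in this diff; if it still allows type-level use, either narrow its `@Target` to methods or have the startup scan reject a class-level `@Permission`, so the change fails closed rather than open. At minimum, document the new contract on the method, e.g. `// Only method-level @Permission is honoured; a handler without it is not permission-checked.` The method's signature lies above the hunk.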
|
|
@@ -72,12 +63,13 @@ public class PermissionValidateInterceptor implements ApplicationRunner, Handler
|
|
|
Class<?> clazz = AopProxyUtils.ultimateTargetClass(controller);
|
|
|
for (Method method : clazz.getDeclaredMethods()) {
|
|
|
Permission annotation = method.getAnnotation(Permission.class);
|
|
|
- if ((annotation == null && (annotation = clazz.getAnnotation(Permission.class)) == null)
|
|
|
- || !annotation.enabled()) {
|
|
|
+ if (annotation == null) {
|
|
|
continue;
|
|
|
}
|
|
|
- String id = StringUtils.ifEmpty(annotation.id(), method::getName);
|
|
|
- AssertUtils.check(permissions.add(id), () -> "Permission id duplicated: " + id);
|
|
|
+ String value = annotation.value(), group = annotation.group();
|
|
|
+ AssertUtils.nonempty(value, () -> "Permission value must not be empty: " + method);
|
|
|
+ AssertUtils.nonempty(group, () -> "Permission group must not be empty: " + method);
|
|
|
+ AssertUtils.check(permissions.add(value), () -> "Permission value duplicated: " + value);
|
|
|
}
|
|
|
});
|
|
|
}
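Review bot: The duplicate check `permissions.add(value)` keys on `value` alone, while `preHandle` passes both `value` and `group` to the permission check, and `group` is only validated as non-empty here. If a permission is meant to be identified by the pair, the set should be keyed on both, e.g. `permissions.add(group + ":" + value)`. If `value` is globally unique by design, say so in a comment such as `// value must be unique across all controllers; group is validated but not part of the key`. Separately, `String value = annotation.value(), group = annotation.group();` would read better as two declarations. The enclosing method begins outside the hunk.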
|
|
@@ -87,17 +79,8 @@ public class PermissionValidateInterceptor implements ApplicationRunner, Handler
|
|
|
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
|
|
|
throws Exception {
|
|
|
Permission annotation = this.getPermissionAnnotation(handler);
|
|
|
- if (annotation == null || !annotation.enabled()) {
|
|
|
- return true;
|
|
|
- }
|
|
|
- Set<String> authorities = SessionContextHolder.getSession().getAuthorities();
|
|
|
- Set<String> permissions = ObjectUtils.isEmpty(authorities) ? Collections.emptySet() :
|
|
|
- authorities.stream().flatMap(authority -> {
|
|
|
- List<String> ids = ApplicationContextHolder.getSafeProperty(authority, List.class);
|
|
|
- return ObjectUtils.isEmpty(ids) ? Stream.empty() : ids.stream();
|
|
|
- }).collect(Collectors.toSet());
|
|
|
- String id = StringUtils.ifEmpty(annotation.id(), () -> ((HandlerMethod) handler).getMethod().getName());
|
|
|
- if (ObjectUtils.isEmpty(permissions) || !permissions.contains(id)) {
|
|
|
+ if (annotation != null &&
|
|
|
+ !SecurityContextHolder.hashAnyPermission(annotation.value(), annotation.group())) {
|
|
|
throw new FrameworkException(HttpStatus.FORBIDDEN.name(), null,
|
|
|
ApplicationContextHolder.getMessage("Forbidden"));
|
|
|
}
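Review bot: The new condition in `preHandle` rests entirely on the semantics of `SecurityContextHolder.hashAnyPermission(annotation.value(), annotation.group())`, which this diff does not show. If "any" means the caller passes when holding either argument, then holding the group alone authorises every handler in that group. That may be the intent, but it should be stated at the call site, e.g. `// Allowed when the caller holds this permission's value or its whole group.` The name also reads like a typo for `hasAnyPermission`, which is worth confirming against the holder class before more callers adopt it. `preHandle` continues past the end of the hunk.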
|