zouguihou 2 роки тому
батько
коміт
b4251f0677

+ 11 - 0
src/main/java/com/welampiot/security/CustomizeAccessDecisionManager.java

@@ -3,6 +3,7 @@ package com.welampiot.security;
 import org.springframework.security.access.AccessDecisionManager;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -24,6 +25,16 @@ public class CustomizeAccessDecisionManager implements AccessDecisionManager {
 //            ConfigAttribute ca = iterator.next();
 //            //当前请求需要的权限
 //            String needRole = ca.getAttribute();
+//            if ("ROLE_LOGIN".equalsIgnoreCase(needRole)) {
+//                //判断是否登录
+//                if (authentication instanceof AnonymousAuthenticationToken) {
+//                    throw new AccessDeniedException("尚未登录,请登录!");
+//                } else {
+//                    return;
+//                }
+//            }else if("ROLE_NO_AUTH".equalsIgnoreCase(needRole)){
+//                throw new AccessDeniedException("未授权可以访问!");
+//            }
 //            //当前用户所具有的权限
 //            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
 //            for (GrantedAuthority authority : authorities) {
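Review bot: The `ROLE_LOGIN` / `ROLE_NO_AUTH` checks are added inside `//` comments, so none of this logic runs, and the new `AnonymousAuthenticationToken` import is referenced only from those commented lines. Every line of the method visible in this hunk is commented out (the method starts and ends outside the hunk), so the decision manager may not be enforcing anything at all; that should be confirmed. Either delete the block together with the import, or make it live code, e.g. `if (authentication instanceof AnonymousAuthenticationToken) { throw new AccessDeniedException("尚未登录,请登录!"); }` ahead of the authority loop. If it is enabled as written, note that the `else { return; }` branch grants access to any authenticated user as soon as `ROLE_LOGIN` is seen, before the remaining attributes are checked.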

+ 5 - 10
src/main/java/com/welampiot/security/CustomizeFilterInvocationSecurityMetadataSource.java

@@ -7,6 +7,7 @@ import com.welampiot.dto.UserDTO;
 import com.welampiot.service.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.FilterInvocation;
@@ -31,27 +32,21 @@ public class CustomizeFilterInvocationSecurityMetadataSource implements FilterIn
     public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
         //获取请求地址
         String requestUrl = ((FilterInvocation) o).getRequestUrl();
-        if(requestUrl.equals("/error")){
-            return null;
-        }
-        Object user = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        /*Object user = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
         if(user instanceof String && user.equals("anonymousUser")){
             //禁止匿名访问(禁止未登录访问)
-//            throw  new BusinessException(ResultEnum.USER_NOT_LOGIN);
             return null;
         }
         User userDetails = (User) user;
         //查询具体某个接口的权限
         List<PathDTO> permissionList = userService.queryUserGrantUrl(userDetails.getUsername());
         if(CollectionUtils.isEmpty(permissionList)){
-            //请求路径没有配置权限,表明该请求接口可以任意访问
-//            return null;
-            throw new BusinessException(ResultEnum.NOT_AUTH);
+            return SecurityConfig.createList("ROLE_NO_AUTH");
         }
         PathDTO path = permissionList.stream().filter(e->e.getUrl().equals(requestUrl)).findFirst().orElse(null);
         if(path==null){
-            throw new BusinessException(ResultEnum.NOT_AUTH);
-        }
+            return SecurityConfig.createList("ROLE_NO_AUTH");
+        }*/
         //表明该请求接口可以访问
         return null;
 //        String[] attributes = new String[permissionList.size()];
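Review bot: With the permission lookup wrapped in `/* … */` (from `Object user = …` down to the `path==null` check), `getAttributes` now returns `null` for every request. Spring Security's `AbstractSecurityInterceptor` treats a null attribute collection as a public invocation and skips the `AccessDecisionManager` unless `rejectPublicInvocations` is enabled. The result is fail-open authorization: the earlier `BusinessException(ResultEnum.NOT_AUTH)` denials are removed, and the `ROLE_NO_AUTH` returns that replace them are dead code, as is the new `SecurityConfig` import. I would keep the lookup live and return a deny attribute instead of `null` for anonymous or unmatched requests, as sketched below. That only helps if the decision manager actually rejects `ROLE_LOGIN` and `ROLE_NO_AUTH`, and endpoints that must stay public (such as the removed `/error` shortcut) then need an explicit allow-list; the method body also continues past the last line shown.

```java
String requestUrl = ((FilterInvocation) o).getRequestUrl();
Object user = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
if (!(user instanceof User)) {
    // anonymous (or unexpected) principal: demand a login rather than returning null
    return SecurityConfig.createList("ROLE_LOGIN");
}
List<PathDTO> permissionList = userService.queryUserGrantUrl(((User) user).getUsername());
boolean granted = !CollectionUtils.isEmpty(permissionList)
        && permissionList.stream().anyMatch(e -> requestUrl.equals(e.getUrl()));
if (!granted) {
    // deny by default when the URL is not in the user's grants
    return SecurityConfig.createList("ROLE_NO_AUTH");
}
// … unchanged: final return for a granted URL …
```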