Esempio n. 1
0
  /** 处理分页显示的方法 */
  @SuppressWarnings("unchecked")
  protected boolean handleList(
      HttpServletRequest request,
      Set<SearchFilter> filterSet,
      Method method,
      DataControl dataControl,
      Module module) {
    Logical logical = (Logical) request.getAttribute(SecurityConstants.NEST_DYNAMIC_SEARCH_LOGICAL);
    if (logical.equals(Logical.AND)) {
      Set<SearchFilter> pre =
          (Set<SearchFilter>) request.getAttribute(SecurityConstants.NEST_DYNAMIC_SEARCH);
      if (pre == null) {
        pre = new HashSet<SearchFilter>();
        request.setAttribute(SecurityConstants.NEST_DYNAMIC_SEARCH, pre);
      }

      pre.addAll(filterSet);
    } else {
      request.setAttribute(SecurityConstants.NEST_DYNAMIC_SEARCH, filterSet);
    }

    return true;
  }
Esempio n. 2
0
  /**
   * @param request
   * @param response
   * @param handler
   * @return
   * @throws Exception
   * @see
   *     org.springframework.web.servlet.HandlerInterceptor#preHandle(javax.servlet.http.HttpServletRequest,
   *     javax.servlet.http.HttpServletResponse, java.lang.Object)
   */
  @Override
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
      throws Exception {
    DynamicSpecifications.putRequest(request);
    if (!(handler instanceof HandlerMethod)) {
      return true;
    }

    final HandlerMethod handlerMethod = (HandlerMethod) handler;
    Method method = handlerMethod.getMethod();

    final RequiresPermissions rps = method.getAnnotation(RequiresPermissions.class);
    if (rps == null) {
      return true;
    }
    Logical logical = rps.logical();
    String[] pv = rps.value();

    // 假如验证逻辑为OR,并且有些权限不需要做数据权限检查的,直接返回true。
    if (logical.equals(Logical.OR)) {
      for (String p : pv) {
        if (p.split(PART_DIVIDER_TOKEN).length < 3) {
          return true;
        }
      }
    }

    boolean firstPermitted = false;
    for (String p : pv) {
      String[] v = p.split(PART_DIVIDER_TOKEN);

      if (v.length == 3) {
        // 进行初次验证,确保shiro中用户的权限被初始化。
        if (!firstPermitted) {
          Subject subject = SecurityUtils.getSubject();
          if (!subject.isPermitted(p)) {
            throw new UnauthorizedException("数据权限验证失败!");
          }
          firstPermitted = true;
        }

        try {
          // 把内部动态查询参数常量,logical放入request
          request.setAttribute(SecurityConstants.NEST_DYNAMIC_SEARCH_LOGICAL, logical);
          boolean checkResult =
              (check(request, response, method, v[0], v[2]) == true) ? true : false;
          if (!checkResult) {
            throw new UnauthorizedException("数据权限验证失败!");
          }

          if (checkResult == true && logical.equals(Logical.OR)) {
            return true;
          }
        } catch (Exception e) {
          logger.error(Exceptions.getStackTraceAsString(e));
          throw new UnauthorizedException("数据权限验证失败!");
        }
      }
    }

    return true;
  }