/**
 * Reports whether this voter handles the given config attribute.
 *
 * <p>Exactly one attribute value is supported, the literal {@code "DENY_FOR_SURE"};
 * any other value, including a {@code null} attribute value, is declined.
 *
 * @param attribute the config attribute attached to the secured object (must not be {@code null})
 * @return {@code true} only when the attribute value is {@code "DENY_FOR_SURE"}
 */
public boolean supports(ConfigAttribute attribute) {
    // Constant-first equals() keeps a null attribute value a plain "false", not an NPE.
    return "DENY_FOR_SURE".equals(attribute.getAttribute());
}
/**
 * Decides whether the caller may access the requested resource.
 *
 * <p>Rules, evaluated in this order:
 * <ol>
 *   <li>No attributes (null or empty): nothing to enforce, access is granted.</li>
 *   <li>No {@code Authentication} at all: access is denied with an {@link AccessDeniedException}.</li>
 *   <li>For each attribute in turn: if the privilege provider has no definition for that URL,
 *       access is granted to any non-null authentication (fail-open by design, logged at debug);
 *       if it is defined, access is granted as soon as one granted authority equals the URL.</li>
 *   <li>No attribute granted access: denied with an {@link AccessDeniedException}.</li>
 * </ol>
 *
 * <p>NOTE(review): only a {@code null} authentication is rejected here; whether a non-null
 * anonymous token can reach this method depends on the surrounding filter chain — confirm.
 *
 * @param authentication the caller, may be {@code null}
 * @param object the secured object; not inspected
 * @param attributes the attributes attached to the secured object, may be {@code null}
 * @throws AccessDeniedException when no rule above grants access
 */
@Override
public void decide(
        Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
        throws AccessDeniedException, InsufficientAuthenticationException {
    if (attributes == null || attributes.isEmpty()) {
        return;
    }
    String described = describeAttributes(attributes);
    this.logger.debug("检查权限:" + described);
    if (authentication == null) {
        this.logger.warn("访问受限:" + described);
        throw new AccessDeniedException("访问受限:" + described);
    }
    for (ConfigAttribute attribute : attributes) {
        String requestURL = attribute.getAttribute();
        // A URL without a privilege definition is open to every non-null authentication.
        if (!this.privilegeProvider.isPrivilegeDefined(requestURL)) {
            this.logger.debug("未定义权限的URL,默认所有登录用户拥有访问权限:" + described);
            return;
        }
        if (holdsAuthority(authentication, requestURL)) {
            return;
        }
    }
    this.logger.warn("访问受限:" + described);
    throw new AccessDeniedException("访问受限:" + described);
}

/** Joins the attribute values with single spaces (trailing space included) for log output. */
private static String describeAttributes(Collection<ConfigAttribute> attributes) {
    StringBuilder out = new StringBuilder();
    for (ConfigAttribute attribute : attributes) {
        out.append(attribute.getAttribute()).append(' ');
    }
    return out.toString();
}

/** Returns {@code true} when one of the caller's granted authorities equals {@code requestURL}. */
private static boolean holdsAuthority(Authentication authentication, String requestURL) {
    for (GrantedAuthority granted : authentication.getAuthorities()) {
        if (requestURL.equals(granted.getAuthority())) {
            return true;
        }
    }
    return false;
}
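/**
 * Grants access when the caller holds at least one of the attributes required by the resource.
 *
 * <p>A {@code null} attribute collection means nothing is enforced and access is granted; an
 * empty collection cannot be satisfied and is denied. Each attribute value is compared for
 * equality against the caller's granted authorities; the first match grants access.
 *
 * @param authentication the caller; a {@code null} value is treated as "no permission"
 * @param object the secured object; not inspected
 * @param configAttributes the attributes attached to the secured object, may be {@code null}
 * @throws AccessDeniedException when no required attribute is among the caller's authorities,
 *     or when there is no authentication at all
 */
public void decide(
        Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
        throws AccessDeniedException, InsufficientAuthenticationException {
    // No attributes attached to the resource: nothing to enforce.
    if (configAttributes == null) {
        return;
    }
    // Previously a missing Authentication surfaced as a NullPointerException from
    // getAuthorities(); deny explicitly instead, as the sibling voter does.
    if (authentication == null) {
        throw new AccessDeniedException(" 没有权限访问! ");
    }
    // The resource may require several attributes; any one of them is sufficient.
    for (ConfigAttribute configAttribute : configAttributes) {
        String needPermission = configAttribute.getAttribute();
        for (GrantedAuthority ga : authentication.getAuthorities()) {
            if (needPermission.equals(ga.getAuthority())) {
                return;
            }
        }
    }
    throw new AccessDeniedException(" 没有权限访问! ");
}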
/**
 * Initializes the system's security interception metadata: builds the ordered
 * URL-pattern -> required-roles table and installs it on the filter security interceptor.
 *
 * <p>Sources, in insertion order: (1) URL lists read from the classpath files named by the
 * {@code manager.default.url} property, each line either {@code pattern} (requires
 * ROLE_MANAGER or ROLE_SUPERMANAGER) or {@code pattern=role1,role2}; (2) one
 * {@code <path>.action*} entry per command path, requiring {@code "ROLE_MANAGER" + role};
 * (3) a final {@code /**} catch-all that only ROLE_SUPERMANAGER satisfies. The catch-all is
 * the deny-by-default floor for every URL not listed earlier — keep it last.
 *
 * <p>Skipped entirely unless the {@code security} property is exactly {@code "true"}
 * (after trimming).
 */
@PostConstruct
public void initSecurityConfigInfo() {
    String security = PropertyHolder.getProperty("security");
    if (security == null || !"true".equals(security.trim())) {
        log.info("当前系统禁用安全机制");
        return;
    }
    log.info("开始初始化权限子系统...");
    // LinkedHashMap keeps insertion order; NOTE(review): the metadata source presumably takes
    // the first matching pattern, so earlier entries shadow later ones — confirm.
    LinkedHashMap<RequestKey, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();
    SecurityConfig manager = new SecurityConfig("ROLE_MANAGER");
    SecurityConfig superManager = new SecurityConfig("ROLE_SUPERMANAGER");
    // Default requirement for URLs listed without an explicit role list.
    Collection<ConfigAttribute> value = new ArrayList<>();
    value.add(manager);
    value.add(superManager);
    Collection<String> urls = new LinkedHashSet<>();
    String[] urlFiles = PropertyHolder.getProperty("manager.default.url").split(",");
    for (String urlFile : urlFiles) {
        // Lines are taken as-is (no trim); a line with stray whitespace yields a pattern
        // that never matches, i.e. the URL silently falls through to the catch-all.
        Collection<String> url = FileUtils.getClassPathTextFileContent(urlFile);
        urls.addAll(url);
    }
    for (String url : urls) {
        if (url.contains("=")) {
            // "pattern=role1,role2": explicit role list for this pattern.
            // NOTE(review): a line ending in "=" leaves attr with one element and attr[1]
            // throws ArrayIndexOutOfBoundsException at startup — confirm inputs are validated.
            String[] attr = url.split("=");
            url = attr[0];
            String[] roles = attr[1].split(",");
            Collection<ConfigAttribute> v = new ArrayList<>();
            for (String role : roles) {
                v.add(new SecurityConfig(role));
            }
            // POST and GET share the same attribute collection instance.
            RequestKey key = new RequestKey(url, "POST");
            requestMap.put(key, v);
            // GET
            key = new RequestKey(url, "GET");
            requestMap.put(key, v);
        } else {
            // Bare pattern: requires the default ROLE_MANAGER / ROLE_SUPERMANAGER pair.
            RequestKey key = new RequestKey(url, "POST");
            requestMap.put(key, value);
            // GET
            key = new RequestKey(url, "GET");
            requestMap.put(key, value);
        }
    }
    // One entry per command path; the role suffix comes from the path -> role map.
    for (Command command : serviceFacade.query(Command.class).getModels()) {
        List<String> paths = ModuleService.getCommandPath(command);
        Map<String, String> map = ModuleService.getCommandPathToRole(command);
        for (String path : paths) {
            // toLowerCase() without a Locale is platform-locale dependent.
            RequestKey key = new RequestKey(path.toString().toLowerCase() + ".action*", "POST");
            value = new ArrayList<>();
            // NOTE(review): a path missing from map yields the literal "ROLE_MANAGERnull" — confirm
            // every command path has a role mapping.
            value.add(new SecurityConfig("ROLE_MANAGER" + map.get(path)));
            value.add(superManager);
            requestMap.put(key, value);
            // GET
            key = new RequestKey(path.toString().toLowerCase() + ".action*", "GET");
            requestMap.put(key, value);
        }
    }
    // Catch-all: anything not matched above requires ROLE_SUPERMANAGER (deny-by-default floor).
    RequestKey key = new RequestKey("/**", "POST");
    value = new ArrayList<>();
    value.add(superManager);
    requestMap.put(key, value);
    // GET
    key = new RequestKey("/**", "GET");
    requestMap.put(key, value);
    DefaultFilterInvocationSecurityMetadataSource source = new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
    filterSecurityInterceptor.setSecurityMetadataSource(source);
    // Dumps the whole privilege table at debug level; it contains no secrets, only patterns and roles.
    log.debug("system privilege info:\n");
    for (Map.Entry<RequestKey, Collection<ConfigAttribute>> entry : requestMap.entrySet()) {
        log.debug(entry.getKey().toString());
        for (ConfigAttribute att : entry.getValue()) {
            log.debug("\t" + att.toString());
        }
    }
    log.info("完成初始化权限子系统...");
}