 /**
  * Tells the decision manager which {@link ConfigAttribute}s this class understands.
  *
  * @param attribute the attribute the metadata source attached to the secured object
  * @return {@code true} only when the attribute's string form is exactly {@code "DENY_FOR_SURE"}
  */
 public boolean supports(ConfigAttribute attribute) {
   // Constant-first equals() stays null-safe when getAttribute() returns null
   // (the ConfigAttribute contract allows that for attributes with no string form).
   String raw = attribute.getAttribute();
   return "DENY_FOR_SURE".equals(raw);
 }
  /**
   * Grants or denies access to the secured object.
   *
   * <p>Rules, evaluated in this order:
   * <ol>
   *   <li>No attributes attached (null or empty): nothing to check, access granted.</li>
   *   <li>No {@code Authentication} at all: {@link AccessDeniedException}.</li>
   *   <li>Each attribute is treated as a request URL. The first attribute that
   *       {@code privilegeProvider} reports as undefined grants access on the spot, so a single
   *       undefined URL anywhere in the collection is enough to let the caller through.</li>
   *   <li>Otherwise access is granted as soon as one attribute equals one of the caller's
   *       granted authorities; when none matches, {@link AccessDeniedException}.</li>
   * </ol>
   *
   * <p>NOTE(review): the "logged-in user" test in rule 3 is only {@code authentication != null}.
   * Whether an anonymous principal can reach this method as a non-null {@code Authentication}
   * depends on the filter chain, which is not visible here — confirm that, otherwise every URL
   * unknown to {@code privilegeProvider} is effectively public.
   *
   * @param authentication the caller, may be {@code null}
   * @param object the secured object (not consulted)
   * @param attributes the attributes the metadata source attached to {@code object}
   * @throws AccessDeniedException when the caller is absent or holds no matching authority;
   *     {@code InsufficientAuthenticationException} is declared but never thrown here
   */
  @Override
  public void decide(
      Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
      throws AccessDeniedException, InsufficientAuthenticationException {
    if (attributes == null || attributes.isEmpty()) {
      return;
    }

    // Space-separated attribute list shared by every log line below (keeps the trailing space).
    StringBuilder joined = new StringBuilder();
    for (ConfigAttribute each : attributes) {
      joined.append(each.getAttribute()).append(' ');
    }
    String summary = joined.toString();

    this.logger.debug("检查权限:" + summary);

    if (authentication == null) {
      this.logger.warn("访问受限:" + summary);
      throw new AccessDeniedException("访问受限:" + summary);
    }

    for (ConfigAttribute attribute : attributes) {
      // Each attribute is the URL the caller asked for.
      String requestURL = attribute.getAttribute();
      if (!this.privilegeProvider.isPrivilegeDefined(requestURL)) {
        // URL without a privilege definition: any caller with a non-null Authentication passes.
        this.logger.debug("未定义权限的URL,默认所有登录用户拥有访问权限:" + summary);
        return;
      }
      if (holdsAuthority(authentication, requestURL)) {
        return;
      }
    }

    // Nothing matched.
    this.logger.warn("访问受限:" + summary);
    throw new AccessDeniedException("访问受限:" + summary);
  }

  /** True when one of the caller's granted authorities equals {@code requestURL}. */
  private boolean holdsAuthority(Authentication authentication, String requestURL) {
    for (GrantedAuthority granted : authentication.getAuthorities()) {
      if (requestURL.equals(granted.getAuthority())) {
        return true;
      }
    }
    return false;
  }
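 /**
  * Grants access when at least one required attribute equals one of the caller's authorities.
  *
  * <p>A {@code null} attribute collection means nothing is required and the call returns; an
  * empty collection can never be satisfied and is denied. A missing {@code Authentication} is
  * rejected explicitly instead of failing with a {@code NullPointerException} on
  * {@code getAuthorities()}, and an attribute whose {@code getAttribute()} is {@code null} (one
  * that has no string form) can never match, so it cannot cause an NPE either.
  *
  * @param authentication the caller; {@code null} is treated as "no credentials" and denied
  * @param object the secured object (not consulted)
  * @param configAttributes the authorities the secured object requires; any one of them suffices
  * @throws AccessDeniedException when the caller is absent or holds none of the attributes
  */
 public void decide(
     Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
     throws AccessDeniedException, InsufficientAuthenticationException {
   if (configAttributes == null) {
     return;
   }
   // Fail closed with a meaningful error rather than an NPE on getAuthorities() below.
   if (authentication == null) {
     throw new AccessDeniedException(" 没有权限访问! ");
   }
   for (ConfigAttribute configAttribute : configAttributes) {
     // The authority this resource requires.
     String needPermission = configAttribute.getAttribute();
     if (needPermission == null) {
       continue; // attribute has no string form: it cannot be matched by name
     }
     // The authorities the caller holds; one equal name is enough.
     for (GrantedAuthority ga : authentication.getAuthorities()) {
       if (needPermission.equals(ga.getAuthority())) {
         return;
       }
     }
   }
   // Nothing matched.
   throw new AccessDeniedException(" 没有权限访问! ");
 }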
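  /**
   * Builds the URL → required-role table and installs it on the filter security interceptor.
   *
   * <p>Nothing is installed unless the {@code security} property is exactly {@code "true"} after
   * trimming; the interceptor then runs without a metadata source. That is a fail-open switch,
   * so treat the "security disabled" log line as an alert in production.
   *
   * <p>Rule sources, inserted in this order (the Ant matcher takes the first match, so order is
   * precedence):
   * <ol>
   *   <li>Every non-blank line of the class-path files listed (comma-separated) in
   *       {@code manager.default.url}. A plain line requires ROLE_MANAGER or ROLE_SUPERMANAGER;
   *       {@code url=ROLE_A,ROLE_B} requires one of the listed roles.</li>
   *   <li>Every {@link Command} path, lower-cased and suffixed with {@code .action*}, requiring
   *       {@code "ROLE_MANAGER" + suffix} (suffix from {@link ModuleService#getCommandPathToRole})
   *       or ROLE_SUPERMANAGER.</li>
   *   <li>A {@code /**} catch-all requiring ROLE_SUPERMANAGER.</li>
   * </ol>
   * Every rule is registered for POST and GET only.
   *
   * <p>NOTE(review): no entry exists for other HTTP methods (HEAD, PUT, DELETE, OPTIONS, PATCH).
   * Whether such a request reaches these URLs unchecked depends on the interceptor's
   * {@code rejectPublicInvocations} setting and the rest of the filter chain, neither visible
   * here — confirm, or register the rules with a {@code null} method so they cover every verb.
   *
   * <p>NOTE(review): {@code LinkedHashMap.put} on an existing key keeps that key's original
   * position. A URL that appears both in the files and as a command path therefore keeps the
   * file's precedence but receives the command's roles, and a file that lists {@code /**}
   * moves the catch-all ahead of every later, more specific rule.
   *
   * @throws IllegalStateException when {@code manager.default.url} is unset or a
   *     {@code url=} line names no role (the original code failed on both with an NPE or an
   *     ArrayIndexOutOfBoundsException; a blank role list would have produced an entry with no
   *     attributes, i.e. a silently public URL)
   */
  @PostConstruct
  public void initSecurityConfigInfo() {
    String security = PropertyHolder.getProperty("security");
    if (security == null || !"true".equals(security.trim())) {
      log.info("当前系统禁用安全机制");
      return;
    }
    log.info("开始初始化权限子系统...");
    LinkedHashMap<RequestKey, Collection<ConfigAttribute>> requestMap = new LinkedHashMap<>();

    SecurityConfig superManager = new SecurityConfig("ROLE_SUPERMANAGER");
    Collection<ConfigAttribute> managerOrSuper = new ArrayList<>();
    managerOrSuper.add(new SecurityConfig("ROLE_MANAGER"));
    managerOrSuper.add(superManager);

    for (String line : loadDefaultUrls()) {
      String url = line.trim();
      if (url.isEmpty()) {
        continue; // a blank line would otherwise register an empty pattern
      }
      int eq = url.indexOf('=');
      if (eq < 0) {
        registerGetAndPost(requestMap, url, managerOrSuper);
        continue;
      }
      // "url=ROLE_A,ROLE_B": split on the first '=' only, so "a=b=c" is not silently truncated.
      String pattern = url.substring(0, eq).trim();
      Collection<ConfigAttribute> roles = new ArrayList<>();
      for (String role : url.substring(eq + 1).split(",")) {
        String name = role.trim();
        if (!name.isEmpty()) { // "ROLE_A, ROLE_B" or a trailing comma must not yield junk roles
          roles.add(new SecurityConfig(name));
        }
      }
      if (roles.isEmpty()) {
        // An entry with no attributes is not "deny everyone" but "no requirement": fail loudly.
        throw new IllegalStateException("no roles given for secured url: " + url);
      }
      registerGetAndPost(requestMap, pattern, roles);
    }

    for (Command command : serviceFacade.query(Command.class).getModels()) {
      Map<String, String> roleSuffixByPath = ModuleService.getCommandPathToRole(command);
      for (String path : ModuleService.getCommandPath(command)) {
        String suffix = roleSuffixByPath.get(path);
        if (suffix == null) {
          // Kept for compatibility: the rule becomes "ROLE_MANAGERnull", which nobody holds,
          // so only ROLE_SUPERMANAGER can reach the path. Surface it instead of hiding it.
          log.warn("no role mapped for command path " + path + "; only ROLE_SUPERMANAGER may access it");
        }
        Collection<ConfigAttribute> roles = new ArrayList<>();
        roles.add(new SecurityConfig("ROLE_MANAGER" + suffix));
        roles.add(superManager);
        // toLowerCase() uses the default locale; command paths are assumed to be ASCII.
        registerGetAndPost(requestMap, path.toLowerCase() + ".action*", roles);
      }
    }

    // Catch-all last: everything not matched above needs ROLE_SUPERMANAGER.
    Collection<ConfigAttribute> superOnly = new ArrayList<>();
    superOnly.add(superManager);
    registerGetAndPost(requestMap, "/**", superOnly);

    DefaultFilterInvocationSecurityMetadataSource source =
        new DefaultFilterInvocationSecurityMetadataSource(new AntUrlPathMatcher(), requestMap);
    filterSecurityInterceptor.setSecurityMetadataSource(source);

    log.debug("system privilege info:\n");
    for (Map.Entry<RequestKey, Collection<ConfigAttribute>> entry : requestMap.entrySet()) {
      log.debug(entry.getKey().toString());
      for (ConfigAttribute att : entry.getValue()) {
        log.debug("\t" + att.toString());
      }
    }
    log.info("完成初始化权限子系统...");
  }

  /**
   * Reads every line of every class-path file named in {@code manager.default.url}.
   *
   * @return the lines in file order, duplicates removed
   * @throws IllegalStateException when the property is not set
   */
  private Collection<String> loadDefaultUrls() {
    String files = PropertyHolder.getProperty("manager.default.url");
    if (files == null) {
      throw new IllegalStateException("property manager.default.url is not set");
    }
    Collection<String> urls = new LinkedHashSet<>();
    for (String file : files.split(",")) {
      String name = file.trim();
      if (!name.isEmpty()) {
        urls.addAll(FileUtils.getClassPathTextFileContent(name));
      }
    }
    return urls;
  }

  /** Registers {@code attributes} for {@code url} under POST and GET, the only verbs the table covers. */
  private void registerGetAndPost(
      Map<RequestKey, Collection<ConfigAttribute>> requestMap,
      String url,
      Collection<ConfigAttribute> attributes) {
    requestMap.put(new RequestKey(url, "POST"), attributes);
    requestMap.put(new RequestKey(url, "GET"), attributes);
  }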