1.13 前端用户权限

在用户登录成功后将用户信息(角色、权限列表)保存到 session 中,并在后续的访问过程中进行登录校验以及针对用户和功能的权限过滤。需要注意:下面的示例把 session id 直接作为 token 返回给前端,并且只做黑名单式(DeniedAcls)校验,未出现在黑名单中的接口默认放行。

  • (1) 用户登录(认证)


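    @ApiOperation(value = "登录接口", notes = "用户登录接口,登录之后才可访问其他接口")
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public ResponseData login(UserLoginVo userLoginVo, HttpSession session) {
        String username = userLoginVo.getUsername();
        String password = userLoginVo.getPassword();

        // Reject blank input before touching the user store (the original queried first).
        if (StringUtils.isBlank(username)) {
            return ResponseData.errorMessage("用户名不能为空");
        }
        if (StringUtils.isBlank(password)) {
            return ResponseData.errorMessage("登陆密码不能为空");
        }

        SysUser sysUser = sysUserService.findByKeyword(username);

        // Hash the candidate unconditionally and compare hash-to-stored: a null stored
        // hash then fails closed instead of throwing, and the hashing step no longer
        // depends on whether the account exists.
        // NOTE(review): MD5Util.encode looks like a bare (unsalted) digest; password
        // storage should move to bcrypt/scrypt/argon2, which needs a data migration.
        String candidateHash = MD5Util.encode(password);
        if (sysUser == null || !candidateHash.equals(sysUser.getPassword())) {
            // One message for "no such user" and "wrong password": the separate
            // "查询不到指定用户" reply let callers enumerate valid usernames.
            return ResponseData.errorMessage("用户名或密码错误");
        }
        if (sysUser.getState() != 1) {
            return ResponseData.errorMessage("用户已被冻结,请联系管理员");
        }

        // LOGIN SUCCESS: snapshot roles and ACLs into the session. Permission edits made
        // after this point are not seen by the filter until the user logs in again.
        List<SysRole> roles = sysRoleUserService.getRoleListByUserId(sysUser.getId());
        List<SysAcl> acls = sysCoreService.getAclListByUserId(sysUser.getId());
        List<SysAcl> deniedAcls = sysCoreService.getDeniedAclListByUserId(sysUser.getId());

        UserVo userVo = new UserVo();
        // NOTE(review): copyProperties copies every matching property; if UserVo has a
        // password field the stored hash ends up in the session object — confirm and clear it.
        BeanUtils.copyProperties(sysUser, userVo);
        userVo.setRoles(roles);
        userVo.setAcls(acls);
        userVo.setDeniedAcls(deniedAcls);
        session.setAttribute("user", userVo);

        // NOTE(review): the pre-authentication session id is handed back as the bearer
        // token, so a session id fixed before login stays valid afterwards. Invalidate the
        // session and start a fresh one on success (needs the HttpServletRequest) before
        // issuing the id.
        Map<String, String> tokenMap = new HashMap<String, String>();
        tokenMap.put("token", session.getId());
        tokenMap.put("userId", sysUser.getId());
        return ResponseData.success(tokenMap);
    }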
  • (2) 安全过滤
    SpringBoot使用过滤器验证当前会话是否已经登录过,并针对要访问的路径进行权限验证。注意下面的白名单按路径前缀匹配,并且整体放行了 /actuator 路径。


    package com.zone7.admin.config.filter;

    import com.alibaba.fastjson.JSON;
    import com.google.common.collect.Sets;
    import com.zone7.admin.commons.response.ResponseCode;
    import com.zone7.admin.commons.response.ResponseData;
    import com.zone7.admin.sys.common.RequestHolder;
    import com.zone7.admin.sys.pojo.SysAcl;
    import com.zone7.admin.sys.vo.UserVo;

    import javax.servlet.*;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import java.io.IOException;
    import java.util.List;
    import java.util.Set;

    /**
    * RequestFilter
    * 请求过滤器
    * 安全认证
    * @author: zone7
    * @time: 2019.02.19
    */
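    @WebFilter(filterName = "RequestFilter", urlPatterns = "/*")
    public class RequestFilter implements Filter {

        /**
         * Paths exempt from the login check. A request matches when its path equals an
         * entry or starts with the entry followed by "/", so "/loginfoo" no longer
         * inherits "/login"'s exemption (the original used a bare startsWith).
         *
         * NOTE(review): "/actuator" exempts every exposed actuator endpoint (env,
         * mappings, heapdump, ... whichever are enabled) from login; narrow this to
         * "/actuator/health" or guard actuator separately.
         */
        private static final Set<String> URL_WHITE_LIST =
                Sets.newHashSet("/unauth", "/login", "/static", "/actuator");

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // The whitelist is fixed at class-load time; nothing per-instance to set up.
        }

        /**
         * Strips servlet path parameters (";jsessionid=..." and friends) so both lists are
         * matched against the same path the container used for mapping. Without this a
         * ";x" suffix dodged the deny list, while "/login;jsessionid=..." stays exempt.
         */
        private static String mappedPath(String requestUri) {
            int semi = requestUri.indexOf(';');
            return semi < 0 ? requestUri : requestUri.substring(0, semi);
        }

        /** True when the path is exempt from the login check (exact or segment-prefix match). */
        private boolean isWhiteUrl(String requestUrl) {
            for (String prefix : URL_WHITE_LIST) {
                if (requestUrl.equals(prefix) || requestUrl.startsWith(prefix + "/")) {
                    return true;
                }
            }
            return false;
        }

        /** True when the user's deny list names this path (stored with or without a leading "/"). */
        private static boolean isDenied(List<SysAcl> deniedAcls, String requestUrl) {
            if (deniedAcls == null) {
                return false;
            }
            for (SysAcl acl : deniedAcls) {
                String url = acl.getUrl();
                // Exact string comparison only: a trailing slash or different case on
                // either side is a miss, so deny entries must match the mapped path exactly.
                if (url != null && (url.equals(requestUrl) || ("/" + url).equals(requestUrl))) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Lets whitelisted paths through, forwards anonymous callers to /unauth, and
         * answers a JSON error for paths on the session user's deny list.
         */
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;

            // NOTE(review): getRequestURI() is the raw, undecoded URI and includes the
            // context path: an encoded "/static/%2e%2e/..." is compared as typed, and with a
            // non-root context path nothing here ever matches. Consider request.getServletPath()
            // or URI.normalize() on the decoded path if either applies to this deployment.
            String requestUrl = mappedPath(request.getRequestURI());
            if (isWhiteUrl(requestUrl)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }

            // getSession(false): don't mint a session for anonymous callers just to learn
            // they have none.
            HttpSession session = request.getSession(false);
            UserVo userVo = session == null ? null : (UserVo) session.getAttribute("user");
            if (userVo == null) {
                request.getRequestDispatcher("/unauth").forward(request, response);
                return;
            }

            RequestHolder.add(userVo);
            RequestHolder.add(request);
            // NOTE(review): if RequestHolder is ThreadLocal-backed, these must be cleared in
            // a finally around doFilter, or the next request on this pooled thread inherits them.

            // Deny-list model: only URLs in the user's DeniedAcls are blocked; anything not
            // listed is allowed through.
            if (isDenied(userVo.getDeniedAcls(), requestUrl)) {
                ResponseData res = ResponseData.error(ResponseCode.ERROR_LOGIN_NOAUTH_ACL);
                // NOTE(review): the refusal goes out with HTTP 200; a 403 status would let
                // proxies and generic clients recognise it as a denial.
                response.setContentType("application/json;charset=UTF-8");
                response.getWriter().println(JSON.toJSONString(res));
                response.getWriter().flush();
                return;
            }

            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override
        public void destroy() {
            // Nothing to release.
        }
    }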