本文介绍了Spring Boot 通过AOP和自定义注解实现权限控制,分享给大家,具体如下:
源码:https://github.com/yulc-coding/java-note/tree/master/aop
思路
- 自定义权限注解
- 在需要验证的接口上加上注解,并设置具体权限值
- 数据库权限表中加入对应接口需要的权限
- 用户登录时,获取当前用户的所有权限列表放入Redis缓存中
- 定义AOP,将切入点设置为自定义的权限
- AOP中获取接口注解的权限值,和Redis中的数据校验用户是否存在该权限,如果Redis中没有,则从数据库获取用户权限列表,再校验
pom文件 引入AOP
org.springframework.boot spring-boot-starter-weborg.springframework.boot spring-boot-starter-aop
自定义注解 VisitPermission
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface VisitPermission {
String value() default "";
}
需要设置权限的接口上加入注解 @VisitPermission(value)
@RestController
@RequestMapping("/permission")
public class PermissionController {
@VisitPermission("permission-test")
@GetMapping("/test")
public String test() {
System.out.println("================== step 3: doing ==================");
return "success";
}
}
定义权限AOP
- 设置切入点为@annotation(VisitPermission)
- 获取请求中的token,校验是否token是否过期或合法
- 获取注解中的权限值,校验当前用户是否有访问权限
- MongoDB 记录访问日志(IP、参数、接口、耗时等)
@Aspect
@Component
public class PermissionAspect {
@Pointcut("@annotation(org.ylc.note.aop.annotation.VisitPermission)")
private void permission() {
}
@Before("permission()")
public void doBefore() {
System.out.println("================== step 2: before ==================");
}
@After("permission()")
public void doAfter() {
System.out.println("================== step 4: after ==================");
}
@Around("permission()")
public Object doAround(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
System.out.println("================== step 1: around ==================");
long startTime = System.currentTimeMillis();
ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
HttpServletRequest request = attributes.getRequest();
String token = request.getHeader("token");
if (StringUtils.isEmpty(token)) {
throw new RuntimeException("非法请求,无效token");
}
// 校验token的业务逻辑
// ...
Method method = ((MethodSignature) proceedingJoinPoint.getSignature()).getMethod();
VisitPermission visitPermission = method.getAnnotation(VisitPermission.class);
String value = visitPermission.value();
// 校验权限的业务逻辑
// List
单元测试
package org.ylc.note.aop;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.ylc.note.aop.controller.PermissionController;
@SpringBootTest
class AopApplicationTests {
@Autowired
private PermissionController permissionController;
private MockMvc mvc;
@BeforeEach
void setupMockMvc() {
mvc = MockMvcBuilders.standaloneSetup(permissionController).build();
}
@Test
void apiTest() throws Exception {
MvcResult result = mvc.perform(MockMvcRequestBuilders.get("/permission/test")
.accept(MediaType.APPLICATION_JSON)
.header("token", "9527"))
.andReturn();
System.out.println("api test result : " + result.getResponse().getContentAsString());
}
}
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持考高分网。
