拦截器以及自定义注解的使用

1，设置预处理，设置不需要拦截的请求

@Component
public class MyWebConfig implements WebMvcConfigurer {
  private final UserTokenInterceptor userTokenInterceptor;
  private final SecurityInterceptor securityInterceptor;

  public MyWebConfig(
      UserTokenInterceptor userTokenInterceptor, SecurityInterceptor securityInterceptor) {
    this.userTokenInterceptor = userTokenInterceptor;
    this.securityInterceptor = securityInterceptor;
  }

  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    // 定义排除swagger访问的路径配置
    String[] swaggerExcludes =
        new String[] {"/swagger-ui.html", "/swagger-resources
    if (StrUtil.isNotEmpty(token)) {
      EmpInfo securityEmployee = empInfoService.queryToken(token);
      if(securityEmployee != null){
        // token有效
        String ref = empInfoService.isRef(token);
        if (StrUtil.isNotBlank(ref)) {
          response.setHeader("Access-Control-Expose-Headers", "token");
          response.addHeader("token", ref);
        }
      }else{
        //Authorization为PBE加密数据
        securityEmployee = empInfoService.analyticQueryToken(token,response);
      }
      if (securityEmployee != null) {
        // token有效
        // 将User对象放入到ThreadLocal中
        UserLocal.set(securityEmployee);
        return true;
      }
      return false;
    }
//    String s = JSONUtil.toJsonStr(ResponseResult.error(ErrorCode.TOKEN_ERROR));
//    response.setContentType("text/html;charset=UTF-8");
//    JSONUtil.toJsonStr(s, response.getWriter());
//    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    InterceptorExceptionResolver.interceptorError(response,ErrorCode.TOKEN_ERROR);
    //update 结束
    return false;
  }

  @Override
  public void afterCompletion(
      HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex)
      throws Exception {
    // 响应结束后刪除對象
    UserLocal.remove();
  }
}

@Component
public class SecurityInterceptor implements HandlerInterceptor {
  @Override
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
      throws Exception {
    // 校验handler是否是HandlerMethod
    if (!(handler instanceof HandlerMethod)) {
      return true;
    }
    HandlerMethod method = (HandlerMethod) handler;
    // 判断是否包含@NoAuthorization注解，如果包含，直接放行
    if (method.hasMethodAnnotation(NoAuthorization.class)) {
      return true;
    }
    SecurityGrade methodAnnotation = method.getMethodAnnotation(SecurityGrade.class);
    if (methodAnnotation == null) {
      methodAnnotation = method.getMethod().getDeclaringClass().getAnnotation(SecurityGrade.class);
    }
    // 權限等級 用戶對象
    EmpInfo info = UserLocal.get();
    if (info == null) {
      retError(response);
      return false;
    }

    List value = List.of(methodAnnotation.value());
    // 權限等級
    List roles = info.getRoles();
    boolean isRelease = false;
    for (Role role : roles) {
      String permission = role.getRolePermission();
      if (value.contains(permission)) {
        isRelease = true;
        break;
      }
    }
    if (isRelease) {
      return true;
    } else {
      retError(response);
      return false;
    }
  }

  private void retError(HttpServletResponse response) throws IOException {
    String s = JSONUtil.toJsonStr(ResponseResult.error(ErrorCode.ROLE_ERROR));
    response.setContentType("text/html;charset=UTF-8");
    JSONUtil.toJsonStr(s, response.getWriter());
  }
}

3.关于注解的使用

@SecurityGrade({"SUPER_ADMIN", "SYSTEM_ADMIN"})
public class SecurityController {
  private final EmpInfoService empInfoService;

  public SecurityController(EmpInfoService empInfoService) {
    this.empInfoService = empInfoService;
  }

  @GetMapping("getUserInformation")
  @ApiOperation("登陸用户信息")
  @NoAuthorization
  public ResponseResult getUserInformation(@ApiIgnore HttpServletResponse response) {
    return empInfoService.getUserInformation(response);
  }
}

method.getMethodAnnotation(SecurityGrade.class) 获得注解信息，methodAnnotation.value()获得注解内容"SUPER_ADMIN", "SYSTEM_ADMIN"。