提交
7b7d83fd
提交
7b7d83fd
编写于
4年前
作者:
sq3536
Merge remote-tracking branch 'origin/master'
上级
b44fa6f2
9fbf01bd
正在显示
16 个修改的文件
包含
201 行增加
和
394 行删除
+201
-394
package.json
app_web/package.json
+1
-1
ibiz-group-picker.vue
...eb/src/components/ibiz-group-picker/ibiz-group-picker.vue
+1
-1
ibiz-group-select.vue
...eb/src/components/ibiz-group-select/ibiz-group-select.vue
+11
-1
sys-role-permissioncustom-view.vue
...-permissioncustom-view/sys-role-permissioncustom-view.vue
+29
-7
DevBootSecurityConfig.java
...rc/main/java/cn/ibizlab/config/DevBootSecurityConfig.java
+2
-0
SysStructure.java
...a/cn/ibizlab/core/uaa/extensions/domain/SysStructure.java
+0
-1
systemResource.json
...aa-core/src/main/resources/permission/systemResource.json
+2
-1
apiSecurityConfig.java
...rc/main/java/cn/ibizlab/api/config/apiSecurityConfig.java
+2
-0
SysPSSystemResource.java
...rc/main/java/cn/ibizlab/api/rest/SysPSSystemResource.java
+1
-1
ClientAuthenticationResource.java
...lab/api/rest/extensions/ClientAuthenticationResource.java
+15
-206
IBZUAAFallback.java
.../src/main/java/cn/ibizlab/util/client/IBZUAAFallback.java
+2
-2
IBZUAAFeignClient.java
...c/main/java/cn/ibizlab/util/client/IBZUAAFeignClient.java
+4
-5
PermissionSyncJob.java
.../src/main/java/cn/ibizlab/util/job/PermissionSyncJob.java
+6
-2
AppController.java
...til/src/main/java/cn/ibizlab/util/rest/AppController.java
+22
-13
AuthPermissionEvaluator.java
...ava/cn/ibizlab/util/security/AuthPermissionEvaluator.java
+99
-153
IBZUSERServiceImpl.java
...main/java/cn/ibizlab/util/service/IBZUSERServiceImpl.java
+4
-0
app_web/package.json
@@ -25,7 +25,7 @@
"file-saver"
:
"^2.0.2"
,
"font-awesome"
:
"^4.7.0"
,
"ibiz-gantt-elastic"
:
"^1.0.12"
,
"ibiz-vue-lib"
:
"^0.1.
6
"
,
"ibiz-vue-lib"
:
"^0.1.
7
"
,
"interactjs"
:
"^1.9.4"
,
"moment"
:
"^2.24.0"
,
"path-to-regexp"
:
"^6.1.0"
,
app_web/src/components/ibiz-group-picker/ibiz-group-picker.vue
@@ -159,7 +159,7 @@ export default class IBizGroupPicker extends Vue {
* @memberof IBizGroupPicker
*/
public
loadTree
()
{
let
orgid
=
this
.
viewParam
.
hasfilter
?
this
.
viewParam
.
filtervalue
:
'450000'
;
let
orgid
=
this
.
viewParam
.
filtervalue
?
this
.
viewParam
.
filtervalue
:
"alls"
;
let
get
=
Http
.
getInstance
().
get
(
`/ibzorganizations/
${
orgid
}
/suborg/ibzdepartments/picker`
,
true
);
get
.
then
((
response
:
any
)
=>
{
if
(
response
.
status
===
200
)
{
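Review bot: The new `orgid` line takes `this.viewParam.filtervalue` verbatim and the next statement interpolates it into the request path `/ibzorganizations/${orgid}/suborg/ibzdepartments/picker`, so a value containing `/`, `?` or `#` changes which endpoint the picker calls; use `${encodeURIComponent(orgid)}` in the template literal. The fallback also changes from the organization id `'450000'` to the literal `"alls"`, which reads like a server-side sentinel — a one-line comment stating what the backend does with `alls` would spare the next reader a search. Since `hasfilter` is no longer consulted, a caller that passes `hasfilter: false` together with a leftover `filtervalue` now filters anyway; worth confirming against the callers. `loadTree` continues past the end of the hunk.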
app_web/src/components/ibiz-group-select/ibiz-group-select.vue
@@ -166,10 +166,20 @@ export default class IBizGroupSelect extends Vue {
title
:
'分组选择'
};
const
context
:
any
=
JSON
.
parse
(
JSON
.
stringify
(
this
.
context
));
let
filtervalue
:
string
=
""
;
if
(
this
.
filter
){
if
(
this
.
data
[
this
.
filter
]){
filtervalue
=
this
.
data
[
this
.
filter
];
}
else
if
(
context
[
this
.
filter
]){
filtervalue
=
context
[
this
.
filter
];
}
else
{
filtervalue
=
context
.
srforgid
;
}
}
const
param
:
any
=
{};
Object
.
assign
(
param
,
{
hasfilter
:
this
.
filter
?
true
:
false
,
filtervalue
:
this
.
filter
?
this
.
data
[
this
.
filter
]
:
''
,
filtervalue
:
filtervalue
,
multiple
:
this
.
multiple
,
selects
:
this
.
selects
});
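Review bot: The new `filtervalue` resolution ends in an unconditional `filtervalue = context.srforgid;` whenever `this.filter` is set but neither `this.data` nor `context` carries that key, so a misspelled or not-yet-populated filter name silently scopes the picker to the current organization rather than failing visibly; either leave `filtervalue` empty in that branch or document the fallback, e.g. `// no explicit filter value: fall back to the current organization (srforgid)`. Both lookups use truthiness, so a legitimate filter value of `0` or `""` also falls through to `srforgid`; `!== undefined` would be the safer test if such values occur. The enclosing method starts and ends outside the hunk.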
app_web/src/pages/uaa/sys-role-permissioncustom-view/sys-role-permissioncustom-view.vue
@@ -364,9 +364,13 @@
if
(
this
.
formDruipart
){
this
.
formDruipart
.
subscribe
((
res
:
any
)
=>
{
if
(
Object
.
is
(
res
.
action
,
'load'
)){
// 父数据保存时调用当前视图的
点击确定
事件
// 父数据保存时调用当前视图的事件
if
(
this
.
selectData
.
length
>
0
){
// 选中了数据
this
.
onClickOk
();
}
else
{
// 没选中数据
this
.
onClear
();
}
}
});
@@ -439,6 +443,10 @@
* @memberof SYS_ROLE_PERMISSIONCustomViewBase
*/
public
beforeDestroy
()
{
// 清空选中数据
this
.
selectData
=
{};
// 清空视图选中数据
this
.
viewSelections
=
[];
this
.
$store
.
commit
(
'viewaction/removeView'
,
this
.
viewtag
);
}
@@ -473,7 +481,6 @@
if
(
this
.
selectData
&&
this
.
selectData
.
length
>
0
)
{
// 判断选中的数据和初始数据
if
(
JSON
.
stringify
(
this
.
selectData
)
==
JSON
.
stringify
(
this
.
ininselectData
))
{
this
.
$emit
(
'close'
,
null
);
return
;
}
this
.
selectData
.
forEach
((
item
:
any
)
=>
{
@@ -498,15 +505,30 @@
}
}).
catch
((
e
)
=>
{
});
}
// 清空视图选中数据,避免重复添加
this
.
viewSelections
=
[];
}
/**
* 清除
*/
private
onClear
(){
// 未选中数据,即没有赋予任何权限,需要清除当前角色的所有权限
if
(
this
.
selectData
.
length
==
0
)
{
// 保存选中的权限信息
let
url
=
'/sysroles/'
+
this
.
srfparentkey
+
'/sysrolepermissions/refreshbatch'
;
this
.
$http
.
post
(
url
,[]).
then
((
response
:
any
)
=>
{
if
(
!
(
!
response
||
response
.
status
!==
200
))
{
}
else
{
this
.
$Notice
.
error
({
title
:
'错误'
,
desc
:
'未选中数据!'
});
this
.
$Notice
.
error
({
title
:
'错误'
,
desc
:
response
.
message
});
return
;
}
}).
catch
((
e
)
=>
{
});
}
}
}
</
script
>
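Review bot: In the new `onClear` (hunk `@@ -498,15 +505,30 @@`), the `.then` handler tests `!(!response || response.status !== 200)` with an empty success branch and puts the error path in `else`, and the trailing `.catch((e) => {})` swallows any transport failure, so a failed clear of the role's permissions is indistinguishable from a successful one for the user. The failure branch also raises `'未选中数据!'` as an error although the request is only sent when no data is selected, which makes the message misleading; a guard clause with a single notice carrying `response.message`, plus a catch that reports the rejection, keeps the intent readable. In the `beforeDestroy` hunk `this.selectData = {};` resets a value that `onClear` and the `load` handler read through `selectData.length`; if that line is new in this commit, `this.selectData = [];` keeps the type consistent.
```typescript
this.$http.post(url, []).then((response: any) => {
    if (!response || response.status !== 200) {
        this.$Notice.error({ title: '错误', desc: response ? response.message : String(response) });
        return;
    }
    // … unchanged: nothing further to do on success …
}).catch((e) => {
    this.$Notice.error({ title: '错误', desc: e && e.message ? e.message : String(e) });
});
```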
ibzuaa-boot/src/main/java/cn/ibizlab/config/DevBootSecurityConfig.java
@@ -102,6 +102,8 @@ public class DevBootSecurityConfig extends WebSecurityConfigurerAdapter {
.
antMatchers
(
HttpMethod
.
POST
,
"/"
+
uaaLoginPath
).
permitAll
()
.
antMatchers
(
HttpMethod
.
POST
,
"/"
+
uaaLoginPath2
).
permitAll
()
.
antMatchers
(
"/syspssystems/**/permissiondata"
).
permitAll
()
//同步系统权限资源
.
antMatchers
(
"/syspssystems/save"
).
permitAll
()
.
antMatchers
(
"/uaa/login"
).
permitAll
()
.
anyRequest
().
authenticated
()
// 防止iframe 造成跨域
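Review bot: The new `.antMatchers("/syspssystems/save").permitAll()` exposes the endpoint that replaces a system's permission structure to unauthenticated callers, and in the same commit the `@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')")` on `SysPSSystemResource.save` survives only as a `//` comment (the rendered diff does not mark sides, but that file's +1/-1 points that way), so nothing in the chain checks who is pushing the structure any more; the `apiSecurityConfig.java` hunk adds the identical rule. The caller is `IBZUAAFeignClient.syncSysAuthority`, an internal sync from `PermissionSyncJob`, so the safer shape is to keep `save` behind authentication and have the sync present a service credential, or at minimum bind the matcher to a role instead of `permitAll()`. If `permitAll` is deliberate for bootstrap, say so in the `//同步系统权限资源` comment, e.g. `// bootstrap-only: system resource sync is unauthenticated — restrict before exposing this service`, and delete the commented-out annotation in `SysPSSystemResource.java` rather than leaving dead code. The `/uaa/login` rule is expected for a login endpoint.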
ibzuaa-core/src/main/java/cn/ibizlab/core/uaa/extensions/domain/SysStructure.java
@@ -7,7 +7,6 @@ import cn.ibizlab.core.uaa.extensions.domain.Structure.FuncItem;
import
cn.ibizlab.core.uaa.extensions.domain.Structure.UniResNode
;
import
com.alibaba.fastjson.annotation.JSONField
;
import
com.fasterxml.jackson.annotation.JsonProperty
;
import
liquibase.pro.packaged.S
;
import
lombok.Data
;
import
java.sql.Timestamp
;
ibzuaa-core/src/main/resources/permission/systemResource.json
{
"systemid"
:
"ibzuaa"
,
"unires"
:[
],
"entities"
:[
ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/config/apiSecurityConfig.java
@@ -117,6 +117,8 @@ public class apiSecurityConfig extends WebSecurityConfigurerAdapter {
.
antMatchers
(
"/"
+
uploadpath
).
permitAll
()
.
antMatchers
(
"/"
+
previewpath
+
"/**"
).
permitAll
()
.
antMatchers
(
"/syspssystems/**/permissiondata"
).
permitAll
()
//同步系统权限资源
.
antMatchers
(
"/syspssystems/save"
).
permitAll
()
.
antMatchers
(
"/uaa/login"
).
permitAll
()
// 所有请求都需要认证
.
anyRequest
().
authenticated
()
ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/rest/SysPSSystemResource.java
@@ -105,7 +105,7 @@ public class SysPSSystemResource {
return
ResponseEntity
.
status
(
HttpStatus
.
OK
).
body
(
true
);
}
@PreAuthorize
(
"hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')"
)
//
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','ibzuaa-SysPSSystem-Save-all')")
@ApiOperation
(
value
=
"Save"
,
tags
=
{
"SysPSSystem"
},
notes
=
"Save"
)
@RequestMapping
(
method
=
RequestMethod
.
POST
,
value
=
"/syspssystems/save"
)
public
ResponseEntity
<
Boolean
>
save
(
@RequestBody
SysPSSystemDTO
syspssystemdto
)
{
ibzuaa-provider/ibzuaa-provider-api/src/main/java/cn/ibizlab/api/rest/extensions/ClientAuthenticationResource.java
package
cn
.
ibizlab
.
api
.
rest
.
extensions
;
import
cn.ibizlab.core.uaa.
service.ISysPermission
Service
;
import
cn.ibizlab.core.uaa.
extensions.service.UAACore
Service
;
import
cn.ibizlab.util.client.IBZOUFeignClient
;
import
cn.ibizlab.util.security.AuthTokenUtil
;
import
cn.ibizlab.util.security.AuthenticationInfo
;
import
cn.ibizlab.util.security.AuthenticationUser
;
import
cn.ibizlab.util.security.AuthorizationLogin
;
import
cn.ibizlab.util.service.AuthenticationUserService
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.beans.factory.annotation.Qualifier
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.http.ResponseEntity
;
import
org.springframework.util.StringUtils
;
import
org.springframework.security.core.GrantedAuthority
;
import
org.springframework.security.core.authority.AuthorityUtils
;
import
org.springframework.validation.annotation.Validated
;
import
org.springframework.web.bind.annotation.*
;
import
java.util.HashMap
;
import
java.util.List
;
import
java.util.Map
;
import
java.util.Set
;
import
java.util.*
;
/**
* 客户端登录认证
@@ -36,19 +33,6 @@ public class ClientAuthenticationResource
@Autowired
private
AuthTokenUtil
jwtTokenUtil
;
/**
* 实体操作标识
*/
private
String
OPPriTag
=
"OPPRIV"
;
/**
* 统一资源标识
*/
private
String
UniResTag
=
"UNIRES"
;
/**
* 菜单项标识
*/
private
String
AppMenuTag
=
"APPMENU"
;
@Autowired
@Qualifier
(
"IBZUSERService"
)
private
AuthenticationUserService
userDetailsService
;
@@ -56,9 +40,6 @@ public class ClientAuthenticationResource
@Autowired
private
IBZOUFeignClient
ouFeignClient
;
@Autowired
private
ISysPermissionService
permissionService
;
@PostMapping
(
value
=
"v7/login"
)
public
ResponseEntity
<
AuthenticationInfo
>
login
(
@Validated
@RequestBody
AuthorizationLogin
authorizationLogin
){
userDetailsService
.
resetByUsername
(
authorizationLogin
.
getUsername
());
@@ -98,197 +79,25 @@ public class ClientAuthenticationResource
return
ResponseEntity
.
ok
().
body
(
user
);
}
@Autowired
UAACoreService
uaaCoreService
;
/**
* 设置用户权限
* 由于GrantedAuthority缺少无参构造,导致无法序列化,暂时通过PermissionList中转
* @param user
* @return
*/
public
void
setUserPermission
(
AuthenticationUser
user
)
{
JSONObject
permissionObj
=
new
JSONObject
();
//数据能力
String
opprivSQL
=
"SELECT\n"
+
"\tT2.pssysmoduleid as sysmodule,\n"
+
"\tT2.psdataentityid as dataentity,\n"
+
"\tT2.pssourceid as pssourceid,\n"
+
"\tT2.pssourcetype as pssourcetype,\n"
+
"\tT2.psdedatarangeid as dedatarange,\n"
+
"\tT1.sys_permissionid as permissionid,\n"
+
"\tT1.sys_permissionname\n"
+
"FROM\n"
+
"\tibzrole_permission T\n"
+
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n"
+
"INNER JOIN ibzpsdeoppriv T2 on T1.SYS_PERMISSIONID=t2.SYS_PSDEOPPRIVID\n"
+
"WHERE\n"
+
"\tT.SYS_ROLEID IN (\n"
+
"\t SELECT SYS_ROLEID\n"
+
"\t FROM\n"
+
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n"
+
"\t WHERE\n"
+
"\t T1.USERID = #{et.param0}\n"
+
"\t)\n"
+
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1 "
;
//统一资源
String
uniResSQL
=
"SELECT\n"
+
"\tt2.SYS_PSSYSUNIRESID,\n"
+
"\tt2.SYS_PSSYSUNIRESNAME,\n"
+
"\tT2.UNIRESCODE \n"
+
"FROM\n"
+
"\tibzrole_permission T\n"
+
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n"
+
"INNER JOIN IBZPSSYSUNIRES T2 on T1.SYS_PERMISSIONID=t2.SYS_PSSYSUNIRESID\n"
+
"WHERE\n"
+
"\tT.SYS_ROLEID IN (\n"
+
"\t SELECT SYS_ROLEID\n"
+
"\t FROM\n"
+
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n"
+
"\t WHERE\n"
+
"\t T1.USERID = #{et.param0}\n"
+
"\t)\n"
+
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1"
;
//应用菜单
String
appMenuSQL
=
"SELECT\n"
+
"\tt2.PSAPPMENUITEMID as MENUITEMID,\n"
+
"\tt2.SYS_PSAPPMENUITEMNAME AS MENUITEMNAME \n"
+
"FROM\n"
+
"\tibzrole_permission T\n"
+
"INNER JOIN ibzpermission T1 ON T.SYS_PERMISSIONID = T1.SYS_PERMISSIONID\n"
+
"INNER JOIN ibzpsappmenuitem T2 on T1.SYS_PERMISSIONID=t2.SYS_PSAPPMENUITEMID\n"
+
"WHERE\n"
+
"\tT.SYS_ROLEID IN (\n"
+
"\t SELECT SYS_ROLEID\n"
+
"\t FROM\n"
+
"\t IBZUSER_ROLE t LEFT JOIN IBZUSER t1 ON t.SYS_USERID=T1.USERID\n"
+
"\t WHERE\n"
+
"\t T1.USERID = #{et.param0}\n"
+
"\t)\n"
+
"AND T1.PERMISSIONTYPE = #{et.param1} and t1.enable=1"
;
Map
opprivParam
=
new
HashMap
();
opprivParam
.
put
(
"param0"
,
user
.
getUserid
());
opprivParam
.
put
(
"param1"
,
OPPriTag
);
Map
uniresParam
=
new
HashMap
();
uniresParam
.
put
(
"param0"
,
user
.
getUserid
());
uniresParam
.
put
(
"param1"
,
UniResTag
);
Map
appMenuParam
=
new
HashMap
();
appMenuParam
.
put
(
"param0"
,
user
.
getUserid
());
appMenuParam
.
put
(
"param1"
,
AppMenuTag
);
List
<
JSONObject
>
entitiesList
=
permissionService
.
select
(
opprivSQL
,
opprivParam
);
//查询用户权限下数据能力
List
<
JSONObject
>
uniResList
=
permissionService
.
select
(
uniResSQL
,
uniresParam
);
//查询用户权限下的统一资源
List
<
JSONObject
>
appMenuItemList
=
permissionService
.
select
(
appMenuSQL
,
appMenuParam
);
//查询用户权限下的菜单项
JSONObject
entities
=
getEntitiesList
(
entitiesList
);
JSONArray
uniRes
=
getUniRes
(
uniResList
);
JSONArray
appMenuItem
=
getAppMenuItem
(
appMenuItemList
);
permissionObj
.
put
(
"entities"
,
entities
);
permissionObj
.
put
(
"unires"
,
uniRes
);
permissionObj
.
put
(
"appmenu"
,
appMenuItem
);
permissionObj
.
put
(
"authorities"
,
getAuthoritiesArray
(
user
,
entitiesList
));
user
.
setPermissionList
(
permissionObj
);
}
/**
* 获取用户资源
* @return
*/
private
JSONArray
getAuthoritiesArray
(
AuthenticationUser
user
,
List
<
JSONObject
>
dataRangeArray
)
{
JSONArray
authoritiesArray
=
new
JSONArray
();
if
(
dataRangeArray
.
size
()>
0
){
for
(
int
a
=
0
;
a
<
dataRangeArray
.
size
();
a
++){
JSONObject
dataRangeObj
=
dataRangeArray
.
get
(
a
);
String
dataRangeId
=
dataRangeObj
.
getString
(
"dedatarange"
);
String
permissionId
=
dataRangeObj
.
getString
(
"permissionid"
);
if
(
!
StringUtils
.
isEmpty
(
dataRangeId
)
&&
!
StringUtils
.
isEmpty
(
permissionId
)
&&
dataRangeId
.
equalsIgnoreCase
(
"all"
)
){
authoritiesArray
.
add
(
permissionId
);
}
}
}
Collection
<
GrantedAuthority
>
userAuthorities
=
uaaCoreService
.
getAuthoritiesByUserId
(
user
.
getUserid
());
Set
<
String
>
authorities
=
AuthorityUtils
.
authorityListToSet
(
userAuthorities
);
if
(
user
.
getSuperuser
()==
1
){
authoritiesArray
.
add
(
"ROLE_SUPERADMIN"
);
}
return
authoritiesArray
;
}
/**
* 获取应用菜单
* @param menuItemList
* @return
*/
private
JSONArray
getAppMenuItem
(
List
<
JSONObject
>
menuItemList
)
{
JSONArray
menuItemArr
=
new
JSONArray
();
for
(
int
a
=
0
;
a
<
menuItemList
.
size
();
a
++){
JSONObject
menuItem
=
menuItemList
.
get
(
a
);
JSONObject
newMenuItem
=
new
JSONObject
();
newMenuItem
.
put
(
"appid"
,
menuItem
.
getString
(
"MENUITEMID"
));
newMenuItem
.
put
(
"appmenuid"
,
menuItem
.
getString
(
"MENUITEMNAME"
));
newMenuItem
.
put
(
"menuitemid"
,
menuItem
.
getString
(
"MENUITEMID"
));
newMenuItem
.
put
(
"menuitemname"
,
menuItem
.
getString
(
"MENUITEMNAME"
));
menuItemArr
.
add
(
newMenuItem
);
}
return
menuItemArr
;
}
/**
* 获取统一资源
* @param uniResList
* @return
*/
private
JSONArray
getUniRes
(
List
<
JSONObject
>
uniResList
)
{
JSONArray
uniResArr
=
new
JSONArray
();
for
(
int
a
=
0
;
a
<
uniResList
.
size
();
a
++){
JSONObject
uniRes
=
uniResList
.
get
(
a
);
JSONObject
newUniRes
=
new
JSONObject
();
newUniRes
.
put
(
"unirescode"
,
uniRes
.
getString
(
"UNIRESCODE"
));
newUniRes
.
put
(
"uniresname"
,
uniRes
.
getString
(
"SYS_PSSYSUNIRESNAME"
));
uniResArr
.
add
(
newUniRes
);
}
return
uniResArr
;
}
/**
* 拼接实体行为资源
* @param role_permissions
* @return
*/
private
JSONObject
getEntitiesList
(
List
<
JSONObject
>
role_permissions
)
{
JSONObject
permission_entity
=
new
JSONObject
();
for
(
Map
rolePermission
:
role_permissions
)
{
JSONObject
obj
=
JSONObject
.
parseObject
(
JSONObject
.
toJSON
(
rolePermission
).
toString
());
String
entityName
=
obj
.
getString
(
"dataentity"
);
String
dataRangeName
=
obj
.
getString
(
"dedatarange"
);
String
sourceName
=
obj
.
getString
(
"pssourceid"
);
String
sourceType
=
obj
.
getString
(
"pssourcetype"
);
JSONObject
entity
=
new
JSONObject
();
JSONObject
permission
=
new
JSONObject
();
JSONArray
dataRange
=
new
JSONArray
();
if
(
permission_entity
.
containsKey
(
entityName
))
//实体合并
entity
=
permission_entity
.
getJSONObject
(
entityName
);
if
(
entity
.
containsKey
(
sourceType
))
//数据能力合并
permission
=
entity
.
getJSONObject
(
sourceType
);
if
(
permission
.
containsKey
(
sourceName
))
dataRange
=
permission
.
getJSONArray
(
sourceName
);
dataRange
.
add
(
dataRangeName
);
permission
.
put
(
sourceName
,
dataRange
);
entity
.
put
(
sourceType
,
permission
);
permission_entity
.
put
(
entityName
,
entity
);
authorities
.
add
(
"ROLE_SUPERADMIN"
);
}
return
permission_entity
;
JSONObject
permission
=
new
JSONObject
();
permission
.
put
(
"authorities"
,
authorities
);
user
.
setPermissionList
(
permission
);
}
/**
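Review bot: The new `@Autowired UAACoreService uaaCoreService;` field has no access modifier while every sibling injected field in the class is `private`, and it sits between `login` and `setUserPermission` rather than with the other fields; make it `private UAACoreService uaaCoreService;` and move it up to the injection block. The import hunk replaces the explicit `java.util.HashMap`/`List`/`Map`/`Set` imports with `import java.util.*;` — import `java.util.Collection` and `java.util.Set` by name instead, and check whether `JSONArray`, `StringUtils` and `HashMap` are still referenced anywhere in the file now that the SQL-building helpers are gone. The Javadoc on `setUserPermission` keeps an empty `@param user` and a `@return` on a `void` method; fill in `@param user the authenticated user whose permission list is populated from UAA authorities` and drop `@return`.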
ibzuaa-util/src/main/java/cn/ibizlab/util/client/IBZUAAFallback.java
@@ -9,8 +9,8 @@ import com.alibaba.fastjson.JSONObject;
public
class
IBZUAAFallback
implements
IBZUAAFeignClient
{
@Override
public
boolean
pushSystemPermissionData
(
String
systemid
,
JSONObject
systemPermissionData
)
{
return
false
;
public
Boolean
syncSysAuthority
(
JSONObject
system
)
{
return
null
;
}
@Override
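Review bot: The new fallback `syncSysAuthority` returns `null` for a `Boolean`, and its caller in `PermissionSyncJob` unboxes the result directly in `if(client.syncSysAuthority(system))`, so the exact situation the fallback exists for — UAA unreachable — now produces a `NullPointerException` that lands in the surrounding `catch (Exception ex)` instead of the dedicated `向[UAA]同步系统资源失败` branch; return `false` here, as the `pushSystemPermissionData` fallback it replaces did. The `IBZUAAFeignClient` declaration would be safer as primitive `boolean syncSysAuthority(@RequestBody JSONObject system);` so a null result cannot recur, and its Javadoc `@return` is empty — state what the flag means, e.g. `@return true when UAA accepted and stored the system resource`.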
ibzuaa-util/src/main/java/cn/ibizlab/util/client/IBZUAAFeignClient.java
@@ -10,13 +10,12 @@ import com.alibaba.fastjson.JSONObject;
public
interface
IBZUAAFeignClient
{
/**
* 推送系统权限数据到uaa
* @param systemid
* @param systemPermissionData
* 同步系统资源到uaa
* @param system 系统资源信息
* @return
*/
@PostMapping
(
"/syspssystems/
{systemid}/permissiondata
"
)
boolean
pushSystemPermissionData
(
@PathVariable
(
"systemid"
)
String
systemid
,
@RequestBody
JSONObject
systemPermissionData
);
@PostMapping
(
"/syspssystems/
save
"
)
Boolean
syncSysAuthority
(
@RequestBody
JSONObject
system
);
/**
* 用户登录
ibzuaa-util/src/main/java/cn/ibizlab/util/job/PermissionSyncJob.java
@@ -36,10 +36,14 @@ public class PermissionSyncJob implements ApplicationRunner {
Thread
.
sleep
(
10000
);
InputStream
permission
=
this
.
getClass
().
getResourceAsStream
(
"/permission/systemResource.json"
);
//获取当前系统所有实体资源能力
String
permissionResult
=
IOUtils
.
toString
(
permission
,
"UTF-8"
);
if
(
client
.
pushSystemPermissionData
(
systemId
,
JSONObject
.
parseObject
(
permissionResult
))){
JSONObject
system
=
new
JSONObject
();
system
.
put
(
"pssystemid"
,
systemId
);
system
.
put
(
"pssystemname"
,
systemId
);
system
.
put
(
"sysstructure"
,
JSONObject
.
parseObject
(
permissionResult
));
if
(
client
.
syncSysAuthority
(
system
)){
log
.
info
(
"向[UAA]同步系统资源成功"
);
}
else
{
log
.
info
(
String
.
format
(
"向[UAA]同步系统资源失败"
)
);
log
.
error
(
"向[UAA]同步系统资源失败"
);
}
}
catch
(
Exception
ex
)
{
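Review bot: The new failure branch logs a fixed `"向[UAA]同步系统资源失败"` with no context, so when several services share a UAA log it is not possible to tell which system failed to sync; include the id, e.g. `log.error("向[UAA]同步系统资源失败, pssystemid={}", systemId);` if `log` is an SLF4J logger, otherwise `String.format`. The new `system` object sets `pssystemname` to the same `systemId` value as `pssystemid`; if a human-readable name is available it belongs there, and if not a comment saying the name deliberately mirrors the id would stop readers treating it as a bug. The `InputStream permission` opened just above the hunk is never closed — outside this change, but a try-with-resources would be cheap to add while here.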
ibzuaa-util/src/main/java/cn/ibizlab/util/rest/AppController.java
package
cn
.
ibizlab
.
util
.
rest
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
cn.ibizlab.util.security.AuthenticationUser
;
import
cn.ibizlab.util.service.AuthenticationUserService
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.http.HttpStatus
;
import
org.springframework.http.ResponseEntity
;
import
org.springframework.
util.ObjectUtils
;
import
org.springframework.
security.core.GrantedAuthority
;
import
org.springframework.web.bind.annotation.RequestMapping
;
import
org.springframework.web.bind.annotation.RequestMethod
;
import
org.springframework.web.bind.annotation.RestController
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
cn.ibizlab.util.security.AuthenticationUse
r
;
import
cn.ibizlab.util.service.AuthenticationUserService
;
import
java.util.Collection
;
import
java.util.HashSet
;
import
java.util.Iterato
r
;
import
java.util.Set
;
@RestController
@RequestMapping
(
value
=
""
)
@@ -27,13 +30,19 @@ public class AppController {
public
ResponseEntity
<
JSONObject
>
getAppData
()
{
JSONObject
appData
=
new
JSONObject
()
;
JSONArray
uniRes
=
new
JSONArray
();
JSONArray
appMenu
=
new
JSONArray
();
Set
<
String
>
appMenu
=
new
HashSet
();
Set
<
String
>
uniRes
=
new
HashSet
();
if
(
enablePermissionValid
){
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(!
ObjectUtils
.
isEmpty
(
userPermission
)){
uniRes
=
userPermission
.
getJSONArray
(
"unires"
);
appMenu
=
userPermission
.
getJSONArray
(
"appmenu"
);
Collection
<
GrantedAuthority
>
authorities
=
AuthenticationUser
.
getAuthenticationUser
().
getAuthorities
();
Iterator
it
=
authorities
.
iterator
();
while
(
it
.
hasNext
())
{
GrantedAuthority
authority
=
(
GrantedAuthority
)
it
.
next
();
String
strAuthority
=
authority
.
getAuthority
();
if
(
strAuthority
.
startsWith
(
"UNIRES"
))
uniRes
.
add
(
strAuthority
);
else
if
(
strAuthority
.
startsWith
(
"APPMENU"
))
appMenu
.
add
(
strAuthority
);
}
}
appData
.
put
(
"unires"
,
uniRes
);
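Review bot: The new `getAppData` body declares `Set<String> appMenu = new HashSet();` and `Set<String> uniRes = new HashSet();` with raw `HashSet`, then walks `authorities` through a raw `Iterator` and casts each element to `GrantedAuthority` although the collection is already declared `Collection<GrantedAuthority>`; the diamond and an enhanced for-loop remove the unchecked warnings, the cast and the `java.util.Iterator` import. The prefixes `"UNIRES"` and `"APPMENU"` are bare literals that encode the authority naming convention; `private static final String UNIRES_PREFIX = "UNIRES";` and `APPMENU_PREFIX` make that convention discoverable. The import block appears to list `Value`, `Autowired`, `AuthenticationUser` and `AuthenticationUserService` twice — if both copies survive on the new side, drop the duplicates. The method ends outside the hunk.
```java
Set<String> appMenu = new HashSet<>();
Set<String> uniRes = new HashSet<>();
if (enablePermissionValid) {
    Collection<GrantedAuthority> authorities = AuthenticationUser.getAuthenticationUser().getAuthorities();
    for (GrantedAuthority authority : authorities) {
        String strAuthority = authority.getAuthority();
        if (strAuthority.startsWith("UNIRES")) {
            uniRes.add(strAuthority);
        } else if (strAuthority.startsWith("APPMENU")) {
            appMenu.add(strAuthority);
        }
    }
}
// … unchanged: appData.put("unires", uniRes) and the remainder of the method …
```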
ibzuaa-util/src/main/java/cn/ibizlab/util/security/AuthPermissionEvaluator.java
package
cn
.
ibizlab
.
util
.
security
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.service.impl.ServiceImpl
;
import
com.mongodb.QueryBuilder
;
@@ -18,6 +16,7 @@ import org.springframework.data.mongodb.core.query.BasicQuery;
import
org.springframework.data.mongodb.core.query.Query
;
import
org.springframework.security.access.PermissionEvaluator
;
import
org.springframework.security.core.Authentication
;
import
org.springframework.security.core.GrantedAuthority
;
import
org.springframework.stereotype.Component
;
import
org.springframework.util.ObjectUtils
;
import
org.springframework.util.StringUtils
;
@@ -35,10 +34,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value
(
"${ibiz.enablePermissionValid:false}"
)
boolean
enablePermissionValid
;
//是否开启权限校验
/**
* 实体行为操作标识
*/
private
String
DEActionType
=
"DEACTION"
;
/**
*实体主键标识
*/
@@ -67,9 +62,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
List
<
String
>
ids
=
null
;
EntityBase
entity
;
List
<
EntityBase
>
entityList
=
null
;
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(
userPermission
==
null
)
return
false
;
MappingBase
mappingBase
=
(
MappingBase
)
paramList
.
get
(
1
);
//参数准备
if
(
action
.
equalsIgnoreCase
(
"remove"
)){
@@ -86,26 +78,19 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
entity
==
null
)
return
false
;
JSONObject
permissionList
=
userPermission
.
getJSONObject
(
"entities"
);
String
entityName
=
entity
.
getClass
().
getSimpleName
();
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
//拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
entityName
,
action
,
permissionList
)){
if
(
isAllData
(
action
,
entityDataRange
)){
return
true
;
}
//检查是否有操作权限[create.update.delete.read]
if
(!
validDEActionHasPermission
(
entityName
,
action
,
permissionList
)){
return
false
;
}
JSONArray
dataRangeList
=
getDataRange
(
entityName
,
action
,
permissionList
);
if
(
dataRangeList
.
size
()==
0
)
return
false
;
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createBatchActionPermissionValid
(
entityList
,
dataRangeList
);
return
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
}
else
if
(
action
.
equalsIgnoreCase
(
"save"
)){
return
saveBatchActionPermissionValid
(
deStorageMode
,
entityList
,
dataRangeList
);
return
saveBatchActionPermissionValid
(
deStorageMode
,
entityList
,
entityDataRange
);
}
else
{
if
(!
action
.
equalsIgnoreCase
(
"remove"
)){
@@ -113,7 +98,7 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
}
if
(
ids
.
size
()==
0
)
return
false
;
return
otherBatchActionPermissionValidRouter
(
deStorageMode
,
entity
,
ids
,
dataRangeList
);
return
otherBatchActionPermissionValidRouter
(
deStorageMode
,
entity
,
ids
,
entityDataRange
);
}
}
@@ -142,23 +127,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
if
(
StringUtils
.
isEmpty
(
entity
))
return
false
;
JSONObject
userPermission
=
AuthenticationUser
.
getAuthenticationUser
().
getPermissionList
();
if
(
userPermission
==
null
)
Set
<
String
>
entityDataRange
=
getAuthorities
(
authentication
,
entity
.
getClass
().
getSimpleName
(),
action
);
if
(
entityDataRange
.
size
()==
0
)
return
false
;
JSONObject
permissionList
=
userPermission
.
getJSONObject
(
"entities"
);
String
entityName
=
entity
.
getClass
().
getSimpleName
();
//拥有全部数据访问权限时,则跳过权限检查
if
(
isAllData
(
entityName
,
action
,
permissionList
)){
if
(
isAllData
(
action
,
entityDataRange
)){
return
true
;
}
//检查是否有操作权限[create.update.delete.read]
if
(!
validDEActionHasPermission
(
entityName
,
action
,
permissionList
)){
return
false
;
}
JSONArray
dataRangeList
=
getDataRange
(
entityName
,
action
,
permissionList
);
if
(
dataRangeList
.
size
()==
0
)
return
false
;
if
(
action
.
equalsIgnoreCase
(
"save"
)){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
@@ -170,21 +147,41 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
action
=
"update"
;
}
if
(
action
.
equalsIgnoreCase
(
"create"
)){
return
createActionPermissionValid
(
entity
,
dataRangeList
);
return
createActionPermissionValid
(
entity
,
entityDataRange
);
}
else
{
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
id
,
dataRangeList
);
return
otherActionPermissionValidRouter
(
deStorageMode
,
entity
,
id
,
entityDataRange
);
}
}
/**
* 获取用户权限资源
* @param authentication
* @param entityName
* @param action
* @return
*/
private
Set
<
String
>
getAuthorities
(
Authentication
authentication
,
String
entityName
,
String
action
){
Collection
authorities
=
authentication
.
getAuthorities
();
Set
<
String
>
entityDataRange
=
new
HashSet
();
Iterator
var2
=
authorities
.
iterator
();
while
(
var2
.
hasNext
())
{
GrantedAuthority
authority
=
(
GrantedAuthority
)
var2
.
next
();
if
(
authority
.
getAuthority
().
contains
(
String
.
format
(
"%s-%s-"
,
entityName
,
action
)))
entityDataRange
.
add
(
authority
.
getAuthority
());
}
return
entityDataRange
;
}
/**
* 批save校验
* @param deStorageMode
* @param entityList
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
saveBatchActionPermissionValid
(
String
deStorageMode
,
List
<
EntityBase
>
entityList
,
JSONArray
dataRangeList
)
{
private
boolean
saveBatchActionPermissionValid
(
String
deStorageMode
,
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
)
{
if
(
entityList
==
null
||
entityList
.
size
()==
0
)
return
false
;
@@ -202,12 +199,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
updateList
.
add
(
String
.
valueOf
(
id
));
}
if
(
updateList
.
size
()>
0
){
boolean
isUpdate
=
otherBatchActionPermissionValidRouter
(
deStorageMode
,
tempEntity
,
updateList
,
dataRangeList
);
boolean
isUpdate
=
otherBatchActionPermissionValidRouter
(
deStorageMode
,
tempEntity
,
updateList
,
entityDataRange
);
if
(!
isUpdate
)
return
false
;
}
if
(
createList
.
size
()>
0
){
boolean
isCreate
=
createBatchActionPermissionValid
(
entityList
,
dataRangeList
);
boolean
isCreate
=
createBatchActionPermissionValid
(
entityList
,
entityDataRange
);
if
(!
isCreate
)
return
false
;
}
@@ -217,12 +214,12 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 批处理新建权限校验
* @param entityList
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
createBatchActionPermissionValid
(
List
<
EntityBase
>
entityList
,
JSONArray
dataRangeList
){
private
boolean
createBatchActionPermissionValid
(
List
<
EntityBase
>
entityList
,
Set
<
String
>
entityDataRange
){
for
(
EntityBase
entity
:
entityList
){
boolean
isCreate
=
createActionPermissionValid
(
entity
,
dataRangeList
);
boolean
isCreate
=
createActionPermissionValid
(
entity
,
entityDataRange
);
if
(!
isCreate
){
return
false
;
}
@@ -235,16 +232,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param ids
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
otherBatchActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
dataRangeList
){
private
boolean
otherBatchActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlBatchPermissionValid
(
entity
,
ids
,
dataRangeList
);
return
sqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlBatchPermissionValid
(
entity
,
ids
,
dataRangeList
);
return
noSqlBatchPermissionValid
(
entity
,
ids
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
@@ -258,16 +255,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* SQL批处理权限校验
* @param entity
* @param ids
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
sqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
dataRangeList
){
private
boolean
sqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));
//获取实体service对象
//通过权限表达式来获取sql
String
permissionSQL
=
String
.
format
(
" (%s) AND ( %s in (%s) ) "
,
getPermissionSQL
(
entity
,
dataRangeList
),
keyFieldName
,
getEntityKeyCond
(
ids
));
//拼接权限条件-编辑
String
permissionSQL
=
String
.
format
(
" (%s) AND ( %s in (%s) ) "
,
getPermissionSQL
(
entity
,
entityDataRange
),
keyFieldName
,
getEntityKeyCond
(
ids
));
//拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);
//构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
@@ -282,15 +279,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL批处理权限校验
* @param entity
* @param ids
* @param
d
ataRange
* @param
entityD
ataRange
* @return
*/
private
boolean
noSqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
JSONArray
d
ataRange
)
{
private
boolean
noSqlBatchPermissionValid
(
EntityBase
entity
,
List
<
String
>
ids
,
Set
<
String
>
entityD
ataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyFieldName
=
permissionField
.
get
(
keyFieldTag
);
//根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
d
ataRange
);
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityD
ataRange
);
//权限条件拼接主键
permissionCond
.
and
(
keyFieldName
).
in
(
ids
);
//执行权限检查
@@ -306,59 +303,26 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 是否为全部数据
* @param permissionList
* @param entityName
* @param action
* @param entityDataRange
* @return
*/
private
boolean
isAllData
(
String
entityName
,
String
action
,
JSONObject
permissionList
)
{
if
(
permissionList
==
null
)
return
false
;
if
(!
permissionList
.
containsKey
(
entityName
))
return
false
;
JSONObject
entity
=
permissionList
.
getJSONObject
(
entityName
);
if
(!
entity
.
containsKey
(
DEActionType
))
return
false
;
JSONObject
dataRange
=
entity
.
getJSONObject
(
DEActionType
);
//获取实体行为对应的数据范围
if
(
dataRange
.
containsKey
(
action
)
&&
dataRange
.
getJSONArray
(
action
).
contains
(
"all"
))
private
boolean
isAllData
(
String
action
,
Set
<
String
>
entityDataRange
)
{
for
(
String
dataRange
:
entityDataRange
){
if
(
dataRange
.
endsWith
(
String
.
format
(
"%s-all"
,
action
))){
return
true
;
return
false
;
}
/**
* 实体行为权限校验
* @param userPermission
* @param entityName
* @param action
* userPermission:{"ENTITY":{"DEACTION":{"READ":["CURORG"]},"DATASET":{"Default":["CURORG"]}}}
* @return
*/
private
boolean
validDEActionHasPermission
(
String
entityName
,
String
action
,
JSONObject
userPermission
){
boolean
hasPermission
=
false
;
if
(
userPermission
==
null
)
return
false
;
if
(!
userPermission
.
containsKey
(
entityName
))
return
false
;
JSONObject
entity
=
userPermission
.
getJSONObject
(
entityName
);
//获取实体
if
(!
entity
.
containsKey
(
DEActionType
))
return
false
;
JSONObject
dataRange
=
entity
.
getJSONObject
(
DEActionType
);
//获取实体行为对应的数据范围
if
(
dataRange
.
containsKey
(
action
)){
hasPermission
=
true
;
}
return
hasPermission
;
return
false
;
}
/**
* 新建行为校验
* @param entity
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
createActionPermissionValid
(
EntityBase
entity
,
JSONArray
dataRangeList
){
private
boolean
createActionPermissionValid
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
boolean
isCreate
=
true
;
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
...
...
@@ -379,24 +343,23 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
userOrg
=
new
HashSet
<>();
Set
<
String
>
userOrgDept
=
new
HashSet
<>();
for
(
int
a
=
0
;
a
<
dataRangeList
.
size
();
a
++){
String
permissionCond
=
dataRangeList
.
getString
(
a
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
for
(
String
permissionCond:
entityDataRange
){
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
userOrg
.
add
(
authenticationUser
.
getOrgid
());
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
userOrg
.
addAll
(
orgParent
);
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
userOrg
.
addAll
(
orgChild
);
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
userOrgDept
.
add
(
authenticationUser
.
getMdeptid
());
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
userOrgDept
.
addAll
(
orgDeptParent
);
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
userOrgDept
.
addAll
(
orgDeptChild
);
}
}
...
...
@@ -419,16 +382,16 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* @param deStorageMode
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
otherActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
){
private
boolean
otherActionPermissionValidRouter
(
String
deStorageMode
,
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
if
(
deStorageMode
.
equalsIgnoreCase
(
"sql"
)){
return
sqlPermissionValid
(
entity
,
id
,
dataRangeList
);
return
sqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"nosql"
)){
return
noSqlPermissionValid
(
entity
,
id
,
dataRangeList
);
return
noSqlPermissionValid
(
entity
,
id
,
entityDataRange
);
}
else
if
(
deStorageMode
.
equalsIgnoreCase
(
"serviceapi"
)){
return
true
;
...
...
@@ -442,15 +405,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* sql存储模式实体行为鉴权
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
sqlPermissionValid
(
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
){
private
boolean
sqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
){
ServiceImpl
service
=
SpringContextHolder
.
getBean
(
String
.
format
(
"%s%s"
,
entity
.
getClass
().
getSimpleName
(),
"ServiceImpl"
));
//获取实体service对象
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
//通过权限表达式来获取sql
String
permissionSQL
=
String
.
format
(
" (%s) AND (%s='%s')"
,
getPermissionSQL
(
entity
,
dataRangeList
),
permissionField
.
get
(
keyFieldTag
),
id
);
//拼接权限条件-编辑
String
permissionSQL
=
String
.
format
(
" (%s) AND (%s='%s')"
,
getPermissionSQL
(
entity
,
entityDataRange
),
permissionField
.
get
(
keyFieldTag
),
id
);
//拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper
permissionWrapper
=
getPermissionWrapper
(
permissionSQL
);
//构造权限条件
List
list
=
service
.
list
(
permissionWrapper
);
...
...
@@ -466,15 +429,15 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
* NoSQL实体行为鉴权
* @param entity
* @param id
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
boolean
noSqlPermissionValid
(
EntityBase
entity
,
Object
id
,
JSONArray
dataRangeList
)
{
private
boolean
noSqlPermissionValid
(
EntityBase
entity
,
Object
id
,
Set
<
String
>
entityDataRange
)
{
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
keyField
=
permissionField
.
get
(
keyFieldTag
);
//根据权限表达式填充权限条件
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
dataRangeList
);
QueryBuilder
permissionCond
=
getNoSqlPermissionCond
(
entity
,
entityDataRange
);
//权限条件拼接主键
permissionCond
.
and
(
keyField
).
is
(
id
);
//执行权限检查
...
...
@@ -492,10 +455,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* 为NoSQL存储模式的表格查询填充权限条件
* @param entity
* @param
dataRangeList
* @param
entityDataRange
* @return
*/
private
QueryBuilder
getNoSqlPermissionCond
(
EntityBase
entity
,
JSONArray
dataRangeList
){
private
QueryBuilder
getNoSqlPermissionCond
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
QueryBuilder
permissionSQL
=
new
QueryBuilder
();
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
...
...
@@ -509,30 +472,29 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
int
i
=
0
;
i
<
dataRangeList
.
size
();
i
++){
String
permissionCond
=
dataRangeList
.
getString
(
i
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
for
(
String
permissionCond:
entityDataRange
){
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgParent
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgField
).
in
(
formatStringArr
(
orgChild
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"createman"
)){
//建立人
else
if
(
permissionCond
.
e
ndsWith
(
"createman"
)){
//建立人
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
createManField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
is
(
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptParent
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
permissionSQL
.
or
(
new
QueryBuilder
().
and
(
orgDeptField
).
in
(
formatStringArr
(
orgDeptChild
)).
get
());
}
else
if
(
permissionCond
.
e
quals
(
"all"
)){
else
if
(
permissionCond
.
e
ndsWith
(
"all"
)){
permissionSQL
.
or
(
new
QueryBuilder
().
get
());
}
}
...
...
@@ -543,10 +505,10 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
/**
* SQL获取权限条件
* @param entity
* @param
oppriList
* @param
entityDataRange
* @return
*/
private
String
getPermissionSQL
(
EntityBase
entity
,
JSONArray
oppriList
){
private
String
getPermissionSQL
(
EntityBase
entity
,
Set
<
String
>
entityDataRange
){
Map
<
String
,
String
>
permissionField
=
getPermissionField
(
entity
);
//获取组织、部门预置属性
String
nPermissionSQL
=
"1<>1"
;
...
...
@@ -561,31 +523,30 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
Set
<
String
>
orgDeptParent
=
userInfo
.
get
(
"parentdept"
);
Set
<
String
>
orgDeptChild
=
userInfo
.
get
(
"subdept"
);
for
(
int
i
=
0
;
i
<
oppriList
.
size
();
i
++
){
for
(
String
permissionCond:
entityDataRange
){
permissionSQL
.
append
(
"OR"
);
String
permissionCond
=
oppriList
.
getString
(
i
);
//权限配置条件
if
(
permissionCond
.
equals
(
"curorg"
)){
//本单位
if
(
permissionCond
.
endsWith
(
"curorg"
)){
//本单位
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgField
,
AuthenticationUser
.
getAuthenticationUser
().
getOrgid
()));
}
else
if
(
permissionCond
.
e
quals
(
"porg"
)){
//上级单位
else
if
(
permissionCond
.
e
ndsWith
(
"porg"
)){
//上级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgParent
)));
}
else
if
(
permissionCond
.
e
quals
(
"sorg"
)){
//下级单位
else
if
(
permissionCond
.
e
ndsWith
(
"sorg"
)){
//下级单位
permissionSQL
.
append
(
String
.
format
(
" %s in(%s) "
,
orgField
,
formatStringArr
(
orgChild
)));
}
else
if
(
permissionCond
.
e
quals
(
"createman"
)){
//建立人
else
if
(
permissionCond
.
e
ndsWith
(
"createman"
)){
//建立人
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
createManField
,
AuthenticationUser
.
getAuthenticationUser
().
getUserid
()));
}
else
if
(
permissionCond
.
e
quals
(
"curorgdept"
)){
//本部门
else
if
(
permissionCond
.
e
ndsWith
(
"curorgdept"
)){
//本部门
permissionSQL
.
append
(
String
.
format
(
"(%s='%s')"
,
orgDeptField
,
AuthenticationUser
.
getAuthenticationUser
().
getMdeptid
()));
}
else
if
(
permissionCond
.
e
quals
(
"porgdept"
)){
//上级部门
else
if
(
permissionCond
.
e
ndsWith
(
"porgdept"
)){
//上级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptParent
)));
}
else
if
(
permissionCond
.
e
quals
(
"sorgdept"
)){
//下级部门
else
if
(
permissionCond
.
e
ndsWith
(
"sorgdept"
)){
//下级部门
permissionSQL
.
append
(
String
.
format
(
" %s in (%s) "
,
orgDeptField
,
formatStringArr
(
orgDeptChild
)));
}
else
if
(
permissionCond
.
e
quals
(
"all"
)){
//全部数据
else
if
(
permissionCond
.
e
ndsWith
(
"all"
)){
//全部数据
permissionSQL
.
append
(
"(1=1)"
);
}
else
{
...
...
@@ -701,21 +662,6 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return
"'"
+
String
.
join
(
"','"
,
arr
)
+
"'"
;
}
/**
* 获取数据范围
* @param entityName
* @param action
* @param permissionList
* @return
*/
private
JSONArray
getDataRange
(
String
entityName
,
String
action
,
JSONObject
permissionList
){
//获取权限表达式[全部数据、本单位、本部门等]
JSONObject
entityObj
=
permissionList
.
getJSONObject
(
entityName
);
//获取实体
JSONObject
permissionType
=
entityObj
.
getJSONObject
(
DEActionType
);
JSONArray
dataRangeList
=
permissionType
.
getJSONArray
(
action
);
//行为:read;insert...
return
dataRangeList
;
}
/**
* 获取实体主键集合
* @param entityBase
...
...
ibzuaa-util/src/main/java/cn/ibizlab/util/service/IBZUSERServiceImpl.java
...
...
@@ -7,6 +7,7 @@ import cn.ibizlab.util.errors.BadRequestAlertException;
import
cn.ibizlab.util.helper.CachedBeanCopier
;
import
org.springframework.beans.factory.annotation.Value
;
import
org.springframework.context.annotation.Primary
;
import
org.springframework.security.core.authority.AuthorityUtils
;
import
org.springframework.security.core.userdetails.UsernameNotFoundException
;
import
org.springframework.stereotype.Service
;
import
cn.ibizlab.util.mapper.IBZUSERMapper
;
...
...
@@ -72,6 +73,9 @@ public class IBZUSERServiceImpl extends ServiceImpl<IBZUSERMapper, IBZUSER> impl
public
AuthenticationUser
createUserDetails
(
IBZUSER
user
)
{
AuthenticationUser
userdatail
=
new
AuthenticationUser
();
CachedBeanCopier
.
copy
(
user
,
userdatail
);
if
(
userdatail
.
getSuperuser
()==
1
){
userdatail
.
setAuthorities
(
AuthorityUtils
.
createAuthorityList
(
"ROLE_SUPERADMIN"
));
}
return
userdatail
;
}
}
\ No newline at end of file
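Review bot: The new superuser check in createUserDetails compares `getSuperuser()==1`; if that getter returns a boxed `Integer` (the field is bean-copied from `IBZUSER` via `CachedBeanCopier.copy`, so a null column would presumably arrive as null), the unboxing throws a NullPointerException and the user cannot log in at all, turning a missing flag into an outage instead of a denied privilege. A null-safe form such as `if (Integer.valueOf(1).equals(userdatail.getSuperuser())) {` keeps the intent and treats an absent flag as "not superuser". `setAuthorities(...)` also overwrites whatever authorities the copy may already have placed on the detail object, so if `IBZUSER` carries role data the superadmin grant silently discards it; confirm nothing is expected to survive the copy, or merge into the existing list instead. Because this flag alone yields ROLE_SUPERADMIN, a comment above the check is warranted: `// the superuser column is the sole source of ROLE_SUPERADMIN; any write path to it is a privilege-grant path`.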