Skip to content

iBiz4j Spring R7
iBiz4j Spring R7
提交 9e2009a8 编写于 作者: zhouweidong's avatar zhouweidong
浏览文件
操作

简化权限校验

上级 72721eca
显示空白字符变更
内嵌 并排
正在显示 包含 43 行增加508 行删除
SLN/%PUBPRJ%-provider/%PUBPRJ%-provider-%SYSAPI_PKGPATH%/src/main/java/%SYS_PKGPATH%/%SYSAPI_PKGPATH%/rest/%ITEM%Resource.java.ftl
浏览文件 @ 9e2009a8
...@@ -46,6 +46,7 @@ import org.springframework.data.domain.Pageable; ...@@ -46,6 +46,7 @@ import org.springframework.data.domain.Pageable;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.context.annotation.Lazy; import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PostAuthorize;
import io.swagger.annotations.Api; import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation; import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse; import io.swagger.annotations.ApiResponse;
...@@ -145,7 +146,7 @@ public class ${itemCodeName}Resource { ...@@ -145,7 +146,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") <@outputHasPermissionAnnotation 'this.${itemCodeNameLC}Mapping.toDomain(#${itemCodeNameLC}dtos)' '${sys.codeName}-${de.codeName}-${deaction.codeName}' />
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}") @RequestMapping(method = RequestMethod.POST, value = "${fullPath}")
...@@ -169,7 +170,7 @@ public class ${itemCodeName}Resource { ...@@ -169,7 +170,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") <@outputHasPermissionAnnotation 'this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC})' '${sys.codeName}-${de.codeName}-${deaction.codeName}' />
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -194,7 +195,7 @@ public class ${itemCodeName}Resource { ...@@ -194,7 +195,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") //@PreAuthorize("hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.${reqMtd}, value = "${fullPath}/${deactionCodeName?lower_case}") @RequestMapping(method = RequestMethod.${reqMtd}, value = "${fullPath}/${deactionCodeName?lower_case}")
...@@ -214,7 +215,7 @@ public class ${itemCodeName}Resource { ...@@ -214,7 +215,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})") <@outputHasPermissionAnnotation 'this.${deCodeNameLC}Service.get(#${itemCodeNameLC + keyCNLC})' '${sys.codeName}-${de.codeName}-${deaction.codeName}' />
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -235,7 +236,7 @@ public class ${itemCodeName}Resource { ...@@ -235,7 +236,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})") @PostAuthorize("hasPermission(this.${itemCodeNameLC}Mapping.toDomain(returnObject.body),'${sys.codeName}-${de.codeName}-${deaction.codeName}')")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}") @ApiOperation(value = "${deaction.getLogicName()}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}")
@RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -409,7 +410,7 @@ public class ${itemCodeName}Resource { ...@@ -409,7 +410,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") //@PreAuthorize("hasPermission('','Create',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}") @ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}")
@RequestMapping(method = RequestMethod.POST, value = "${fullPath}") @RequestMapping(method = RequestMethod.POST, value = "${fullPath}")
...@@ -438,7 +439,7 @@ public class ${itemCodeName}Resource { ...@@ -438,7 +439,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") //@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Update',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}") @ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}")
@RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.PUT, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -507,7 +508,7 @@ public class ${itemCodeName}Resource { ...@@ -507,7 +508,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})") //@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Remove',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}") @ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}")
@RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.DELETE, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -528,7 +529,7 @@ public class ${itemCodeName}Resource { ...@@ -528,7 +529,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})") //@PreAuthorize("hasPermission('','Save',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dto})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}") @ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}")
@RequestMapping(method = RequestMethod.${reqMtd}, value = "${fullPath}/${deactionCodeName?lower_case}") @RequestMapping(method = RequestMethod.${reqMtd}, value = "${fullPath}/${deactionCodeName?lower_case}")
...@@ -554,7 +555,7 @@ public class ${itemCodeName}Resource { ...@@ -554,7 +555,7 @@ public class ${itemCodeName}Resource {
<#if noDEPrefield> <#if noDEPrefield>
<@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/> <@outputHasAnyAuthorityAnnotation '${sys.codeName}-${de.codeName}-${deaction.codeName}-all'/>
<#else> <#else>
@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})") //@PreAuthorize("hasPermission(#${itemCodeNameLC + keyCNLC},'Get',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO})")
</#if> </#if>
@ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}") @ApiOperation(value = "${deaction.getLogicName()}${byParams}", tags = {"${itemCodeName}" }, notes = "${deaction.getLogicName()}${byParams}")
@RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}") @RequestMapping(method = RequestMethod.GET, value = "${fullPath}/{${itemCodeNameLC + keyCNLC}}")
...@@ -654,11 +655,16 @@ public class ${itemCodeName}Resource { ...@@ -654,11 +655,16 @@ public class ${itemCodeName}Resource {
@PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${permissionTag}')") @PreAuthorize("hasAnyAuthority('ROLE_SUPERADMIN','${permissionTag}')")
</#macro> </#macro>
<#comment>输出实体资源鉴权注解[hasAnyAuthority]</#comment>
<#macro outputHasPermissionAnnotation param1 param2>
//@PreAuthorize("hasPermission(${param1},'${param2}')")
</#macro>
<#comment>输出实体批处理权限注解[hasAnyAuthority]</#comment> <#comment>输出实体批处理权限注解[hasAnyAuthority]</#comment>
<#macro outputBatchPermissionAnnotation deAction deStorageMode> <#macro outputBatchPermissionAnnotation deAction deStorageMode>
<#if deAction=='Remove'> <#if deAction=='Remove'>
@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO,#ids})") //@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,this.permissionDTO,#ids})")
<#else> <#else>
@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dtos})") //@PreAuthorize("hasPermission('${deAction}',{'${deStorageMode}',this.${itemCodeNameLC}Mapping,#${itemCodeNameLC}dtos})")
</#if> </#if>
</#macro> </#macro>
SLN/%PUBPRJ%-util/src/main/java/%SYS_PKGPATH%/util/security/AuthPermissionEvaluator.java.ftl
浏览文件 @ 9e2009a8
...@@ -3,27 +3,16 @@ TARGET=PSSYSTEM ...@@ -3,27 +3,16 @@ TARGET=PSSYSTEM
</#ibiztemplate> </#ibiztemplate>
package ${pub.getPKGCodeName()}.util.security; package ${pub.getPKGCodeName()}.util.security;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import com.mongodb.QueryBuilder;
import ${pub.getPKGCodeName()}.util.annotation.DEField; import ${pub.getPKGCodeName()}.util.annotation.DEField;
import ${pub.getPKGCodeName()}.util.domain.DTOBase;
import ${pub.getPKGCodeName()}.util.domain.EntityBase; import ${pub.getPKGCodeName()}.util.domain.EntityBase;
import ${pub.getPKGCodeName()}.util.domain.MappingBase;
import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType; import ${pub.getPKGCodeName()}.util.enums.DEPredefinedFieldType;
import ${pub.getPKGCodeName()}.util.helper.DEFieldCacheMap; import ${pub.getPKGCodeName()}.util.helper.DEFieldCacheMap;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Lazy;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.query.BasicQuery;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils; import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
import javax.annotation.Resource;
import java.io.Serializable; import java.io.Serializable;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.util.*; import java.util.*;
...@@ -37,273 +26,71 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -37,273 +26,71 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
@Value("${r'${ibiz.enablePermissionValid:false}'}") @Value("${r'${ibiz.enablePermissionValid:false}'}")
boolean enablePermissionValid; //是否开启权限校验 boolean enablePermissionValid; //是否开启权限校验
/**
*实体主键标识
*/
private String keyFieldTag="keyfield";
@Resource
@Lazy
private MongoTemplate mongoTemplate;
/** /**
* 批处理权限检查[createBatch:updateBatch:removeBatch] * 实体行为鉴权
* @param authentication * @param authentication
* @param DEAction * @param entity
* @param params * @param action
* @return * @return
*/ */
@Override @Override
public boolean hasPermission(Authentication authentication, Object DEAction, Object params) { public boolean hasPermission(Authentication authentication, Object entity, Object action) {
//未开启权限校验、超级管理员则不进行权限检查 //未开启权限校验、超级管理员则不进行权限检查
if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid) if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid)
return true; return true;
List paramList = (ArrayList) params;
String deStorageMode= (String) paramList.get(0);
String action=String.valueOf(DEAction);
List<String> ids=null;
EntityBase entity;
List<EntityBase> entityList = null;
MappingBase mappingBase= (MappingBase) paramList.get(1);
//参数准备
if(action.equalsIgnoreCase("remove")){
entity= (EntityBase) mappingBase.toDomain(paramList.get(2));
ids= (List<String>) paramList.get(3);
}
else{
List<DTOBase> dtoList = (List<DTOBase>) paramList.get(2);
if(dtoList.size()==0)
return false;
entityList =mappingBase.toDomain(dtoList);
entity = (EntityBase) mappingBase.toDomain(dtoList.get(0));
}
if (entity==null)
return false;
Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action); String strAction=String.valueOf(action);
Set<String> entityDataRange = getAuthorities(authentication,strAction);
if(entityDataRange.size()==0) if(entityDataRange.size()==0)
return false; return false;
//拥有全部数据访问权限时,则跳过权限检查 //拥有全部数据访问权限时,则跳过权限检查
if(isAllData(action,entityDataRange)){ if(isAllData(strAction,entityDataRange)){
return true; return true;
} }
if(action.equalsIgnoreCase("create")){ if(entity instanceof ArrayList){
return createBatchActionPermissionValid(entityList,entityDataRange); List<EntityBase> entities= (List<EntityBase>) entity;
for(EntityBase entityBase: entities){
boolean result=actionValid(entityBase,entityDataRange);
if(!result){
return false;
} }
else if(action.equalsIgnoreCase("save")){
return saveBatchActionPermissionValid(deStorageMode, entityList, entityDataRange);
} }
else{
if(!action.equalsIgnoreCase("remove")){
ids=getIds(entity,entityList);
} }
if(ids.size()==0) else{
return false; EntityBase entityBase= (EntityBase) entity;
return otherBatchActionPermissionValidRouter(deStorageMode, entity ,ids, entityDataRange); return actionValid(entityBase,entityDataRange);
} }
return true;
} }
/**
* 实体行为权限检查 :用于检查当前用户是否拥有实体的新建、编辑、删除权限
*
* @param authentication
* @param id 当前操作数据的主键
* @param action 当前操作行为:如:[READUPDATEDELETE]
* @param params 相关参数
* @return true/false true则允许当前行为,false拒绝行为
*/
@Override @Override
public boolean hasPermission(Authentication authentication, Serializable id, String action, Object params) { public boolean hasPermission(Authentication authentication, Serializable id, String action, Object params) {
//未开启权限校验、超级管理员则不进行权限检查
if(AuthenticationUser.getAuthenticationUser().getSuperuser()==1 || !enablePermissionValid)
return true;
List paramList = (ArrayList) params;
String deStorageMode= (String) paramList.get(0);
MappingBase mappingBase= (MappingBase) paramList.get(1);
DTOBase dtoBase = (DTOBase) paramList.get(2);
EntityBase entity = (EntityBase) mappingBase.toDomain(dtoBase);
if (StringUtils.isEmpty(entity))
return false;
Set<String> entityDataRange = getAuthorities(authentication,entity.getClass().getSimpleName(),action);
if(entityDataRange.size()==0)
return false;
//拥有全部数据访问权限时,则跳过权限检查
if(isAllData(action,entityDataRange)){
return true; return true;
} }
if(action.equalsIgnoreCase("save")){
Map<String,String> permissionField=getPermissionField(entity);
String keyFieldName=permissionField.get(keyFieldTag);
Object srfKey=entity.get(keyFieldName);
if(ObjectUtils.isEmpty(srfKey))
action="create";
else
action="update";
}
if(action.equalsIgnoreCase("create")){
return createActionPermissionValid(entity,entityDataRange);
}
else{
return otherActionPermissionValidRouter(deStorageMode, entity, id, entityDataRange);
}
}
/** /**
* 获取用户权限资源 * 获取用户权限资源
* @param authentication * @param authentication
* @param entityName
* @param action * @param action
* @return * @return
*/ */
private Set<String> getAuthorities(Authentication authentication,String entityName,String action){ private Set<String> getAuthorities(Authentication authentication , String action){
Collection authorities=authentication.getAuthorities(); Collection authorities=authentication.getAuthorities();
Set<String> entityDataRange = new HashSet(); Set<String> entityDataRange = new HashSet();
Iterator var2 = authorities.iterator(); Iterator var2 = authorities.iterator();
while(var2.hasNext()) { while(var2.hasNext()) {
GrantedAuthority authority = (GrantedAuthority)var2.next(); GrantedAuthority authority = (GrantedAuthority)var2.next();
if(authority.getAuthority().contains(String.format("%s-%s-",entityName,action))) if(authority.getAuthority().contains(action))
entityDataRange.add(authority.getAuthority()); entityDataRange.add(authority.getAuthority());
} }
return entityDataRange; return entityDataRange;
} }
/**
* save校验
* @param deStorageMode
* @param entityList
* @param entityDataRange
* @return
*/
private boolean saveBatchActionPermissionValid(String deStorageMode, List<EntityBase> entityList, Set<String> entityDataRange) {
if(entityList==null || entityList.size()==0)
return false;
EntityBase tempEntity=entityList.get(0);
Map<String,String> permissionField=getPermissionField(tempEntity);
String keyFieldName=permissionField.get(keyFieldTag);
List createList=new ArrayList();
List<String> updateList =new ArrayList();
for(EntityBase entity : entityList){
Object id = entity.get(keyFieldName);
if(ObjectUtils.isEmpty(id))
createList.add(entity);
else
updateList.add(String.valueOf(id));
}
if(updateList.size()>0){
boolean isUpdate = otherBatchActionPermissionValidRouter(deStorageMode, tempEntity ,updateList, entityDataRange);
if(!isUpdate)
return false;
}
if(createList.size()>0){
boolean isCreate=createBatchActionPermissionValid(entityList,entityDataRange);
if(!isCreate)
return false;
}
return true;
}
/**
* 批处理新建权限校验
* @param entityList
* @param entityDataRange
* @return
*/
private boolean createBatchActionPermissionValid(List<EntityBase> entityList,Set<String> entityDataRange){
for(EntityBase entity : entityList){
boolean isCreate = createActionPermissionValid(entity ,entityDataRange);
if(!isCreate){
return false;
}
}
return true;
}
/**
* 批处理行为权限校验[get:update:delete]
* @param deStorageMode
* @param entity
* @param ids
* @param entityDataRange
* @return
*/
private boolean otherBatchActionPermissionValidRouter(String deStorageMode , EntityBase entity , List<String> ids , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlBatchPermissionValid(entity ,ids, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlBatchPermissionValid(entity, ids , entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
}
else {
throw new RuntimeException(String.format("未能识别实体对应存储模式[%s]",deStorageMode));
}
}
/**
* SQL批处理权限校验
* @param entity
* @param ids
* @param entityDataRange
* @return
*/
private boolean sqlBatchPermissionValid(EntityBase entity , List<String> ids, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
//通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND ( %s in (%s) ) ",getPermissionSQL(entity,entityDataRange),keyFieldName,getEntityKeyCond(ids)); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
if(list.size() == ids.size()){
return true;
}else{
return false;
}
}
/**
* NoSQL批处理权限校验
* @param entity
* @param ids
* @param entityDataRange
* @return
*/
private boolean noSqlBatchPermissionValid(EntityBase entity, List<String> ids, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键
permissionCond.and(keyFieldName).in(ids);
//执行权限检查
Query query = new BasicQuery(permissionCond.get().toString());
List list=mongoTemplate.find(query,entity.getClass());
if(list.size()==ids.size()){
return true;
}
else{
return false;
}
}
/** /**
* 是否为全部数据 * 是否为全部数据
* @param action * @param action
...@@ -320,14 +107,13 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -320,14 +107,13 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
} }
/** /**
* 新建行为校验 * 实体行为权限校验
* @param entity * @param entity
* @param entityDataRange * @param entityDataRange
* @return * @return
*/ */
private boolean createActionPermissionValid(EntityBase entity, Set<String> entityDataRange){ private boolean actionValid(EntityBase entity, Set<String> entityDataRange){
boolean isCreate=true;
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性 Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield"); String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield"); String orgDeptField=permissionField.get("orgsecfield");
...@@ -377,204 +163,8 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -377,204 +163,8 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
return false; return false;
} }
return isCreate;
}
/**
* 根据实体存储模式,进行鉴权
* @param deStorageMode
* @param entity
* @param id
* @param entityDataRange
* @return
*/
private boolean otherActionPermissionValidRouter(String deStorageMode, EntityBase entity , Object id , Set<String> entityDataRange){
if(deStorageMode.equalsIgnoreCase("sql")){
return sqlPermissionValid(entity , id, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("nosql")){
return noSqlPermissionValid(entity , id, entityDataRange);
}
else if(deStorageMode.equalsIgnoreCase("serviceapi")){
return true;
}
else {
throw new RuntimeException(String.format("未能识别[%s]实体对应存储模式[%s]",entity.getClass().getSimpleName(),deStorageMode));
}
}
/**
* sql存储模式实体行为鉴权
* @param entity
* @param id
* @param entityDataRange
* @return
*/
private boolean sqlPermissionValid(EntityBase entity , Object id, Set<String> entityDataRange){
ServiceImpl service= SpringContextHolder.getBean(String.format("%s%s",entity.getClass().getSimpleName(),"ServiceImpl"));//获取实体service对象
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
//通过权限表达式来获取sql
String permissionSQL= String.format(" (%s) AND (%s='%s')",getPermissionSQL(entity,entityDataRange),permissionField.get(keyFieldTag),id); //拼接权限条件-编辑
//执行sql进行权限检查
QueryWrapper permissionWrapper=getPermissionWrapper(permissionSQL);//构造权限条件
List list=service.list(permissionWrapper);
if(list.size()>0){
return true;
}else{
return false;
}
}
/**
* NoSQL实体行为鉴权
* @param entity
* @param id
* @param entityDataRange
* @return
*/
private boolean noSqlPermissionValid(EntityBase entity, Object id, Set<String> entityDataRange) {
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String keyField=permissionField.get(keyFieldTag);
//根据权限表达式填充权限条件
QueryBuilder permissionCond=getNoSqlPermissionCond(entity,entityDataRange);
//权限条件拼接主键
permissionCond.and(keyField).is(id);
//执行权限检查
Query query = new BasicQuery(permissionCond.get().toString());
List list=mongoTemplate.find(query,entity.getClass());
if(list.size()>0){
return true; return true;
} }
else{
return false;
}
}
/**
* NoSQL存储模式的表格查询填充权限条件
* @param entity
* @param entityDataRange
* @return
*/
private QueryBuilder getNoSqlPermissionCond( EntityBase entity ,Set<String> entityDataRange){
QueryBuilder permissionSQL=new QueryBuilder();
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield");
AuthenticationUser authenticationUser = AuthenticationUser.getAuthenticationUser();
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg");
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
for(String permissionCond:entityDataRange){
if(permissionCond.endsWith("curorg")){ //本单位
permissionSQL.or(new QueryBuilder().and(orgField).is(AuthenticationUser.getAuthenticationUser().getOrgid()).get());
}
else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgParent)).get());
}
else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.or(new QueryBuilder().and(orgField).in(formatStringArr(orgChild)).get());
}
else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.or(new QueryBuilder().and(createManField).is(AuthenticationUser.getAuthenticationUser().getUserid()).get());
}
else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).is(AuthenticationUser.getAuthenticationUser().getMdeptid()).get());
}
else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptParent)).get());
}
else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.or(new QueryBuilder().and(orgDeptField).in(formatStringArr(orgDeptChild)).get());
}
else if(permissionCond.endsWith("all")){
permissionSQL.or(new QueryBuilder().get());
}
}
return permissionSQL;
}
/**
* SQL获取权限条件
* @param entity
* @param entityDataRange
* @return
*/
private String getPermissionSQL(EntityBase entity, Set<String> entityDataRange){
Map<String,String> permissionField=getPermissionField(entity);//获取组织、部门预置属性
String nPermissionSQL = "1<>1";
String orgField=permissionField.get("orgfield");
String orgDeptField=permissionField.get("orgsecfield");
String createManField=permissionField.get("createmanfield");
StringBuffer permissionSQL=new StringBuffer();
AuthenticationUser authenticationUser = AuthenticationUser.getAuthenticationUser();
Map<String, Set<String>> userInfo = authenticationUser.getOrgInfo();
Set<String> orgParent = userInfo.get("parentorg");
Set<String> orgChild = userInfo.get("suborg");
Set<String> orgDeptParent = userInfo.get("parentdept");
Set<String> orgDeptChild = userInfo.get("subdept");
for(String permissionCond: entityDataRange){
permissionSQL.append("OR");
if(permissionCond.endsWith("curorg")){ //本单位
permissionSQL.append(String.format("(%s='%s')",orgField,AuthenticationUser.getAuthenticationUser().getOrgid()));
}
else if(permissionCond.endsWith("porg")){//上级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgParent)));
}
else if(permissionCond.endsWith("sorg")){//下级单位
permissionSQL.append(String.format(" %s in(%s) ", orgField, formatStringArr(orgChild)));
}
else if(permissionCond.endsWith("createman")){//建立人
permissionSQL.append(String.format("(%s='%s')",createManField,AuthenticationUser.getAuthenticationUser().getUserid()));
}
else if(permissionCond.endsWith("curorgdept")){//本部门
permissionSQL.append(String.format("(%s='%s')",orgDeptField,AuthenticationUser.getAuthenticationUser().getMdeptid()));
}
else if(permissionCond.endsWith("porgdept")){//上级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptParent)));
}
else if(permissionCond.endsWith("sorgdept")){//下级部门
permissionSQL.append(String.format(" %s in (%s) ", orgDeptField, formatStringArr(orgDeptChild)));
}
else if(permissionCond.endsWith("all")){//全部数据
permissionSQL.append("(1=1)");
}
else{
permissionSQL.append(nPermissionSQL);
}
}
if(StringUtils.isEmpty(permissionSQL.toString()))
return "";
String resultCond=parseResult(permissionSQL, "OR");
return resultCond;
}
/**
* 构造 wrapper
* @param whereCond
* @return
*/
private QueryWrapper getPermissionWrapper(String whereCond){
QueryWrapper permissionWrapper=new QueryWrapper();
if(!StringUtils.isEmpty(whereCond)){
permissionWrapper.apply(whereCond);
}
return permissionWrapper;
}
/** /**
* 获取实体权限字段 orgid/orgsecid * 获取实体权限字段 orgid/orgsecid
...@@ -627,65 +217,4 @@ public class AuthPermissionEvaluator implements PermissionEvaluator { ...@@ -627,65 +217,4 @@ public class AuthPermissionEvaluator implements PermissionEvaluator {
} }
return deFieldMap; return deFieldMap;
} }
/**
* 转换[a,b]格式字符串到 'a','b'格式
* @return
*/
private String formatStringArr(Set<String> array) {
String[] arr = array.toArray(new String[array.size()]);
return "'" + String.join("','", arr) + "'";
}
/**
* 格式转换
* @param cond
* @param operator
* @return
*/
private String parseResult(StringBuffer cond, String operator) {
String resultCond = cond.toString();
if (resultCond.startsWith(operator))
resultCond = resultCond.replaceFirst(operator, "");
if (resultCond.endsWith(operator))
resultCond = resultCond.substring(0, resultCond.lastIndexOf(operator));
return resultCond;
}
/**
* 转换[a,b]格式字符串到 'a','b'格式
*
* @return
*/
private String getEntityKeyCond(List<String> array) {
String[] arr = array.toArray(new String[array.size()]);
return "'" + String.join("','", arr) + "'";
}
/**
* 获取实体主键集合
* @param entityBase
* @param entityList
* @return
*/
private List<String> getIds(EntityBase entityBase ,List<EntityBase> entityList) {
List<String> entityKeyList=new ArrayList<>();
Map<String,String> permissionField=getPermissionField(entityBase);//获取组织、部门预置属性
String keyFieldName=permissionField.get(keyFieldTag);
if(StringUtils.isEmpty(keyFieldName))
return entityKeyList;
for(EntityBase entity: entityList){
Object objEntityKey = entity.get(keyFieldName);
if(!ObjectUtils.isEmpty(objEntityKey)){
entityKeyList.add(String.valueOf(objEntityKey));
}
}
return entityKeyList;
}
} }
\ No newline at end of file
Markdown 格式
0% or
您添加了 0 到此讨论。请谨慎行事。
先完成此消息的编辑!
想要评论请 注册