
权限控制

wuheng 1 年之前
父节点
当前提交
ddfd010e0b

+ 7 - 0
travel/admin/src/main/java/com/lc/admin/config/SecurityConfig.java

@@ -2,6 +2,7 @@ package com.lc.admin.config;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -12,6 +13,7 @@ import javax.annotation.Resource;
 
 @Configuration
 @EnableWebSecurity
+@EnableGlobalMethodSecurity( prePostEnabled = true )
 public class SecurityConfig {
 
     @Resource
@@ -39,6 +41,7 @@ public class SecurityConfig {
                         "/login.html",
                         "/login.do",
                         "/logout.do",
+                        "/403.html",
                         "/static/**"
                 ).permitAll()
                 //其他请求  全部必须登录才能访问
@@ -46,6 +49,10 @@ public class SecurityConfig {
                 //结束权限配置
                 .and();
 
+        and.exceptionHandling()
+                .authenticationEntryPoint(  new TravelAuthenticationEntryPoint() )
+                        .accessDeniedHandler( new TravelAccessDeniedHandler() );
+
         and.addFilterBefore( securityFilter, UsernamePasswordAuthenticationFilter.class);
 
         return and.build();
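Review bot: `@EnableGlobalMethodSecurity(prePostEnabled = true)` is what makes the new `@PreAuthorize` checks in the controllers effective, but from Spring Security 5.6 it is deprecated in favour of `@EnableMethodSecurity`, which enables pre/post annotations by default; the Spring Security version is not visible in this commit, so confirm it before switching. In the last hunk `TravelAuthenticationEntryPoint` and `TravelAccessDeniedHandler` are instantiated with `new` inside the config method; exposing them as `@Bean`s instead would let them be replaced in tests, but that is a matter of style. A short comment above the `exceptionHandling()` call would help the next reader, e.g. `// unauthenticated -> entry point (login/403), authenticated but lacking authority -> access denied handler`. The method that builds the filter chain starts before this hunk, so the surrounding `and` variable and the `permitAll()` list are only partly visible here.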

+ 14 - 2
travel/admin/src/main/java/com/lc/admin/config/SecurityFilter.java

@@ -1,7 +1,10 @@
 package com.lc.admin.config;
 
 import com.cl.mbg.model.TUser;
+import com.lc.pojo.LoginUser;
+import com.lc.pojo.PermissionPojo;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
@@ -13,6 +16,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Objects;
 
 @Component
@@ -32,11 +37,18 @@ public class SecurityFilter extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         HttpSession session = request.getSession(true);
-        TUser user = (TUser) session.getAttribute("user");
+        LoginUser user = (LoginUser) session.getAttribute("user");
         SecurityContext context = SecurityContextHolder.getContext();
         if (Objects.nonNull(user)) {
+            List<PermissionPojo> permission = user.getPermission();
+            ArrayList<SimpleGrantedAuthority> objects = new ArrayList<>();
+            for ( PermissionPojo userPermission: permission ) {
+                SimpleGrantedAuthority authority = new SimpleGrantedAuthority(userPermission.getKeyword());
+                objects.add( authority );
+            }
             UsernamePasswordAuthenticationToken AuthenticationToken =
-                    new UsernamePasswordAuthenticationToken( user.getUsername(), null, null );
+                    new UsernamePasswordAuthenticationToken( user.getUser().getUsername(),
+                            null, objects );
             context.setAuthentication( AuthenticationToken );
         } else {
             SecurityContextHolder.clearContext();
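Review bot: `user.getPermission()` is iterated without a null check; `LoginUser` is a plain Lombok holder whose `Permission` field is only populated in `UsersServiceImpl.login`, so a `LoginUser` placed in the session by any other path would fail this filter with a NullPointerException and turn every request into a 500 rather than into an empty authority set. A guard such as `List<PermissionPojo> permission = user.getPermission() == null ? new ArrayList<>() : user.getPermission();` keeps the filter total. The session attribute is now cast to `LoginUser`, so any session that predates this deployment and still holds a `TUser` under `"user"` will presumably throw a ClassCastException at that cast until it expires; catching that case and clearing the attribute would make the rollout smoother. Style-wise, `objects` and the capitalised local `AuthenticationToken` are better named `authorities` / `authenticationToken`, and the local can be typed `List<GrantedAuthority>` rather than `ArrayList<SimpleGrantedAuthority>`. `doFilterInternal` continues past the end of this hunk.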

+ 31 - 0
travel/admin/src/main/java/com/lc/admin/config/TravelAccessDeniedHandler.java

@@ -0,0 +1,31 @@
+package com.lc.admin.config;
+
+import com.alibaba.fastjson2.JSON;
+import com.lc.common.utils.Result;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+public class TravelAccessDeniedHandler implements AccessDeniedHandler{
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        String accept = request.getHeader("Accept");
+        if ( accept.contains("application/json") ) {
+            response.addHeader("Content-Type", "application/json");
+            response.addHeader("Keep-Alive", "timeout=0");
+            response.setCharacterEncoding("UTF-8");
+            PrintWriter writer = response.getWriter();
+            writer.println(
+                    JSON.toJSONString(Result.fail("权限不足"))
+            );
+            writer.flush();
+        } else {
+            response.sendRedirect("/403.html");
+        }
+    }
+}
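Review bot: `accept.contains("application/json")` throws a NullPointerException when the request carries no `Accept` header, and the JSON branch never sets a response status, so a denied API call is answered with `200 OK` plus a failure body that any client checking the status code will treat as success. The same two gaps exist in `TravelAuthenticationEntryPoint.commence` in this commit, where the status should be `SC_UNAUTHORIZED` instead. Null-check the header and set the status explicitly; `setContentType("application/json;charset=UTF-8")` also replaces the `addHeader("Content-Type", …)` plus `setCharacterEncoding` pair. The `Keep-Alive: timeout=0` header is unusual in a response — presumably meant to close the connection; if that is really wanted, `Connection: close` is the documented way, otherwise it can be dropped.
```java
String accept = request.getHeader("Accept");
if (accept != null && accept.contains("application/json")) {
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    response.setContentType("application/json;charset=UTF-8");
    // … unchanged: write JSON.toJSONString(Result.fail("权限不足")) and flush …
} else {
    response.sendRedirect("/403.html");
}
```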

+ 38 - 0
travel/admin/src/main/java/com/lc/admin/config/TravelAuthenticationEntryPoint.java

@@ -0,0 +1,38 @@
+package com.lc.admin.config;
+
+import com.alibaba.fastjson2.JSON;
+import com.lc.common.utils.Result;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+public class TravelAuthenticationEntryPoint implements AuthenticationEntryPoint {
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+
+        String accept = request.getHeader("Accept");
+
+        if ( accept.contains("application/json") ) {
+            response.addHeader("Content-Type", "application/json");
+            response.addHeader("Keep-Alive", "timeout=0");
+            response.setCharacterEncoding("UTF-8");
+            PrintWriter writer = response.getWriter();
+            writer.println(
+                    JSON.toJSONString(Result.fail("您需要登录"))
+            );
+            writer.flush();
+        } else {
+            String requestURI = request.getRequestURI();
+            if ( requestURI.equals("/") ) {
+                response.sendRedirect("/login.html");
+            } else {
+                response.sendRedirect("/403.html");
+            }
+        }
+    }
+}
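Review bot: The non-JSON branch redirects every unauthenticated request whose URI is not exactly `/` to `/403.html`, although this entry point runs precisely when no authentication is present (the JSON branch itself says `您需要登录`); a user whose session expired while on any inner page therefore lands on the "no permission" page instead of the login form. Sending both cases to the login page, `response.sendRedirect("/login.html");`, matches what the handler is for, and the original URI could be carried along as a parameter if a post-login return is wanted. Both redirects are absolute paths, so if the application is ever deployed under a context path they would need `request.getContextPath() + "/login.html"` — not visible here whether that applies. The missing null check on `Accept` and the missing `401` status are the same issues noted on `TravelAccessDeniedHandler` in this commit.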

+ 5 - 0
travel/admin/src/main/java/com/lc/admin/controller/StaticController.java

@@ -61,4 +61,9 @@ public class StaticController {
         return "report_member";
     }
 
+    @RequestMapping("/403.html")
+    public String denied(){
+        return "403";
+    }
+
 }
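Review bot: `@RequestMapping("/403.html")` matches every HTTP method; for a static error page that both handlers reach via `sendRedirect` (a GET), `@GetMapping("/403.html")` is the more precise choice and documents the intent. The other mappings in this controller are outside the hunk, so I cannot tell which form they use — keep it consistent with them. A one-line Javadoc such as `/** Renders the "no permission" page that the security handlers redirect to. */` would also tie the view name `403` back to the template.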

+ 3 - 0
travel/admin/src/main/java/com/lc/admin/controller/TravelItemController.java

@@ -4,6 +4,7 @@ import com.cl.mbg.model.TTravelitem;
 import com.lc.common.pojo.TravelParams;
 import com.lc.common.utils.Result;
 import com.lc.service.TravelItemService;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -28,11 +29,13 @@ public class TravelItemController {
         return Result.ok("恭喜您自由行添加成功!!!");
     }
 
+    @PreAuthorize("hasAuthority('TRAVELITEM_QUERY')")
     @PostMapping("/findPage.do")
     public Result findPage(@RequestBody TravelParams travelParams){
         return Result.data( travelItemService.findPage(travelParams) );
     }
 
+    @PreAuthorize("hasAuthority('TRAVELITEM_DELETE')")
     @GetMapping("/delete.do")
     public Result delete(int id){
         int i = travelItemService.deleteById(id);
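Review bot: Only `findPage` and `delete` receive `@PreAuthorize`; the add endpoint whose body ends just above the first annotation (its own annotations sit above the hunk, so this is inferred) and any other handlers in this controller keep the previous any-logged-in-user access. If the intent is that every travel-item operation is permission-gated, the add/update paths need a matching annotation with whichever keyword exists in `t_permission` — e.g. `@PreAuthorize("hasAuthority('TRAVELITEM_ADD')")` (keyword name constructed here). A short comment at the first annotation would document the scheme for the next reader: `// authority keywords are t_permission.keyword values, loaded into the session at login by PermissionDao.getUserPermission`. The `delete` method continues past the end of the hunk.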

+ 4 - 3
travel/admin/src/main/java/com/lc/admin/controller/UserController.java

@@ -2,6 +2,7 @@ package com.lc.admin.controller;
 
 import com.cl.mbg.model.TUser;
 import com.lc.common.utils.Result;
+import com.lc.pojo.LoginUser;
 import com.lc.service.UsersService;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
@@ -26,7 +27,7 @@ public class UserController {
             @RequestParam String password,
             HttpServletRequest request,
             HttpServletResponse response) throws IOException {
-        TUser user = null;
+        LoginUser user = null;
         try {
             user = usersService.login(username, password);
         } catch (Exception e) {
@@ -52,8 +53,8 @@ public class UserController {
     @ResponseBody
     @GetMapping("/user/getUsername.do")
     public Result getUsername( HttpSession session ){
-        TUser user = (TUser) session.getAttribute("user");
-        return Result.data( user );
+        LoginUser user = (LoginUser) session.getAttribute("user");
+        return Result.data( user.getUser() );
     }
 
 }
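Review bot: `Result.data( user.getUser() )` serialises the whole `TUser` entity to the browser; `UsersServiceImpl.login` compares the stored password hash presumably read from that same entity, so unless `TUser` excludes that field from JSON, the hash and every other column leave the server from an endpoint that, by its name, only needs the username. The previous line had the same exposure with `TUser` directly, so this is not introduced by the commit, but the rewrite is the place to narrow it: `return Result.data( user.getUser().getUsername() );` if the page only needs the name, or a small DTO otherwise. The cast result is dereferenced without a null check; since the security config states that all other requests require login this is presumably unreachable, but a guard keeps a stale session from becoming a 500.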

+ 3 - 1
travel/admin/src/main/resources/templates/403.html

@@ -5,6 +5,8 @@
     <title>Title</title>
 </head>
 <body>
-  没有权限
+<hr />
+<h1>没有权限</h1>
+<hr />
 </body>
 </html>

+ 6 - 0
travel/dao/pom.xml

@@ -21,6 +21,12 @@
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>com.cl.mbg</groupId>
+            <artifactId>mbg</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 
 </project>

+ 9 - 0
travel/dao/src/main/java/com/lc/dao/PermissionDao.java

@@ -0,0 +1,9 @@
+package com.lc.dao;
+
+import com.lc.pojo.PermissionPojo;
+
+import java.util.List;
+
+public interface PermissionDao {
+    List<PermissionPojo> getUserPermission(int uid);
+}
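Review bot: `getUserPermission` has no Javadoc, and its contract can only be recovered from the mapper XML in this commit (user → `t_user_role` → `t_role_permission` → `t_permission`). Suggest `/** Returns the permission keywords granted to user {@code uid} through all of its roles; empty when the user has none. */` above the method, and a class-level line noting that the mapper lives in `com/lc/dao/PermissionDao.xml`.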

+ 12 - 0
travel/dao/src/main/java/com/lc/pojo/LoginUser.java

@@ -0,0 +1,12 @@
+package com.lc.pojo;
+
+import com.cl.mbg.model.TUser;
+import lombok.Data;
+
+import java.util.List;
+
+@Data
+public class LoginUser {
+    TUser user;
+    List<PermissionPojo> Permission;
+}
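Review bot: The two fields carry no access modifier, so they are package-private next to the Lombok-generated accessors, and `Permission` breaks the lowerCamelCase convention used by `user` (Lombok still emits `getPermission()`, which is why the callers compile). Suggest `private TUser user;` and `private List<PermissionPojo> permission;`. The object is stored as a session attribute; if sessions are ever persisted or replicated it would need to be `Serializable` — not visible here whether that applies, so a note on the class documenting that it is the session login record would be useful either way.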

+ 8 - 0
travel/dao/src/main/java/com/lc/pojo/PermissionPojo.java

@@ -0,0 +1,8 @@
+package com.lc.pojo;
+
+import lombok.Data;
+
+@Data
+public class PermissionPojo {
+    private String keyword;
+}

+ 15 - 0
travel/dao/src/main/resources/com/lc/dao/PermissionDao.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+<mapper namespace="com.lc.dao.PermissionDao">
+
+    <select id="getUserPermission" resultType="com.lc.pojo.PermissionPojo">
+        SELECT keyword FROM t_permission WHERE id IN
+           (
+               SELECT permission_id FROM t_role_permission WHERE role_id IN
+                     (
+                         SELECT role_id FROM t_user_role WHERE user_id = #{uid}
+                     )
+           )
+    </select>
+
+</mapper>
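Review bot: The query returns one row per (role, permission) pair, so a user holding two roles that share a permission gets the same keyword twice and the filter builds duplicate authorities; `SELECT DISTINCT keyword FROM t_permission WHERE id IN` removes that at the source. The parameter is bound with `#{uid}`, i.e. as a prepared-statement parameter, which is the right form here. The three nested `IN` subqueries could also be written as two joins, but that is a matter of style unless the tables are large.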

+ 2 - 1
travel/service/src/main/java/com/lc/service/UsersService.java

@@ -1,7 +1,8 @@
 package com.lc.service;
 
 import com.cl.mbg.model.TUser;
+import com.lc.pojo.LoginUser;
 
 public interface UsersService {
-    TUser login(String username, String password) throws Exception;
+    LoginUser login(String username, String password) throws Exception;
 }
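Review bot: `login` has no Javadoc, and its contract is only discoverable from the implementation in this commit: it returns `null` when the password does not match and declares a bare `throws Exception`. Suggest documenting the return and failure modes, e.g. `/** Authenticates {@code username}/{@code password}; returns the user together with its permission keywords, or {@code null} when the credentials do not match. */` plus an `@throws` line describing what the implementation actually throws, and narrowing `throws Exception` to that type when the signature is next touched.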

+ 16 - 2
travel/service/src/main/java/com/lc/service/impl/UsersServiceImpl.java

@@ -4,6 +4,9 @@ import cn.hutool.crypto.SecureUtil;
 import com.cl.mbg.mapper.TUserMapper;
 import com.cl.mbg.model.TUser;
 import com.cl.mbg.model.TUserExample;
+import com.lc.dao.PermissionDao;
+import com.lc.pojo.LoginUser;
+import com.lc.pojo.PermissionPojo;
 import com.lc.service.UsersService;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
@@ -17,11 +20,14 @@ public class UsersServiceImpl implements UsersService {
     @Resource
     TUserMapper userMapper;
 
+    @Resource
+    PermissionDao permissionDao;
+
     @Value("${user.password.salt}")
     String salt;
 
     @Override
-    public TUser login(String username, String password) throws Exception {
+    public LoginUser login(String username, String password) throws Exception {
         TUserExample tUserExample = new TUserExample();
         tUserExample.createCriteria().andUsernameEqualTo( username );
         List<TUser> tUsers = userMapper.selectByExample(tUserExample);
@@ -39,7 +45,15 @@ public class UsersServiceImpl implements UsersService {
         );
         //System.out.println( "用户密码" + pwd );
         if ( pwd.equals( userPassword ) ) {
-            return user;
+
+            List<PermissionPojo> userPermission =
+                    permissionDao.getUserPermission(user.getId());
+
+            LoginUser loginUser = new LoginUser();
+            loginUser.setUser(user);
+            loginUser.setPermission(userPermission);
+
+            return loginUser;
         }
         return null;
     }
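Review bot: The new `permissionDao` field is package-private like the existing `userMapper`; `@Resource` injection works on `private` fields, so `private PermissionDao permissionDao;` keeps the collaborator from being reachable from the package. In the last hunk the blank line directly after `if ( pwd.equals( userPassword ) ) {` and the commented-out password printout just above it are leftovers worth removing — a commented-out `System.out.println` of a password value is exactly the kind of line that gets uncommented during debugging. `login` starts in the previous hunk and its `return null` for a wrong password is unchanged, so callers still receive a null `LoginUser` rather than an exception; the permission list is loaded once here and cached in the session, which is worth a comment because permission changes only take effect at the next login.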