1. Implement the custom annotation class Auth
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface Auth {
String action() default ""; // permission value; matched against the permission values actually assigned in the database
String describe() default ""; // human-readable description of the permission
}
2. Write a custom interceptor AuthInterceptor that extends HandlerInterceptorAdapter and performs the permission check
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
public abstract class AuthInterceptor extends HandlerInterceptorAdapter {
private final Logger log = LoggerFactory.getLogger(AuthInterceptor.class);
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
// Non-controller handlers (static resources etc.) are not HandlerMethods; casting them blindly would throw
if (!(handler instanceof HandlerMethod)) {
return true;
}
HandlerMethod handlerMethod = (HandlerMethod) handler;
// Read @Auth from the annotated method, falling back to the controller class since @Target allows both
Auth auth = handlerMethod.getMethodAnnotation(Auth.class);
if (auth == null) {
auth = handlerMethod.getBeanType().getAnnotation(Auth.class);
}
if (auth == null) {
log.debug("cant find @Auth in this uri: {}", request.getRequestURI());
return true;
}
// TODO check whether the current user holds the permission auth.action() for this endpoint ...
return true;
}
}
3. Add the @Auth annotation to the endpoint
For example, we define the account-view action as action=account_query and add @Auth(action="account_query",describe="查看账号") to the corresponding method in the Controller:
@Auth(action="account_query",describe="查看账号")
@RequestMapping(value = "/accountList",method = RequestMethod.POST)
public Result<ResultPage<AccountListResp>> accountList(AccountListReq req) throws Exception {
log.debug("账号列表,请求参数: {}", req); // the {} placeholder is required, otherwise req is never logged
return new Result<ResultPage<AccountListResp>>().success(accountBiz.pageList(req));
}
This way, for every incoming request, any endpoint carrying @Auth has its action compared against the actions configured in our permission settings, giving a single, unified point of permission verification.
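The post leaves the actual check as a TODO and does not show how the interceptor is registered. The following is an added example, not code from the original post: a concrete interceptor that implements HandlerInterceptor directly (HandlerInterceptorAdapter is deprecated since Spring 5.3), resolves @Auth on the method or, failing that, on the controller class, compares the required action against the set of actions granted to the logged-in user, and rejects with 401/403 instead of letting the request through. It assumes the Auth annotation from section 1 is on the classpath, that login stores the user's granted actions as a Set<String> in the session attribute GRANTED_ACTIONS (an assumption; the post reads them from the database), and that the interceptor is mapped to /** (also an assumption). As on the page, endpoints without @Auth pass through unchecked, so the set of unannotated controller methods is worth auditing.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Resolves @Auth on the handler and compares its action with the actions granted to the session's user. */
public class SessionAuthInterceptor implements HandlerInterceptor {
    private static final Logger log = LoggerFactory.getLogger(SessionAuthInterceptor.class);
    // Assumed session attribute populated at login with the user's granted actions (not from the original post).
    static final String GRANTED_ACTIONS_ATTR = "GRANTED_ACTIONS";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws IOException {
        // Static resources and other non-controller handlers are not HandlerMethods; never cast blindly.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        Auth auth = resolveAuth((HandlerMethod) handler);
        if (auth == null) {
            // Same policy as the post: no annotation means no check.
            log.debug("no @Auth on {}, passing through", request.getRequestURI());
            return true;
        }
        HttpSession session = request.getSession(false); // do not create a session just to reject
        if (session == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        @SuppressWarnings("unchecked")
        Set<String> granted = (Set<String>) session.getAttribute(GRANTED_ACTIONS_ATTR);
        if (!isAllowed(auth.action(), granted)) {
            log.warn("denied action '{}' ({}) on {}", auth.action(), auth.describe(), request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }

    /** Method-level @Auth wins; otherwise fall back to the controller class, since @Target allows both. */
    static Auth resolveAuth(HandlerMethod handlerMethod) {
        Auth auth = handlerMethod.getMethodAnnotation(Auth.class);
        return auth != null ? auth : handlerMethod.getBeanType().getAnnotation(Auth.class);
    }

    /** Pure comparison, kept free of servlet types so it can be unit-tested without a container. */
    static boolean isAllowed(String requiredAction, Set<String> granted) {
        if (requiredAction == null || requiredAction.isEmpty()) {
            return false; // @Auth with the default empty action would otherwise guard nothing
        }
        Set<String> effective = granted == null ? Collections.emptySet() : granted;
        return effective.contains(requiredAction);
    }
}

/** Registration: without this the interceptor never runs. The /** pattern is an assumption. */
@Configuration
class AuthWebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SessionAuthInterceptor()).addPathPatterns("/**");
    }
}
```

With this in place, a request to /accountList from a session whose GRANTED_ACTIONS contains "account_query" reaches the controller, one without that entry gets 403, and one without a session gets 401; isAllowed can be exercised directly in a unit test with constructed sets such as Collections.singleton("account_query").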