在框架 DefaultSecurityFilterChain 的源码内打断点,可以找到 Spring Security 的过滤器链,其中可以看见一个叫 AuthorizationFilter 的过滤器。
很明显,这个叫 authorizationManager 的应该是我们要找的玩意。直接去 AuthorizationFilter 内找这个类,看它的源码可以发现 check 方法已经弃用,它推荐用的方法是 authorize,但这玩意的默认实现也还是调用的 check。
@FunctionalInterface
public interface AuthorizationManager<T> {
/**
* Determines if access should be granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check
* @throws AccessDeniedException if access is not granted
*/
default void verify(Supplier<Authentication> authentication, T object) {
    // Ask check() for the decision; this method only turns an explicit denial into an exception.
    final AuthorizationDecision outcome = check(authentication, object);
    // A null outcome (no decision could be made) passes through here exactly like a grant:
    // nothing is thrown. An implementation that must fail closed therefore has to return
    // an explicit denied decision instead of null.
    if (outcome == null || outcome.isGranted()) {
        return;
    }
    throw new AuthorizationDeniedException("Access Denied", outcome);
}
/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param object the {@link T} object to check
* @return an {@link AuthorizationDecision} or null if no decision could be made
* @deprecated please use {@link #authorize(Supplier, Object)} instead
*/
// The only abstract method visible in this excerpt: verify() and the default authorize()
// both delegate to it, so a custom manager has to implement it.
// @Nullable: a null return means "no decision could be made". verify() does not throw for
// null, so an implementation that wants deny-by-default should return an explicit
// decision rather than null.
@Nullable
@Deprecated
AuthorizationDecision check(Supplier<Authentication> authentication, T object);
/**
* Determines if access is granted for a specific authentication and object.
* @param authentication the {@link Supplier} of the {@link Authentication} to
* authorize
* @param object the {@link T} object to authorize
* @return an {@link AuthorizationResult}
* @since 6.4
*/
@Nullable
default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
    // Default bridge from the newer entry point to the deprecated check(): unless an
    // implementation overrides authorize(), the access decision is still made in check().
    // The result is passed through unchanged, including null.
    final AuthorizationResult result = check(authentication, object);
    return result;
}
继续往下面看,可以看见它先进行了校验,得到一个布尔值 granted,然后把它包装成 AuthorizationDecision 返回。
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
    // Resolve the supplied Authentication and let the configured strategy decide.
    // The secured object is not consulted, and the result is always an explicit
    // (non-null) decision wrapping the strategy's boolean answer.
    return new AuthorizationDecision(this.authorizationStrategy.isGranted(authentication.get()));
}
代码实现:逻辑大概是根据传进来的接口路径去匹配对应的权限。
@Component
public class DynamicAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
// Container-injected collaborator (@Resource). Presumably supplies the request-path to
// required-permission mapping this manager matches against; confirm against
// DynamicSecurityMetadataSource, which is not shown here.
@Resource
private DynamicSecurityMetadataSource securityMetadataSource;