前面我们都是通过判断当前用户的角色来判断权限的
接下来我们通过注解的形式
开启基于注解的方法级权限控制
@EnableGlobalMethodSecurity(prePostEnabled = true)
在application启动类或者在我们的securityConfig上配置。
创建一个PermissionCheckService
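@Service("permission")
public class PermissionCheckService {

    @Autowired
    private IUserService userService;

    /**
     * Decides whether the user behind the current request holds the admin role.
     * <p>
     * Referenced from method-security expressions such as
     * {@code @PreAuthorize("@permission.adminPermission()")}. Every failure
     * path returns {@code false} (deny) instead of throwing, so a missing
     * request context, missing token or unknown user all end in a 403 rather
     * than a 500.
     *
     * @return {@code true} only when a token cookie is present, the user is
     *         resolved by {@code userService.checkSobUser}, and the stored
     *         roles value equals {@code Constants.User.ROLE_ADMIN}
     */
    public boolean adminPermission() {
        // getRequestAttributes() is null outside a web request (e.g. a
        // scheduled task or a test); the unguarded cast used to NPE here.
        ServletRequestAttributes attributes =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attributes == null) {
            return false;
        }
        HttpServletRequest request = attributes.getRequest();
        HttpServletResponse response = attributes.getResponse();

        // No token cookie at all: deny without touching the user service.
        String token = CookieUtils.getCookie(request, Constants.User.COOKIE_TOKE_KEY);
        if (TextUtils.isEmpty(token)) {
            return false;
        }

        // checkSobUser presumably validates the token and loads the user
        // (the response is passed through, possibly to refresh the cookie —
        // confirm in IUserService). A null user or empty roles is "no permission".
        SobUser sobUser = userService.checkSobUser(request, response);
        if (sobUser == null || TextUtils.isEmpty(sobUser.getRoles())) {
            return false;
        }

        // Exact string match: if roles ever holds a composite value (e.g. a
        // comma-separated list) an admin would not be recognised here.
        // NOTE(review): assumes roles stores a single role — confirm against
        // how SobUser.roles is populated.
        return Constants.User.ROLE_ADMIN.equals(sobUser.getRoles());
    }
}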
权限控制
/**
 * Lists users page by page.
 * <p>
 * Guarded by the {@code permission} bean's {@code adminPermission()} check;
 * the {@code @PreAuthorize} only takes effect when
 * {@code @EnableGlobalMethodSecurity(prePostEnabled = true)} is configured.
 *
 * @param request  current request, handed through to the service
 * @param response current response, handed through to the service
 * @param page     page index requested by the client
 * @param size     page size requested by the client
 * @return whatever {@code userService.listUsers} produces for that page
 */
@PreAuthorize("@permission.adminPermission()")
@GetMapping("/list")
public ResponseResult listUsers(HttpServletRequest request, HttpServletResponse response,
                                @RequestParam("page") int page,
                                @RequestParam("size") int size) {
    ResponseResult result = userService.listUsers(request, response, page, size);
    return result;
}
403无权限访问处理
添加一个配置
/**
 * Routes HTTP 403 responses to the {@code /403} endpoint so a denied request
 * receives the JSON body produced there rather than the container's default
 * HTML error page.
 */
@Configuration
public class ErrorPageConfig implements ErrorPageRegistrar {

    /** Path serving the forbidden response; must match the controller mapping. */
    private static final String FORBIDDEN_PATH = "/403";

    @Override
    public void registerErrorPages(ErrorPageRegistry registry) {
        ErrorPage forbidden = new ErrorPage(HttpStatus.FORBIDDEN, FORBIDDEN_PATH);
        registry.addErrorPages(forbidden);
    }
}
提供一个处理403的controller，把状态码转成JSON返回
/**
 * Serves the 403 error as a JSON body carrying
 * {@code ResponseState.ACCOUNT_FORBID}; reached through the error page
 * registered for {@code HttpStatus.FORBIDDEN}.
 *
 * @return a failed result describing the forbidden state
 */
@GetMapping("/403")
@ResponseBody
public ResponseResult page403() {
    return new ResponseResult(ResponseState.ACCOUNT_FORBID);
}