Spring Boot Security integration series: steps and troubleshooting (16) - dynamic authorization management

1. Create the RbacService interface:

/**
 * Project authorization service interface
 *
 * @author zhaohaibin
 */
public interface RbacService {

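    /**
     * Permission check
     *
     * @param request        the current HTTP request
     * @param authentication the authentication of the current user
     * @return true if the request is permitted, false otherwise
     */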
    boolean hasPermission(HttpServletRequest request, Authentication authentication);

}

2. Implement RbacService:

/**
 * Project authorization service interface implementation
 *
 * @author zhaohaibin
 */
@Component("rbacService")
public class RbacServiceImpl implements RbacService {

    private AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        Object principal = authentication.getPrincipal();

        boolean hasPermission = false;

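        if (principal instanceof UserDetails) {
            // If the username is admin, always return true
            if (StringUtils.equals(((UserDetails) principal).getUsername(), ISysConstants.S_SYSTEM_SUPER_ADMIN)) {
                hasPermission = true;
            } else if (principal instanceof SystemUserDto) {
                // Read all URLs the user is authorized for; any other UserDetails
                // type is denied instead of failing with a ClassCastException
                Set<String> urls = ((SystemUserDto) principal).getUrls();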
                for (String url : urls) {
                    if (antPathMatcher.match(SecurityConstants.DEFAULT_PROJECT_NAME_URL + url, request.getRequestURI())) {
                        hasPermission = true;
                        break;
                    }
                }
            }
        }

        return hasPermission;
    }

}

Here SystemUserDto extends SystemUserPojo, and SystemUserPojo implements UserDetails.

Update the loadUserByUsername method so that it returns a SystemUserDto:

@Override
public SystemUserDto loadUserByUsername(String userName) throws UsernameNotFoundException{...}
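
An added example, not code from the original post: the decision made by hasPermission in step 2, reduced to a stand-alone class so the effect of the stored URL patterns can be checked on constructed requests. DemoUser, the "/demo" prefix and the "admin" name are assumptions standing in for SystemUserDto, SecurityConstants.DEFAULT_PROJECT_NAME_URL and ISysConstants.S_SYSTEM_SUPER_ADMIN; it needs spring-core on the classpath.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.util.AntPathMatcher;

public class RbacDecisionDemo {
    static final String PREFIX = "/demo";      // assumed value of DEFAULT_PROJECT_NAME_URL
    static final String SUPER_ADMIN = "admin"; // assumed value of S_SYSTEM_SUPER_ADMIN
    static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Hypothetical stand-in for SystemUserDto: a user name plus granted URL patterns. */
    static final class DemoUser {
        final String username;
        final Set<String> urls;
        DemoUser(String username, String... urls) {
            this.username = username;
            this.urls = new LinkedHashSet<>(Arrays.asList(urls));
        }
    }

    /** Same decision as hasPermission in step 2, denying any unexpected principal. */
    static boolean hasPermission(String requestUri, Object principal) {
        // An unauthenticated request carries the String "anonymousUser" as principal
        if (!(principal instanceof DemoUser)) return false;
        DemoUser user = (DemoUser) principal;
        if (SUPER_ADMIN.equals(user.username)) return true;
        for (String url : user.urls) {
            if (MATCHER.match(PREFIX + url, requestUri)) {
                return true;
            }
        }
        return false; // no granted pattern matched
    }

    /** Fails loudly if the decision differs from what the pattern rules predict. */
    static void expect(boolean wanted, String uri, Object principal) {
        boolean got = hasPermission(uri, principal);
        if (got != wanted) throw new AssertionError(uri + " -> " + got);
        System.out.println((got ? "ALLOW " : "DENY  ") + uri);
    }

    public static void main(String[] args) {
        DemoUser alice = new DemoUser("alice", "/user/*", "/report/**"); // constructed sample
        expect(true, "/demo/user/42", alice);                  // '*' matches one path segment
        expect(false, "/demo/user/42/roles", alice);           // '*' does not span '/'
        expect(true, "/demo/report/2020/q1.pdf", alice);       // '**' spans any depth
        expect(false, "/user/42", alice);                      // the prefix is part of the pattern
        expect(true, "/demo/anything", new DemoUser("admin")); // super admin short-circuit
        expect(false, "/demo/user/42", "anonymousUser");       // non-user principal is denied
    }
}
```

Because the check compares only the request URI, a granted pattern permits every HTTP method on the matching path.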

3. Reference the rbacService bean (update MyAuthorizeConfigProvider):

/**
 * Project authorization configuration
 *
 * @author zhaohaibin
 */
@Component
@Order(Integer.MAX_VALUE)
public class MyAuthorizeConfigProvider implements AuthorizeConfigProvider {
    @Override
    public void config(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry config) {

//        config.antMatchers("/user").hasRole("ADMIN");

        config.anyRequest().access("@rbacService.hasPermission(request,authentication)");

    }
}

4. Because config.anyRequest() must be executed last, the @Order annotation is added, and DemoAuthorizeConfigManager and DemoAuthorizeConfigProvider are updated:
DemoAuthorizeConfigManager:

        // All other requests require authentication
//        config.anyRequest().authenticated();

DemoAuthorizeConfigProvider:

@Component
@Order(Integer.MIN_VALUE)
public class DemoAuthorizeConfigProvider implements AuthorizeConfigProvider {...}

Troubleshooting:
None yet.

Origin blog.csdn.net/u012382791/article/details/105285200