1.springmvc配置文件中配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">

    <!-- Annotation-based request mapping support (@Controller / @RequestMapping). -->
    <mvc:annotation-driven />

    <!-- Load SpringSwaggerConfig into the Spring container. -->
    <bean class="com.mangofactory.swagger.configuration.SpringSwaggerConfig" />

    <!-- Load the project's own swagger configuration class into the Spring container. -->
    <bean class="com.aisino.qysds.common.util.SwaggerConfig" />

    <!-- Static resources served by Spring MVC's resource handler.
         NOTE(review): the interceptor mapping "/**" below also matches these paths, so
         requests for them reach AuthorityAnnotationInterceptor with a handler that is not a
         HandlerMethod; the interceptor has to pass such handlers through rather than cast. -->
    <mvc:resources mapping="/api-doc/**" location="/api-doc/" />
    <mvc:resources mapping="/js/**" location="/js/" />

    <!-- Package scanned for annotated controller beans. -->
    <context:component-scan base-package="com.controller"/>

    <!-- Let the JSON converter answer text/html and text/plain so IE does not offer the
         AJAX JSON response as a file download.
         NOTE(review): declared as a standalone bean; confirm it is actually applied, since
         <mvc:annotation-driven> only uses converters listed under <mvc:message-converters>.
         Serving JSON under text/html lets a browser render the body as HTML, so keep
         untrusted data out of such responses or prefer application/json where IE is not a concern. -->
    <bean id="mappingJacksonHttpMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
        <property name="supportedMediaTypes">
            <list>
                <value>text/html;charset=UTF-8</value>
                <value>text/plain;charset=UTF-8</value>
                <!-- <value>application/x-www-form-urlencoded;charset=UTF-8</value> -->
            </list>
        </property>
    </bean>

    <!-- Authorization interceptor: applied to every request path. The bean class is given
         without a package, matching the interceptor source, which has no package declaration. -->
    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**"/>
            <bean class="AuthorityAnnotationInterceptor"/>
        </mvc:interceptor>
    </mvc:interceptors>

    <!-- Enable @AspectJ-style auto-proxying. -->
    <aop:aspectj-autoproxy />
</beans>
2.自定义拦截器,实现HandlerInterceptor接口或继承HandlerInterceptorAdapter(下例继承HandlerInterceptorAdapter)
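import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import com.alibaba.fastjson.JSON;

/**
 * Enforces {@link Authority} declarations before a controller method is invoked.
 *
 * <p>Resolution: a method-level {@code @Authority} replaces (does not combine with) a
 * class-level one. A handler with no annotation is open. Otherwise the caller is allowed when
 * the role-id list stored in the session under {@link #ROLE_ATTRIBUTE} contains the id of at
 * least one required {@link AuthorityType}; a failed check answers 403 with a plain-text body.
 *
 * <p>Handlers that are not controller methods (for example the static resources registered
 * with {@code <mvc:resources>}, which the {@code /**} interceptor mapping also covers) are
 * passed through unchanged instead of failing the cast to {@link HandlerMethod}.
 */
public class AuthorityAnnotationInterceptor extends HandlerInterceptorAdapter {

    /** Session attribute the login flow is expected to populate with a List of role ids. */
    static final String ROLE_ATTRIBUTE = "用户权限";

    final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Decides whether the current request may proceed to {@code handler}.
     *
     * @param request  current request; its existing session (if any) supplies the role ids
     * @param response receives a 403 "没有权限" body when the check fails
     * @param handler  the resolved handler; only {@link HandlerMethod}s are checked
     * @return {@code true} to continue the chain, {@code false} after the denial was written
     * @throws Exception if writing the denial response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Non-controller handlers carry no @Authority; an unconditional cast to HandlerMethod
        // would throw ClassCastException for them, so let them through.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        Authority authority = resolveAuthority((HandlerMethod) handler);
        if (authority == null) {
            // No permission declared: open endpoint.
            return true;
        }
        // Placeholder added: the original call had no "{}", so the argument was never logged.
        logger.debug("fireAuthority {}", authority);

        // getSession(false): do not create a session merely to learn the caller has none.
        HttpSession session = request.getSession(false);
        List<String> roles = session == null ? null : rolesFrom(session);
        boolean allowed = roles != null && hasRequiredRole(roles, authority);
        if (!allowed) {
            deny(response);
        }
        return allowed;
    }

    /** Returns the effective annotation: the method's if present, else the bean class's, else null. */
    private static Authority resolveAuthority(HandlerMethod handlerMethod) {
        Authority onMethod = handlerMethod.getMethodAnnotation(Authority.class);
        if (onMethod != null) {
            return onMethod;
        }
        // getAnnotation already returns null when the class is not annotated.
        return handlerMethod.getBeanType().getAnnotation(Authority.class);
    }

    /** Reads the role-id list from the session, or null when absent or not a List. */
    @SuppressWarnings("unchecked")
    private static List<String> rolesFrom(HttpSession session) {
        Object attribute = session.getAttribute(ROLE_ATTRIBUTE);
        // The element type cannot be verified at runtime; the code that stores the attribute
        // owns that contract, hence the narrowed unchecked suppression here.
        return attribute instanceof List ? (List<String>) attribute : null;
    }

    /** True when {@code roles} contains the id of at least one required authority type. */
    private static boolean hasRequiredRole(List<String> roles, Authority authority) {
        for (AuthorityType type : authority.authorityTypes()) {
            if (roles.contains(type.getId())) {
                return true;
            }
        }
        return false;
    }

    /** Writes the denial: 403 rather than an implicit 200, with UTF-8 so the message is not garbled. */
    private static void deny(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("没有权限");
    }
}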
3.自定义权限注解
import java.lang.annotation.Documented; import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; //支持在类和方法上 @Target({ElementType.TYPE,ElementType.METHOD}) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface Authority { AuthorityType[] authorityTypes(); }
4.权限枚举
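/**
 * Role levels that an {@link Authority} annotation can require.
 *
 * <p>The {@code id} is what AuthorityAnnotationInterceptor compares against the role ids kept
 * in the user's session, so it must not be changeable at runtime: the fields are final and the
 * former setters reject mutation. Enum constants are shared singletons; a mutable id on one
 * would silently change authorization decisions for every request.
 */
public enum AuthorityType {
    ONE("一级", "1"),
    TWO("二级", "2"),
    THREE("三级", "3");

    /** Human-readable level name. */
    private final String name;
    /** Identifier matched against the session's role-id list. */
    private final String id;

    AuthorityType(String name, String id) {
        this.name = name;
        this.id = id;
    }

    /** @return the display name of this level */
    public String getName() {
        return name;
    }

    /**
     * Kept for source compatibility only.
     *
     * @param name ignored
     * @throws UnsupportedOperationException always; authority levels are immutable
     * @deprecated authority levels are constants and cannot be renamed at runtime
     */
    @Deprecated
    public void setName(String name) {
        throw new UnsupportedOperationException("AuthorityType is immutable");
    }

    /** @return the id compared against the caller's role ids */
    public String getId() {
        return id;
    }

    /**
     * Kept for source compatibility only.
     *
     * @param id ignored
     * @throws UnsupportedOperationException always; authority ids are immutable
     * @deprecated authority ids are constants and cannot be changed at runtime
     */
    @Deprecated
    public void setId(String id) {
        throw new UnsupportedOperationException("AuthorityType is immutable");
    }
}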
5.控制器Controller
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Sample controller demonstrating class- and method-level {@link Authority} requirements.
 *
 * <p>The class requires {@code ONE}. The {@code test} method declares {@code TWO}, and
 * AuthorityAnnotationInterceptor takes a method-level annotation in place of the class-level
 * one, so a caller of {@code GET /test/allow/test} needs role id "2"; role id "1" alone is not
 * sufficient for that endpoint.
 */
@Authority(authorityTypes = AuthorityType.ONE)
@RequestMapping("/test/allow")
@Controller
public class TestController extends BaseController {

    /**
     * Handles {@code GET /test/allow/test}.
     *
     * @return always {@code true}; the interesting behaviour is the authorization check that
     *         runs before this method is reached
     */
    @Authority(authorityTypes = AuthorityType.TWO)
    @RequestMapping(value = "test", method = RequestMethod.GET)
    @ResponseBody
    public boolean test() {
        return true;
    }
}
每次请求带有权限注解的接口时,都需要验证当前用户是否拥有该权限:有则放行,反之拒绝。最后附上springmvc执行流程