基于SpringBoot实现请求的数据权限验证

1.实现方案

对需要进行数据权限的请求添加自定义注解,通过拦截器对请求进行拦截,判断是否需要进行数据权限验证和执行数据权限验证的逻辑。(GET请求没问题,POST请求因为HttpRequest的流getReader只能读取一次,如果在拦截器处理后,进入Handler会抛异常。此问题后面单独说

2.代码实现

2.1 抽象数据权限验证类

/**
 * @Description 抽象的数据权限类
 * @Author zouxiaodong
 * @Date 2022/03/01 15:36
 */
public abstract class AbstractDataAuth {

    /**
     * @Author zouxiaodong
     * @Description 数据权限控制逻辑
     * @Date 2022/03/01 15:42
     * @Param [httpServletRequest, httpServletResponse]
     * @return boolean
     **/
    public abstract boolean checkDataAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse);
}

2.2 自定义注解,增加在需要进行数据权限验证的Handler上

/**
 * @Author zouxiaodong
 * @Description 数据权限认证的注解
 * @Date 2022/03/01 15:16
 **/
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface DataAuthValid {

    /**
     * 名称
     **/
    String name() default "";

    /**
     * 数据权限开关,默认开启
     **/
    boolean switchAuth() default true;

    /**
     * 数据权限处理类
     **/
    Class<? extends AbstractDataAuth> dataAuthClass();
}

2.3 自定义拦截器,判断请求对应的handler是否有注解(是否需要进行权限验证)

/**
 * @Description 数据权限拦截器
 * @Author zouxiaodong
 * @Date 2022/03/01 16:18
 */
@Component
@Slf4j
public class DataAuthInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler){
        try {
            // 如果不是方法
            if(!(handler instanceof HandlerMethod)){
                return true;
            }
            DataAuthValid dataAuthValid = ((HandlerMethod) handler).getMethodAnnotation(DataAuthValid.class);
            if(dataAuthValid == null || !dataAuthValid.switchAuth()){
                return true;
            }else{
                Class<? extends AbstractDataAuth> dataAuthClass = dataAuthValid.dataAuthClass();
//                return dataAuthClass.newInstance().checkDataAuth(request,response);
                return SpringUtil.getBean(dataAuthClass).checkDataAuth(request,response);
            }
        }catch (Exception e){
            log.error("DataAuthInterceptor执行请求:{}拦截异常。异常信息为:{}",request.getRequestURI(),e.getMessage());
            return false;
        }
    }
}

2.4 自定义Filter(对特定请求的HttpRequest进行Wrapper处理,避免Post请求对流进行二次读取时的异常)

/**
 * @Description 需要对post或者put请求进行数据权限验证时的filter
 * @Author zouxiaodong
 * @Date 2022/03/02 16:07
 */
@Slf4j
public class PostMethodFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        CustomHttpServletRequestWrapper customHttpServletRequestWrapper = null;
        HttpServletRequest req = (HttpServletRequest)request;
        try {
            customHttpServletRequestWrapper = new CustomHttpServletRequestWrapper(req);
        }catch (Exception e){
            log.warn("请求({})执行filter异常。异常信息为:{}",req.getRequestURI(), e.getMessage());
        }
        chain.doFilter((Objects.isNull(customHttpServletRequestWrapper) ? request : customHttpServletRequestWrapper), response);
    }
}

2.5 自定义HttpServletRequestWrapper,对HttpRequest进行处理

/**
 * @Description 自定义请求wrapper
 * @Author zouxiaodong
 * @Date 2022/03/02 10:34
 */
@Slf4j
public class CustomHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private byte[] body;

    public byte[] getBody() {
        return body;
    }

    public String getBodyAsString(){
        return new String(body,StandardCharsets.UTF_8);
    }

    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request The request to wrap
     * @throws IllegalArgumentException if the request is null
     */
    public CustomHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        StringBuilder sb = new StringBuilder();
        String line;
        BufferedReader reader = request.getReader();
        while ((line=reader.readLine()) != null){
            sb.append(line);
        }
        this.body = sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body);
        return new ServletInputStream() {

            @Override
            public int read() throws IOException {
                return byteArrayInputStream.read();
            }

            @Override
            public void setReadListener(ReadListener listener) {
            }

            @Override
            public boolean isReady() {
                return true;
            }

            @Override
            public boolean isFinished() {
                return false;
            }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(this.getInputStream()));
    }
}

2.6 针对自定义的Interceptor和Filter进行系统配置

/**
 * @Description 数据权限filter和interceptor配置
 * @Author zouxiaodong
 * @Date 2022/03/01 16:36
 */
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    @Bean
    public FilterRegistrationBean servletRegistrationBean() {
        PostMethodFilter postMethodFilter = new PostMethodFilter();
        FilterRegistrationBean<PostMethodFilter> bean = new FilterRegistrationBean<>();
        bean.setFilter(postMethodFilter);
        bean.setName("postMethodFilter");
        bean.addUrlPatterns("/snapshot/updatePolicy");
        bean.setOrder(Ordered.LOWEST_PRECEDENCE);
        return bean;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry){
        //对所有请求进行拦截
        registry.addInterceptor(new DataAuthInterceptor()).addPathPatterns("/**").
                //解决swagger无法访问的问题
                excludePathPatterns("/swagger-resources/**", "/webjars/**", "/v2/**", "/swagger-ui.html/**");
    }

    //解决swagger无法访问的问题
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
    }

}

2.7 将注解加到需要进行数据权限验证的方法上

 /**
     * @Author zouxiaodong
     * @Description 更新虚拟机的快照策略(如果之前没有策略则新增,有则更新策略)
     * @Date 2021/12/08 9:51
     * @Param [vmID, snapshotPolicy]
     * @return com.zkxy.common.returnUtil.OperationResult<java.lang.Boolean>
     **/
    @ApiOperation("更新虚拟机的快照策略(如果之前没有策略则新增,有则更新策略;如果之前有策略,新的策略为空则进行策略禁用或停止)")
    @RequestMapping(value = "/updatePolicy",method = RequestMethod.POST)
    @DataAuthValid(name = "updatePolicy",switchAuth = true,dataAuthClass = UpdatePolicyDataAuth.class)
    public OperationResult<Boolean> updatePolicy(@ApiParam(name = "policy",value = "新的虚拟机快照策略",required = true) @RequestBody UpdateSnapshotPolicy policy){
        ......
    }

2.8 实现注解中具体数据权限认证类

/**
 * @Description 快照策略升级的数据权限认证
 * @see VMSnapshotController#updatePolicy(com.zkxy.eda.vmware.vcenter.pojo.UpdateSnapshotPolicy)
 * @Author zouxiaodong
 * @Date 2022/03/02 9:15
 */
@Slf4j
@Component
public class UpdatePolicyDataAuth extends AbstractDataAuth{

    @Autowired
    private VirtualMachineService virtualMachineService;

    @Override
    public boolean checkDataAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if(RequestMethod.POST.name().equals(httpServletRequest.getMethod())){
            try{
                String body = ((CustomHttpServletRequestWrapper)httpServletRequest).getBodyAsString();
                UpdateSnapshotPolicy updateSnapshotPolicy = JSONObject.parseObject(body, UpdateSnapshotPolicy.class);
                if(updateSnapshotPolicy == null){
                    return false;
                }
                String vmId = updateSnapshotPolicy.getVmId();
                List<ZkxyVirtualMachine> zkxyVirtualMachines = virtualMachineService.getVirtualMachinesByUserSession();
                if(!CollectionUtils.isEmpty(zkxyVirtualMachines)){
                    for (ZkxyVirtualMachine zkxyVirtualMachine:zkxyVirtualMachines){
                        if(zkxyVirtualMachine.getVmId().equals(vmId)){
                            return true;
                        }
                    }
                }
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                OperationResult<ZkxyVirtualMachine> result = OperationResult.fail(null,String.format("您没有权限访问此云主机(%s)",vmId),null);
                httpServletResponse.setHeader("Content-Type","application/json;charset=UTF-8");
                httpServletResponse.getWriter().write(JSONObject.toJSONString(result));
                httpServletResponse.getWriter().flush();
                log.warn("请求({})已拒绝!vmId:{}",httpServletRequest.getRequestURI(),vmId);
            }catch (Exception e){
                log.error("请求({})处理异常.异常信息为:{}",httpServletRequest.getRequestURI(),e.getMessage());
            }
        }
        return false;
    }
}

 3.开发过程中的问题

一开始的时候只自定义了Interceptor,在对POST请求拦截器中读取了HttpRequest的getReader,导致执行到Handler时,系统提示:

java.lang.IllegalStateException: getReader() has already been called for this request
    org.apache.catalina.connector.Request.getInputStream(Request.java:1032)
    org.apache.catalina.connector.RequestFacade.getInputStream(RequestFacade.java:364)

 此时就需要自定义Filter(步骤2.4,Filter的配置在步骤2.6)对需要的请求进行HttpRequest处理(步骤2.5),转为HttpServletRequestWrapper,然后将该HttpServletRequestWrapper放入过滤链中传递下去。

如果系统中有swagger,新增自定义拦截器后可能会导致swagger不可用,步骤2.6中增加注释的两个配置代码即可

posted @ 2022-03-03 15:01  CoderZZZ  阅读(2017)  评论(1编辑  收藏  举报