Request-based authorization
1. User, authority, resource
Requirements:
- Users holding the USER_LIST authority may access the /user/list endpoint
- Users holding the USER_ADD authority may access the /user/add endpoint
Configuring the authorization rules
SecurityFilterChain
    // Enable authorization protection
    // (in Spring Security 6, authorizeHttpRequests() is the non-deprecated equivalent of authorizeRequests())
    http.authorizeRequests(authorize -> authorize
            // Users holding USER_LIST may access /user/list
            .requestMatchers("/user/list").hasAuthority("USER_LIST")
            // Users holding USER_ADD may access /user/add
            .requestMatchers("/user/add").hasAuthority("USER_ADD")
            // Protect every other request:
            .anyRequest()
            // any authenticated request is authorized automatically
            .authenticated()
    );
Granting authorities
Add the authorities in DbUserManager#loadUserByUsername:
    // GrantedAuthority is a functional interface (getAuthority()), so a lambda works here;
    // new SimpleGrantedAuthority("USER_ADD") is the more common spelling
    Collection<GrantedAuthority> authorities = new ArrayList<>();
    // authorities.add(() -> "USER_LIST");   // USER_LIST deliberately left out
    authorities.add(() -> "USER_ADD");
After logging in successfully, a request to the /user/list endpoint is rejected with 403 and the response body is:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Nov 01 18:40:09 CST 2023
There was an unexpected error (type=Forbidden, status=403).
Forbidden
Customizing the access-denied response
    import java.io.IOException;
    import java.util.HashMap;

    import com.alibaba.fastjson2.JSON;   // assumption: fastjson2; the original fastjson JSON class exposes the same toJSONString
    import jakarta.servlet.ServletException;          // assumption: Spring Boot 3 / Spring Security 6 (jakarta.servlet);
    import jakarta.servlet.http.HttpServletRequest;   // on Spring Boot 2 use the javax.servlet packages instead
    import jakarta.servlet.http.HttpServletResponse;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandler;

    public class MyAccessDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException) throws IOException, ServletException {
            // Build the result object
            HashMap<String, Object> result = new HashMap<>();
            result.put("code", -1);
            result.put("message", "没有权限");
            // Serialize it to a JSON string
            String json = JSON.toJSONString(result);
            // Write the response; keep the HTTP status at 403 so callers can tell a denial from a success
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().println(json);
        }
    }
Configuration
    http.exceptionHandling(exception -> {
        exception.accessDeniedHandler(new MyAccessDeniedHandler()); // handles requests that fail authorization
    });
Request http://localhost:8080/user/list again; the response is now:
    {
        "code": -1,
        "message": "没有权限"
    }
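A MockMvc test that checks both halves of this page (the request matchers and the custom access-denied body) is the fastest way to confirm the rules do what the requirements say. This is an added example, not code from the original page; it assumes Spring Boot 3 with spring-security-test on the classpath, the SecurityFilterChain and MyAccessDeniedHandler configured as above, and a hypothetical user "alice" that holds only USER_ADD.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

// Added example: verifies the USER_LIST / USER_ADD rules from this page end to end.
@SpringBootTest
@AutoConfigureMockMvc
class RequestAuthorizationTest {

    @Autowired
    MockMvc mvc;

    // Hypothetical principal mirroring DbUserManager above: USER_ADD granted, USER_LIST not.
    private static final SimpleGrantedAuthority USER_ADD = new SimpleGrantedAuthority("USER_ADD");

    @Test
    void userAddAuthorityReachesUserAdd() throws Exception {
        // Matching authority: the request passes the filter chain and hits the controller.
        mvc.perform(get("/user/add").with(user("alice").authorities(USER_ADD)))
           .andExpect(status().isOk());
    }

    @Test
    void userAddAuthorityIsDeniedOnUserList() throws Exception {
        // Authenticated but lacking USER_LIST: AccessDeniedException is raised and routed
        // to MyAccessDeniedHandler, so the body is the custom JSON rather than the
        // Whitelabel error page shown earlier.
        mvc.perform(get("/user/list").with(user("alice").authorities(USER_ADD)))
           .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
           .andExpect(jsonPath("$.code").value(-1))
           .andExpect(jsonPath("$.message").value("没有权限"));
    }

    @Test
    void anonymousRequestNeverReachesTheController() throws Exception {
        // No authentication at all: .anyRequest().authenticated() stops the request before
        // any authority check, so a 200 from the controller must never be observed.
        mvc.perform(get("/user/list"))
           .andExpect(result -> {
               if (result.getResponse().getStatus() == 200) throw new AssertionError("anonymous got 200");
           });
    }
}
```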