1 package com.supwisdom.institute.backend.admin.bff.security.web.access.intercept;
2
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import com.supwisdom.infras.security.web.access.intercept.InfrasFilterSecurityInterceptor;
import com.supwisdom.institute.backend.admin.bff.utils.AuthenticationUtil;

import lombok.extern.slf4j.Slf4j;
20
21 @Slf4j
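/**
 * Filter-invocation interceptor for the admin BFF.
 *
 * <p>Requests whose URL is in a small fixed allow-list, and requests made by an
 * administrator, are passed straight down the filter chain without an access decision.
 * Every other request goes through the {@code beforeInvocation} / {@code afterInvocation}
 * cycle inherited from {@link InfrasFilterSecurityInterceptor}, which consults the
 * configured metadata source and {@link AccessDecisionManager}.
 */
@Slf4j
public class MyFilterSecurityInterceptor extends InfrasFilterSecurityInterceptor {

  // FIXME: make the set of URLs that need no access control configurable
  /**
   * Request URLs that bypass access control entirely (matched exactly against
   * {@link FilterInvocation#getRequestUrl()}). Built once rather than on every request
   * and kept unmodifiable so the allow-list cannot be widened at runtime.
   */
  private static final Set<String> NONE_SECURITY_URLS =
      Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
          "/web/login",
          "/web/logout",
          "/web/index")));

  @Autowired
  private FilterInvocationSecurityMetadataSource securityMetadataSource;

  /**
   * Injects the {@link AccessDecisionManager} used by the parent interceptor to decide
   * whether a request may proceed.
   *
   * @param accessDecisionManager the decision manager to delegate to
   */
  @Autowired
  public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
    super.setAccessDecisionManager(accessDecisionManager);
  }

  /**
   * Applies access control to one request and, if allowed, continues the filter chain.
   *
   * <p>Order of checks: (1) exact match of the request URL against
   * {@link #NONE_SECURITY_URLS}; (2) {@link AuthenticationUtil#isAdministrator()};
   * (3) the standard before/after invocation cycle of the parent class.
   *
   * @param fi the intercepted request, response and filter chain
   * @throws IOException      propagated from the filter chain
   * @throws ServletException propagated from the filter chain
   */
  @Override
  public void invoke(FilterInvocation fi) throws IOException, ServletException {
    if (fi.getRequest() != null) {
      String requestUrl = fi.getRequestUrl();
      // NOTE(review): this URL presumably carries the query string as well, so an
      // allow-listed path with parameters appended does not match (fails closed) and the
      // debug line below would log those parameters -- confirm both are intended.
      log.debug("MyFilterSecurityInterceptor invoke requestUrl: {}", requestUrl);
      if (NONE_SECURITY_URLS.contains(requestUrl)) {
        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        return;
      }
    }

    // Administrators skip the decision cycle completely: no beforeInvocation and
    // therefore no afterInvocation is run for them.
    if (AuthenticationUtil.isAdministrator()) {
      fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
      return;
    }

    // fi carries the intercepted URL. beforeInvocation asks the metadata source
    // (getAttributes(Object)) for the attributes required by fi, then asks the
    // access decision manager (decide) whether the current user's authorities suffice.
    InterceptorStatusToken token = super.beforeInvocation(fi);
    try {
      // run the next filter in the chain
      fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
    } finally {
      // afterInvocation must run even if the chain throws, so the status token is cleaned up
      super.afterInvocation(token, null);
    }
  }

  /**
   * @return the secure-object type this interceptor handles, always {@link FilterInvocation}
   */
  @Override
  public Class<?> getSecureObjectClass() {
    return FilterInvocation.class;
  }

  /**
   * @return the injected metadata source that maps a request to its required attributes
   */
  @Override
  public SecurityMetadataSource obtainSecurityMetadataSource() {
    return this.securityMetadataSource;
  }

}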