feat(security): PermissionAuthorizationManager 校验 http 方法

andanyoung · andanyoung · commit d15e6b98e74d · 2023-12-19T16:50:30.000+08:00
diff --git a/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/HttpUrlPermission.java b/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/HttpUrlPermission.java
@@ -0,0 +1,29 @@
+package com.admin4j.framework.security.authorization;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import org.springframework.http.HttpMethod;
+
+/**
+ * http 请求权限数据
+ *
+ * @author andanyang
+ * @since 2023/12/19 16:08
+ */
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+public class HttpUrlPermission {
+
+    /**
+     * http 请求方法;
+     * 为null 表示不限制请求方法
+     */
+    private HttpMethod httpMethod;
+    /**
+     * http 请求地址
+     * 如： /user/1
+     */
+    private String requestURI;
+}
diff --git a/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/IPermissionUriService.java b/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/IPermissionUriService.java
@@ -15,12 +15,12 @@ public interface IPermissionUriService {
      *
      * @return
      */
-    List<String> allPermissionUri();
+    List<HttpUrlPermission> allPermissionUrl();
 
     /**
      * 当前用户拥有的权限
      *
      * @return
      */
-    List<String> getMyPermissionUrls();
+    List<HttpUrlPermission> getMyPermissionUrls();
 }
diff --git a/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/PermissionAuthorizationManager.java b/security-spring-boot-starter/src/main/java/com/admin4j/framework/security/authorization/PermissionAuthorizationManager.java
@@ -45,13 +45,14 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Requ
 
         // 获取当前请求的 URL 地址
         String requestURI = object.getRequest().getRequestURI();
-        boolean matchPermission = matchPermission(requestURI);
+        String method = object.getRequest().getMethod();
+        boolean matchPermission = matchPermission(requestURI, method);
         if (matchPermission) {
             return GRANTED;
         }
 
         // 沒有匹配到, 查看当前 requestURI 是否需要权限控制
-        return urlNeedPermission(requestURI) ? UN_AUTHORIZED : GRANTED;
+        return urlNeedPermission(requestURI, method) ? UN_AUTHORIZED : GRANTED;
     }
 
     /**
@@ -60,11 +61,15 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Requ
      *
      * @return
      */
-    public boolean urlNeedPermission(String requestURI) {
-
-        Collection<String> allPermissionUrls = getAllPermissionUrls();
-        for (String url : allPermissionUrls) {
-            if (antPathMatcher.match(url, requestURI)) {
+    public boolean urlNeedPermission(String requestURI, String method) {
+
+        Collection<HttpUrlPermission> allPermissionUrls = getAllPermissionUrls();
+        for (HttpUrlPermission urlPermission : allPermissionUrls) {
+            // method 相同 && 请求路径可以匹配
+            if (
+                    (urlPermission.getHttpMethod() == null || urlPermission.getHttpMethod().name().equalsIgnoreCase(method))
+                            &&
+                            antPathMatcher.match(urlPermission.getRequestURI(), requestURI)) {
                 return true;
             }
         }
@@ -77,15 +82,20 @@ public boolean urlNeedPermission(String requestURI) {
      * @param requestURI
      * @return
      */
-    public boolean matchPermission(String requestURI) {
-        Collection<String> permissionUrls = getPermissionUrls();
+    public boolean matchPermission(String requestURI, String method) {
+        Collection<HttpUrlPermission> permissionUrls = getPermissionUrls();
 
         if (permissionUrls == null || permissionUrls.isEmpty()) {
             return false;
         }
 
-        for (String url : permissionUrls) {
-            if (antPathMatcher.match(url, requestURI)) {
+        for (HttpUrlPermission urlPermission : permissionUrls) {
+
+            // method 相同 && 请求路径可以匹配
+            if (
+                    (urlPermission.getHttpMethod() == null || urlPermission.getHttpMethod().name().equalsIgnoreCase(method))
+                            &&
+                            antPathMatcher.match(urlPermission.getRequestURI(), requestURI)) {
                 return true;
             }
         }
@@ -97,7 +107,7 @@ public boolean matchPermission(String requestURI) {
      *
      * @return
      */
-    public Collection<String> getPermissionUrls() {
+    public Collection<HttpUrlPermission> getPermissionUrls() {
 
         return permissionUriService.getMyPermissionUrls();
     }
@@ -108,7 +118,7 @@ public Collection<String> getPermissionUrls() {
      *
      * @return
      */
-    protected Collection<String> getAllPermissionUrls() {
-        return permissionUriService.allPermissionUri();
+    protected Collection<HttpUrlPermission> getAllPermissionUrls() {
+        return permissionUriService.allPermissionUrl();
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,12 +15,12 @@ public interface IPermissionUriService {`
`15`	`15`	`*`
`16`	`16`	`* @return`
`17`	`17`	`*/`
`18`		`- List<String> allPermissionUri();`
	`18`	`+ List<HttpUrlPermission> allPermissionUrl();`
`19`	`19`
`20`	`20`	`/**`
`21`	`21`	`* 当前用户拥有的权限`
`22`	`22`	`*`
`23`	`23`	`* @return`
`24`	`24`	`*/`
`25`		`- List<String> getMyPermissionUrls();`
	`25`	`+ List<HttpUrlPermission> getMyPermissionUrls();`
`26`	`26`	`}`