Ruoyi interface permission verification
2022-07-03 06:29:00 【xuhss_ com】
This article is part of the RuoYi project practice series.

In the RuoYi frontend, menus and buttons are shown or hidden dynamically depending on whether the user holds the corresponding permission string. Hiding a button does not stop anyone from sending the HTTP request directly, so to prevent permission restrictions from being bypassed that way, the backend interfaces must enforce the same permissions.
Using @PreAuthorize

Since the inner workings of `@PreAuthorize` are not well understood here, this section only briefly explains how it is applied in the RuoYi project. Before an interface method is invoked, any interface annotated with `@PreAuthorize` is validated first: the expression in the annotation's `value()` parameter is evaluated, and its result, `true` or `false`, decides whether the caller has permission.
```java
public @interface PreAuthorize {
    String value();
}
```
Rather than relying on Spring Security's built-in expressions, RuoYi uses a custom `PermissionService` class, and its custom method `hasPermi(String permission)` decides whether the caller holds the permission. Example of the annotation in use: `@PreAuthorize("@ss.hasPermi('system:menu:list')")`
```java
public boolean hasPermi(String permission)
{
    // The annotation must carry a permission string; an empty one is denied outright
    if (StringUtils.isEmpty(permission))
    {
        return false;
    }
    LoginUser loginUser = SecurityUtils.getLoginUser();
    // No logged-in user, or a user with no permissions at all, is denied
    if (StringUtils.isNull(loginUser) || CollectionUtils.isEmpty(loginUser.getPermissions()))
    {
        return false;
    }
    return hasPermissions(loginUser.getPermissions(), permission);
}

private boolean hasPermissions(Set<String> permissions, String permission)
{
    // Grant if the user holds the "all permissions" wildcard, or the exact permission string
    return permissions.contains(ALL_PERMISSION) || permissions.contains(StringUtils.trim(permission));
}
```
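To show the wiring that makes `@ss.hasPermi(...)` resolve, and to prove that the backend really rejects a request the frontend would never send, here is an added example (not RuoYi's own code). The names `MethodSecurityConfig`, `PermissionService`, `MenuController`, `MenuPermissionTest`, the wildcard value `*:*:*` and the permission strings are assumptions; the permission set is read from the granted authorities instead of RuoYi's `LoginUser` so the example stays self-contained, and a `@SpringBootApplication` class is assumed to exist in the project.

```java
// Added example, not RuoYi's own code. Assumed names: MethodSecurityConfig, PermissionService,
// MenuController, MenuPermissionTest; the wildcard "*:*:*" is an assumed value.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Set;
import java.util.stream.Collectors;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // without this, @PreAuthorize is silently ignored
class MethodSecurityConfig {
}

@Service("ss") // the bean name "ss" is what the SpEL expression "@ss.hasPermi(...)" resolves to
class PermissionService {
    static final String ALL_PERMISSION = "*:*:*"; // assumed wildcard meaning "all permissions"

    public boolean hasPermi(String permission) {
        if (permission == null || permission.trim().isEmpty()) {
            return false; // an annotation without a permission string grants nothing
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false; // no authenticated user in the context
        }
        // Simplification: permissions are the granted authorities, not RuoYi's LoginUser set
        Set<String> permissions = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return permissions.contains(ALL_PERMISSION) || permissions.contains(permission.trim());
    }
}

@RestController
class MenuController {
    // Even if the frontend hides the menu, a direct GET still has to pass this check
    @PreAuthorize("@ss.hasPermi('system:menu:list')")
    @GetMapping("/system/menu/list")
    public String list() {
        return "menu list";
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class MenuPermissionTest {
    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(authorities = "system:menu:list")
    void allowedWithMatchingPermission() throws Exception {
        mockMvc.perform(get("/system/menu/list")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(authorities = "*:*:*")
    void allowedWithWildcard() throws Exception {
        mockMvc.perform(get("/system/menu/list")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(authorities = "system:user:list")
    void deniedWithOtherPermission() throws Exception {
        // AccessDeniedException thrown by the @PreAuthorize proxy becomes a 403 for an
        // authenticated user, which is exactly the "bypass by direct HTTP request" case
        mockMvc.perform(get("/system/menu/list")).andExpect(status().isForbidden());
    }
}
```

The third test is the one worth keeping in a project: it fails the moment someone removes the annotation or the `prePostEnabled` flag, which is how a silently disabled method-security setup gets noticed.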
Interface permission verification process
Two examples explain how a frontend request passes through backend interface permission verification.
Login: an anonymous request

1. The login request path is `/login`. In the filter chain, `AnonymousAuthenticationFilter` puts an anonymous authentication into the Spring security context. Because `/login` is configured as an anonymous request in `SecurityConfig.java`, the request successfully reaches `SysLoginController`.
2. The controller calls the `SysLoginService.login` method; the key line is:

```java
Authentication authentication = authenticationManager
        .authenticate(new UsernamePasswordAuthenticationToken(username, password));
```

   `authenticationManager.authenticate()` is the hook method, implemented in `AbstractUserDetailsAuthenticationProvider`; the provider is chosen automatically according to the type of the incoming token, and here a `UsernamePasswordAuthenticationToken` is handled by `DaoAuthenticationProvider` (if this is unclear, set two breakpoints before and after the call and look at the call stack).
3. In `DaoAuthenticationProvider` you can see the key line:

```java
UserDetails loadedUser = this.getUserDetailsService()
        .loadUserByUsername(username);
```

   This invokes our custom implementation `UserDetailsServiceImpl#loadUserByUsername` (as shown in the flow chart) to fetch the user information. The custom method is used because `SecurityConfig.java` configures:

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
```

4. Generate the token and return it.
Logged-in request

The flow for a logged-in request is simpler. Among the filters in the flow chart, the custom `JwtAuthenticationFilter` extracts the user information from the token and loads it into the Spring security context, where later code can retrieve and use it.
A pitfall I got stuck on

Because I was relatively unfamiliar with Spring Security, which is powerful but correspondingly complex, I read many introductory blog posts while debugging the project. All of them mentioned `UsernamePasswordAuthenticationFilter`, yet no matter how many times I debugged the actual project, I never saw this filter being called.

Reason: the Security configuration must call `httpSecurity.formLogin()` to enable form login before this filter is used. To view all the filters the project uses, you can run the following test code:
```java
import java.util.List;
import javax.servlet.Filter;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootTest // loads the full application context so the real FilterChainProxy is injected
class RuoYiApplicationTest {
    @Autowired
    private FilterChainProxy filterChainProxy;

    @Test
    public void test() {
        // Each SecurityFilterChain matches a set of request paths; print the filters of every chain
        List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
        for (SecurityFilterChain sfc : filterChains) {
            for (Filter filter : sfc.getFilters()) {
                System.out.println(filter.getClass().getName());
            }
        }
    }
}
```
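The two request paths above, and the reason `UsernamePasswordAuthenticationFilter` never shows up in that filter list, put together as an added example that is not RuoYi's own code. It assumes Spring Security 5.x with `WebSecurityConfigurerAdapter`; the names `TokenService`, `JwtAuthenticationFilter`, `LoginService` and the `Authorization` header handling are assumptions for illustration.

```java
// Added example, not RuoYi's own code. Assumed: Spring Security 5.x, and the helper names
// TokenService, JwtAuthenticationFilter and LoginService.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

/** Assumed helper: issues a token after login and validates it on later requests. */
interface TokenService {
    String createToken(UserDetails user);
    /** Returns the user encoded in a valid, unexpired token, or null for a missing or invalid one. */
    UserDetails parseAndValidate(String authorizationHeader);
}

/** Logged-in path: runs on every request and fills the security context from the token. */
@Component
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final TokenService tokenService;
    JwtAuthenticationFilter(TokenService tokenService) { this.tokenService = tokenService; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        UserDetails user = tokenService.parseAndValidate(request.getHeader("Authorization"));
        // Only a token that validated populates the context; an invalid token leaves the request
        // anonymous, so anyRequest().authenticated() below rejects it
        if (user != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
        }
        chain.doFilter(request, response);
    }
}

/** Anonymous path: /login hands the credentials to the AuthenticationManager. */
@Service
class LoginService {
    private final AuthenticationManager authenticationManager;
    private final TokenService tokenService;
    LoginService(AuthenticationManager authenticationManager, TokenService tokenService) {
        this.authenticationManager = authenticationManager;
        this.tokenService = tokenService;
    }

    public String login(String username, String password) {
        // The manager picks DaoAuthenticationProvider for this token type, which calls
        // UserDetailsService#loadUserByUsername and checks the password with the configured encoder
        Authentication authentication = authenticationManager
                .authenticate(new UsernamePasswordAuthenticationToken(username, password));
        return tokenService.createToken((UserDetails) authentication.getPrincipal());
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserDetailsService userDetailsService;
    private final JwtAuthenticationFilter jwtFilter;
    SecurityConfig(UserDetailsService userDetailsService, JwtAuthenticationFilter jwtFilter) {
        this.userDetailsService = userDetailsService;
        this.jwtFilter = jwtFilter;
    }

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() { return new BCryptPasswordEncoder(); }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // exposes the manager for LoginService
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // This is why DaoAuthenticationProvider ends up calling the custom UserDetailsService
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // stateless token API, no session cookie to protect
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/login").anonymous()   // reachable only without a token
                .anyRequest().authenticated();       // everything else needs a valid token
        // No formLogin() call, so UsernamePasswordAuthenticationFilter is never added to the
        // chain; the JWT filter is registered at the position that filter would have occupied
        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Run the filter-listing test from the page against this configuration and `UsernamePasswordAuthenticationFilter` is absent while `JwtAuthenticationFilter` and `AnonymousAuthenticationFilter` are present, which matches the two paths described above. Note that `anyRequest().authenticated()` only establishes that a valid token was presented; which interfaces that user may call is still decided per method by `@PreAuthorize`.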