Ruoyi interface permission verification
2022-07-03 06:29:00 【xuhss_ com】
This article belongs to the ruoyi project practice series.
In the ruoyi front end, menu directories and buttons are shown or hidden dynamically depending on whether the user holds the corresponding permission string. Hiding a button in the browser is not authorization: to prevent a crafted HTTP request from bypassing that front-end restriction, the back-end interfaces also have to be designed with the corresponding permission checks.
@PreAuthorize usage
Since the underlying principle of @PreAuthorize is not fully understood here, this section only briefly explains how it is applied in the ruoyi project.
Before a request is dispatched to an interface annotated with @PreAuthorize, the annotation is evaluated first. The expression given in the annotation's value() is evaluated, and its boolean result (true or false) decides whether the caller has permission.
```java
public @interface PreAuthorize {
    String value(); // the SpEL expression evaluated before the method is invoked
}
```
Ruoyi does not rely on Spring Security's built-in expressions; instead the annotation expression references a custom PermissionService bean and calls its method hasPermi(String permission) to decide whether the caller holds the permission. Example usage of the annotation: @PreAuthorize("@ss.hasPermi('system:menu:list')")
```java
public boolean hasPermi(String permission)
{
    if (StringUtils.isEmpty(permission)) // an annotation must carry a permission value
    {
        return false;
    }
    LoginUser loginUser = SecurityUtils.getLoginUser();
    if (StringUtils.isNull(loginUser) ||
        CollectionUtils.isEmpty(loginUser.getPermissions()))
    {
        return false; // no logged-in user, or a user holding no permissions at all
    }
    return hasPermissions(loginUser.getPermissions(), permission);
}

private boolean hasPermissions(Set<String> permissions, String permission)
{
    // grant if the user holds the "all permissions" wildcard, or exactly this permission
    return permissions.contains(ALL_PERMISSION) ||
           permissions.contains(StringUtils.trim(permission));
}
```
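To make the chain from annotation to bean concrete, here is an added example (not code from the ruoyi project) of the three pieces that have to line up for the check above to run: the permission service registered under the bean name ss that the @ss prefix refers to, a controller whose endpoints carry the annotation, and the prePostEnabled switch that makes Spring Security evaluate @PreAuthorize at all. The bean name, the simplified LoginUser principal, the wildcard value and the menu endpoints other than system:menu:list are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// 1. Without prePostEnabled = true, @PreAuthorize is never evaluated and every annotated
//    endpoint silently behaves as if it carried no permission check at all.
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
    // authentication and HttpSecurity rules omitted here; they live in the project's SecurityConfig.java
}

// Simplified stand-in for the project's LoginUser principal: only the permission set matters here.
class LoginUser {
    private final Set<String> permissions;
    LoginUser(Set<String> permissions) { this.permissions = permissions; }
    Set<String> getPermissions() { return permissions; }
}

// 2. The SpEL prefix "@ss" is a bean reference, so the service must be registered under
//    exactly that bean name (assumed here; the post only shows the method bodies).
@Service("ss")
class PermissionService {
    private static final String ALL_PERMISSION = "*:*:*"; // wildcard value constructed for this example

    public boolean hasPermi(String permission) {
        if (permission == null || permission.trim().isEmpty()) {
            return false; // an annotation without a permission string never grants access
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof LoginUser)) {
            return false; // anonymous requests carry a String principal, not a LoginUser
        }
        Set<String> held = ((LoginUser) auth.getPrincipal()).getPermissions();
        if (held == null || held.isEmpty()) {
            return false;
        }
        return held.contains(ALL_PERMISSION) || held.contains(permission.trim());
    }
}

// 3. Each endpoint names the permission it requires; the evaluation happens before the body runs.
@RestController
@RequestMapping("/system/menu")
class SysMenuController {
    @PreAuthorize("@ss.hasPermi('system:menu:list')")
    @GetMapping("/list")
    public List<String> list() {
        return Arrays.asList("menu-a", "menu-b"); // constructed payload
    }

    @PreAuthorize("@ss.hasPermi('system:menu:remove')") // hypothetical permission string
    @DeleteMapping("/{menuId}")
    public String remove(@PathVariable Long menuId) {
        return "removed " + menuId;
    }

    // No @PreAuthorize: any logged-in user can call this, because the HttpSecurity rule only
    // requires authentication. Hiding the button in the front end does not close this gap;
    // reviewing controllers for unannotated handlers is the check that does.
    @GetMapping("/export")
    public String export() {
        return "export";
    }
}
```

The unannotated export handler is deliberately left in to show what the front-end check cannot cover: every non-anonymous endpoint needs its own annotation, because authentication alone does not imply permission.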
Interface permission verification process
Two examples explain how a front-end request passes through the back-end interface permission checks.
Login (anonymous request)

1. The login request path is /login. In the filter chain, AnonymousAuthenticationFilter adds an anonymous authentication to the Spring security context. Because the /login request is configured as an anonymous request in SecurityConfig.java, the request successfully reaches SysLoginController.
2. SysLoginController calls the SysLoginService.login method, whose key line is:

```java
Authentication authentication = authenticationManager
        .authenticate(new UsernamePasswordAuthenticationToken(username, password));
```
authenticationManager.authenticate() is a hook method implemented in AbstractUserDetailsAuthenticationProvider; the concrete provider is selected automatically according to the type of the token passed in. Here the UsernamePasswordAuthenticationToken is handled by DaoAuthenticationProvider (if this is unclear, set two breakpoints before and after the call and inspect the call stack).
3. In DaoAuthenticationProvider the key line is:

```java
UserDetails loadedUser = this.getUserDetailsService()
        .loadUserByUsername(username);
```
This invokes our custom implementation UserDetailsServiceImpl#loadUserByUsername (as shown in the flow chart) to obtain the user information. The custom method is used because SecurityConfig.java configures it:

```java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
    // register the custom UserDetailsService and the password encoder used to verify the hash
    auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
```
4. Generate the token and return it.
Logged-in request
The process for a logged-in request is simpler. Among the filters in the flow chart there is a custom JwtAuthenticationFilter; it obtains the user information from the token and loads it into the Spring security context, where it can be extracted and used conveniently.
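Putting the anonymous path and the logged-in path together, here is an added example (not the project's own code) of the pieces described above: a JWT filter that turns a valid token into an authentication in the Spring security context, and the HttpSecurity rules that let /login through anonymously while requiring an authenticated context for everything else. TokenService and its getLoginUser method are hypothetical stand-ins for the project's token handling; the filter class name follows the post.

```java
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical token service: parses the token carried by the request and returns the user it
// identifies, or null when the header is missing, the signature is invalid or the token expired.
interface TokenService {
    Object getLoginUser(HttpServletRequest request);
}

class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final TokenService tokenService;

    JwtAuthenticationFilter(TokenService tokenService) {
        this.tokenService = tokenService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Object loginUser = tokenService.getLoginUser(request);
        // Populate the context only for a valid token and only if nothing has authenticated yet.
        // An invalid or missing token leaves the context untouched, so the anyRequest() rule
        // below rejects the request through the entry point; the filter never short-circuits.
        if (loginUser != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                    loginUser, null, Collections.emptyList()); // 3-arg constructor marks it authenticated
            auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }
}

class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final JwtAuthenticationFilter jwtFilter;

    SecurityConfig(JwtAuthenticationFilter jwtFilter) {
        this.jwtFilter = jwtFilter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // the token travels in a header and no session cookie is issued, so CSRF tokens do not apply
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/login").anonymous()   // reachable with only the anonymous authentication
                .anyRequest().authenticated()        // everything else needs a context filled by the filter
            .and()
            // formLogin() is not called, so UsernamePasswordAuthenticationFilter is never registered;
            // it only serves as the ordering anchor that places the JWT filter early in the chain
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Note that authenticated() only proves a valid token was presented; the per-endpoint permission decision still comes from the @PreAuthorize annotations, which read the LoginUser that this filter placed in the context.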
A pitfall that had me stuck for a while
Because I was relatively unfamiliar with Spring Security, which is powerful but correspondingly complex, I read many introductory blog posts while debugging the project. All of them mentioned UsernamePasswordAuthenticationFilter, yet in repeated debugging of the actual project I never saw this filter being called.
Reason: the security configuration must call httpSecurity.formLogin() to enable form login before this filter is used. To view all the filters used by the project, you can use the following test code:
```java
import java.util.List;
import javax.servlet.Filter;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootTest // boot the full context so the real FilterChainProxy is injected
class RuoYiApplicationTest {
    @Autowired
    private FilterChainProxy filterChainProxy;

    @Test
    public void test() {
        // one SecurityFilterChain per configured HttpSecurity; print each filter in chain order
        List<SecurityFilterChain> filterChains = filterChainProxy.getFilterChains();
        for (SecurityFilterChain sfc : filterChains) {
            for (Filter filter : sfc.getFilters()) {
                System.out.println(filter.getClass().getName());
            }
        }
    }
}
```