java - How to do permission control on REST-style APIs
PHPz
PHPz 2017-04-17 17:08:50

What I want to achieve is the following.

Take these two endpoints, for example:
GET /order/{orderId}

POST /order/{orderId}/abc/{abcId}

I want to restrict, per role or per user, which of these endpoints each one is allowed to call, i.e. only the one they have permission for.

The problem now is: in what way can I match an incoming URL against each of the endpoint paths above?
I am using SpringMVC.

Note: the endpoint URLs above are simple ones. There are also complex ones where a parameter can be a regular expression, or two parameters are joined by a specific string (such as {param1}-{param2}), so path matching cannot be done with a regex. I don't really understand how SpringMVC implements this under the hood; could an expert please explain?


All replies (6)
巴扎黑

Why do I feel that the body of your question and its title mean different things? Do you want to ask about permission control, or about path matching?

洪涛

You need to extend WebSecurityConfigurerAdapter.
As far as I know, Spring Security's basic login model is User and Role.

Each URL can be controlled by implementing configure(WebSecurity web) of WebSecurityConfigurerAdapter.

For example, in the following example the accounts are held in memory. After logging in, each resource can be restricted with hasRole():

        
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class CustomWebSecurityConfigurerAdapter extends
   WebSecurityConfigurerAdapter {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
      .inMemoryAuthentication()
        .withUser("user")  // #1 ordinary user
          .password("password")
          .roles("USER")
          .and()
        .withUser("admin") // #2 administrator, who is also a USER
          .password("password")
          .roles("ADMIN","USER");
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    web
      .ignoring()
         .antMatchers("/resources/**"); // #3 static resources bypass the security filter chain entirely
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()                           // authorizeUrls() was renamed to this in Spring Security 3.2
        .antMatchers("/signup","/about").permitAll() // #4 open to everyone
        .antMatchers("/admin/**").hasRole("ADMIN")   // #5 hasRole("ADMIN") checks for the authority ROLE_ADMIN
        .anyRequest().authenticated()                // #6 everything else requires a login
        .and()
      .formLogin()                                   // #7
        .loginUrl("/login")                          // #8
        .permitAll();                                // #9 the login page itself must stay reachable
  }
}

Reference: Official documentation
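As an added example (not code from the answer above, and not the Spring project's own), the same Spring Security mechanism applied to the two endpoints from the question, so that HTTP method and path are matched together. The class and bean names (OrderApiSecurityConfig, OrderAccess), the role names and the in-memory accounts are assumptions. It targets Spring Security 4.x; the #orderId path variable inside access() needs 4.1 or later. The main() method runs without a servlet container and exercises AntPathMatcher, the matcher both @RequestMapping and antMatchers() are built on, against the question's paths, including the {param1}-{param2} case.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.util.AntPathMatcher;

@EnableWebSecurity
@Configuration
public class OrderApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Hypothetical demo accounts held in memory. A real deployment uses a UserDetailsService
        // and a PasswordEncoder; Spring Security 5 also insists on an encoder id such as "{bcrypt}".
        auth.inMemoryAuthentication()
            .withUser("viewer").password("password").roles("ORDER_VIEWER")
            .and()
            .withUser("operator").password("password").roles("ORDER_VIEWER", "ORDER_OPERATOR");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().and()
            .csrf().disable()   // API clients authenticate on every request; no browser session to protect
            .authorizeRequests()
                // Rules are tested top to bottom and the first match wins, so the more specific
                // "{from}-{to}" pattern must come before "/order/{orderId}", which would otherwise
                // accept "/order/12-34" as one ordinary segment.
                .antMatchers(HttpMethod.GET, "/order/{from:\\d+}-{to:\\d+}").hasRole("ORDER_VIEWER")
                // Same template syntax as @RequestMapping: {var} matches exactly one path segment.
                .antMatchers(HttpMethod.GET,  "/order/{orderId}").hasRole("ORDER_VIEWER")
                .antMatchers(HttpMethod.POST, "/order/{orderId}/abc/{abcId}").hasRole("ORDER_OPERATOR")
                // Per-resource decision: the path variable is handed to a bean method (Spring Security 4.1+).
                .antMatchers(HttpMethod.DELETE, "/order/{orderId}")
                    .access("@orderAccess.mayDelete(authentication, #orderId)")
                // Anything not listed is refused instead of falling through to "authenticated".
                .anyRequest().denyAll();
    }

    /** Hypothetical bean consulted by the access() expression above. */
    @Bean
    public OrderAccess orderAccess() {
        return new OrderAccess();
    }

    public static class OrderAccess {
        public boolean mayDelete(Authentication authentication, String orderId) {
            // Stand-in for an ownership lookup: only operators may delete, and only numeric ids are accepted.
            boolean operator = authentication.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ORDER_OPERATOR".equals(a.getAuthority()));
            return operator && orderId.matches("\\d+");
        }
    }

    /** Runs without a container: the matcher Spring MVC and Spring Security use, on the question's paths. */
    public static void main(String[] args) {
        AntPathMatcher matcher = new AntPathMatcher();
        String[][] cases = {
            {"/order/{orderId}",             "/order/42"},
            {"/order/{orderId}",             "/order/42/abc/7"},   // a {var} never spans a "/"
            {"/order/{orderId}/abc/{abcId}", "/order/42/abc/7"},
            {"/order/{from:\\d+}-{to:\\d+}", "/order/12-34"},
            {"/order/{from:\\d+}-{to:\\d+}", "/order/12-ab"},      // violates the \d+ constraint on {to}
        };
        for (String[] c : cases) {
            boolean hit = matcher.match(c[0], c[1]);
            Map<String, String> vars = hit
                ? matcher.extractUriTemplateVariables(c[0], c[1])
                : Collections.<String, String>emptyMap();
            System.out.printf("%-32s %-18s match=%-5s vars=%s%n", c[0], c[1], hit, vars);
        }
    }
}
```

The point the question is circling around is that you do not need a regex of your own: the {var} and {var:regex} templates Spring MVC already understands are accepted by antMatchers() too, so the authorization rules can be written with the very same strings as the @RequestMapping values. Keep denyAll() as the last rule; with anyRequest().authenticated() a new endpoint that nobody added a rule for is silently reachable by every logged-in user.
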

左手右手慢动作

The poster could look into the Shiro framework. For details, see here; it is a very good tutorial and easy to get started with, and this framework can solve your problem. http://jinnianshilongnian.ite...
When used with Spring MVC it looks like this:

import java.util.Map;

import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// BaseController (which provides resultMap) and MaterialService are the poster's own classes.
@RestController
@RequestMapping("material")
public class MaterialController extends BaseController {
    @Autowired
    private MaterialService materialService;

    @RequestMapping(value = "{moduleId}/material", method = RequestMethod.GET) // only GET requests are accepted
    public Map queryMaterial(@PathVariable long moduleId) throws Exception {
        return resultMap(true, materialService.queryMaterial(moduleId));
    }

    @RequiresRoles("admin") // calling this method requires the admin role; there are other authorization
                            // annotations such as RequiresPermissions that can be configured as needed,
                            // and dynamic permission control can also be implemented by other means
    @RequestMapping(value = "{moduleId}/preview", method = RequestMethod.GET)
    public Map preview(@PathVariable long moduleId) throws Exception {
        return resultMap(true, materialService.queryMaterialForPreview(moduleId));
    }
}
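As an added example that is not part of the answer above (nor Shiro's own code), the same Shiro annotations applied to the question's two endpoints, plus the piece the answer only alludes to: permission control that depends on the path variable. The controller and config class names (OrderController, ShiroWebConfig), the permission strings and the filter chain are assumptions, and a SecurityManager bean backed by a Realm is assumed to be defined elsewhere.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("order")
public class OrderController {

    /** GET /order/{orderId}: the caller needs "order:read" in general ... */
    @RequiresPermissions("order:read")
    @RequestMapping(value = "{orderId}", method = RequestMethod.GET)
    public Map<String, Object> getOrder(@PathVariable long orderId) {
        // ... and for this particular order. With Shiro's wildcard permissions a grant of
        // "order:read" or "order:*" implies "order:read:42", whereas a grant of "order:read:42"
        // is good for order 42 only. The path variable becomes the instance part of the string.
        SecurityUtils.getSubject().checkPermission("order:read:" + orderId);
        return result("orderId", orderId);
    }

    /** POST /order/{orderId}/abc/{abcId}: a different permission from reading. */
    @RequiresPermissions("order:create")
    @RequestMapping(value = "{orderId}/abc/{abcId}", method = RequestMethod.POST)
    public Map<String, Object> createAbc(@PathVariable long orderId, @PathVariable long abcId) {
        if (!SecurityUtils.getSubject().isPermitted("order:create:" + orderId)) {
            throw new UnauthorizedException("not permitted to add to order " + orderId);
        }
        Map<String, Object> body = result("orderId", orderId);
        body.put("abcId", abcId);
        return body;
    }

    private static Map<String, Object> result(String key, Object value) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("success", true);
        body.put(key, value);
        return body;
    }
}

/** Wiring that the annotations and the URL-level rules need. A SecurityManager bean is assumed to exist. */
@Configuration
class ShiroWebConfig {

    // Proxies Spring beans so that @RequiresPermissions / @RequiresRoles are actually enforced.
    @Bean
    public static DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator;
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

    // URL-level rules applied before any controller runs. The "rest" filter derives the action from
    // the HTTP method (GET -> order:read, POST -> order:create, PUT -> order:update, DELETE -> order:delete),
    // so method and path are told apart without writing a regex for the path.
    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
        filter.setSecurityManager(securityManager);
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");
        chain.put("/order/**", "authc, rest[order]");
        filter.setFilterChainDefinitionMap(chain);
        return filter;
    }
}
```

Two layers do the work here: the filter chain decides by URL pattern and HTTP method before the request reaches Spring MVC, and the annotation plus the explicit checkPermission() / isPermitted() call inside the method decide using the already-bound path variable. A Realm then only has to hand out strings such as order:read:42 or order:* per user, which is what "different roles or users per endpoint" comes down to.
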
Ty80

You can write a method yourself

迷茫

Just use laravel

巴扎黑

HTTP Basic authentication!!!!
