首先，把用户的权限放在 JWT 里，登录的时候同时获取该用户的权限信息
具体实现方式各有不同
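// Collect the codes of the user's API-type permissions (reached through the user's roles)
// into one comma-separated string that is placed in the login info / JWT claims.
// Only permissions whose type is PermissionConstants.PY_API are included; everything
// else is ignored here. The claim is stored as a String (not a StringBuilder) so that
// whatever reads "apis" back from the claims can rely on its type.
// NOTE(review): permission codes are not written to stdout anymore — they are
// authorization data and do not belong in console output.
String apiCodes = user.getRoles().stream()
        .flatMap(role -> role.getPermissions().stream())
        .filter(permission -> permission.getType() == PermissionConstants.PY_API)
        // String.valueOf keeps the original StringBuilder.append semantics for a null code.
        .map(permission -> String.valueOf(permission.getCode()))
        .collect(java.util.stream.Collectors.joining(","));
loginInfo.put("apis", apiCodes);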
为接口设置 name 属性，访问的时候根据 name 得到该接口所需的权限
/**
 * Deletes the user identified by {@code id}.
 *
 * <p>The mapping's {@code name} ("API-USER-DELETE") is the permission code an
 * interceptor looks up before this method runs; the method itself does no
 * permission check.
 *
 * @param id path variable identifying the user to delete
 * @return {@code Result.SUCCESS()} when the service reports the deletion succeeded,
 *         otherwise {@code Result.FAIL()}
 */
@ApiOperation("根据ID删除User")
@DeleteMapping(value = "/user/{id}", name = "API-USER-DELETE")
public Result deleteById(@PathVariable String id) {
    if (userService.deleteById(id)) {
        return Result.SUCCESS();
    }
    return Result.FAIL();
}
设置拦截器，在拦截器里拦截 RestController.class 标注的控制器
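// Authenticate the request from "Authorization: Bearer <jwt>" and then authorize it by
// matching the handler's mapping name against the comma-separated "apis" claim that was
// stored at login. Any failure throws a CommonException (UNAUTHENTICATED / UNAUTHORISE).
String authorization = request.getHeader("Authorization");
if (!StringUtils.isEmpty(authorization) && authorization.startsWith("Bearer ")) {
    // substring instead of replace(): replace would also strip "Bearer " occurrences
    // inside the token itself.
    String token = authorization.substring("Bearer ".length()).trim();
    Claims claims = JwtUtils.parseJwt(token);
    if (claims == null) {
        throw new CommonException(ResultCode.UNAUTHENTICATED);
    }
    // Comma-separated API codes granted at login. A missing claim means no API access
    // rather than a NullPointerException; toString() also tolerates a non-String value.
    Object apisClaim = claims.get("apis");
    String apis = apisClaim == null ? "" : apisClaim.toString();
    // assumes handler is a HandlerMethod (annotated controller method) — the surrounding
    // interceptor is expected to have filtered on RestController.class; TODO confirm.
    HandlerMethod handlerMethod = (HandlerMethod) handler;
    RequestMapping annotation = handlerMethod.getMethodAnnotation(RequestMapping.class);
    // The mapping's name attribute is the permission code required for this endpoint.
    String name = annotation == null ? "" : annotation.name();
    // Fail closed for an unnamed mapping: apis.contains("") is always true, so an endpoint
    // without a name would otherwise be reachable by every authenticated user.
    if (name.isEmpty()) {
        throw new CommonException(ResultCode.UNAUTHORISE);
    }
    // Compare whole tokens, not substrings: with contains(), a granted "API-USER-DELETE-ALL"
    // would also satisfy a required "API-USER-DELETE".
    for (String granted : apis.split(",")) {
        if (granted.trim().equals(name)) {
            request.setAttribute("user_claims", claims);
            return true;
        }
    }
    throw new CommonException(ResultCode.UNAUTHORISE);
}
throw new CommonException(ResultCode.UNAUTHENTICATED);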