search

Home  >  Q&A  >  body text

java - 关于Rest风格的API的如何做权限控制

想要实现的效果是

比如如下两个接口
GET /order/{orderId}

POST /order/{orderId}/abc/{abcId}

想通过不同的角色或用户来分别限制他们能访问接口的某一个,即拥有权限的一个

现在的问题就是,通过什么样的方式能够将URL和上面的接口路径分别匹配上呢?
使用的是SpringMVC。

注:上面写的接口URL只是简单的,还有复杂的里面参数可以是正则表达式,或者两个参数通过特定字符串拼接的(如{param1}-{param2},所以匹配路径不能用正则来做,这块不太了解SpringMVC的底层是如何实现的,求大神解答。

PHPzPHPz2767 days ago758

reply all(6)I'll reply

  • 巴扎黑

    巴扎黑2017-04-17 17:10:50

    Why do I feel that the content of your question and the title have different meanings. Do you want to ask about permission control or path identification matching?

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 17:10:50

    You must use the implementation WebSecurityConfigurerAdapter
    As far as I know, the basic login of Spring security is User and Role.

    Each URL can be controlled by implementing configure(WebSecurity web) of WebSecurityConfigurerAdapter.

    For example, the following example account is in memory. After logging in, each resource can be restricted by hasRole():

            
    @EnableWebSecurity
    @Configuration
    public class CustomWebSecurityConfigurerAdapter extends
       WebSecurityConfigurerAdapter {
      @Autowired
      public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth
          .inMemoryAuthentication()
            .withUser("user")  // #1
              .password("password")
              .roles("USER")
              .and()
            .withUser("admin") // #2
              .password("password")
              .roles("ADMIN","USER");
      }
    
      @Override
      public void configure(WebSecurity web) throws Exception {
        web
          .ignoring()
             .antMatchers("/resources/**"); // #3
      }
    
      @Override
      protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeUrls()
            .antMatchers("/signup","/about").permitAll() // #4
            .antMatchers("/admin/**").hasRole("ADMIN") // #6
            .anyRequest().authenticated() // 7
            .and()
        .formLogin()  // #8
            .loginUrl("/login") // #9
            .permitAll(); // #5
      }
    }
    
    

    Reference: Official documentation

    reply
    0
  • ringa_lee

    ringa_lee2017-04-17 17:10:50

    The poster can go and learn about the shiro framework. For details, you can see here. It is a very good tutorial and easy to get started. This framework can solve your problems. http://jinnianshilongnian.ite...
    When used with spring mvc, it is like Like this

    @RestController
    @RequestMapping("material")
    public class MaterialController extends BaseController {
        @Autowired
        private MaterialService materialService;
    
        @RequestMapping(value = "{moduleId}/material", method = RequestMethod.GET)//限制了只接受get请求
        public Map queryMaterial(@PathVariable long moduleId) throws Exception {
            return resultMap(true, materialService.queryMaterial(moduleId));
        }
    
        @RequiresRoles("admin")//限制访问这个方法必须具备admin角色, 同样有RequiresPermission等其他权限注解
                               //可以根据不同的需求配置, 也可以通过其他方法实现动态权限控制
        @RequestMapping(value = "{moduleId}/preview", method = RequestMethod.GET)
        public Map preview(@PathVariable long moduleId) throws Exception {
            return resultMap(true, materialService.queryMaterialForPreview(moduleId));
        }
    }

    reply
    0
  • PHP中文网

    PHP中文网2017-04-17 17:10:50

    You can write a method yourself

    reply
    0
  • 迷茫

    迷茫2017-04-17 17:10:50

    Just use laravel

    reply
    0
  • 巴扎黑

    巴扎黑2017-04-17 17:10:50

    http base certification! ! ! !

    reply
    0
  • Cancelreply