java - 关于Rest风格的API的如何做权限控制

Question

想要实现的效果是

比如如下两个接口
GET /order/{orderId}

POST /order/{orderId}/abc/{abcId}

想通过不同的角色或用户来分别限制他们能访问接口的某一个，即拥有权限的一个

现在的问题就是，通过什么样的方式能够将URL和上面的接口路径分别匹配上呢？
使用的是SpringMVC。

注：上面写的接口URL只是简单的，还有复杂的里面参数可以是正则表达式，或者两个参数通过特定字符串拼接的（如{param1}-{param2}，所以匹配路径不能用正则来做，这块不太了解SpringMVC的底层是如何实现的，求大神解答。

Answer 1

Why do I feel that the content of your question and the title have different meanings. Do you want to ask about permission control or path identification matching?

Answer 2

You must use the implementation WebSecurityConfigurerAdapter
As far as I know, the basic login of Spring security is User and Role.

Each URL can be controlled by implementing configure(WebSecurity web) of WebSecurityConfigurerAdapter.

For example, the following example account is in memory. After logging in, each resource can be restricted by hasRole():

        
@EnableWebSecurity
@Configuration
public class CustomWebSecurityConfigurerAdapter extends
   WebSecurityConfigurerAdapter {
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) {
    auth
      .inMemoryAuthentication()
        .withUser("user")  // #1
          .password("password")
          .roles("USER")
          .and()
        .withUser("admin") // #2
          .password("password")
          .roles("ADMIN","USER");
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    web
      .ignoring()
         .antMatchers("/resources/**"); // #3
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeUrls()
        .antMatchers("/signup","/about").permitAll() // #4
        .antMatchers("/admin/**").hasRole("ADMIN") // #6
        .anyRequest().authenticated() // 7
        .and()
    .formLogin()  // #8
        .loginUrl("/login") // #9
        .permitAll(); // #5
  }
}

Reference: Official documentation

Answer 3

The poster can go and learn about the shiro framework. For details, you can see here. It is a very good tutorial and easy to get started. This framework can solve your problems. http://jinnianshilongnian.ite...
When used with spring mvc, it is like Like this

@RestController
@RequestMapping("material")
public class MaterialController extends BaseController {
    @Autowired
    private MaterialService materialService;

    @RequestMapping(value = "{moduleId}/material", method = RequestMethod.GET)//限制了只接受get请求
    public Map queryMaterial(@PathVariable long moduleId) throws Exception {
        return resultMap(true, materialService.queryMaterial(moduleId));
    }

    @RequiresRoles("admin")//限制访问这个方法必须具备admin角色, 同样有RequiresPermission等其他权限注解
                           //可以根据不同的需求配置, 也可以通过其他方法实现动态权限控制
    @RequestMapping(value = "{moduleId}/preview", method = RequestMethod.GET)
    public Map preview(@PathVariable long moduleId) throws Exception {
        return resultMap(true, materialService.queryMaterialForPreview(moduleId));
    }
}

Answer 4

You can write a method yourself

Answer 5

Just use laravel

Answer 6

http base certification! ! ! !