2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to intercept RESTful interface calls at the gateway layer and check them against the caller's permissions. Many people are unsure how to do this for RESTful APIs, so the steps below walk through a concrete case and the code changes that fix it.
Scenario demonstration
Let's look at an actual case. Add a blog user management function to the account-service module with the following API methods:
    API URL              HTTP method   API description
    /blog/user           POST          Save user
    /blog/user/{id}      GET           Query user
    /blog/user/{id}      DELETE        Delete user
    /blog/user/{id}      PUT           Update user information
Then we add two user permissions to the sys_permission table and grant them to the user role.
In the verification method of the gateway layer you can see that the two permissions have been added.
Because the gateway matches permissions on the URL path alone, and DELETE and PUT share the path /blog/user/{id} with GET, a user who has been granted only the query permission also effectively has permission to delete and update.
Solution
Most readers will have realised by now that fine-grained permission management for a RESTful API cannot be achieved through the URL path alone; the HTTP method has to be taken into account as well.
The key point is this: "add a method field to the permission table, and when the gateway performs its check, match both the request path and the request method." The implementation steps are as follows:
1. Modify the permission table and add a method field.
2. When loadUserByUsername() builds the user's permissions, concatenate each permission's HTTP method onto its URL. The key code is as follows:
    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
        // look up the local user
        SysUser sysUser = sysUserMapper.selectByUserName(userName);
        if (sysUser != null) {
            // get all roles of the current user
            List<SysRole> roleList = sysRoleService.listRolesByUserId(sysUser.getId());
            sysUser.setRoles(roleList.stream().map(SysRole::getRoleCode).collect(Collectors.toList()));
            // role id type assumed to be Long
            List<Long> roleIds = roleList.stream().map(SysRole::getId).collect(Collectors.toList());
            // get the permissions of all those roles
            List<SysPermission> permissionList = sysPermissionService.listPermissionsByRoles(roleIds);
            // prepend the HTTP method to each permission URL: "[METHOD]url"
            List<String> permissionUrlList = permissionList.stream()
                    .map(item -> "[" + item.getMethod() + "]" + item.getUrl())
                    .collect(Collectors.toList());
            sysUser.setPermissions(permissionUrlList);
            // build the OAuth2 user details
            return buildUserDetails(sysUser);
        } else {
            throw new UsernameNotFoundException("user [" + userName + "] does not exist");
        }
    }
The user permissions built by the code above now look like this:
    [GET]/account-service/blog/user/{id}
    [POST]/account-service/blog/user
You can inspect them while debugging the code.
3. The permission verification method AccessManager#check() renders the incoming request in the same [METHOD]requestPath format and checks it against those permissions:
    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> authenticationMono, AuthorizationContext authorizationContext) {
        ServerWebExchange exchange = authorizationContext.getExchange();
        ServerHttpRequest request = exchange.getRequest();
        // the requested resource
        String requestPath = request.getURI().getPath();
        // prepend the method: "[METHOD]path"
        String methodPath = "[" + request.getMethod() + "]" + requestPath;
        // 1. let CORS preflight requests straight through
        if (request.getMethod() == HttpMethod.OPTIONS) {
            return Mono.just(new AuthorizationDecision(true));
        }
        // 2. paths configured as permitAll need no authentication
        if (permitAll(requestPath)) {
            return Mono.just(new AuthorizationDecision(true));
        }
        // 3. otherwise match the authenticated user's "[METHOD]url" permissions against methodPath
        return authenticationMono.map(auth -> new AuthorizationDecision(checkAuthorities(auth, methodPath)))
                .defaultIfEmpty(new AuthorizationDecision(false));
    }
The check method checkAuthorities():
    private boolean checkAuthorities(Authentication auth, String requestPath) {
        if (auth instanceof OAuth2Authentication) {
            OAuth2Authentication authentication = (OAuth2Authentication) auth;
            String clientId = authentication.getOAuth2Request().getClientId();
            log.info("clientId is {}", clientId);
            // the user's set of granted permissions
            Collection
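The following is an added example, not code from the article or its project: it models the gateway's path-only check and the corrected [METHOD]path check in plain Java without Spring (the segment matcher stands in for Spring's Ant-style path matching, and the Permission record and class name are assumptions), so you can see that only the corrected form refuses DELETE and PUT on /blog/user/{id} when the user holds just the GET permission.

```java
import java.util.List;

// Added example (not the article's code): a dependency-free model of the gateway's
// permission match, runnable with `java PermissionCheckDemo.java` on Java 16+.
public class PermissionCheckDemo {

    // One row of sys_permission after the method column was added.
    record Permission(String method, String url) {
        // The same "[METHOD]url" string the article's loadUserByUsername() builds.
        String key() { return "[" + method + "]" + url; }
    }

    // Segment-wise template match: "{id}"-style segments accept any single path
    // segment, every other segment must be equal. Assumed to stand in for the
    // Ant-style matcher a Spring gateway would normally use.
    static boolean pathMatches(String template, String path) {
        String[] t = template.split("/");
        String[] p = path.split("/");
        if (t.length != p.length) return false;
        for (int i = 0; i < t.length; i++) {
            boolean variable = t[i].startsWith("{") && t[i].endsWith("}");
            if (!variable && !t[i].equals(p[i])) return false;
        }
        return true;
    }

    // Before the fix: only the URL path is compared, so a permission granted for
    // GET /blog/user/{id} also satisfies DELETE and PUT on the same path.
    static boolean checkPathOnly(List<Permission> granted, String requestPath) {
        return granted.stream().anyMatch(perm -> pathMatches(perm.url(), requestPath));
    }

    // After the fix: the request is rendered as "[METHOD]path", exactly as
    // AccessManager#check() does, and matched against the "[METHOD]url" keys.
    static boolean checkMethodAndPath(List<Permission> granted, String method, String requestPath) {
        String methodPath = "[" + method + "]" + requestPath;
        return granted.stream().anyMatch(perm -> pathMatches(perm.key(), methodPath));
    }

    public static void main(String[] args) {
        // Constructed sample: the two permissions the article grants to the user role.
        List<Permission> userRole = List.of(
                new Permission("POST", "/account-service/blog/user"),
                new Permission("GET", "/account-service/blog/user/{id}"));
        String path = "/account-service/blog/user/42";
        for (String method : List.of("GET", "PUT", "DELETE")) {
            System.out.printf("%-6s %s  path-only=%-5s method+path=%s%n", method, path,
                    checkPathOnly(userRole, path), checkMethodAndPath(userRole, method, path));
        }
    }
}
```

The loop prints one line per method; the path-only column is the same for all three, while the method+path column is true for GET only.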