1.自定义注释
package com.hsfw.backyard.biz.security.authority; import java.lang.annotation.*; /** * 数据权限过滤自定义注解 * * @Description * @Author: liucq * @Date: 2018/12/14 */ @Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @Documented public @interface UserPermissionAop { String value() default ""; }
2.Utils
package com.hsfw.backyard.biz.security.authority.util; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.Method; public class ReflectUtil { /** * 利用反射获取指定对象的指定属性 * * @param obj 目标对象 * @param fieldName 目标属性 * @return 目标属性的值 */ public static Object getFieldValue(Object obj, String fieldName) { Object result = null; Field field = ReflectUtil.getField(obj, fieldName); if (field != null) { field.setAccessible(true); try { result = field.get(obj); } catch (IllegalArgumentException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IllegalAccessException e) { // TODO Auto-generated catch block e.printStackTrace(); } } return result; } /** * 利用反射获取指定对象里面的指定属性 * * @param obj 目标对象 * @param fieldName 目标属性 * @return 目标字段 */ private static Field getField(Object obj, String fieldName) { Field field = null; for (Class<?> clazz = obj.getClass(); clazz != Object.class; clazz = clazz.getSuperclass()) { try { field = clazz.getDeclaredField(fieldName); break; } catch (NoSuchFieldException e) { // 这里不用做处理,子类没有该字段可能对应的父类有,都没有就返回null。 } } return field; } /** * 利用反射设置指定对象的指定属性为指定的值 * * @param obj 目标对象 * @param fieldName 目标属性 * @param fieldValue 目标值 */ public static void setFieldValue(Object obj, String fieldName, String fieldValue) { Field field = ReflectUtil.getField(obj, fieldName); if (field != null) { try { field.setAccessible(true); field.set(obj, fieldValue); } catch (IllegalArgumentException e) { // TODO Auto-generated catch block e.printStackTrace(); } catch (IllegalAccessException e) { // TODO Auto-generated catch block e.printStackTrace(); } } } /** * 根据文件路径 获取反射对象并执行对应方法 * * @author GaoYuan * @date 2018/4/17 上午9:51 */ public static Object reflectByPath(String path) { try { //获取类名 String className = path.substring(0, path.lastIndexOf(".")); //获取方法名 String methodName = path.substring(path.lastIndexOf(".") + 1, path.length()); // 获取字节码文件对象 Class c = Class.forName(className); Constructor con = c.getConstructor(); Object obj = con.newInstance(); // public Method getMethod(String name,Class<?>... parameterTypes) // 第一个参数表示的方法名,第二个参数表示的是方法的参数的class类型 Method method = c.getMethod(methodName); // 调用obj对象的 method 方法 return method.invoke(obj); } catch (Exception e) { e.printStackTrace(); } return null; } }
package com.hsfw.backyard.biz.security.authority.util;//package com.foruo.sc.permission.example.util; import com.hsfw.backyard.biz.security.authority.UserPermissionAop; import org.apache.ibatis.mapping.MappedStatement; import java.lang.reflect.Method; public class PermissionUtils { public static UserPermissionAop getPermissionByDelegate(MappedStatement mappedStatement) { UserPermissionAop permissionAop = null; try { String id = mappedStatement.getId(); String className = id.substring(0, id.lastIndexOf(".")); String methodName = id.substring(id.lastIndexOf(".") + 1, id.length()); final Class cls = Class.forName(className); final Method[] method = cls.getMethods(); for (Method me : method) { if (me.getName().equals(methodName) && me.isAnnotationPresent(UserPermissionAop.class)) { permissionAop = me.getAnnotation(UserPermissionAop.class); } } } catch (Exception e) { e.printStackTrace(); } return permissionAop; } }
3.mybatis
package com.hsfw.backyard.biz.security.authority.mybatis; import com.hsfw.backyard.biz.ContextHolder; import com.hsfw.backyard.biz.model.sys.User; import com.hsfw.backyard.biz.security.authority.UserPermissionAop; import com.hsfw.backyard.biz.security.authority.util.PermissionUtils; import com.hsfw.backyard.biz.security.authority.util.ReflectUtil; import com.hsfw.backyard.dal.mapper.model.UserDataManageDO; import org.apache.ibatis.executor.statement.RoutingStatementHandler; import org.apache.ibatis.executor.statement.StatementHandler; import org.apache.ibatis.mapping.BoundSql; import org.apache.ibatis.mapping.MappedStatement; import org.apache.ibatis.plugin.*; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; import java.sql.Connection; import java.util.List; import java.util.Properties; @Intercepts({ @Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class}) }) @Component public class PrepareInterceptor implements Interceptor { private static final Logger log = LoggerFactory.getLogger(PrepareInterceptor.class); @Override public Object plugin(Object target) { return Plugin.wrap(target, this); } @Override public void setProperties(Properties properties) { } @Override public Object intercept(Invocation invocation) throws Throwable { if (log.isInfoEnabled()) { log.info("进入 PrepareInterceptor 拦截器..."); } if (invocation.getTarget() instanceof RoutingStatementHandler) { RoutingStatementHandler handler = (RoutingStatementHandler) invocation.getTarget(); StatementHandler delegate = (StatementHandler) ReflectUtil.getFieldValue(handler, "delegate"); //通过反射获取delegate父类BaseStatementHandler的mappedStatement属性 MappedStatement mappedStatement = (MappedStatement) ReflectUtil.getFieldValue(delegate, "mappedStatement"); BoundSql boundSql = delegate.getBoundSql(); ReflectUtil.setFieldValue(boundSql, "sql", permissionSql(boundSql.getSql(), mappedStatement)); } return invocation.proceed(); } /** * 权限sql包装,以及是否需要包装 * * @param sql * @return */ protected String permissionSql(String sql, MappedStatement mappedStatement) { UserPermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement); StringBuilder sbSql = new StringBuilder(sql); if (permissionAop != null) { String id = mappedStatement.getId(); String methodName = id.substring(id.lastIndexOf(".") + 1, id.length()); //方法过滤,待讨论 if (methodName.equals("countByCondition") || methodName.equals("pageByCondition")) { return getAppendSql(sbSql, methodName); } } return sbSql.toString(); } /** * sql拼接 * * @param sbSql * @param methodName * @return */ public String getAppendSql(StringBuilder sbSql, String methodName) { //当前用户信息 User user = ContextHolder.user(); List<UserDataManageDO> managedUserList = user.getUserDatalist(); String findUserList = String.valueOf(user.getId()); for (int i = 0; i < managedUserList.size(); i++) { findUserList.concat("," + String.valueOf(managedUserList.get(i).getManagedUserId())); } if (methodName.equals("countByCondition")) { sbSql = sbSql.append(" and operate_user_id in (" + findUserList + ") "); } else { sbSql = new StringBuilder("select * from (").append(sbSql).append(" ) temp where temp.operate_user_id in (" + findUserList + ") "); } return sbSql.toString(); } }
package com.hsfw.backyard.biz.security.authority.mybatis; import com.hsfw.backyard.biz.security.authority.UserPermissionAop; import com.hsfw.backyard.biz.security.authority.util.PermissionUtils; import com.hsfw.backyard.biz.security.authority.util.ReflectUtil; import org.apache.ibatis.executor.resultset.ResultSetHandler; import org.apache.ibatis.mapping.MappedStatement; import org.apache.ibatis.plugin.*; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Component; import java.lang.reflect.Method; import java.sql.Statement; import java.util.ArrayList; import java.util.Properties; @Intercepts({ @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class}) }) @Component public class ResultInterceptor implements Interceptor { /** * 日志 */ private static final Logger log = LoggerFactory.getLogger(ResultInterceptor.class); @Override public Object plugin(Object target) { return Plugin.wrap(target, this); } @Override public void setProperties(Properties properties) { } @Override public Object intercept(Invocation invocation) throws Throwable { if (log.isInfoEnabled()) { log.info("进入 ResultInterceptor 拦截器..."); } ResultSetHandler resultSetHandler1 = (ResultSetHandler) invocation.getTarget(); //通过java反射获得mappedStatement属性值 //可以获得mybatis里的resultype MappedStatement mappedStatement = (MappedStatement) ReflectUtil.getFieldValue(resultSetHandler1, "mappedStatement"); //获取切面对象 UserPermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement); //执行请求方法,并将所得结果保存到result中 Object result = invocation.proceed(); if (permissionAop != null) { if (result instanceof ArrayList) { ArrayList resultList = (ArrayList) result; for (int i = 0; i < resultList.size(); i++) { Object oi = resultList.get(i); Class c = oi.getClass(); Class[] types = {String.class}; Method method = c.getMethod("setRegionCd", types); // 调用obj对象的 method 方法 method.invoke(oi, ""); if (log.isInfoEnabled()) { log.info("数据权限处理【过滤结果】..."); } } } } return result; } }