前言:常规来说,我们在做权限的时候,基本就是这么几个要素:用户、角色、资源(权限点)。角色本质上是给资源分组,这样不同的group具有不同的权限来控制用户更方便一些。
一般情况下,web应用的权限控制都会设计成把请求路径(也就是url,实质是uri)作为权限点来赋予角色不同的权限,在拦截器获取用户信息后,根据用户的角色找到对应的权限点,并与当前的请求路径匹配,最终返回是否具有权限。
那么,今天我想说的是,在一般的web项目中,在spring(MVC)框架下,我们是怎么灵活使用spring框架本身完成权限校验的。
对于一个web请求来说,我们都能得到一个HttpServletRequest对象,那么这个request对象有很多信息决定了这个请求的唯一性:请求路径uri、请求方法(常用rest风格的GET/POST/PUT/DELETE...)、请求参数params、请求头header(主要包括Content-Type、Referer、User-Agent、Cookie)等,可惜传统的权限控制实现方式是比较局限的,而且严重限制了制定rest风格的url。
所以,springmvc是怎么将当前request对象和所有controller的请求进行匹配的呢?我们可以利用这个机制实现权限控制。
OK,源码分析正式开始:
part I
springmvc继承了servlet的核心处理类:
org.springframework.web.servlet.DispatcherServlet extends javax.servlet.http.HttpServlet
而方法核心处理方法
org.springframework.web.servlet.DispatcherServlet#doService
调用了
org.springframework.web.servlet.DispatcherServlet#doDispatch
继续往下,又调用了
org.springframework.web.servlet.DispatcherServlet#getHandler
OK,这个方法里面我们会看到一个接口org.springframework.web.servlet.HandlerMapping,这是处理映射的最基础的接口。
来看看它的实现:
org.springframework.web.servlet.handler.AbstractHandlerMapping#getHandler
再看调用:
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#getHandlerInternal
// Handler method lookup /** * Look up a handler method for the given request. */ @Override protected HandlerMethod getHandlerInternal(HttpServletRequest request) throws Exception { String lookupPath = getUrlPathHelper().getLookupPathForRequest(request);// 查找当前的uri if (logger.isDebugEnabled()) { logger.debug("Looking up handler method for path " + lookupPath); } this.mappingRegistry.acquireReadLock(); try { HandlerMethod handlerMethod = lookupHandlerMethod(lookupPath, request);// 查找处理方法 if (logger.isDebugEnabled()) { if (handlerMethod != null) { logger.debug("Returning handler method [" + handlerMethod + "]"); } else { logger.debug("Did not find handler method for [" + lookupPath + "]"); } } return (handlerMethod != null ? handlerMethod.createWithResolvedBean() : null); } finally { this.mappingRegistry.releaseReadLock(); } }
来看org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod
/** * Look up the best-matching handler method for the current request. * If multiple matches are found, the best match is selected. * @param lookupPath mapping lookup path within the current servlet mapping * @param request the current request * @return the best-matching handler method, or {@code null} if no match * @see #handleMatch(Object, String, HttpServletRequest) * @see #handleNoMatch(Set, String, HttpServletRequest) */ protected HandlerMethod lookupHandlerMethod(String lookupPath, HttpServletRequest request) throws Exception { List<Match> matches = new ArrayList<Match>(); List<T> directPathMatches = this.mappingRegistry.getMappingsByUrl(lookupPath);// 根据uri获取所有的请求匹配,这里是一个列表,因为有些请求可能uri相同,method、参数等不同 // 其中这个类有两个变量很重要,1、org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.MappingRegistry#mappingLookup是一个RequestMappingInfo为key,HanderMethod为value的Map;2、org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.MappingRegistry#urlLookup是一个uri为key,RequestMappingInfo为value的Map if (directPathMatches != null) { addMatchingMappings(directPathMatches, matches, request);// 这里把直接匹配的进行二次筛选,具体看下面代码分析 } if (matches.isEmpty()) { // No choice but to go through all mappings... addMatchingMappings(this.mappingRegistry.getMappings().keySet(), matches, request); } if (!matches.isEmpty()) { Comparator<Match> comparator = new MatchComparator(getMappingComparator(request));// 给匹配到的列表根据优先级排序,以选择最佳匹配 Collections.sort(matches, comparator); if (logger.isTraceEnabled()) { logger.trace("Found " + matches.size() + " matching mapping(s) for [" + lookupPath + "] : " + matches); } Match bestMatch = matches.get(0); if (matches.size() > 1) { if (CorsUtils.isPreFlightRequest(request)) { return PREFLIGHT_AMBIGUOUS_MATCH; } Match secondBestMatch = matches.get(1); if (comparator.compare(bestMatch, secondBestMatch) == 0) { Method m1 = bestMatch.handlerMethod.getMethod(); Method m2 = secondBestMatch.handlerMethod.getMethod(); throw new IllegalStateException("Ambiguous handler methods mapped for HTTP path '" + request.getRequestURL() + "': {" + m1 + ", " + m2 + "}"); } } handleMatch(bestMatch.mapping, lookupPath, request); return bestMatch.handlerMethod; } else { return handleNoMatch(this.mappingRegistry.getMappings().keySet(), lookupPath, request); } }
继续看怎么进行二次筛选的:
/** * Checks if all conditions in this request mapping info match the provided request and returns * a potentially new request mapping info with conditions tailored to the current request. * <p>For example the returned instance may contain the subset of URL patterns that match to * the current request, sorted with best matching patterns on top. * @return a new instance in case all conditions match; or {@code null} otherwise */ @Override public RequestMappingInfo getMatchingCondition(HttpServletRequest request) { // 这里很关键了,这个方法是进一步把request对象和当前RequestMappingInfo的各个条件做比对进行匹配。所以这里匹配分为两步:第一步,匹配uri,第二步匹配其他condition。而这里陈列的conditions也是区分request对象是否唯一的所有条件。 RequestMethodsRequestCondition methods = this.methodsCondition.getMatchingCondition(request); ParamsRequestCondition params = this.paramsCondition.getMatchingCondition(request); HeadersRequestCondition headers = this.headersCondition.getMatchingCondition(request); ConsumesRequestCondition consumes = this.consumesCondition.getMatchingCondition(request); ProducesRequestCondition produces = this.producesCondition.getMatchingCondition(request); if (methods == null || params == null || headers == null || consumes == null || produces == null) { return null; } PatternsRequestCondition patterns = this.patternsCondition.getMatchingCondition(request); if (patterns == null) { return null; } RequestConditionHolder custom = this.customConditionHolder.getMatchingCondition(request); if (custom == null) { return null; } return new RequestMappingInfo(this.name, patterns, methods, params, headers, consumes, produces, custom.getCondition()); }
part II
接下来,我们看看spring怎么初始化所有的controller请求到内存的:
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping#afterPropertiesSet (实现了接口InitializingBean,bean实例化完成时执行)
这个方法会调用
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#initHandlerMethods
然后调用
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#detectHandlerMethods
继而调用
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#registerHandlerMethod
紧接着调用
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping.MappingRegistry#register
public void register(T mapping, Object handler, Method method) { // 这个方法就是将controller的请求和所在的类、方法一起注册到对应的变量中,放在内存供后续使用 this.readWriteLock.writeLock().lock(); try { HandlerMethod handlerMethod = createHandlerMethod(handler, method); assertUniqueMethodMapping(handlerMethod, mapping); if (logger.isInfoEnabled()) { logger.info("Mapped \"" + mapping + "\" onto " + handlerMethod); } this.mappingLookup.put(mapping, handlerMethod);// 赋值为map1,结构上文有说 List<String> directUrls = getDirectUrls(mapping); for (String url : directUrls) { this.urlLookup.add(url, mapping);// 赋值为map2,结构上文有说 } String name = null; if (getNamingStrategy() != null) { name = getNamingStrategy().getName(handlerMethod, mapping); addMappingName(name, handlerMethod); } CorsConfiguration corsConfig = initCorsConfiguration(handler, method, mapping); if (corsConfig != null) { this.corsLookup.put(handlerMethod, corsConfig); } this.registry.put(mapping, new MappingRegistration<T>(mapping, handlerMethod, directUrls, name)); } finally { this.readWriteLock.writeLock().unlock(); } }
注:核心的RequestMappingInfo这个类就是@RequestMapping注解的映射;
有些注释在贴的代码中夹杂着。。
part III
那么分析基本告一段落,我们只需要把
org.springframework.web.servlet.handler.AbstractHandlerMethodMapping#lookupHandlerMethod
稍微改造一下就行了。
附上改造后的入口代码:
package com.xxx.cms.web.interceptor; import com.google.common.collect.Maps; import com.xxx.cms.ucenter.domain.resource.PlatResource; import com.xxx.cms.ucenter.domain.user.User; import com.xxx.cms.ucenter.service.role.AccessPermissionService; import com.xxx.cms.web.access.AbstractHandlerMethodMapping; import com.xxx.cms.web.access.RequestMappingHandlerMapping; import com.xxx.cms.web.base.Constant; import com.xxx.cms.web.component.UserInfoService; import com.xxx.session.SessionException; import org.apache.commons.lang3.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition; import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition; import org.springframework.web.servlet.mvc.method.RequestMappingInfo; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.util.List; import java.util.Map; /** * 用户权限校验拦截器 * * @author caiya * @since 1.0 */ public class UserAccessInterceptor extends HandlerInterceptorAdapter { private static final Logger logger = LoggerFactory.getLogger(UserAccessInterceptor.class); public static Map<String, AbstractHandlerMethodMapping<RequestMappingInfo>> MAPPING_CACHE_MAP = Maps.newConcurrentMap(); private final UserInfoService userInfoService; private final AccessPermissionService accessPermissionService; public UserAccessInterceptor(UserInfoService userInfoService, AccessPermissionService accessPermissionService) { this.userInfoService = userInfoService; this.accessPermissionService = accessPermissionService; } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { // 获取用户信息 User user = userInfoService.getUserInfo(Constant.getSessionId(request)); if (user == null) { throw new SessionException("用户会话失效!"); } // 权限校验 if (!match(user.getRoleId(), request)) { throw new IllegalAccessException("用户没有权限做此操作!"); } return super.preHandle(request, response, handler); } private boolean match(Long currentRoleId, HttpServletRequest request) throws Exception { // 先查询缓存,这里以role为key进行缓存 String currentAccessCacheKey = "access:roleId-" + currentRoleId; AbstractHandlerMethodMapping<RequestMappingInfo> currentMapping = MAPPING_CACHE_MAP.get(currentAccessCacheKey);// 从本地缓存获取数据 if (currentMapping == null) { // 查询数据库(这里会有另外的缓存) Map<Long, List<PlatResource>> accessMap = accessPermissionService.getRoleResources(); for (Map.Entry<Long, List<PlatResource>> entry : accessMap.entrySet()) { AbstractHandlerMethodMapping<RequestMappingInfo> mapping = new RequestMappingHandlerMapping(); List<PlatResource> resources = entry.getValue(); for (PlatResource resource : resources) { if (StringUtils.isBlank(resource.getUrlPath()) && StringUtils.isBlank(resource.getMethod())) { continue; } PatternsRequestCondition patternsCondition = new PatternsRequestCondition(resource.getUrlPath()); RequestMethodsRequestCondition methodsCondition = new RequestMethodsRequestCondition(RequestMethod.valueOf(resource.getMethod())); // reserve other conditions.. RequestMappingInfo requestMappingInfo = new RequestMappingInfo(null, patternsCondition, methodsCondition, null, null, null, null, null); mapping.registerMapping(requestMappingInfo, this.getClass(), this.getClass().getMethods()[0]);// ignore these params } if (entry.getKey().equals(currentRoleId)) { currentMapping = mapping; } try { // TODO 设置本地缓存,注意缓存更新策略 String accessCacheKey = "access:roleId-" + entry.getKey(); // MAPPING_CACHE_MAP.put(accessCacheKey, mapping); } catch (Exception e) { logger.error(e.getMessage(), e); } } } if (currentMapping == null) { return false; } AbstractHandlerMethodMapping.Match match = currentMapping.getBestMatch(request); return match != null && match.getMapping() != null; } }
其中改造了三个spring的类:
import com.xxx.cms.ucenter.service.role.AccessPermissionService;
import com.xxx.cms.web.access.AbstractHandlerMethodMapping;
import com.xxx.cms.web.access.RequestMappingHandlerMapping;
我想,这里就不必贴了吧。
文章编写急促,还请谅解。另欢迎交流~