Open
Description
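The backend resource configuration usually does not include `server.servlet.context-path`. If that value is configured, the required permissions cannot be found using the current path. I suggest removing the context-path when obtaining the path in `com.macro.mall.security.component.DynamicAuthorizationManager`.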
```java
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext requestAuthorizationContext) {
    HttpServletRequest request = requestAuthorizationContext.getRequest();
    // Strip the context-path so the path lines up with the configured resource URLs
    String path = request.getRequestURI().substring(request.getContextPath().length());
    PathMatcher pathMatcher = new AntPathMatcher();
    // Whitelisted paths are allowed straight through
    List<String> ignoreUrls = ignoreUrlsConfig.getUrls();
    for (String ignoreUrl : ignoreUrls) {
        if (pathMatcher.match(ignoreUrl, path)) {
            return new AuthorizationDecision(true);
        }
    }
    // Permission check logic
    List<ConfigAttribute> configAttributeList = securityDataSource.getConfigAttributesWithPath(path);
    List<String> needAuthorities = configAttributeList.stream()
            .map(ConfigAttribute::getAttribute)
            .collect(Collectors.toList());
    ...
}
```
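The lookup mismatch described in this issue, as an added stand-alone Java example that is not code from the mall project or from the issue author. The resource table, the `/mall-admin` context path, the authority strings and the simplified matcher (a stand-in for Spring's `AntPathMatcher` that handles only exact paths and a trailing `/**`) are assumptions made for illustration.

```java
import java.util.*;

public class ContextPathLookupDemo {
    // Constructed resource table: URL pattern -> required authority (hypothetical values).
    static final Map<String, String> RESOURCES = new LinkedHashMap<>();
    static {
        RESOURCES.put("/brand/**", "1:brand-management");
        RESOURCES.put("/product/**", "2:product-management");
    }

    // Simplified stand-in for Ant-style matching: exact path or trailing "/**" only.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Authorities required for a path, in the spirit of getConfigAttributesWithPath(path).
    static List<String> requiredAuthorities(String path) {
        List<String> needed = new ArrayList<>();
        for (Map.Entry<String, String> e : RESOURCES.entrySet()) {
            if (matches(e.getKey(), path)) needed.add(e.getValue());
        }
        return needed;
    }

    // Application-relative path: the request URI with the context path removed.
    static String applicationPath(String requestUri, String contextPath) {
        if (contextPath == null || contextPath.isEmpty()) return requestUri; // root context
        if (requestUri.equals(contextPath)) return "/";
        if (requestUri.startsWith(contextPath + "/")) {
            return requestUri.substring(contextPath.length());
        }
        // Refuse to guess rather than cut an unrelated URI at an arbitrary offset.
        throw new IllegalArgumentException("request URI is outside the context path");
    }

    public static void main(String[] args) {
        String contextPath = "/mall-admin";           // constructed server.servlet.context-path
        String requestUri = "/mall-admin/brand/list"; // constructed getRequestURI() value
        System.out.println("raw URI      -> " + requiredAuthorities(requestUri));
        System.out.println("stripped URI -> "
                + requiredAuthorities(applicationPath(requestUri, contextPath)));
        System.out.println("root context -> "
                + requiredAuthorities(applicationPath("/brand/list", "")));
    }
}
```

With a context path set, the raw URI matches no configured resource, while the stripped path resolves to the same authority as a deployment with no context path.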