业务场景:
根据业务需要,这里将角色按照数据范围做权限限定,提供三级权限分别为:
1、全部:可以查看所有的数据
2、自定义:按照组织架构,可以查看当前所匹配的组织架构数据
3、个人:仅能查看由自己创建,或者数据流转到自己节点的数据
思路:
1、定义Mybatis拦截器DataScopeInterceptor,用于每次拦截查询sql语句,附带数据范围权限sql条件
2、定义注解DataScope,用来声明哪些操作需要做范围限制
3、springboot装配该拦截器
注:这里如果有使用MybatisPlus的分页插件,需要保证执行顺序:DataScopeInterceptor > PaginationInterceptor
步骤:
1、定义Mybatis拦截器DataScopeInterceptor
| /** | |
| * 数据权限拦截器 | |
| * ALL = 全部 | |
| * CUSTOMIZE = 自定义 | |
| * SELF = 个人 | |
| * | |
| * @author Shamee | |
| * @date 2021-04-16 | |
| */ | |
| ({(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})}) | |
| public class DataScopeInterceptor extends AbstractSqlParserHandler implements Interceptor { | |
| final private Function<String, Map<String, Object>> function; | |
| public Object intercept(Invocation invocation) throws Throwable { | |
| LOGGER.info("mybatis sql注入..."); | |
| StatementHandler statementHandler = (StatementHandler) PluginUtils.realTarget(invocation.getTarget()); | |
| MetaObject metaObject = SystemMetaObject.forObject(statementHandler); | |
| this.sqlParser(metaObject); | |
| // 先判断是不是SELECT操作 | |
| MappedStatement mappedStatement = (MappedStatement) metaObject.getValue("delegate.mappedStatement"); | |
| if (!SqlCommandType.SELECT.equals(mappedStatement.getSqlCommandType())) { | |
| return invocation.proceed(); | |
| } | |
| BoundSql boundSql = (BoundSql) metaObject.getValue("delegate.boundSql"); | |
| String originalSql = boundSql.getSql(); | |
| com.ruijie.upc.app.common.annotation.DataScope dsAnnotation = isDataScope(mappedStatement.getId()); | |
| // 不含该注解,或者注解不开启DataScope校验 | |
| if (ObjectUtil.isNull(dsAnnotation) || !dsAnnotation.isDataScope()) { | |
| return invocation.proceed(); | |
| } | |
| String[] orgScopeNames = dsAnnotation.orgScopeNames(); | |
| String[] selfScopeNames = dsAnnotation.selfScopeNames(); | |
| String userId = ShiroUtils.getCurrentUserId(); | |
| List<String> areaIds = new ArrayList<>(); | |
| DataScopeType dsType = DataScopeType.SELF; | |
| if (CollectionUtil.isEmpty(areaIds)) { | |
| //查询当前用户的 角色 最小权限 | |
| Map<String, Object> result = function.apply(userId); | |
| if (result == null) { | |
| return invocation.proceed(); | |
| } | |
| Integer dataScopeType = (Integer) result.get("dataScopeType"); | |
| dsType = DataScopeType.get(dataScopeType); | |
| areaIds = (List<String>) result.get("areaIds"); | |
| } | |
| //查全部 | |
| if (DataScopeType.ALL.equals(dsType)) { | |
| return invocation.proceed(); | |
| } | |
| //查个人 | |
| if (DataScopeType.SELF.equals(dsType)) { | |
| if(selfScopeNames != null && selfScopeNames.length > 0){ | |
| String collect = Arrays.asList(selfScopeNames).stream().map(o -> { | |
| return "temp_data_scope." + o + "='" + userId + "'"; | |
| }).collect(Collectors.joining(" or ")); | |
| originalSql = "select * from (" + originalSql + ") temp_data_scope where (" + collect + ")"; | |
| } | |
| } | |
| //查其他 | |
| else if (orgScopeNames != null && orgScopeNames.length > 0) { | |
| String join = CollectionUtil.join(areaIds, ","); | |
| String collect = Arrays.asList(selfScopeNames).stream().map(o -> { | |
| return "temp_data_scope." + o + " in (" + join + ")"; | |
| }).collect(Collectors.joining(" or ")); | |
| originalSql = "select * from (" + originalSql + ") temp_data_scope where (" + collect + ")"; | |
| } | |
| metaObject.setValue("delegate.boundSql.sql", originalSql); | |
| return invocation.proceed(); | |
| } | |
| public Object plugin(Object o) { | |
| if (o instanceof StatementHandler) { | |
| return Plugin.wrap(o, this); | |
| } | |
| return o; | |
| } | |
| public void setProperties(Properties properties) { | |
| } | |
| /** | |
| * 校验是否含有DataScope注解 | |
| * @param namespace | |
| * @return | |
| * @throws ClassNotFoundException | |
| */ | |
| private com.ruijie.upc.app.common.annotation.DataScope isDataScope(String namespace) throws ClassNotFoundException { | |
| if(StrUtil.isBlank(namespace)){ | |
| return null; | |
| } | |
| //获取mapper名称 | |
| String className = namespace.substring(0, namespace.lastIndexOf(".")); | |
| //获取方法名 | |
| String methodName = namespace.substring(namespace.lastIndexOf(".") + 1, namespace.length()); | |
| //获取当前mapper 的方法 | |
| Method[] methods = Class.forName(className).getMethods(); | |
| Optional<Method> first = Arrays.asList(methods).stream().filter(method -> method.getName().equals(methodName)).findFirst(); | |
| com.ruijie.upc.app.common.annotation.DataScope annotation = first.get().getAnnotation(com.ruijie.upc.app.common.annotation.DataScope.class); | |
| return annotation; | |
| } | |
| } |
2、定义注解DataScope
| /** | |
| * 数据权限校验注解 | |
| * @author Shamee | |
| * @date 2021-04-27 | |
| */ | |
| @Target(ElementType.METHOD) | |
| @Retention(RetentionPolicy.RUNTIME) | |
| @Documented | |
| public @interface DataScope { | |
| /** | |
| * 是否开启DataScope校验,默认是 | |
| * @return | |
| */ | |
| boolean isDataScope() default true; | |
| /** | |
| * 限制范围的字段名称 (除个人外),暂时限定到省区 | |
| */ | |
| String[] orgScopeNames() default {"province_id"}; | |
| /** | |
| * 限制数据流装,范围是个人时的字段 | |
| */ | |
| String[] selfScopeNames() default {"created_by"}; | |
| } |
由于为了兼容每个表命名字段不一致问题,这里采用传参的方式,由业务开发人员自由传参
再定义一个枚举:
| /** | |
| * 数据范围枚举 | |
| * @author Shamee | |
| * @date 2021-04-16 | |
| */ | |
| public enum DataScopeType implements IEnum<Integer> { | |
| /** | |
| * ALL="全部" | |
| */ | |
| ALL(1, "全部"), | |
| /** | |
| * CUSTOMIZE=“自定义” | |
| */ | |
| CUSTOMIZE(2, "自定义"), | |
| /** | |
| * SELF="个人" | |
| */ | |
| SELF(3, "个人") | |
| ; | |
| private Integer value; | |
| private String text; | |
| public Integer getValue() { | |
| return value; | |
| } | |
| public static DataScopeType get(Integer val) { | |
| return match(val, null); | |
| } | |
| public static DataScopeType get(String val) { | |
| return match(val, null); | |
| } | |
| public static DataScopeType match(String val, DataScopeType def) { | |
| for (DataScopeType enm : DataScopeType.values()) { | |
| if (enm.name().equalsIgnoreCase(val)) { | |
| return enm; | |
| } | |
| } | |
| return def; | |
| } | |
| public static DataScopeType match(Integer val, DataScopeType def) { | |
| if (val == null) { | |
| return def; | |
| } | |
| for (DataScopeType enm : DataScopeType.values()) { | |
| if (val.equals(enm.getValue())) { | |
| return enm; | |
| } | |
| } | |
| return def; | |
| } | |
| public String getCode(){ | |
| return this.name(); | |
| } | |
| } |
3、springboot装配该拦截器
| /** | |
| * 配置mybatis信息 | |
| * @author Shamee | |
| * @date 2021-04-28 | |
| */ | |
| public class MybatisAutoConfiguration { | |
| private List<SqlSessionFactory> sqlSessionFactoryList; | |
| /** | |
| * 这里使用构造回调的方式提高DataScope拦截器的执行顺序, | |
| * 执行顺序必须:DataScopeInterceptor> PaginationInterceptor | |
| */ | |
| public void addMybatisInterceptors() { | |
| DataScopeInterceptor dataScopeInterceptor = dataScopeInterceptor(); | |
| for (SqlSessionFactory sqlSessionFactory : sqlSessionFactoryList) { | |
| sqlSessionFactory.getConfiguration().addInterceptor(dataScopeInterceptor); | |
| } | |
| } | |
| public DataScopeInterceptor dataScopeInterceptor() { | |
| return new DataScopeInterceptor((userId) -> SpringUtils.getBean(UserService.class).getDataScopeById(userId)); | |
| } | |
| } |
注:
1、这里由于公司基础架构决定,这里没办法使用@Order来提高执行顺序,故采用@PostConstruct方式来处理,比较粗暴。
2、getDataScopeById方法为数据库按照业务规则拉取角色所匹配到的数据范围,如自定义则为匹配到的组织架构数据
4、使用
| public interface SheetSpecialProjectDao extends BaseMapper<SheetSpecialProject> { | |
| @DataScope(selfScopeNames = {"created_by", "service_representative"}) | |
| IPage<SheetSpecialProjectPageDto> querySpecialProjectPage(IPage pageInput); | |
| } |
5、附加说明
1、Mybatis拦截器(插件)是采用代理的方式,装载到InterceptorChain中,这里的执行顺序会与配置的顺序相反来执行,即@Order越大,越优先执行,与Spring相反。具体可以查看mybatis官网或者源码。
2、插件类型:
- Executor (update, query, flushStatements, commit, rollback, getTransaction, close, isClosed)
- ParameterHandler (getParameterObject, setParameters)
- ResultSetHandler (handleResultSets, handleOutputParameters)
- StatementHandler (prepare, parameterize, batch, update, query)