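SpringSecurity6 - Authorization - Dynamic Permissions
Continuing from the previous article on SpringSecurity authentication, add a permission table and a join table:
permission table:
role_permission table:
Add the configuration: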
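import jakarta.annotation.Resource;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

import java.util.Collection;
import java.util.List;
import java.util.function.Supplier;

// Permission and PermissionService are the project's own classes; import them from your package.

/**
 * Dynamic permission check
 */
@Component
public class MyAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    // Path matcher (Ant-style patterns; a pattern without wildcards matches only that exact path)
    private final AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Resource
    private PermissionService permissionService;

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authenticationSupplier, RequestAuthorizationContext object) {
        // Requested resource path
        String requestURI = object.getRequest().getRequestURI();
        // Authorities (roles) held by the logged-in user
        Authentication authentication = authenticationSupplier.get();
        Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
        // Iterate over the roles
        for (GrantedAuthority authority : authorities) {
            // MyUser stores the role name when it is built
            String roleName = authority.getAuthority();
            // Look up the permissions of the role
            List<Permission> permissions = permissionService.getByRoleName(roleName);
            // Iterate over the permissions of the role
            for (Permission permission : permissions) {
                // If a permission matches, allow the request
                if (antPathMatcher.match(permission.getPath(), requestURI)) {
                    return new AuthorizationDecision(true);
                }
            }
        }
        // No permission matched: deny access (403)
        return new AuthorizationDecision(false);
    }
}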
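After completing the configuration above, log in and access a resource. If the logged-in user's roles have no permission for the requested resource path, a 403 is returned; otherwise the request goes through normally.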
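The manager only takes effect once it is registered on the filter chain. One way to wire it, as an added example that is not from the original post: the class name SecurityConfig and the public /login path are assumptions, and the login setup from the previous article is kept where the comment indicates.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.AuthorizationManagers;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Hypothetical configuration class; merge into the existing security configuration.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
            MyAuthorizationManager myAuthorizationManager) throws Exception {
        // Both managers must grant: the caller is logged in (not anonymous),
        // and one of the caller's roles has a permission path matching the request.
        AuthorizationManager<RequestAuthorizationContext> dynamic = AuthorizationManagers.allOf(
                AuthenticatedAuthorizationManager.<RequestAuthorizationContext>authenticated(),
                myAuthorizationManager);

        http.authorizeHttpRequests(auth -> auth
                // Assumed public endpoint; list every path that must work before login.
                // Rules are evaluated in order, so these come before anyRequest().
                .requestMatchers("/login").permitAll()
                // Everything else is decided by the permission table lookup.
                .anyRequest().access(dynamic));

        // Keep the login / authentication configuration from the previous article here.

        return http.build();
    }
}
```

Because getRequestURI() includes the servlet context path, the paths stored in the permission table must include it as well when the application is not deployed at the root; a mismatch results in a 403 rather than unintended access.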