迪恩网络APP
随时随地掌握行业动态
扫描二维码
关注迪恩网络微信公众号
开源软件名称:foruo-sc-permission开源软件地址:https://gitee.com/gmarshal/foruo-sc-permission开源软件介绍:数据权限管理中心
需求场景第一种场景:行级数据处理原sql: select id,username,region from sys_user ; 需要封装成: select * from ( select id,username,region from sys_user ) where 1=1 and region like “3210%"; 解释
此场景还有以下情况: # 判断select * from (select id,username,region from sys_user ) where 1=1 and region != 320101;# 枚举select * from (select id,username,region from sys_user ) where 1=1 and region in (320101,320102,320103);... 第二种场景:列级数据处理原sql: select id,username,region from sys_user ;
技术实现mybatis拦截器在编写mybatis的拦截器之前,我们先来了解下mybaits的拦截目标方法 1、Executor (update, query, flushStatements, commit, rollback, getTransaction, close, isClosed)2、ParameterHandler (getParameterObject, setParameters)3、StatementHandler (prepare, parameterize, batch, update, query)4、ResultSetHandler (handleResultSets, handleOutputParameters) 这里选择StatementHandler 的 prepare 方法作为sql执行之前的拦截进行sql封装,使用ResultSetHandler 的 handleResultSets 方法作为sql执行之后的结果拦截过滤。 sql执行前
/** * mybatis数据权限拦截器 - prepare * @author GaoYuan * @date 2018/4/17 上午9:52 */@Intercepts({ @Signature(type = StatementHandler.class, method = "prepare", args = { Connection.class,Integer.class })})@Componentpublic class PrepareInterceptor implements Interceptor { /** 日志 */ private static final Logger log = LoggerFactory.getLogger(PrepareInterceptor.class); @Override public Object plugin(Object target) { return Plugin.wrap(target, this); } @Override public void setProperties(Properties properties) {} @Override public Object intercept(Invocation invocation) throws Throwable { if(log.isInfoEnabled()){ log.info("进入 PrepareInterceptor 拦截器..."); } if(invocation.getTarget() instanceof RoutingStatementHandler) { RoutingStatementHandler handler = (RoutingStatementHandler) invocation.getTarget(); StatementHandler delegate = (StatementHandler) ReflectUtil.getFieldValue(handler, "delegate"); //通过反射获取delegate父类BaseStatementHandler的mappedStatement属性 MappedStatement mappedStatement = (MappedStatement) ReflectUtil.getFieldValue(delegate, "mappedStatement"); //千万不能用下面注释的这个方法,会造成对象丢失,以致转换失败 //MappedStatement mappedStatement = (MappedStatement) invocation.getArgs()[0]; PermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement); if(permissionAop == null){ if(log.isInfoEnabled()){ log.info("数据权限放行..."); } return invocation.proceed(); } if(log.isInfoEnabled()){ log.info("数据权限处理【拼接SQL】..."); } BoundSql boundSql = delegate.getBoundSql(); ReflectUtil.setFieldValue(boundSql, "sql", permissionSql(boundSql.getSql())); } return invocation.proceed(); } /** * 权限sql包装 * @author GaoYuan * @date 2018/4/17 上午9:51 */ protected String permissionSql(String sql) { StringBuilder sbSql = new StringBuilder(sql); String userMethodPath = PermissionConfig.getConfig("permission.client.userid.method"); //当前登录人 String userId = (String)ReflectUtil.reflectByPath(userMethodPath); //如果用户为 1 则只能查询第一条 if("1".equals(userId)){ //sbSql = sbSql.append(" limit 1 "); //如果有动态参数 regionCd if(true){ String premission_param = "regionCd"; //select * from (select id,name,region_cd from sys_exam ) where region_cd like '${}%' String methodPath = PermissionConfig.getConfig("permission.client.params." + premission_param); String regionCd = (String)ReflectUtil.reflectByPath(methodPath); sbSql = new StringBuilder("select * from (").append(sbSql).append(" ) s where s.regionCd like concat("+ regionCd +",'%') "); } } return sbSql.toString(); }} sql执行后
/** * mybatis数据权限拦截器 - handleResultSets * 对结果集进行过滤 * @author GaoYuan * @date 2018/4/17 上午9:52 */@Intercepts({ @Signature(type = ResultSetHandler.class, method = "handleResultSets", args={Statement.class})})@Componentpublic class ResultInterceptor implements Interceptor { /** 日志 */ private static final Logger log = LoggerFactory.getLogger(ResultInterceptor.class); @Override public Object plugin(Object target) { return Plugin.wrap(target, this); } @Override public void setProperties(Properties properties) {} @Override public Object intercept(Invocation invocation) throws Throwable { if(log.isInfoEnabled()){ log.info("进入 ResultInterceptor 拦截器..."); } ResultSetHandler resultSetHandler1 = (ResultSetHandler) invocation.getTarget(); //通过java反射获得mappedStatement属性值 //可以获得mybatis里的resultype MappedStatement mappedStatement = (MappedStatement)ReflectUtil.getFieldValue(resultSetHandler1, "mappedStatement"); //获取切面对象 PermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement); //执行请求方法,并将所得结果保存到result中 Object result = invocation.proceed(); if(permissionAop != null) { if (result instanceof ArrayList) { ArrayList resultList = (ArrayList) result; for (int i = 0; i < resultList.size(); i++) { Object oi = resultList.get(i); Class c = oi.getClass(); Class[] types = {String.class}; Method method = c.getMethod("setRegionCd", types); // 调用obj对象的 method 方法 method.invoke(oi, ""); if(log.isInfoEnabled()){ log.info("数据权限处理【过滤结果】..."); } } } } return result; }} 其中 难点
解答拦截器获取dao层注解不同方法的拦截器获取方法稍微有所区别,具体在上面的 获取当前登录人标识由于不同框架或者不同项目,获取当天登录人的方法可能不一样,那么就只能通过配置的方式动态将 # 客户端获取当前登录人标识permission.client.userid.method=com.raising.sc.permission.example.util.UserUtils.getUserId 然后利用Java反射机制,触发getUserId( )方法。 传递动态参数比如用户A只能查询自己单位以及下属单位的所有数据;配置中心配置的where部分的sql如下: org_cd like concat(${orgCd},'%') 然后通过 配置文件或者数据库获取到 orgCd 对应的方法路径: com.raising.sc.permission.example.util.UserUtils.getRegionCdByUserId 当然,现在这样只是简单的动态参数,其余的还需要后续的开发,这里只是最简单的尝试。 拓展从产品的角度来说,此模块需要有三个部分组成:
在结合 涉及知识点:
项目源码码云:https://gitee.com/gmarshal/foruo-sc-permission 博客地址https://my.oschina.net/gmarshal/blog/1797026 ![]() |
请发表评论