解决方案:
先直接说下解决方案,权限点设计成如下:
/api/books/{id:\d*}
问题描述:
获取书本详情的标准restful路由,一般是这样的/api/books/12, 12即该book的id,如果需要拥有访问该路由的权限,一般可以这样设计/api/books/*。
但是如果类似有一个获取书本封面的请求,比如:/api/books/getCover,那么如果给了/api/books/*这样的权限的话,getCover这个也可以请求成功,就无法区分了。
源码分析:
请求地址和权限点匹配判断代码:
if(antPathMatcher.match(permission.getRequestUrl(),requestUri)){...
}
匹配代码的源码如下:
那我们来分析下matchStrings 这个方法
private boolean matchStrings(String pattern, String str,@Nullable Map<String, String> uriTemplateVariables) {return getStringMatcher(pattern).matchStrings(str, uriTemplateVariables);
}
接下来看下getStringMatcher
protected AntPathStringMatcher getStringMatcher(String pattern) {AntPathStringMatcher matcher = null;Boolean cachePatterns = this.cachePatterns;if (cachePatterns == null || cachePatterns.booleanValue()) {matcher = this.stringMatcherCache.get(pattern);}if (matcher == null) {matcher = new AntPathStringMatcher(pattern, this.caseSensitive);if (cachePatterns == null && this.stringMatcherCache.size() >= CACHE_TURNOFF_THRESHOLD) {// Try to adapt to the runtime situation that we're encountering:// There are obviously too many different patterns coming in here...// So let's turn off the cache since the patterns are unlikely to be reoccurring.deactivatePatternCache();return matcher;}if (cachePatterns == null || cachePatterns.booleanValue()) {this.stringMatcherCache.put(pattern, matcher);}}return matcher;
}
接下来看AntPathStringMatcher的构造函数:
public AntPathStringMatcher(String pattern, boolean caseSensitive) {this.rawPattern = pattern;this.caseSensitive = caseSensitive;StringBuilder patternBuilder = new StringBuilder();Matcher matcher = GLOB_PATTERN.matcher(pattern);int end = 0;while (matcher.find()) {patternBuilder.append(quote(pattern, end, matcher.start()));String match = matcher.group();if ("?".equals(match)) {patternBuilder.append('.');}else if ("*".equals(match)) {patternBuilder.append(".*");}else if (match.startsWith("{") && match.endsWith("}")) {int colonIdx = match.indexOf(':');if (colonIdx == -1) {patternBuilder.append(DEFAULT_VARIABLE_PATTERN);this.variableNames.add(matcher.group(1));}else {String variablePattern = match.substring(colonIdx + 1, match.length() - 1);patternBuilder.append('(');patternBuilder.append(variablePattern);patternBuilder.append(')');String variableName = match.substring(1, colonIdx);this.variableNames.add(variableName);}}end = matcher.end();}// No glob pattern was found, this is an exact String matchif (end == 0) {this.exactMatch = true;this.pattern = null;}else {this.exactMatch = false;patternBuilder.append(quote(pattern, end, pattern.length()));this.pattern = Pattern.compile(patternBuilder.toString(),Pattern.DOTALL | (this.caseSensitive ? 0 : Pattern.CASE_INSENSITIVE));}
}
看到这里基本上也就明白了,这里如果设定的*号,这匹配的是.*,那参考这里
else if (match.startsWith("{") && match.endsWith("}")) {
我们把获取详情的权限点设计成
/api/books/{id:\d*}
这样就可以匹配/api/books/12或者/api/books/123之类的详情,又不会包含/api/books/getCover这样的接口。
