♻️ 向上抽象一层安全校验注解实现，方便业务模块和底层安全框架解耦

link gh-205

Author: Hccake

ballcat-dependencies/pom.xml

@@ -501,7 +501,7 @@
 			</dependency>
 			<dependency>
 				<groupId>org.ballcat</groupId>
-				<artifactId>ballcat-security-web</artifactId>
+				<artifactId>ballcat-spring-security</artifactId>
 				<version>${revision}</version>
 			</dependency>
 			<dependency>

pom.xml

@@ -72,7 +72,7 @@
 		<module>redis/ballcat-spring-boot-starter-redis</module>
 
 		<module>security/ballcat-security-core</module>
-		<module>security/ballcat-security-web</module>
+		<module>security/ballcat-spring-security</module>
 		<module>security/ballcat-spring-security-oauth2-authorization-server</module>
 		<module>security/ballcat-spring-security-oauth2-core</module>
 		<module>security/ballcat-spring-security-oauth2-resource-server</module>

security/ballcat-security-core/pom.xml

@@ -11,35 +11,28 @@
 	<artifactId>ballcat-security-core</artifactId>
 
 	<dependencies>
+		<!-- slf4j日志 -->
 		<dependency>
-			<groupId>org.ballcat</groupId>
-			<artifactId>ballcat-common-util</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>jakarta.servlet</groupId>
-			<artifactId>jakarta.servlet-api</artifactId>
-			<scope>provided</scope>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
 		</dependency>
 		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot</artifactId>
-			<scope>provided</scope>
+			<groupId>org.ballcat</groupId>
+			<artifactId>ballcat-common-util</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-context</artifactId>
 		</dependency>
 		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-autoconfigure</artifactId>
+			<groupId>jakarta.servlet</groupId>
+			<artifactId>jakarta.servlet-api</artifactId>
+			<scope>provided</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-configuration-processor</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-crypto</artifactId>
+			<artifactId>spring-boot-autoconfigure</artifactId>
+			<scope>provided</scope>
 		</dependency>
 	</dependencies>
 </project>

security/ballcat-security-core/src/main/java/org/ballcat/security/SecurityConstant.java

@@ -0,0 +1,105 @@
+/*
+ * Copyright 2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.ballcat.security.access.expression;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.ballcat.security.authorization.SecurityChecker;
+import org.springframework.aop.framework.AopProxyUtils;
+import org.springframework.aop.support.AopUtils;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.context.expression.BeanFactoryResolver;
+import org.springframework.context.expression.MethodBasedEvaluationContext;
+import org.springframework.core.DefaultParameterNameDiscoverer;
+import org.springframework.core.ParameterNameDiscoverer;
+import org.springframework.expression.BeanResolver;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+
+import java.lang.reflect.Method;
+
+/**
+ * 默认的鉴权表达式处理器
+ *
+ * @author Hccake
+ * @see org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
+ * @since 2.0.0
+ */
+public class DefaultSecurityExpressionHandler implements SecurityExpressionHandler, ApplicationContextAware {
+
+	private ExpressionParser expressionParser = new SpelExpressionParser();
+
+	private ParameterNameDiscoverer parameterNameDiscoverer = new DefaultParameterNameDiscoverer();
+
+	private BeanResolver beanResolver;
+
+	private final SecurityChecker securityChecker;
+
+	public DefaultSecurityExpressionHandler(SecurityChecker securityChecker) {
+		this.securityChecker = securityChecker;
+	}
+
+	@Override
+	public ExpressionParser getExpressionParser() {
+		return this.expressionParser;
+	}
+
+	public void setExpressionParser(ExpressionParser expressionParser) {
+		this.expressionParser = expressionParser;
+	}
+
+	@Override
+	public final EvaluationContext createEvaluationContext(MethodInvocation mi) {
+		StandardEvaluationContext ctx = createEvaluationContextInternal(mi, getParameterNameDiscoverer());
+		ctx.setBeanResolver(this.beanResolver);
+		ctx.setRootObject(this.securityChecker);
+		return ctx;
+	}
+
+	private StandardEvaluationContext createEvaluationContextInternal(MethodInvocation mi,
+			ParameterNameDiscoverer parameterNameDiscoverer) {
+		return new MethodBasedEvaluationContext(mi.getThis(), getSpecificMethod(mi), mi.getArguments(),
+				parameterNameDiscoverer);
+	}
+
+	private Method getSpecificMethod(MethodInvocation mi) {
+		return AopUtils.getMostSpecificMethod(mi.getMethod(), AopProxyUtils.ultimateTargetClass(mi.getThis()));
+	}
+
+	@Override
+	public void setApplicationContext(ApplicationContext applicationContext) {
+		this.beanResolver = new BeanFactoryResolver(applicationContext);
+	}
+
+	/**
+	 * Sets the {@link ParameterNameDiscoverer} to use. The default is
+	 * {@link DefaultParameterNameDiscoverer}.
+	 * @param parameterNameDiscoverer new parameterNameDiscoverer
+	 */
+	public void setParameterNameDiscoverer(ParameterNameDiscoverer parameterNameDiscoverer) {
+		this.parameterNameDiscoverer = parameterNameDiscoverer;
+	}
+
+	/**
+	 * @return The current {@link ParameterNameDiscoverer}
+	 */
+	protected ParameterNameDiscoverer getParameterNameDiscoverer() {
+		return this.parameterNameDiscoverer;
+	}
+
+}

security/ballcat-security-core/src/main/java/org/ballcat/security/SecurityStore.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.ballcat.security.access.expression;
+
+import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.expression.EvaluationContext;
+import org.springframework.expression.ExpressionParser;
+
+/**
+ * 安全表达式处理器
+ *
+ * @author Hccake
+ * @since 2.0.0
+ * @see org.springframework.security.access.expression.SecurityExpressionHandler
+ */
+public interface SecurityExpressionHandler extends AopInfrastructureBean {
+
+	/**
+	 * @return an expression parser for the expressions used by the implementation.
+	 */
+	ExpressionParser getExpressionParser();
+
+	/**
+	 * Provides an evaluation context in which to evaluate security expressions for the
+	 * invocation type.
+	 */
+	EvaluationContext createEvaluationContext(MethodInvocation invocation);
+
+}

security/ballcat-security-core/src/main/java/org/ballcat/security/SecurityToken.java

@@ -1,3 +1,18 @@
+/*
+ * Copyright 2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.ballcat.security.annotation;
 
 import java.lang.annotation.*;
@@ -6,6 +21,7 @@
  * 鉴权, 默认为登录即可访问
  *
  * @author lingting 2023-03-29 20:38
+ * @author hccake
  */
 @Target({ ElementType.METHOD, ElementType.TYPE })
 @Retention(RetentionPolicy.RUNTIME)
@@ -14,58 +30,9 @@
 public @interface Authorize {
 
 	/**
-	 * 是否允许匿名, 为true时, 登录和未登录均允许访问. 优先级最高
-	 */
-	boolean anyone() default false;
-
-	/**
-	 * 是否仅允许系统用户访问 和 normal 同时为true则该接口无法被访问
-	 */
-	boolean onlySystem() default false;
-
-	/**
-	 * 仅允许普通用户访问 和 sys 同时为true则该接口无法被访问
-	 */
-	boolean onlyNormal() default false;
-
-	/**
-	 * 必须拥有所有指定角色才可以访问, 为空时允许所有角色访问.
-	 */
-	String[] hasRole() default {};
-
-	/**
-	 * 必须拥有任一指定角色才可以访问, 为空时允许所有角色访问.
-	 */
-	String[] hasAnyRole() default {};
-
-	/**
-	 * 必须拥有所有指定权限才可以访问, 为空时允许所有权限访问.
-	 */
-	String[] hasPermissions() default {};
-
-	/**
-	 * 必须拥有任一指定权限才可以访问, 为空时允许所有权限访问.
-	 */
-	String[] hasAnyPermissions() default {};
-
-	/**
-	 * 必须未拥有所有指定角色才可以访问, 为空时允许所有角色访问.
-	 */
-	String[] notRole() default {};
-
-	/**
-	 * 必须未拥有任一指定角色才可以访问, 为空时允许所有角色访问.
-	 */
-	String[] notAnyRole() default {};
-
-	/**
-	 * 必须未拥有所有指定权限才可以访问, 为空时允许所有权限访问.
-	 */
-	String[] notPermissions() default {};
-
-	/**
-	 * 必须未拥有任一指定权限才可以访问, 为空时允许所有权限访问.
+	 * @return the Spring-EL expression to be evaluated before invoking the protected
+	 * method
 	 */
-	String[] notAnyPermissions() default {};
+	String value();
 
 }