
I want to apply some authorization logic to my controller methods. I have an endpoint called Interview which has a findInterviewById(id) method that returns an Interview object.

The application has different kinds of users [ Owner , Recruiters , Candidate and Guest ]

Everyone can call findInterviewById(id) to read the interview object and the createInterview(Interview) method to create an interview, but each of them must read or write the object in a restricted way depending on their role.

Example

  • Recruiter: can read the whole interview object returned by findInterviewById(id)
  • Guest: should only be able to read some of the fields of the object returned by findInterviewById(id)

The same goes for createInterview(Interview): a Recruiter can touch all fields of the interview, but a Candidate can only touch some of them.

Some solutions say you can duplicate the endpoints, but that is not best practice for a large application.

How can I implement this specific authorization logic to get this behaviour?


2 Answers


You can use C#'s anonymous types and return only the properties that match the role. For example

// The two anonymous types have different shapes, so hold them in an object-typed variable
object candidate = null;

if (role == "Guest")
{
    candidate = new { Id = 1, FirstName = "James", LastName = "Bond", location = "noida", skill = ".net" };
}
else if (role == "Recruiter")
{
    candidate = new { Id = 1, FirstName = "James", LastName = "Bond", location = "noida", skill = ".net",
                      salary = "11LPA", expectSalary = "15LPA" };
}

You can write your business logic this way. The above can go in the API methods findInterviewById() or CreateInterview().

Answered 2020-07-08T11:40:00.087

You can use @JsonSerialize and implement serialize(Interview interview, JsonGenerator jgen, SerializerProvider provider) to produce the JSON response you need according to the user's authorities.

Example

Consider a UserDTO class responsible for displaying the list of users. You have to put @JsonSerialize(using = CustomSerializer.class) at class level on the DTO or domain class.

DTO / Model

import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.learning.jhipster.config.Constants; // the application's own constants class (package assumed)

import javax.validation.constraints.Email;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

@JsonSerialize(using = UserDTOSerializer.class)
public class UserDTO {

    private Long id;

    @NotBlank
    @Pattern(regexp = Constants.LOGIN_REGEX)
    @Size(min = 1, max = 50)
    private String login;

    @Size(max = 50)
    private String firstName;

    @Size(max = 50)
    private String lastName;

    @Email
    @Size(min = 5, max = 254)
    private String email;

    @Size(max = 256)
    private String imageUrl;

    private boolean activated = false;

    //getter-setters and constructors
}

Custom serializer

Now let's implement the custom serializer by overriding the serialize() method; inside it you can obtain the authorities from the security context and tailor the response as follows

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
import com.learning.jhipster.security.AuthoritiesConstants;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import java.io.IOException;

@Component
public class UserDTOSerializer extends StdSerializer<UserDTO> {

    public UserDTOSerializer() {
        this(null);
    }

    public UserDTOSerializer(Class<UserDTO> t) {
        super(t);
    }

    @Override
    public void serialize(UserDTO user, JsonGenerator jgen, SerializerProvider provider) throws IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Compare each granted authority exactly instead of searching the toString() output,
        // so an authority that merely contains the admin role name as a substring does not pass;
        // also tolerate an unauthenticated (null) context.
        boolean isAdmin = authentication != null && authentication.getAuthorities().stream()
                .anyMatch(granted -> AuthoritiesConstants.ADMIN.equals(granted.getAuthority()));
        jgen.writeStartObject();
        if (isAdmin) {
            jgen.writeNumberField("id", user.getId());
            jgen.writeStringField("login", user.getLogin());
            jgen.writeBooleanField("activated", user.isActivated());
            jgen.writeStringField("imageUrl", user.getImageUrl());
        }
        jgen.writeStringField("firstName", user.getFirstName());
        jgen.writeStringField("lastName", user.getLastName());
        jgen.writeStringField("email", user.getEmail());
        jgen.writeEndObject();
    }
}

Response

A user logged in with the ROLE_USER authority gets the following response

[
    {
        "firstName": "User",
        "lastName": "User",
        "email": "user@localhost"
    }
]

A user logged in with ROLE_ADMIN receives the following response

[
    {
        "id": 1,
        "login": "system",
        "activated": true,
        "imageUrl": "",
        "firstName": "System",
        "lastName": "System",
        "email": "system@localhost"
    }
]

Answered 2020-07-08T16:13:24.013
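Both answers above filter the read side; the question also asks about restricting which fields each role may supply to createInterview(Interview). The following is an added, self-contained Java example that is not part of either answer: it keeps one endpoint and one Interview object, expresses the per-role rules as explicit field allowlists, applies the read allowlist with Jackson's @JsonFilter / SimpleBeanPropertyFilter (a generalisation of the serializer in the second answer and the per-role objects in the first), and applies the write allowlist by copying only permitted fields out of the incoming request. The Role enum, the Interview fields, the filter id "interviewFilter" and the sample data are all assumptions of this example; only jackson-databind is required, and the caller's role is expected to come from wherever the application resolves it (for instance the SecurityContextHolder lookup shown in the second answer).

```java
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ser.FilterProvider;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

import java.util.Map;
import java.util.Set;

public class RoleBasedInterviewAccess {

    // Roles taken from the question; the enum itself is an assumption of this example.
    public enum Role { OWNER, RECRUITER, CANDIDATE, GUEST }

    // Hypothetical Interview object. The filter id ties the class to the allowlists below.
    @JsonFilter("interviewFilter")
    public static class Interview {
        public Long id;
        public String candidateName;
        public String scheduledAt;
        public String recruiterNotes;  // internal, must not reach candidates or guests
        public String offeredSalary;   // must not be set by the candidate
    }

    private static final Set<String> ALL_FIELDS =
            Set.of("id", "candidateName", "scheduledAt", "recruiterNotes", "offeredSalary");

    // Read allowlist: which fields each role may see in the findInterviewById(id) response.
    private static final Map<Role, Set<String>> READABLE = Map.of(
            Role.OWNER, ALL_FIELDS,
            Role.RECRUITER, ALL_FIELDS,
            Role.CANDIDATE, Set.of("id", "candidateName", "scheduledAt", "offeredSalary"),
            Role.GUEST, Set.of("id", "scheduledAt"));

    // Write allowlist: which fields each role may supply to createInterview(Interview).
    private static final Map<Role, Set<String>> WRITABLE = Map.of(
            Role.OWNER, ALL_FIELDS,
            Role.RECRUITER, ALL_FIELDS,
            Role.CANDIDATE, Set.of("candidateName", "scheduledAt"),
            Role.GUEST, Set.of());

    // Read side: one endpoint, one object, a role-specific projection applied at serialization time.
    public static String serializeFor(Interview interview, Role role) throws JsonProcessingException {
        FilterProvider filters = new SimpleFilterProvider().addFilter("interviewFilter",
                SimpleBeanPropertyFilter.filterOutAllExcept(READABLE.get(role)));
        return new ObjectMapper().writer(filters).writeValueAsString(interview);
    }

    // Write side: copy only the fields the role may set into a fresh object, so a field the
    // caller is not allowed to touch is dropped instead of being persisted.
    public static Interview sanitizeForWrite(Interview incoming, Role role) {
        Set<String> allowed = WRITABLE.get(role);
        Interview clean = new Interview();
        if (allowed.contains("id")) clean.id = incoming.id;
        if (allowed.contains("candidateName")) clean.candidateName = incoming.candidateName;
        if (allowed.contains("scheduledAt")) clean.scheduledAt = incoming.scheduledAt;
        if (allowed.contains("recruiterNotes")) clean.recruiterNotes = incoming.recruiterNotes;
        if (allowed.contains("offeredSalary")) clean.offeredSalary = incoming.offeredSalary;
        return clean;
    }

    public static void main(String[] args) throws JsonProcessingException {
        Interview stored = new Interview();   // constructed sample data
        stored.id = 42L;
        stored.candidateName = "James Bond";
        stored.scheduledAt = "2020-07-10T09:00";
        stored.recruiterNotes = "strong on .NET";
        stored.offeredSalary = "11LPA";

        System.out.println("recruiter sees: " + serializeFor(stored, Role.RECRUITER));
        System.out.println("guest sees:     " + serializeFor(stored, Role.GUEST));

        Interview request = new Interview();  // a candidate request that includes a field it may not set
        request.candidateName = "James Bond";
        request.offeredSalary = "99LPA";
        Interview accepted = sanitizeForWrite(request, Role.CANDIDATE);
        System.out.println("candidate write kept offeredSalary? " + (accepted.offeredSalary != null));
    }
}
```

Keeping both allowlists next to each other makes the read and write rules reviewable in one place, and because the write path builds a new object rather than trusting the bound request, adding a field to Interview later is safe by default: it is invisible and unwritable for every role until it is explicitly added to an allowlist.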