RoleAdministrators 权限控制

83887ca2 · MaxKey单点登录官方 · 4c772d7a · 83887ca2 · 83887ca2 · 83887ca2
5 changed file
--- a/maxkey-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
+++ b/maxkey-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java
@@ -17,6 +17,8 @@

 package org.maxkey.authn;

+import java.util.ArrayList;
+
 import org.maxkey.authn.online.OnlineTicketServices;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
 import org.maxkey.authn.support.rememberme.AbstractRemeberMeService;
@@ -35,6 +37,8 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;

 /**
 * login Authentication abstract class.
@@ -65,6 +69,12 @@ public abstract class AbstractAuthenticationProvider {
    @Autowired
    @Qualifier("onlineTicketServices")
    protected OnlineTicketServices onlineTicketServices;
+    
+    static  ArrayList<GrantedAuthority> grantedAdministratorsAuthoritys = new ArrayList<GrantedAuthority>();
+    
+    static {
+        grantedAdministratorsAuthoritys.add(new SimpleGrantedAuthority("ROLE_ADMINISTRATORS"));
+    }

    protected abstract String getProviderName();


--- a/maxkey-core/src/main/java/org/maxkey/authn/BasicAuthentication.java
+++ b/maxkey-core/src/main/java/org/maxkey/authn/BasicAuthentication.java
@@ -23,7 +23,6 @@ import java.util.Collection;
 import org.maxkey.authn.online.OnlineTicket;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;


 public class BasicAuthentication implements Authentication {
@@ -39,14 +38,12 @@ public class BasicAuthentication implements Authentication {
    OnlineTicket onlineTicket;
    ArrayList<GrantedAuthority> grantedAuthority;
    boolean authenticated;
+    boolean roleAdministrators;

    /**
     * BasicAuthentication.
     */
    public BasicAuthentication() {
-        grantedAuthority = new ArrayList<GrantedAuthority>();
-        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_USER"));
-        grantedAuthority.add(new SimpleGrantedAuthority("ORDINARY_USER"));
    }

    /**
@@ -56,9 +53,6 @@ public class BasicAuthentication implements Authentication {
        this.username = username;
        this.password = password;
        this.authType = authType;
-        grantedAuthority = new ArrayList<GrantedAuthority>();
-        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_USER"));
-        grantedAuthority.add(new SimpleGrantedAuthority("ORDINARY_USER"));
    }
    @Override
    public String getName() {
@@ -177,6 +171,14 @@ public class BasicAuthentication implements Authentication {
        this.onlineTicket = onlineTicket;
    }

+    public boolean isRoleAdministrators() {
+        return roleAdministrators;
+    }
+
+    public void setRoleAdministrators(boolean roleAdministrators) {
+        this.roleAdministrators = roleAdministrators;
+    }
+
    @Override
    public String toString() {
        StringBuilder builder = new StringBuilder();

--- a/maxkey-core/src/main/java/org/maxkey/authn/RealmAuthenticationProvider.java
+++ b/maxkey-core/src/main/java/org/maxkey/authn/RealmAuthenticationProvider.java
@@ -17,6 +17,8 @@

 package org.maxkey.authn;

+import java.util.ArrayList;
+
 import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.web.WebConstants;
@@ -26,6 +28,8 @@ import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -157,13 +161,25 @@ public class RealmAuthenticationProvider extends AbstractAuthenticationProvider
        OnlineTicket onlineTicket = new OnlineTicket(onlineTickitId,authentication);
        this.onlineTicketServices.store(onlineTickitId, onlineTicket);
        authentication.setOnlineTicket(onlineTicket);
+        ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
+        //set default roles
+        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_USER"));
+        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_ORDINARY_USER"));
        
        authentication.setAuthenticated(true);
+        
+        for(GrantedAuthority grantedAuthority : grantedAuthoritys) {
+            if(grantedAdministratorsAuthoritys.contains(grantedAuthority)) {
+                authentication.setRoleAdministrators(true);
+                _logger.trace("ROLE ADMINISTRATORS Authentication .");
+            }
+        }
+        
        UsernamePasswordAuthenticationToken authenticationToken =
                new UsernamePasswordAuthenticationToken(
                        authentication, 
                        "PASSWORD", 
-                        authenticationRealm.grantAuthority(userInfo)
+                        grantedAuthoritys
                );
        
        authenticationToken.setDetails(

--- a/maxkey-web-manage/src/main/java/org/maxkey/web/interceptor/PermissionAdapter.java
+++ b/maxkey-web-manage/src/main/java/org/maxkey/web/interceptor/PermissionAdapter.java
@@ -17,22 +17,19 @@

 package org.maxkey.web.interceptor;

-import java.util.ArrayList;
 import java.util.concurrent.ConcurrentHashMap;

 import javax.servlet.RequestDispatcher;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

+import org.maxkey.authn.BasicAuthentication;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 /**
@@ -52,11 +49,6 @@ public class PermissionAdapter extends HandlerInterceptorAdapter {
 	
 	static  ConcurrentHashMap<String ,String >navigationsMap=null;
 	
-	static  ArrayList<GrantedAuthority> grantedAuthoritys = new ArrayList<GrantedAuthority>();
-	static {
-	    grantedAuthoritys.add(new SimpleGrantedAuthority("ADMINISTRATORS"));
-	}
-	
 	/*
 	 * 请求前处理
 	 *  (non-Javadoc)
@@ -74,20 +66,14 @@ public class PermissionAdapter extends HandlerInterceptorAdapter {
            dispatcher.forward(request, response);
            return false;
        }
-	        
-		 boolean isGrantedAuthority = false;
-		 for(GrantedAuthority grantedAuthority : grantedAuthoritys) {
-		     if(WebContext.getAuthentication().getAuthorities().contains(grantedAuthority)) {
-		         isGrantedAuthority = true;
-		         _logger.trace("ADMINISTRATORS Authentication .");
-		     }
-		 }
-		 
-		 if(!isGrantedAuthority) {
-		     RequestDispatcher dispatcher = request.getRequestDispatcher("/logout");
-	            dispatcher.forward(request, response);
-	            return false;
-		 }
+        
+        //非管理员用户直接注销
+        if (!((BasicAuthentication) WebContext.getAuthentication().getPrincipal()).isRoleAdministrators()) {
+            _logger.debug("Not ADMINISTRATORS Authentication .");
+            RequestDispatcher dispatcher = request.getRequestDispatcher("/logout");
+            dispatcher.forward(request, response);
+            return false;
+        }
 		
 		boolean hasAccess=true;
 		

--- a/maxkey-web-maxkey/src/main/resources/templates/views/layout/top.ftl
+++ b/maxkey-web-maxkey/src/main/resources/templates/views/layout/top.ftl
@@ -40,12 +40,13 @@
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="login.password.changepassword"/>&nbsp;&nbsp;</div>
 								</a>
 							</td>
+							<#if  Session["current_authentication"].principal.roleAdministrators==true >
 							<td id="manage" nowrap>
 								<a target="_blank"  href="<@base/>/authz/maxkey_mgt">
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="global.text.manage"/>&nbsp;&nbsp;</div>
 								</a>
 							</td>
-				
+							</#if>
 							<td id="logout" class="ui-widget-header" >
 								<a  href="<@base/>/logout?reLoginUrl=login">
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="global.text.logout"/>&nbsp;&nbsp;</div>