
RoleAdministrators 权限控制

Crystal.Sea 4 tahun lalu
induk
melakukan
83887ca2ff

+ 10 - 0
maxkey-core/src/main/java/org/maxkey/authn/AbstractAuthenticationProvider.java

@@ -17,6 +17,8 @@
 
 package org.maxkey.authn;
 
+import java.util.ArrayList;
+
 import org.maxkey.authn.online.OnlineTicketServices;
 import org.maxkey.authn.realm.AbstractAuthenticationRealm;
 import org.maxkey.authn.support.rememberme.AbstractRemeberMeService;
@@ -35,6 +37,8 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 /**
  * login Authentication abstract class.
@@ -65,6 +69,12 @@ public abstract class AbstractAuthenticationProvider {
     @Autowired
     @Qualifier("onlineTicketServices")
     protected OnlineTicketServices onlineTicketServices;
+    
+    static  ArrayList<GrantedAuthority> grantedAdministratorsAuthoritys = new ArrayList<GrantedAuthority>();
+    
+    static {
+        grantedAdministratorsAuthoritys.add(new SimpleGrantedAuthority("ROLE_ADMINISTRATORS"));
+    }
 
     protected abstract String getProviderName();
 

+ 9 - 7
maxkey-core/src/main/java/org/maxkey/authn/BasicAuthentication.java

@@ -23,7 +23,6 @@ import java.util.Collection;
 import org.maxkey.authn.online.OnlineTicket;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 
 public class BasicAuthentication implements Authentication {
@@ -39,14 +38,12 @@ public class BasicAuthentication implements Authentication {
     OnlineTicket onlineTicket;
     ArrayList<GrantedAuthority> grantedAuthority;
     boolean authenticated;
+    boolean roleAdministrators;
 
     /**
      * BasicAuthentication.
      */
     public BasicAuthentication() {
-        grantedAuthority = new ArrayList<GrantedAuthority>();
-        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_USER"));
-        grantedAuthority.add(new SimpleGrantedAuthority("ORDINARY_USER"));
     }
 
     /**
@@ -56,9 +53,6 @@ public class BasicAuthentication implements Authentication {
         this.username = username;
         this.password = password;
         this.authType = authType;
-        grantedAuthority = new ArrayList<GrantedAuthority>();
-        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_USER"));
-        grantedAuthority.add(new SimpleGrantedAuthority("ORDINARY_USER"));
     }
     @Override
     public String getName() {
@@ -177,6 +171,14 @@ public class BasicAuthentication implements Authentication {
         this.onlineTicket = onlineTicket;
     }
 
+    public boolean isRoleAdministrators() {
+        return roleAdministrators;
+    }
+
+    public void setRoleAdministrators(boolean roleAdministrators) {
+        this.roleAdministrators = roleAdministrators;
+    }
+
     @Override
     public String toString() {
         StringBuilder builder = new StringBuilder();
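Review bot: Both constructors no longer initialise `grantedAuthority`, and the field declaration `ArrayList<GrantedAuthority> grantedAuthority;` has no initializer, so a `BasicAuthentication` whose authorities are never assigned now carries `null`; if `getAuthorities()` (outside these hunks) returns the field directly, any caller iterating it will throw where it previously got the two default roles. Initialising at the declaration, `ArrayList<GrantedAuthority> grantedAuthority = new ArrayList<GrantedAuthority>();`, restores the non-null guarantee without re-adding the roles the commit intentionally moved to the provider. `setRoleAdministrators` is public and the principal is kept in the session, so the flag is an authorization input that any code holding the principal can flip; a Javadoc line on the setter such as `/** Set only by the authentication provider at login; callers must not use this to elevate a principal. */` would at least make that contract explicit.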

+ 17 - 1
maxkey-core/src/main/java/org/maxkey/authn/RealmAuthenticationProvider.java

@@ -17,6 +17,8 @@
 
 package org.maxkey.authn;
 
+import java.util.ArrayList;
+
 import org.maxkey.authn.online.OnlineTicket;
 import org.maxkey.domain.UserInfo;
 import org.maxkey.web.WebConstants;
@@ -26,6 +28,8 @@ import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -157,13 +161,25 @@ public class RealmAuthenticationProvider extends AbstractAuthenticationProvider
         OnlineTicket onlineTicket = new OnlineTicket(onlineTickitId,authentication);
         this.onlineTicketServices.store(onlineTickitId, onlineTicket);
         authentication.setOnlineTicket(onlineTicket);
+        ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
+        //set default roles
+        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_USER"));
+        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_ORDINARY_USER"));
         
         authentication.setAuthenticated(true);
+        
+        for(GrantedAuthority grantedAuthority : grantedAuthoritys) {
+            if(grantedAdministratorsAuthoritys.contains(grantedAuthority)) {
+                authentication.setRoleAdministrators(true);
+                _logger.trace("ROLE ADMINISTRATORS Authentication .");
+            }
+        }
+        
         UsernamePasswordAuthenticationToken authenticationToken =
                 new UsernamePasswordAuthenticationToken(
                         authentication, 
                         "PASSWORD", 
-                        authenticationRealm.grantAuthority(userInfo)
+                        grantedAuthoritys
                 );
         
         authenticationToken.setDetails(
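Review bot: The authority names hard-coded here differ from the ones this commit removes elsewhere: the default role is now `"ROLE_ORDINARY_USER"` where `BasicAuthentication` granted `"ORDINARY_USER"`, and the administrator check matches `"ROLE_ADMINISTRATORS"` where `PermissionAdapter` previously matched `"ADMINISTRATORS"`. Unless `authenticationRealm.grantAuthority` (not visible here) and any configuration keyed on the old names were updated alongside, administrators silently stop being recognised and nothing in the hunk confirms either way, so hoisting the strings into named constants next to `grantedAdministratorsAuthoritys` would make that dependency visible. The returned list is also used and mutated without a null check, and the loop keeps running after a match; `authentication.setRoleAdministrators(!Collections.disjoint(grantedAuthoritys, grantedAdministratorsAuthoritys));` expresses the same decision in one line if `grantAuthority` always returns a non-null mutable list — worth confirming against the realm. The enclosing method continues outside the hunk.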

+ 9 - 23
maxkey-web-manage/src/main/java/org/maxkey/web/interceptor/PermissionAdapter.java

@@ -17,22 +17,19 @@
 
 package org.maxkey.web.interceptor;
 
-import java.util.ArrayList;
 import java.util.concurrent.ConcurrentHashMap;
 
 import javax.servlet.RequestDispatcher;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.maxkey.authn.BasicAuthentication;
 import org.maxkey.configuration.ApplicationConfig;
 import org.maxkey.web.WebContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 /**
@@ -52,11 +49,6 @@ public class PermissionAdapter extends HandlerInterceptorAdapter {
 	
 	static  ConcurrentHashMap<String ,String >navigationsMap=null;
 	
-	static  ArrayList<GrantedAuthority> grantedAuthoritys = new ArrayList<GrantedAuthority>();
-	static {
-	    grantedAuthoritys.add(new SimpleGrantedAuthority("ADMINISTRATORS"));
-	}
-	
 	/*
 	 * 请求前处理
 	 *  (non-Javadoc)
@@ -74,20 +66,14 @@ public class PermissionAdapter extends HandlerInterceptorAdapter {
             dispatcher.forward(request, response);
             return false;
         }
-	        
-		 boolean isGrantedAuthority = false;
-		 for(GrantedAuthority grantedAuthority : grantedAuthoritys) {
-		     if(WebContext.getAuthentication().getAuthorities().contains(grantedAuthority)) {
-		         isGrantedAuthority = true;
-		         _logger.trace("ADMINISTRATORS Authentication .");
-		     }
-		 }
-		 
-		 if(!isGrantedAuthority) {
-		     RequestDispatcher dispatcher = request.getRequestDispatcher("/logout");
-	            dispatcher.forward(request, response);
-	            return false;
-		 }
+        
+        //非管理员用户直接注销
+        if (!((BasicAuthentication) WebContext.getAuthentication().getPrincipal()).isRoleAdministrators()) {
+            _logger.debug("Not ADMINISTRATORS Authentication .");
+            RequestDispatcher dispatcher = request.getRequestDispatcher("/logout");
+            dispatcher.forward(request, response);
+            return false;
+        }
 		
 		boolean hasAccess=true;
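Review bot: The new check `if (!((BasicAuthentication) WebContext.getAuthentication().getPrincipal()).isRoleAdministrators())` casts the principal unconditionally, so a request whose principal is not a `BasicAuthentication` (whatever passed the check just above this hunk) fails with a `ClassCastException` instead of being forwarded to `/logout`; the loop it replaces only read `getAuthorities()` and had no such cast. A fail-closed form keeps the redirect for every unexpected principal type: `Object principal = WebContext.getAuthentication().getPrincipal();` followed by `if (!(principal instanceof BasicAuthentication) || !((BasicAuthentication) principal).isRoleAdministrators()) {`. The decision has also moved from the token's `getAuthorities()` to a settable boolean on the session principal; if that is intended, a comment stating that the flag is computed once by `RealmAuthenticationProvider` at login would document why the authorities are no longer consulted here. The enclosing method starts and ends outside the hunk.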
 		

+ 2 - 1
maxkey-web-maxkey/src/main/resources/templates/views/layout/top.ftl

@@ -40,12 +40,13 @@
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="login.password.changepassword"/>&nbsp;&nbsp;</div>
 								</a>
 							</td>
+							<#if  Session["current_authentication"].principal.roleAdministrators==true >
 							<td id="manage" nowrap>
 								<a target="_blank"  href="<@base/>/authz/maxkey_mgt">
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="global.text.manage"/>&nbsp;&nbsp;</div>
 								</a>
 							</td>
-				
+							</#if>
 							<td id="logout" class="ui-widget-header" >
 								<a  href="<@base/>/logout?reLoginUrl=login">
 									<div  style="float:right;" >&nbsp;&nbsp;<@locale code="global.text.logout"/>&nbsp;&nbsp;</div>