diff --git a/awardBE/src/main/java/edu/ncst/award/config/security/DataBaseUrlVoter.java b/awardBE/src/main/java/edu/ncst/award/config/DataBaseUrlVoter.java similarity index 84% rename from awardBE/src/main/java/edu/ncst/award/config/security/DataBaseUrlVoter.java rename to awardBE/src/main/java/edu/ncst/award/config/DataBaseUrlVoter.java index 2e57f23..3f38965 100644 --- a/awardBE/src/main/java/edu/ncst/award/config/security/DataBaseUrlVoter.java +++ b/awardBE/src/main/java/edu/ncst/award/config/DataBaseUrlVoter.java @@ -1,5 +1,6 @@ -package edu.ncst.award.config.security; +package edu.ncst.award.config; +import edu.ncst.award.model.system.Resource; import edu.ncst.award.model.system.Role; import edu.ncst.award.service.IResourceService; import edu.ncst.award.utils.URLUtils; @@ -78,18 +79,18 @@ public class DataBaseUrlVoter implements AccessDecisionVoter { return ACCESS_GRANTED; // 赞同票 } - List rolesResourceList = resourceService.getRolesResourceList(roleNames);//获取目标角色绑定的资源 - - + List rolesResourceList = resourceService.getUserScopeResourceList(roleNames);//获取目标角色绑定的资源 // Role Resource - if (rolesResourceList == null) { + if (rolesResourceList == null || rolesResourceList.size() <=0) { return ACCESS_DENIED; // 反对票 } - for (String allowUrl : rolesResourceList) { - boolean match = antPathMatcher.match(allowUrl, urlWithoutQueryString); + // 当方法和url都匹配上才匹配成功 + for (Resource resource : rolesResourceList) { + boolean match = antPathMatcher.match(resource.getUrl(), urlWithoutQueryString) + && fi.getHttpRequest().getMethod().equals(resource.getMethod()); if (match) { return ACCESS_GRANTED; // 赞同票 }