我正在使用spring-boot编写web应用程序。它基于jwt身份验证我有模型用户,教师,学生,课程。教师和学生扩展用户
@Entity
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
private String username;
@ManyToMany(fetch = FetchType.LAZY)
@JoinTable(name = "user_roles",
joinColumns = @JoinColumn(name = "user_id"),
inverseJoinColumns = @JoinColumn(name = "role_id"))
private Set<Role> roles = new HashSet<>();
// Other fields and getters setters
}
@Entity
public class Course {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;
@ManyToOne
@JoinColumn(name = "teacher_id", nullable = false)
private Teacher teacher;
@ManyToMany(mappedBy = "enrolledCourses")
private Set<Student> students;
// Other fields and getters setters
}
@Entity
public class Teacher extends User{
@OneToMany(mappedBy = "teacher")
private Set<Course> courses;
// Other fields and getters setters
}
@Entity
public class Student extends User{
@ManyToMany
@JoinTable(
name = "course_student",
joinColumns = @JoinColumn(name = "student_id"),
inverseJoinColumns = @JoinColumn(name = "course_id"))
private Set<Course> enrolledCourses;
// Other fields and getters setters
}
此外,我还有Api课程,在那里我实现了张贴、放置、删除、更新和这些方法必须仅适用于教师用户。我的课程Api看起来像这个
@RestController
@RequestMapping("/teachers")
@PreAuthorize("hasRole('TEACHER')")
public class TeacherCourseController {
@GetMapping("/{teacherId}/courses")
public Set<Course> getCourse(@PathVariable("teacherId") Teacher teacher){
// code
}
@PostMapping("/{teacherId}/courses")
public Course createCourse(
@PathVariable("teacherId") Long teacherId,
@ModelAttribute CourseDto courseDto){
// code
}
@PutMapping("/{teacherId}/courses/{courseId}")
@JsonView(Views.IdName.class)
public Course updateCourse(
@ModelAttribute CourseDto courseDto,
@PathVariable("courseId") Course courseFromDb){
// code
}
@DeleteMapping("/{teacherId}/courses/{courseId}")
public void getCourse(@PathVariable("courseId") Course course) throws IOException {
// code
}
}
我的api url变得更糟了,看起来像这样http://localhost:8080/teachers/{teacherId}/课程/{课程Id}我如何检查老师是否要求他的课程而不是其他老师。感谢
为什么不把课程作为顶级资源?您将拥有类似/courses{courseId}的路径。在处理程序方法中,从对请求进行身份验证的JWT令牌中检查sub声明。如果索赔与授课教师的教师id不匹配,则返回403 Forbidden响应。
尽管课程是由老师教授的,但它们应该是自己的顶级资源,这是有道理的,因为学生可能会列出它们并注册。
如果您成功地进行了春季安全配置:
- 网络登录
- 令牌生成
- 在每次api调用中将令牌作为头传递
您必须访问spring安全上下文,才能获得调用您的rest端点的用户的电子邮件:
- https://mkyong.com/spring-security/get-current-logged-in-username-in-spring-security/
- http://www.appsdeveloperblog.com/spring-security-get-authenticated-principal-details/
- https://dzone.com/articles/how-to-get-current-logged-in-username-in-spring-se
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String name = auth.getName(); //get logged in username
通过真实的电子邮件(由于您在调用api之前登录了网络(和对数据库的查询,您可以确保老师只请求其课程,如果没有,则显示并出错:您无权访问此课程。
建议:只列出我的课程
如果是且端点仅适用于简单教师,则不要将教师Id设置为参数:
http://localhost:8080/teacher/courses/{courseId}
此teacherId不是必需的,因为您可以使用spring安全上下文获取教师的(真实电子邮件(,并使用教师电子邮件代替teacherId搜索课程
建议:我是一名管理员,我需要查看所有老师的课程
在这种情况下,您的端点是完全有效的:
http://localhost:8080/teachers/{teacherId}/courses/{courseId}