Java整合mybatis实现过滤数据
我有一只肥螳螂 人气:0场景
- 权限1:只能看到自己创建的数据
- 权限2:只能看到本部门的数据
- 权限3:查看全部数据
例子
小明有权限1:
{
"code": "200",
"msg": "查询成功",
"data": [
{
"name": "name1",
"id": "1",
"creater": "xiaoming"
},
{
"name": "name2",
"id": "2",
"creater": "xiaoming"
}
]
}
大明具有权限2,小明相同部门
{
"code": "200",
"msg": "查询成功",
"data": [
{
"name": "name1",
"id": "1",
"creater": "xiaoming"
},
{
"name": "name2",
"id": "2",
"creater": "xiaoming"
},
{
"name": "name3",
"id": "3",
"creater": "daming"
},
{
"name": "name4",
"id": "4",
"creater": "daming"
}
]
}
领导有权限3,可以看到全部
{
"code": "200",
"msg": "查询成功",
"data": [
{
"name": "name1",
"id": "1",
"creater": "xiaoming"
},
{
"name": "name2",
"id": "2",
"creater": "xiaoming"
},
{
"name": "name3",
"id": "3",
"creater": "daming"
},
{
"name": "name4",
"id": "4",
"creater": "daming"
},
{
"name": "name5",
"id": "5",
"creater": "mingming"
}
]
}
执行流程
- Configuration:初始化基础配置,比如 MyBatis 的别名等,一些重要的类型对象,如插件,映射器,ObjectFactory 和 TypeHandler对象, MyBatis所有的配置信息都维持在 Configuration 对象之中。
- SqlSessionFactory:SqlSession工厂。
- SqlSession:作为MyBatis工作的主要顶层API,表示和数据库交互的会话,完成必要的数据库增删改查功能。
- Executor:真正执行sql语句的对象,调用 sqlSession 的方法时,本质上都是调用 executor 的方法,还负责获取 connection,创建 StatementHandler ,责调用 StatementHandler 操作数据库 ,并把结果集通过 ResultSetHandler 进行自动映射,另外,它还处理二级缓存的操作。
- StatementHandler:可以理解为是一次语句的执行,创建并持有 ParameterHandler 和 ResultSetHandler 对象,操作 dbc 的statement与进行数据库操作,另外它也实现了MyBatis的一级缓存。
- ParameterHandler: 处理入参,将java方法上的参数设置到被执行语句中
- ResultSetHandler:处理返回结果,处理jdbc的返回值,将其转换为java的对象
- TypeHandler:负责Java数据类型和JDBC数据类型之间的映射和转换,在 ParameterHandler 和 ResultsetHandler 中
- MappedStatement:MappedStatement维护了一条 <select|update|delete|insert> 节点的封装。
- SqlSource:负责根据用户传递的 parameterObject,动态地生成 SQL 语句,将信息封装到 BoundSql 对象中,并返回。
- BoundSql:表示动态生成的 SQL 语句以及相应的参数信息。
配置切面
- Interceptor: 实现 Interceptor 接口,mybatis 的拦截器
- @Intercepts:只有一个属性,即value,其返回值类型是一个@Signature类型的数组,表示我们可以配置多个@Signature注解
- @Signature:一个方法签名,其共有三个属性,分别为:type、method、args
- type:拦截的四种类型:Executor - 执行器方法 、StatementHandler - 拦截SQL语法构建处理、ParameterHandler - 拦截参数处理、ResultSetHandler - 拦截结果集处理
- method:对应接口中的某一个方法名,比如 Executor 的 query 方法
- args:对应接口中的某一个方法的参数,比如 Executor 中 query 方法因为重载原因,有多个,args就是指明参数类型,从而确定是具体哪一个方法;
@Intercepts({<!--{cke_protected}{C}%3C!%2D%2D%20%2D%2D%3E-->@Signature(type = org.apache.ibatis.executor.Executor.class, method = "query", args = {<!--{cke_protected}{C}%3C!%2D%2D%20%2D%2D%3E-->MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class})})@Slf4jpublic class MapperPermissionInterceptor implements Interceptor {<!--{cke_protected}{C}%3C!%2D%2D%20%2D%2D%3E--> @Override public Object intercept(Invocation invocation) throws Throwable {<!--{cke_protected}{C}%3C!%2D%2D%20%2D%2D%3E--> Object target = invocation.getTarget(); //被代理对象 Method method = invocation.getMethod(); //代理方法 Object[] args = invocation.getArgs(); //方法参数MappedStatement mappedStatement = (MappedStatement) args[0]; Object parameterObject = args[1]; // do something ...方法拦截前执行代码块 Object result = invocation.proceed(); // do something ...方法拦截后执行代码块 return result; } }@Intercepts({@Signature(type = org.apache.ibatis.executor.Executor.class, method = "query", args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class})})
@Slf4j
public class MapperPermissionInterceptor implements Interceptor {
@Override
public Object intercept(Invocation invocation) throws Throwable {
Object target = invocation.getTarget(); //被代理对象
Method method = invocation.getMethod(); //代理方法
Object[] args = invocation.getArgs(); //方法参数
MappedStatement mappedStatement = (MappedStatement) args[0];
Object parameterObject = args[1];
// do something ...方法拦截前执行代码块
Object result = invocation.proceed();
// do something ...方法拦截后执行代码块
return result;
}
}
方案
原 originalSql
select id, name, creater from tt
通过 mybatis 的切面实现
在前面添加 select * from ( ,后面添加 where 条件
select * from ( select id, name, creater from tt ) tmp where creater = "daming"
实现
- 配置权限开关
- 判断方法名是否包含 list 或者 page
- 添加 where 条件
@Intercepts({@Signature(type = org.apache.ibatis.executor.Executor.class, method = "query", args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class})})
@Slf4j
public class MapperPermissionInterceptor implements Interceptor {
@Autowired
PermissionProperty permissionProperty;
public static final String PACK_START_SQL = "select * from ( ";
public static final String PACK_END_SQL = ") tmp ";
public static final String PERMISSION_Y = "y";
@Override
public Object intercept(Invocation invocation) throws Throwable {
if(!PERMISSION_Y.toLowerCase().equals(permissionProperty.getMapper().toLowerCase())){
log.info("mapper 权限未开启");
return invocation.proceed();
}
MappedStatement mappedStatement = (MappedStatement) invocation.getArgs()[0];
Object parameter = invocation.getArgs()[1];
BoundSql boundSql = mappedStatement.getBoundSql(parameter);
String originalSql = boundSql.getSql().trim();
String id = mappedStatement.getId();
log.info("originalSql: {} ", originalSql);
log.info("id: {}", id);
String name = getMapperName(id);
String method = getMapperMethod(id);
log.info("name: {}, method: {} ", name, method);
String joinSql = dataPermissionSqlProvider().getJoinSql(name, method);
log.info("joinSql: {} ", joinSql);
if (Optional.ofNullable(joinSql).isPresent()) {
BoundSql newBoundSql = copyFromBoundSql(mappedStatement, boundSql, this.joinSql(originalSql, joinSql));
ParameterMap map = mappedStatement.getParameterMap();
MappedStatement newMs = copyFromMappedStatement(mappedStatement, new BoundSqlSqlSource(newBoundSql), map);
invocation.getArgs()[0] = newMs;
}
return invocation.proceed();
}
/**
* 获取 Mapper 名称
* @param id
* @return
*/
private String getMapperName(String id) {
String name = id.substring(0, id.lastIndexOf("."));
return name.substring(name.lastIndexOf(".") + 1);
}
/**
* 获取 Mapper 方法
* @param id
* @return
*/
private String getMapperMethod(String id) {
String method = id.substring(id.lastIndexOf(".") + 1);
return method;
}
private DataPermissionProvider dataPermissionSqlProvider() {
return (DataPermissionProvider) ApplicationContextUtil.getBean("dataPermissionProvider");
}
private String joinSql(String sql, String selectSql) {
sql = PACK_START_SQL + sql + PACK_END_SQL + selectSql;
log.info("packSql: {}", sql);
return sql;
}
public static class BoundSqlSqlSource implements SqlSource {
BoundSql boundSql;
public BoundSqlSqlSource(BoundSql boundSql) {
this.boundSql = boundSql;
}
@Override
public BoundSql getBoundSql(Object parameterObject) {
return boundSql;
}
}
private BoundSql copyFromBoundSql(MappedStatement ms, BoundSql boundSql, String sql) {
BoundSql newBoundSql = new BoundSql(ms.getConfiguration(), sql, boundSql.getParameterMappings(), boundSql.getParameterObject());
for (ParameterMapping mapping : boundSql.getParameterMappings()) {
String prop = mapping.getProperty();
if (boundSql.hasAdditionalParameter(prop)) {
newBoundSql.setAdditionalParameter(prop, boundSql.getAdditionalParameter(prop));
}
}
return newBoundSql;
}
/**
* 复制MappedStatement对象
*/
private MappedStatement copyFromMappedStatement(MappedStatement ms, SqlSource newSqlSource, ParameterMap parameterMap) {
MappedStatement.Builder builder = new MappedStatement.Builder(ms.getConfiguration(), ms.getId(), newSqlSource, ms.getSqlCommandType());
builder.resource(ms.getResource());
builder.fetchSize(ms.getFetchSize());
builder.statementType(ms.getStatementType());
builder.keyGenerator(ms.getKeyGenerator());
builder.timeout(ms.getTimeout());
builder.parameterMap(parameterMap);
builder.resultMaps(ms.getResultMaps());
builder.resultSetType(ms.getResultSetType());
builder.cache(ms.getCache());
builder.flushCacheRequired(ms.isFlushCacheRequired());
builder.useCache(ms.isUseCache());
return builder.build();
}
}加载全部内容