package run.halo.app.core.extension.service;
import java.util.Collection;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import run.halo.app.security.authorization.AuthorityUtils;
/**
* <p>Obtain the authorities from the authenticated authentication and construct it as a RoleBinding
* list.</p>
* <p>After JWT authentication, the roles stored in the authorities are the roles owned by the user,
* so there is no need to query from the database.</p>
* <p>For tokens in other formats, populate the SecurityContextHolder with the authorities carried
* by the token after authentication.</p>
*
* @author guqing
* @see AnonymousAuthenticationFilter
* @since 2.0.0
*/
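@Slf4j
public class DefaultRoleBindingService implements RoleBindingService {
    private static final String SCOPE_AUTHORITY_PREFIX = AuthorityUtils.SCOPE_PREFIX;
    private static final String ROLE_AUTHORITY_PREFIX = AuthorityUtils.ROLE_PREFIX;

    /**
     * Converts the granted authorities of the current authentication into role names.
     *
     * <p>Each authority string has a leading scope prefix and then a leading role prefix stripped,
     * in that order; whatever remains is returned as the role name. An authority that carries
     * neither prefix is returned unchanged, so every authority string handed to this method ends
     * up being treated as a role name. The result is therefore only as trustworthy as the
     * component that populated the authorities (token verification, authentication filters).</p>
     *
     * @param authorities authorities of the authenticated principal, must not be {@code null}
     * @return the distinct role names derived from {@code authorities}, never {@code null}
     */
    @Override
    public Set<String> listBoundRoleNames(Collection<? extends GrantedAuthority> authorities) {
        return authorities.stream()
            .map(GrantedAuthority::getAuthority)
            // GrantedAuthority#getAuthority may return null for authorities that cannot be
            // expressed as a String; skip those rather than fail, which grants nothing extra.
            .filter(authority -> authority != null)
            // Exclude anonymous user roles.
            // NOTE(review): this compares the raw authority, before any prefix is stripped, so
            // only the exact string "ROLE_ANONYMOUS" is dropped. A scope-prefixed variant would
            // pass through as a role name - confirm that no token format can produce one.
            .filter(authority -> !"ROLE_ANONYMOUS".equals(authority))
            .map(DefaultRoleBindingService::toRoleName)
            .collect(Collectors.toSet());
    }

    /**
     * Strips the scope prefix and then the role prefix from an authority string.
     *
     * <p>Uses {@link String#substring(int)} instead of {@link String#replaceFirst(String, String)}
     * so the prefixes are always treated as literal text, never as regular expressions.</p>
     */
    private static String toRoleName(String authority) {
        String name = authority;
        if (name.startsWith(SCOPE_AUTHORITY_PREFIX)) {
            name = name.substring(SCOPE_AUTHORITY_PREFIX.length());
            // fall through: the remainder may still carry the role prefix
        }
        if (name.startsWith(ROLE_AUTHORITY_PREFIX)) {
            name = name.substring(ROLE_AUTHORITY_PREFIX.length());
        }
        return name;
    }
}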