MyBatis的动态拦截sql并修改
更新时间:2023年11月28日 08:55:23 作者:元芳,你怎么看
因工作需求,需要根据用户的数据权限,来查询并展示相应的数据,那么就需要动态拦截sql,本文就来介绍了MyBatis的动态拦截sql并修改,感兴趣的可以了解一下
需求
因工作需求,需要根据用户的数据权限,来查询并展示相应的数据,那么就需要动态拦截sql,在根据用户权限做相应的处理,因此需要一个通用拦截器,并以注解实现。该文只做查询拦截,如有其他需求,可根据工作做相应更改。
步骤一
该注解是方法级,因此需要注解在dao层方法上,如有需要也可更改为类级
注解:
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@Documented
// 指名数据库查询方法需要和权限挂钩
public @interface Permission {
}
步骤二
定义拦截器实现接口重写其intercept方法
@Intercepts({
// @Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})
// @Signature( type = Executor.class, method = "update",args = {MappedStatement.class, Object.class}),
@Signature(type = Executor.class, method = "query",args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class}),
@Signature(type = Executor.class, method = "query",args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class, CacheKey.class, BoundSql.class})
})
@Component
public class PermissionInterceptor implements Interceptor {
@Override
public Object intercept(Invocation invocation) throws Throwable {
}
}
步骤三
拿到所有查询sql请求,并得到相应的statement
@Intercepts({
// @Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})
// @Signature( type = Executor.class, method = "update",args = {MappedStatement.class, Object.class}),
@Signature(type = Executor.class, method = "query",args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class}),
@Signature(type = Executor.class, method = "query",args = {MappedStatement.class, Object.class, RowBounds.class, ResultHandler.class, CacheKey.class, BoundSql.class})
})
@Component
public class PermissionInterceptor implements Interceptor {
@Override
public Object intercept(Invocation invocation) throws Throwable {
String processSql = ExecutorPluginUtils.getSqlByInvocation(invocation);
// 执行自定义修改sql操作
// 获取sql
String sql2Reset = processSql;
Statement statement = CCJSqlParserUtil.parse(processSql);
MappedStatement mappedStatement = (MappedStatement) invocation.getArgs()[0];
}
}
步骤四
如果后端未用分页,则这步可以省略在项目启动类下完成该配置
//得到spring上下文
ConfigurableApplicationContext run = SpringApplication.run(Application.class, args);
Interceptor permissionInterceptor = (Interceptor) run.getBean("permissionInterceptor");
//这种方式添加mybatis拦截器保证在pageHelper前执行
run.getBean(SqlSessionFactory.class).getConfiguration().addInterceptor(permissionInterceptor);
步骤五
工具类
package com.ydy.common.utils;
import com.ydy.common.annotation.Permission;
import org.apache.ibatis.mapping.BoundSql;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.mapping.SqlCommandType;
import org.apache.ibatis.mapping.SqlSource;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.reflection.DefaultReflectorFactory;
import org.apache.ibatis.reflection.MetaObject;
import org.apache.ibatis.reflection.factory.DefaultObjectFactory;
import org.apache.ibatis.reflection.wrapper.DefaultObjectWrapperFactory;
import java.lang.reflect.Method;
import java.lang.reflect.Type;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Objects;
public class ExecutorPluginUtils {
/**
* 获取sql语句
* @param invocation
* @return
*/
public static String getSqlByInvocation(Invocation invocation) {
final Object[] args = invocation.getArgs();
MappedStatement ms = (MappedStatement) args[0];
Object parameterObject = args[1];
BoundSql boundSql = ms.getBoundSql(parameterObject);
return boundSql.getSql();
}
/**
* 包装sql后,重置到invocation中
* @param invocation
* @param sql
* @throws SQLException
*/
public static void resetSql2Invocation(Invocation invocation, String sql) throws SQLException {
final Object[] args = invocation.getArgs();
MappedStatement statement = (MappedStatement) args[0];
Object parameterObject = args[1];
BoundSql boundSql = statement.getBoundSql(parameterObject);
MappedStatement newStatement = newMappedStatement(statement, new BoundSqlSqlSource(boundSql));
MetaObject msObject = MetaObject.forObject(newStatement, new DefaultObjectFactory(), new DefaultObjectWrapperFactory(),new DefaultReflectorFactory());
msObject.setValue("sqlSource.boundSql.sql", sql);
args[0] = newStatement;
}
private static MappedStatement newMappedStatement(MappedStatement ms, SqlSource newSqlSource) {
MappedStatement.Builder builder =
new MappedStatement.Builder(ms.getConfiguration(), ms.getId(), newSqlSource, ms.getSqlCommandType());
builder.resource(ms.getResource());
builder.fetchSize(ms.getFetchSize());
builder.statementType(ms.getStatementType());
builder.keyGenerator(ms.getKeyGenerator());
if (ms.getKeyProperties() != null && ms.getKeyProperties().length != 0) {
StringBuilder keyProperties = new StringBuilder();
for (String keyProperty : ms.getKeyProperties()) {
keyProperties.append(keyProperty).append(",");
}
keyProperties.delete(keyProperties.length() - 1, keyProperties.length());
builder.keyProperty(keyProperties.toString());
}
builder.timeout(ms.getTimeout());
builder.parameterMap(ms.getParameterMap());
builder.resultMaps(ms.getResultMaps());
builder.resultSetType(ms.getResultSetType());
builder.cache(ms.getCache());
builder.flushCacheRequired(ms.isFlushCacheRequired());
builder.useCache(ms.isUseCache());
return builder.build();
}
/**
* 是否标记为区域字段
* @return
*/
public static boolean isAreaTag( MappedStatement mappedStatement) throws ClassNotFoundException {
String id = mappedStatement.getId();
//获取类名
String className = id.substring(0, id.lastIndexOf("."));
Class clazz = Class.forName(className);
//获取方法名
String methodName = id.substring(id.lastIndexOf(".") + 1);
//这里是博主工作需求,防止pagehelper那里未生效
if(methodName.contains("_COUNT")){
methodName=methodName.replace("_COUNT","");
}
String m=methodName;
Class<?> classType = Class.forName(id.substring(0,mappedStatement.getId().lastIndexOf(".")));
//获取对应拦截方法名
String mName = mappedStatement.getId().substring(mappedStatement.getId().lastIndexOf(".") + 1);
//这里是博主工作需求,防止pagehelper那里未生效
if(mName.contains("_COUNT")){
mName=mName.replace("_COUNT","");
}
boolean ignore = false;
//获取该类(接口)的所有方法,如果你查询的方法就写在该类,就不需要下面的if判断
Method[] declaredMethods = classType.getDeclaredMethods();
Method declaredMethod = Arrays.stream(declaredMethods).filter(it -> it.getName().equals(m)).findFirst().orElse(null);
//该判断是拿到该接口的超类的方法,博主的查询方法就在超类里,因此需要利用下面代码来获取对应方法
if (declaredMethod == null) {
Type[] genericInterfaces = clazz.getGenericInterfaces();
declaredMethod = Arrays.stream(genericInterfaces).map(e ->
{
Method[] declaredMethods1 = ((Class) e).getDeclaredMethods();
return Arrays.stream(declaredMethods1).filter(it -> it.getName().equals(m)).findFirst().orElse(null);
}).filter(Objects::nonNull).findFirst().orElse(null);
}
if(declaredMethod!=null){
//查询方法是否被permission标记注解
ignore = declaredMethod.isAnnotationPresent(Permission.class);
}
return ignore;
}
/**
* 是否标记为区域字段
* @return
*/
public static boolean isAreaTagIngore( MappedStatement mappedStatement) throws ClassNotFoundException {
String id = mappedStatement.getId();
String className = id.substring(0, id.lastIndexOf("."));
Class clazz = Class.forName(className);
String methodName = id.substring(id.lastIndexOf(".") + 1);
Class<?> classType = Class.forName(id.substring(0,mappedStatement.getId().lastIndexOf(".")));
//获取对应拦截方法名
String mName = mappedStatement.getId().substring(mappedStatement.getId().lastIndexOf(".") + 1);
boolean ignore = false;
Method[] declaredMethods = classType.getDeclaredMethods();
Method declaredMethod = Arrays.stream(declaredMethods).filter(it -> it.getName().equals(methodName)).findFirst().orElse(null);
if (declaredMethod == null) {
Type[] genericInterfaces = clazz.getGenericInterfaces();
declaredMethod = Arrays.stream(genericInterfaces).map(e ->
{
Method[] declaredMethods1 = ((Class) e).getDeclaredMethods();
return Arrays.stream(declaredMethods1).filter(it -> it.getName().equals(methodName)).findFirst().orElse(null);
}).filter(Objects::nonNull).findFirst().orElse(null);
}
ignore = declaredMethod.isAnnotationPresent(Permission.class);
return ignore;
}
public static String getOperateType(Invocation invocation) {
final Object[] args = invocation.getArgs();
MappedStatement ms = (MappedStatement) args[0];
SqlCommandType commondType = ms.getSqlCommandType();
if (commondType.compareTo(SqlCommandType.SELECT) == 0) {
return "select";
}
return null;
}
// 定义一个内部辅助类,作用是包装sq
static class BoundSqlSqlSource implements SqlSource {
private BoundSql boundSql;
public BoundSqlSqlSource(BoundSql boundSql) {
this.boundSql = boundSql;
}
@Override
public BoundSql getBoundSql(Object parameterObject) {
return boundSql;
}
}
}
步骤六
如果方法被permission注解进入if方法,查询各自数据权限,拼接sql,替换sql。如未进入则放行。
if (ExecutorPluginUtils.isAreaTag(mappedStatement)) {
//获取该用户所具有的角色的数据权限dataScope
//因数据敏感省略
//获取该用户的所在公司或部门下的所有人
//例如 StringBuffer orgBuffer = new StringBuffer();
// orgBuffer.append("(");
//String collect = allUserByOrgs.stream().map(String::valueOf).collect(Collectors.joining(","));
//orgBuffer.append(collect).append(")");
//String orgsUser = orgBuffer.toString();
try {
if (statement instanceof Select) {
Select selectStatement = (Select) statement;
//其中的PlainSelect 可以拿到sql语句的全部节点信息,具体各位可以看源码
PlainSelect plain = (PlainSelect) selectStatement.getSelectBody();
//获取所有外连接
List<Join> joins = plain.getJoins();
//获取到原始sql语句
String sql = processSql;
StringBuffer whereSql = new StringBuffer();
switch (dataScope) {
//这里dataScope 范围 1 所有数据权限 2 本人 3,部门及分部门(递归) 4.公司及分公司(递归)
//所有数据权限作用在人上,因此sql用 in
case 1:
whereSql.append("1=1");
break;
case 2:
for (Join join : joins) {
Table rightItem = (Table) join.getRightItem();
//匹配表名
if(rightItem.getName().equals("sec_user")){
//获取别名
if(rightItem.getAlias()!=null){
whereSql.append(rightItem.getAlias().getName()).append(".id = ").append(SecurityUtils.getLoginUser().getId());
}else {
whereSql.append("id = ").append(deptsUser);
}
}
}
break;
case 3:
for (Join join : joins) {
Table rightItem = (Table) join.getRightItem();
if(rightItem.getName().equals("sec_user")){
if(rightItem.getAlias()!=null){
whereSql.append(rightItem.getAlias().getName()).append(".id in ").append(deptsUser);
}else {
whereSql.append("id in ").append(deptsUser);
}
}
}
break;
case 4:
for (Join join : joins) {
Table rightItem = (Table) join.getRightItem();
if(rightItem.getName().equals("sec_user")){
if(rightItem.getAlias()!=null){
whereSql.append(rightItem.getAlias().getName()).append(".id in ").append(orgsUser);
}else {
whereSql.append("id in ").append(deptsUser);
}
}
}
break;
}
//获取where节点
Expression where = plain.getWhere();
if (where == null) {
if (whereSql.length() > 0) {
Expression expression = CCJSqlParserUtil
.parseCondExpression(whereSql.toString());
Expression whereExpression = (Expression) expression;
plain.setWhere(whereExpression);
}
} else {
if (whereSql.length() > 0) {
//where条件之前存在,需要重新进行拼接
whereSql.append(" and ( " + where.toString() + " )");
} else {
//新增片段不存在,使用之前的sql
whereSql.append(where.toString());
}
Expression expression = CCJSqlParserUtil
.parseCondExpression(whereSql.toString());
plain.setWhere(expression);
}
sql2Reset = selectStatement.toString();
}
} catch (Exception e) {
e.printStackTrace();
}
}
// 替换sql
ExecutorPluginUtils.resetSql2Invocation(invocation, sql2Reset);
//放行
Object proceed = invocation.proceed();
return proceed;到此这篇关于MyBatis的动态拦截sql并修改的文章就介绍到这了,更多相关MyBatis动态拦截sql内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!
相关文章
Java String方法获取字符出现次数及字符最大相同部分示例
这篇文章主要介绍了Java String方法获取字符出现次数及字符最大相同部分,涉及java字符串的遍历、比较、计算等相关操作技巧,需要的朋友可以参考下2017-09-09
springboot跨域访问cros与@CrossOrigin注解详析
这篇文章主要给大家介绍了关于springboot跨域访问cros与@CrossOrigin注解的相关资料,跨域是指不同域名之间相互访问,它是浏览器的同源策略造成的,是浏览器对JavaScript施加的安全限制,需要的朋友可以参考下2023-12-12
这篇文章主要介绍了Java中如何对字符串进行utf-8编码问题,具有很好的参考价值,希望对大家有所帮助。如有错误或未考虑完全的地方,望不吝赐教2023-04-04
SpringBoot对接Twilio实现发送验证码和验证短信码
Twilio是一家提供云通信服务的公司,旨在帮助开发者和企业通过简单的API实现各种通信功能,下面我们来看看如何对接Twilio实现发送验证码和验证短信码吧2025-03-03
java线程安全锁ReentrantReadWriteLock原理分析readLock
这篇文章主要为大家介绍了java线程安全锁ReentrantReadWriteLock原理分析readLock,有需要的朋友可以借鉴参考下,希望能够有所帮助,祝大家多多进步,早日升职加薪2022-10-10
Java如何实现验证码验证功能呢?日常生活中,验证码随处可见,他可以在一定程度上保护账号安全,那么他是怎么实现的呢?今天通过本文给大家实例详解,需要的朋友参考下2017-02-02
本篇文章给大家详细分析了Java并发编程this逃逸的问题分享,对此有需要的朋友参考下。2018-02-02
这篇文章主要为大家详细介绍了SSH结合jquery实现三级联动效果,具有一定的参考价值,感兴趣的小伙伴们可以参考一下2017-01-01
这篇文章主要介绍了java compiler没有1.8的解决方法,非常不错,具有一定的参考借鉴价值,需要的朋友可以参考下2018-08-08
最近在工作中遇到一个需求,要利用反射对修饰符为final的成员变量进行修改,所以这篇文章主要给大家介绍了关于Java反射如何有效的修改final属性值的相关资料,文中通过示例代码介绍的非常详细,对需要的朋友可以参考下。2017-08-08
最新评论