应用单点登录时，用户访问权限控制

maxkey-core/src/main/java/org/maxkey/authn/RealmAuthenticationProvider.java

@@ -29,7 +29,6 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -162,10 +161,6 @@ public class RealmAuthenticationProvider extends AbstractAuthenticationProvider
         //set OnlineTicket
         signinPrincipal.setOnlineTicket(onlineTicket);
         ArrayList<GrantedAuthority> grantedAuthoritys = authenticationRealm.grantAuthority(userInfo);
-        //set default roles
-        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_USER"));
-        grantedAuthoritys.add(new SimpleGrantedAuthority("ROLE_ORDINARY_USER"));
-        
         signinPrincipal.setAuthenticated(true);
         
         for(GrantedAuthority administratorsAuthority : grantedAdministratorsAuthoritys) {
@@ -174,6 +169,9 @@ public class RealmAuthenticationProvider extends AbstractAuthenticationProvider
                 _logger.trace("ROLE ADMINISTRATORS Authentication .");
             }
         }
+        _logger.debug("Granted Authority " + grantedAuthoritys);
+        
+        signinPrincipal.setGrantedAuthorityApps(authenticationRealm.queryAuthorizedApps(grantedAuthoritys));
         
         UsernamePasswordAuthenticationToken authenticationToken =
                 new UsernamePasswordAuthenticationToken(

maxkey-core/src/main/java/org/maxkey/authn/SigninPrincipal.java

@@ -34,6 +34,7 @@ public class SigninPrincipal implements  UserDetails {
     
     OnlineTicket onlineTicket;
     ArrayList<GrantedAuthority> grantedAuthority;
+    ArrayList<GrantedAuthority> grantedAuthorityApps;
     boolean authenticated;
     boolean roleAdministrators;
 
@@ -133,6 +134,14 @@ public class SigninPrincipal implements  UserDetails {
         return false;
     }
 
+    public ArrayList<GrantedAuthority> getGrantedAuthorityApps() {
+        return grantedAuthorityApps;
+    }
+
+    public void setGrantedAuthorityApps(ArrayList<GrantedAuthority> grantedAuthorityApps) {
+        this.grantedAuthorityApps = grantedAuthorityApps;
+    }
+
     @Override
     public String getUsername() {
         if(this.userInfo != null) {

maxkey-core/src/main/java/org/maxkey/authn/realm/AbstractAuthenticationRealm.java

@@ -110,6 +110,16 @@ public abstract class AbstractAuthenticationRealm {
     public ArrayList<GrantedAuthority> grantAuthority(UserInfo userInfo) {
         return loginService.grantAuthority(userInfo);
     }
+    
+    /**
+     * grant Authority by grantedAuthoritys
+     * 
+     * @param grantedAuthoritys
+     * @return ArrayList<GrantedAuthority Apps>
+     */
+    public ArrayList<GrantedAuthority> queryAuthorizedApps(ArrayList<GrantedAuthority> grantedAuthoritys) {
+        return loginService.queryAuthorizedApps(grantedAuthoritys);
+    }
 
     /**
      * login log write to log db

maxkey-core/src/main/java/org/maxkey/persistence/db/LoginService.java

@@ -56,6 +56,8 @@ public class LoginService {
 
     private static final String DEFAULT_USERINFO_SELECT_STATEMENT = "SELECT * FROM  MXK_USERINFO WHERE USERNAME = ?";
     
+    private static final String DEFAULT_MYAPPS_SELECT_STATEMENT = "SELECT DISTINCT APP.ID,APP.NAME FROM MXK_APPS APP,MXK_GROUP_PRIVILEGES GP,MXK_GROUPS G  WHERE APP.ID=GP.APPID AND GP.GROUPID=G.ID AND G.ID IN(%s)";
+    
     protected JdbcTemplate jdbcTemplate;
     
     public LoginService(){
@@ -151,6 +153,24 @@ public class LoginService {
         }
     }
     
+    public ArrayList<GrantedAuthority> queryAuthorizedApps(ArrayList<GrantedAuthority> grantedAuthoritys) {
+        String grantedAuthorityString="'ROLE_ALL_USER'";
+        for(GrantedAuthority grantedAuthority : grantedAuthoritys) {
+            grantedAuthorityString += ",'"+ grantedAuthority.getAuthority()+"'";
+        }
+        
+        ArrayList<GrantedAuthority> listAuthorizedApps = (ArrayList<GrantedAuthority>) jdbcTemplate.query(
+                String.format(DEFAULT_MYAPPS_SELECT_STATEMENT, grantedAuthorityString), 
+                new RowMapper<GrantedAuthority>() {
+            public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
+                return new SimpleGrantedAuthority(rs.getString("ID"));
+            }
+        });
+
+        _logger.debug("list Authorized Apps  " + listAuthorizedApps);
+        return listAuthorizedApps;
+    }
+    
     public List<Groups> queryGroups(UserInfo userInfo) {
         List<Groups> listGroups = jdbcTemplate.query(GROUPS_SELECT_STATEMENT, new RowMapper<Groups>() {
             public Groups mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -174,9 +194,11 @@ public class LoginService {
         // query roles for user
         List<Groups> listGroups = queryGroups(userInfo);
 
-        // set role for spring security
+        //set default roles
         ArrayList<GrantedAuthority> grantedAuthority = new ArrayList<GrantedAuthority>();
         grantedAuthority.add(new SimpleGrantedAuthority("ROLE_USER"));
+        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_ORDINARY_USER"));
+        grantedAuthority.add(new SimpleGrantedAuthority("ROLE_ALL_USER"));
         for (Groups group : listGroups) {
             grantedAuthority.add(new SimpleGrantedAuthority(group.getId()));
         }