一、Spring Data Rest

Spring Data REST 是 Spring Data 项目的一部分，它提供了一种快速创建 RESTful Web 服务的方法，可以直接暴露 Spring Data 仓库中的数据。通过 Spring Data REST，开发者可以轻松地将数据持久层的操作（如 CRUD 操作）暴露为 RESTful API，而不需要编写大量的控制器代码。这大大简化了 RESTful API 的开发过程。

1、主要特点

自动暴露 Repository 为 RESTful API：
○ Spring Data REST 可以自动将 Spring Data 仓库中的方法暴露为 RESTful API。例如，如果你有一个 UserRepository，Spring Data REST 会自动为你生成相应的 CRUD 操作的 RESTful 端点。

HATEOAS 支持：

○ HATEOAS（Hypermedia As The Engine Of Application State）是 REST 架构风格的一个重要原则。Spring Data REST 生成的 API 自动包含超媒体链接，帮助客户端发现和导航资源。

自定义控制器：

○ 虽然 Spring Data REST 可以自动暴露仓库方法，但你仍然可以添加自定义控制器来处理特定的业务逻辑。你可以通过 @RepositoryRestResource 注解来自定义仓库的暴露方式。

事件监听：

○ Spring Data REST 提供了事件监听机制，可以在资源创建、更新、删除等操作前后触发自定义逻辑。这可以通过实现 ApplicationListener 接口并监听 BeforeCreateEvent、AfterCreateEvent 等事件来实现。

分页和排序：

○ Spring Data REST 自动支持分页和排序。客户端可以通过 URL 参数（如 ?page=0&size=20&sort=name,asc）来请求分页和排序后的数据。

文档生成：

○ Spring Data REST 可以生成 API 文档，帮助客户端了解可用的端点和操作。你可以通过访问 /api-docs 端点来获取这些文档。

2、CRUD使用示例

以目前数言机器人项目为例，在使用mybatis同时加入Spring Data Rest
示例对应表：msg_robot 机器人表

添加依赖

<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-rest</artifactId>
</dependency>
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>

创建实体

虽然已经有机器人表实体，但作用在mybatis，这里新建实体。后面考虑实体如何合并

import cn.com.yunke.msgbot.constant.CommonConstant;
import lombok.Data;
import lombok.RequiredArgsConstructor;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;
import java.time.LocalDateTime;@Table(name = "msg_robot")
@Entity
@Data
@RequiredArgsConstructor
public class MsgRobotRestPO {@GeneratedValue@Idprivate Long id;/*** 租户code*/private String orgCode;/*** 机器人名称*/private String robotName;}

创建仓库接口

纯接口不带方法，带方法可以实现自定义查询

@RepositoryRestResource(collectionResourceRel = "msgRobotRestPoes", path = "msgRobotRestPoes")
public interface MsgRobotRestRepository extends JpaRepository<MsgRobotRestPO, Long> {Collection<MsgRobotRestPO> findByRobotName(@Param("robotName") String  robotName);
}

访问 API
启动应用后，你可以通过以下 URL 访问 RESTful API：
● 获取所有机器人：GET /bmsMsgRobotRestPoes
● 分页获取机器人：GET /bmsMsgRobotRestPoes?page=1&size=2&sort=createTime
● 获取单个机器人：GET /bmsMsgRobotRestPoes/{id}
返回体：

{"orgCode": "","robotName": "555","_links": {"self": {"href": "http://127.0.0.1:9000/bmsMsgRobotRestPoes/1642067545749266432"},"bmsMsgRobotRestPO": {"href": "http://127.0.0.1:9000/bmsMsgRobotRestPoes/1642067545749266432"}}
}

● 创建机器人：POST /msgRobotRestPoes =>201
● 更新机器人：PATCH /msgRobotRestPoes/{id} =>200
● 删除机器人：DELETE /msgRobotRestPoes/{id} =>204
● 查询机器人：GET /msgRobotRestPoes/search/findByRobotName?robotName=111111
特性分析
1、自动生成的不能直接详细的条件查询
需要在Repository接口上定义方法，上面Repository代码
通过search查询实现，效率比之前快，但没有ZenStack灵活

3、关联关系

Spring Data Rest 会自动检测实体之间的关联广西，并创建关联资源，如：机器人下配置信息

@Table(name = "msg_robot")
@Entity
@Data
@RequiredArgsConstructor
public class MsgRobotRestPO {@Id@GeneratedValue(strategy = GenerationType.IDENTITY)private Long id;/*** 租户code*/private String orgCode;/*** 机器人名称*/private String robotName;@OneToMany(cascade = CascadeType.ALL, orphanRemoval = true)@JoinColumn(name = "robot_id")private List<MsgRobotParamConfigRestPO> paramConfig;
}

@Table(name = "msg_robot_param_config")
@Entity
@Data
@RequiredArgsConstructor
public class MsgRobotParamConfigRestPO {private static final long serialVersionUID = 1L;/*** id*/@Id@GeneratedValueprivate Long id;/*** 对应配置的id*/private String configId;/*** 对应配置的值*/private String configValue;/*** 机器人*/@ManyToOne(fetch = FetchType.LAZY)private MsgRobotRestPO robot;
}

映射关系查询结果

{"orgCode": "222","robotName": "555","paramConfig": [],"_links": {"self": {"href": "http://127.0.0.1:9000/msgRobotRestPoes/1762047555096432644"},"bmsMsgRobotRestPO": {"href": "http://127.0.0.1:9000/msgRobotRestPoes/1762047555096432644"}}
}

4、事件

通过监听事件，我们可以在资源的创建、更新、删除等操作时执行自定义逻辑

@Component
@RepositoryEventHandler(BmsMsgRobot.class)
public class BmsMsgRobotEventHandler {@HandleBeforeCreatepublic void handleBeforeCreate(BmsMsgRobot robot) {System.out.println("handleBeforeCreate robot");}
}

5、数据权限

1、Spring Data Rest 数据权限，可以通过集成Spring Security实现对资源的安全控制。配置安全规则，限制对部分资源的访问权限。

a. 添加依赖

<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>

b.配置 Spring Security

创建一个配置类来配置 Spring Security，并实现自定义的认证和授权机制。
自定义认证过滤器
创建一个自定义的认证过滤器，用于调用外部接口验证用户的权限。

package cn.com.yunke.msgbot.rest.filter;
import cn.com.yunke.msgbot.exception.BotServiceException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {public CustomAuthenticationFilter(String defaultFilterProcessesUrl, AuthenticationManager authenticationManager) {super(new AntPathRequestMatcher(defaultFilterProcessesUrl));setAuthenticationManager(authenticationManager);}@Overridepublic Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {String sessionId = request.getParameter("sessionId");if (sessionId == null || sessionId.isEmpty()) {throw new BotServiceException("Session ID is required");}// 调用外部接口验证 session IDboolean isValid = callExternalApiToValidateSession(sessionId);if (!isValid) {throw new BotServiceException("Invalid session ID");}// 创建并返回 Authentication 对象UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(sessionId, "", Collections.emptyList());return getAuthenticationManager().authenticate(authRequest);}private boolean callExternalApiToValidateSession(String sessionId) {// 调用外部接口验证 session ID// 返回 true 或 false// 示例代码：// 假设外部接口返回一个 JSON 对象，包含 isValid 字段// 使用 HttpClient 或其他 HTTP 客户端库调用外部接口return true;}@Overrideprotected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {SecurityContextHolder.getContext().setAuthentication(authResult);chain.doFilter(request, response);}
}

自定义认证提供者

创建一个自定义的认证提供者，用于处理认证逻辑。

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;public class CustomAuthenticationProvider implements AuthenticationProvider {private final UserDetailsService userDetailsService;public CustomAuthenticationProvider(UserDetailsService userDetailsService) {this.userDetailsService = userDetailsService;}@Overridepublic Authentication authenticate(Authentication authentication) throws AuthenticationException {String sessionId = (String) authentication.getPrincipal();UserDetails userDetails = userDetailsService.loadUserByUsername(sessionId);if (userDetails == null) {throw new UsernameNotFoundException("User not found");}return new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());}@Overridepublic boolean supports(Class<?> authentication) {return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);}
}

自定义用户详细信息服务

创建一个自定义的用户详细信息服务，用于从外部接口获取用户详细信息。

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;import java.util.ArrayList;
import java.util.Collections;
import java.util.List;@Service
public class CustomUserDetailsService implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String sessionId) throws UsernameNotFoundException {// 调用外部接口获取用户详细信息List<GrantedAuthority> authorities = callExternalApiToGetUserAuthorities(sessionId);if (authorities == null || authorities.isEmpty()) {throw new UsernameNotFoundException("User not found");}return new User(sessionId, "", authorities);}private List<GrantedAuthority> callExternalApiToGetUserAuthorities(String sessionId) {// 调用外部接口获取用户权限// 返回权限列表// 示例代码：// 假设外部接口返回一个 JSON 对象，包含 authorities 字段List<GrantedAuthority> authorities = new ArrayList<>();authorities.add(new SimpleGrantedAuthority("ROLE_admin"));return authorities;//return Collections.emptyList();}
}

配置 Spring Security

创建一个配置类来配置 Spring Security，并注册自定义的认证过滤器和认证提供者。

import cn.com.yunke.msgbot.rest.filter.CustomAuthenticationFilter;
import cn.com.yunke.msgbot.rest.provider.CustomAuthenticationProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Autowiredprivate UserDetailsService userDetailsService;@Beanpublic CustomAuthenticationFilter customAuthenticationFilter() throws Exception {CustomAuthenticationFilter filter = new CustomAuthenticationFilter("/", authenticationManager());return filter;}@Overrideprotected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/api-docs", "/h2-console/**").permitAll().anyRequest().authenticated().and().addFilterBefore(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class).httpBasic().and().csrf().disable().headers().frameOptions().disable(); // For H2 console}@Overrideprotected void configure(AuthenticationManagerBuilder auth) throws Exception {auth.authenticationProvider(new CustomAuthenticationProvider(userDetailsService));}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}
}

使用 @PreAuthorize 注解

在服务或控制器中使用 @PreAuthorize 注解来控制实体或者方法级别的访问。

@PreAuthorize("hasRole('ROLE_admin')")
@RepositoryRestResource(collectionResourceRel = "bmsMsgRobotRestPoes", path = "bmsMsgRobotRestPoes")
public interface BmsMsgRobotRestRepository extends JpaRepository<BmsMsgRobotRestPO, Long> {@PreAuthorize("hasRole('ROLE_member')")Collection<BmsMsgRobotRestPO> findByRobotName(@Param("robotName") String  robotName);//Page<BmsMsgRobotRestPO> findAll(@NotNull Pageable pageable);
}

注意：1、引入Spring Security需要考虑与之前全局拦截器兼容，不要冲突，考虑之前需要不拦截的接口等。

2、已有的全局拦截器，控制数据权限，权限体系与已有接口权限体系一致

6、其他功能

如更改路径、更改自动生产API名称、字段是否显示等更多内容参考官方文档
Spring Data REST官网