shiro自定義realm,權限攔截
一,自定義realm,重寫認證,授權,驗證權限三個方法
public class UserRealm extends AuthorizingRealm {
@Autowired
private SysUserService userService; // performs the username/password login in doGetAuthenticationInfo
@Autowired
private UserAuthService userAuthService; // supplies the role names and permission strings used in doGetAuthorizationInfo
private Logger logger = LoggerFactory.getLogger(this.getClass());
/**
 * Builds the authorization data for the signed-in subject.
 * <p>
 * The primary principal is the {@code SysUser} stored at login time; its id is used to
 * fetch role names and permission strings from {@code userAuthService}. The permission
 * strings are later interpreted as regular expressions by {@link #isPermitted}.
 *
 * @param principals the principal collection of the current subject
 * @return the roles and string permissions of that user
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    SysUser currentUser = (SysUser) principals.getPrimaryPrincipal();
    // The constructor argument is the role set; permissions are attached afterwards.
    SimpleAuthorizationInfo authzInfo =
            new SimpleAuthorizationInfo(userAuthService.findStringRoles(currentUser.getId()));
    authzInfo.setStringPermissions(userAuthService.findStringPermissions(currentUser.getId()));
    return authzInfo;
}
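/**
 * Authenticates a username/password submission.
 * <p>
 * Credential verification is delegated entirely to {@code userService.login}. The
 * {@code SimpleAuthenticationInfo} returned carries the <em>submitted</em> password as
 * its credentials, so Shiro's credentials matcher will always agree with it and must not
 * be relied on as a second check.
 *
 * @param token the submitted token; expected to be a {@code UsernamePasswordToken}
 * @return authentication info for the matched user, or {@code null} when the username is
 *         missing or the login fails (Shiro's authenticator reports a null result as an
 *         unknown account)
 * @throws AuthenticationException declared for the Shiro contract; not thrown directly here
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    logger.info("----------------認證----------------");
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    // A token without a username cannot match any account. Returning null lets Shiro
    // report it as an authentication failure instead of this method dying with a
    // NullPointerException on trim().
    if (upToken.getUsername() == null) {
        return null;
    }
    String username = upToken.getUsername().trim();
    // userService.login takes a String, so the char[] password has to be copied into one.
    String password = "";
    if (upToken.getPassword() != null) {
        password = new String(upToken.getPassword());
    }
    SysUser user = userService.login(username, password);
    if (user == null) {
        return null;
    }
    return new SimpleAuthenticationInfo(user, password.toCharArray(), getName());
}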
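/**
 * Permission check with regular-expression matching.
 * <p>
 * Replaces Shiro's default wildcard-permission resolution: access is granted when the
 * user's permission strings contain {@code permission} literally, or when one of them,
 * read as a regular expression, matches it in full (see {@link #patternMatch}).
 * Missing authorization data denies access instead of throwing.
 *
 * @param principals the subject's principals; may be null for an anonymous subject
 * @param permission the permission string — the request URI when called from
 *                   {@code LoginCheckPermissionFilter}
 * @return true if permitted, false otherwise
 */
@Override
public boolean isPermitted(PrincipalCollection principals, String permission) {
    AuthorizationInfo info = getAuthorizationInfo(principals);
    // getAuthorizationInfo yields null for a null principal collection, and the string
    // permission set may never have been populated; treat both as "no permissions"
    // (fail closed) rather than letting a NullPointerException escape.
    if (info == null || info.getStringPermissions() == null) {
        return false;
    }
    Collection<String> permissions = info.getStringPermissions();
    return permissions.contains(permission) || patternMatch(permissions, permission);
}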
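/**
 * Tests whether {@code requestUri} is matched in full by any of the given patterns.
 * <p>
 * Each non-empty entry of {@code patternUrlList} is compiled as a {@link Pattern} and
 * checked with {@link Matcher#matches()}, i.e. the whole URI has to match. An entry that
 * is not a valid regular expression is logged and skipped instead of aborting the whole
 * check, so one malformed permission string cannot break authorization for the rest.
 *
 * @param patternUrlList permission strings interpreted as regular expressions; may be null
 * @param requestUri     the URI being checked
 * @return true if some pattern matches the whole URI, false otherwise (including for a
 *         null or empty pattern list)
 */
public boolean patternMatch(Collection<String> patternUrlList, String requestUri) {
    if (patternUrlList == null) {
        return false;
    }
    for (String patternUri : patternUrlList) {
        if (!StringUtils.isNotEmpty(patternUri)) {
            continue;
        }
        try {
            if (Pattern.compile(patternUri).matcher(requestUri).matches()) {
                return true;
            }
        } catch (java.util.regex.PatternSyntaxException e) {
            // A stored permission that is not valid regex must not fail (or, via a
            // caller that swallows exceptions, bypass) the check: treat it as a
            // non-match and surface the bad entry in the log.
            logger.warn("ignoring permission pattern that is not a valid regex: {}", patternUri, e);
        }
    }
    return false;
}
二、授權filter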
isAccessAllowed,攔截方法,返回true表示通過驗證,返回false會執行onAccessDenied方法。
public class LoginCheckPermissionFilter extends AuthorizationFilter {
public Logger logger = LoggerFactory.getLogger(getClass()); // used to record failures of the permission check in isAccessAllowed
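/**
 * Decides whether the current subject may access the requested URI.
 * <p>
 * The raw request URI is used as the permission string and resolved by the realm
 * ({@code UserRealm#isPermitted}). Any failure while evaluating the permission now
 * denies access: returning {@code true} after logging the error, as this method used
 * to, meant that an exception anywhere in the authorization path silently granted the
 * request.
 *
 * @param request     the current request; cast to {@code HttpServletRequest}
 * @param response    the current response (not used here)
 * @param mappedValue the filter's configured value (not used here)
 * @return true if the subject is permitted for the request URI; false otherwise or when
 *         the check itself fails
 */
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    String url = httpServletRequest.getRequestURI();
    try {
        Subject user = SecurityUtils.getSubject();
        return user.isPermitted(url);
    } catch (Exception e) {
        // Fail closed: a broken permission check must deny, not grant, access.
        // Denial is handled gracefully by onAccessDenied (login redirect / JSON / 401).
        logger.error("check permission error", e);
        return false;
    }
}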
/**
 * Handles a request the subject is not permitted to make.
 * <p>
 * An anonymous subject is sent to the login page with the original request saved. An
 * authenticated subject receives, when {@code unauthorizedUrl} is configured, a JSON
 * error body for POST requests or a redirect to that URL otherwise; without a configured
 * URL the response is {@code SC_UNAUTHORIZED}.
 *
 * @param request  the current request
 * @param response the current response
 * @return always {@code false}: the filter chain does not continue
 * @throws IOException if writing the response body or redirecting fails
 */
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
    Subject subject = getSubject(request, response);
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    String method = httpRequest.getMethod();
    if (subject.getPrincipal() == null) {
        // Not logged in at all: park the request and go to the login page.
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
    String unauthorizedUrl = getUnauthorizedUrl();
    if (!StringUtils.hasText(unauthorizedUrl)) {
        WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    if (method.equals("POST")) {
        // POST callers are assumed to expect JSON rather than a redirect.
        httpResponse.setHeader("Content-Type", "application/json;charset=UTF-8");
        String body = JSON.toJSONString(new BaseResp("沒有權限,請聯系管理員!", BizConstants.FAIL));
        httpResponse.getWriter().write(body);
    } else {
        WebUtils.issueRedirect(request, response, unauthorizedUrl);
    }
    return false;
}
} 三、shiro部分配置
<property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login"/> <!--<property name="successUrl" value="/loginOK" />--> <property name="unauthorizedUrl" value="/noPermission"/> <property name="filters"> <map> <entry key="perms" value-ref="loginCheckPermissionFilter"/> <entry key="user" value-ref="myUserFilter"/> </map> </property> <property name="filterChainDefinitions"> <value> /favicon.ico = anon /resources/** = anon /PoiTemplate/** = anon /login = anon /logout = user /** = user,perms </value> </property> </bean>