shiro配置
在spring的配置文件的写法:
<!--************************ Request authorization settings ********************-->
<!-- Realm: Shiro's bridge to the application's security data. It decides whether a subject can log in
     and which roles/permissions it has. SiteRealmManager is the project's own class and extends AuthorizingRealm. -->
<bean id="siteRealm" class="com.sanhai.nep.managerService.filter.SiteRealmManager">
</bean>
<!-- securityManager is the core of Shiro; it coordinates the other modules once initialized.
     Only the realm is injected here. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="siteRealm"/>
</bean>
<!-- Custom role filter (extends AuthorizationFilter). It is referenced as "anyRoles" in the filter chain below. -->
<bean id="anyRoles" class="com.sanhai.nep.managerService.filter.CustomRolesAuthorizationFilter"/>
<!-- Shiro filter configuration. The bean id must be the same as the filter-name declared in web.xml. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- Page shown when the user lacks permission or the check fails -->
<property name="unauthorizedUrl" value="/views/common/unauthorized.html"/>
<property name="loginUrl" value="/views/common/login.jsp"/>
<!-- Filter chain: each listed path requires a logged-in user (authc) and is then checked by the
     custom anyRoles filter, which receives "role" as its configured role list.
     NOTE(review): only /appRoute and /appAPI are listed and neither pattern carries a wildcard.
     There is no catch-all entry (for example one mapping /** to authc), so any other path is not
     constrained by this chain; sub-paths of the two entries are presumably not matched either.
     Confirm that everything else is protected elsewhere or intended to be public. -->
<property name="filterChainDefinitions">
<value>
/appRoute=authc,anyRoles[role]
/appAPI=authc,anyRoles[role]
</value>
</property>
</bean>
<!-- Cache for user authorization information.
     NOTE(review): no bean in this snippet references cacheManager (securityManager only receives the realm),
     so it has no effect here unless it is wired elsewhere. SiteRealmManager derives the role from the URL of
     the current request, so enabling authorization caching would presumably reuse a decision made for one
     URL on another; verify before wiring it in. -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
<!-- Makes sure beans that implement Shiro's internal lifecycle callbacks get them invoked -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- AOP-style, method-level permission checks -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"/>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<!--************************ End of Shiro settings ********************-->
其中过滤的关键字含义:
- anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
- authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数
- roles:例子/admins/user/**=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分隔,当有多个参数时,例如/admins/user/**=roles["admin,guest"],每个参数都通过才算通过,相当于hasAllRoles()方法。
- port:例子/admins/user/**=port[8081],当请求的url的端口不是8081时,会重定向到同一地址的8081端口(schema://serverName:8081?queryString)。
自定义角色过滤器的类(与内置的roles不同,用户只要具备所列角色中的任意一个即可通过):
package com.sanhai.nep.managerService.filter;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
 * Authorization filter that lets a request through when the current subject holds
 * <em>any one</em> of the roles configured for the matched filter-chain entry.
 *
 * <p>As a side effect, every call records the URL of the current request in the HTTP
 * session under the key {@code "url"}; according to the original author's comment this
 * value is read back by {@code SiteRealmManager} when it computes the subject's role.
 *
 * <p>NOTE(review): a session attribute is shared by every request that belongs to the same
 * session. If two requests of one session are processed at the same time, the URL written
 * here could presumably be overwritten before the realm reads it, so the role decision may
 * be made against a different URL than the one being served. Confirm how the realm
 * consumes the value before relying on this hand-off.
 */
public class CustomRolesAuthorizationFilter extends AuthorizationFilter {

    /**
     * Decides whether the request may proceed.
     *
     * @param req         the incoming request; cast to {@link HttpServletRequest}
     * @param resp        the outgoing response
     * @param mappedValue the role names configured for this path, cast to {@code String[]}
     * @return {@code true} when no roles are configured or the subject has at least one of them
     * @throws Exception declared by the overridden method
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) throws Exception {
        Subject currentSubject = getSubject(req, resp);
        String[] allowedRoles = (String[]) mappedValue;

        // Store the current request URL in the session under "url". This must happen before
        // the hasRole() calls below, because the role lookup is where the value is consumed.
        HttpServletRequest httpRequest = (HttpServletRequest) req;
        StringBuffer requestUrl = httpRequest.getRequestURL();
        httpRequest.getSession().setAttribute("url", requestUrl);

        // No role restriction configured for this path: access is allowed.
        boolean unrestricted = allowedRoles == null || allowedRoles.length == 0;
        if (unrestricted) {
            return true;
        }

        // Holding any single configured role is sufficient.
        for (String candidateRole : allowedRoles) {
            if (currentSubject.hasRole(candidateRole)) {
                return true;
            }
        }
        return false;
    }
}
realm配置,realm是shiro的桥梁,它主要是用来判断subject是否可以登录及权限等
package com.sanhai.nep.managerService.filter;
import com.sanhai.common.util.Contants;
import com.sanhai.nep.managerService.entity.MenuEntity;
import org.apache.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
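/**
 * Created by 胥源博 on 2016/7/12.
 *
 * <p>Realm that assigns the current subject one of two role names, {@code "role"} or
 * {@code "unRole"}, by comparing the URL stored in the session under {@code "url"} with the
 * menu entries stored in the session under {@code "menuList"}.
 *
 * <p>NOTE(review): the comparison is a plain substring test, not a path match, so a URL
 * that merely contains a permitted URI somewhere in its text is accepted. Consider an exact
 * or prefix comparison on the normalized request path.
 *
 * <p>NOTE(review): the result depends on the URL of the current request rather than only on
 * the principal. If authorization caching is enabled for this realm, a decision computed
 * for one URL would presumably be reused for another; confirm that caching stays off or
 * move the URL check out of the realm.
 */
public class SiteRealmManager extends AuthorizingRealm {
    private Logger logger = Logger.getLogger(this.getClass());

    /**
     * Builds the authorization info for the current subject.
     *
     * @param principalCollection the principals being authorized (not consulted; the decision
     *                            is based on session attributes of the current subject)
     * @return an info object holding exactly one role name and an empty permission set
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        Subject currentUser = SecurityUtils.getSubject();
        String roleName = "unRole"; // default: no access
        if (null != currentUser) {
            Session session = currentUser.getSession();
            // All menu entries (permissions) granted to the user.
            List<?> menuList = (List<?>) session.getAttribute("menuList");
            // URL of the request being checked.
            StringBuffer url = (StringBuffer) session.getAttribute("url");
            // Fail closed when either attribute is missing instead of throwing a NullPointerException.
            if (url != null && menuList != null && isUrlPermitted(url.toString(), menuList)) {
                roleName = "role";
            }
        }
        Set<String> roleNames = new HashSet<String>();
        Set<String> permissions = new HashSet<String>();
        roleNames.add(roleName); // the single role decided above
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        info.setStringPermissions(permissions);
        return info;
    }

    /**
     * Returns whether any menu entry, or any of its second-level entries, matches the URL.
     *
     * @param url      the request URL as text
     * @param menuList the user's menu entries; each element is cast to {@code MenuEntity}
     * @return {@code true} on the first match, {@code false} when nothing matches
     */
    private static boolean isUrlPermitted(String url, List<?> menuList) {
        for (Object item : menuList) {
            MenuEntity menuEntity = (MenuEntity) item;

            // Second-level menu entries: the request URL must contain the entry's URI.
            List<MenuEntity> children = menuEntity.getChildMenu();
            if (children != null && children.size() != 0) {
                for (MenuEntity child : children) {
                    String childUri = child.getUri();
                    // A null URI used to throw, and an empty URI is a substring of every
                    // URL and so used to grant access to everything; skip both.
                    if (childUri != null && !"".equals(childUri) && url.indexOf(childUri) != -1) {
                        return true;
                    }
                }
            }

            // First-level menu entry.
            // NOTE(review): this test runs in the opposite direction to the one above (the
            // menu URI must contain the request URL). It is kept as written because changing
            // it would widen access; confirm which direction is intended.
            String uri = menuEntity.getUri();
            if (uri != null && !"".equals(uri) && uri.indexOf(url) != -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Accepts the token when its username equals the account name stored in the session.
     *
     * <p>NOTE(review): the credentials placed in the returned info are the ones submitted in
     * the token itself, so comparing the info with the token cannot fail on the password;
     * this realm performs no password check of its own. Presumably the password is verified
     * before the account name is put into the session. Confirm against the login code.
     *
     * @param authenticationToken the submitted token, cast to {@link UsernamePasswordToken}
     * @return authentication info for the session account
     * @throws AuthenticationException when the session holds no account or the names differ
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        Subject currentUser = SecurityUtils.getSubject();
        String accout = null;
        if (null != currentUser) {
            Session session = currentUser.getSession();
            accout = (String) session.getAttribute(Contants.SESSION_KEY_ACCOUNT); // account name stored in the session
        }
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        // Compare from the session value so a token without a username is rejected
        // with AuthenticationException rather than a NullPointerException.
        if (accout == null || !accout.equals(token.getUsername())) {
            throw new AuthenticationException();
        }
        return new SimpleAuthenticationInfo(accout, token.getPassword(), getName());
    }
}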
依赖包:
<!-- Apache Shiro -->
<!-- Core packages.
     NOTE(review): 1.2.1 is an old Shiro release and later releases include security fixes.
     Check the project's security advisories and pin a currently supported version,
     keeping all four shiro artifacts on the same version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.1</version>
</dependency>