shiro配置
来源:互联网 发布:防网络尖兵方法 编辑:程序博客网 时间:2024/05/19 14:39
在spring的配置文件的写法:
<!--************************请求权限的设置********************--><!--realm配置,realm是shiro的桥梁,它主要是用来判断subject是否可以登录及权限等 自己写的类主要是判断用户角色权限继承AuthorizingRealm--><bean id="siteRealm" class="com.sanhai.nep.managerService.filter.SiteRealmManager"></bean><!--securityManager是shiro的核心,初始化时协调各个模块运行--><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"><property name="realm" ref="siteRealm"/></bean><!-- 自定义的角色过滤器 继承AuthorizationFilter--><bean id="anyRoles" class="com.sanhai.nep.managerService.filter.CustomRolesAuthorizationFilter"/><!--shiro过滤器配置,bean的id值须与web中的filter-name的值相同--><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><property name="securityManager" ref="securityManager"/><!-- 没有权限或者失败后跳转的页面 --><property name="unauthorizedUrl" value="/views/common/unauthorized.html"/><property name="loginUrl" value="/views/common/login.jsp"/><property name="filterChainDefinitions"><value>/appRoute=authc,anyRoles[role]/appAPI=authc,anyRoles[role]</value></property></bean><!-- 用户授权信息Cache --><bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/><!-- 保证实现了Shiro内部lifecycle函数的bean执行 --><bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/><!-- AOP式方法级权限检查 --><bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"depends-on="lifecycleBeanPostProcessor"><property name="proxyTargetClass" value="true"/></bean><bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"><property name="securityManager" ref="securityManager"/></bean><!--************************shir********************-->
其中过滤的关键字含义:
- anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
- authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数
- roles:例子/admins/user/=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。
- port:例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal。
自定义角色过滤器的类:
package com.sanhai.nep.managerService.filter;import org.apache.shiro.subject.Subject;import org.apache.shiro.web.filter.authz.AuthorizationFilter;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;public class CustomRolesAuthorizationFilter extends AuthorizationFilter {@Overrideprotected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) throws Exception {Subject subject = getSubject(req, resp);String[] rolesArray = (String[]) mappedValue;HttpServletRequest request = (HttpServletRequest) req;StringBuffer url = request.getRequestURL();request.getSession().setAttribute("url", url);//把当前的请求的url放在session里面,在SiteRealmManager中判断使用if (rolesArray == null || rolesArray.length == 0) { //没有角色限制,有权限访问return true;}for (int i = 0; i < rolesArray.length; i++) {if (subject.hasRole(rolesArray[i])) { //若当前用户是rolesArray中的任何一个,则有权限访问return true;}}return false;}}
realm配置,realm是shiro的桥梁,它主要是用来判断subject是否可以登录及权限等
package com.sanhai.nep.managerService.filter;import com.sanhai.common.util.Contants;import com.sanhai.nep.managerService.entity.MenuEntity;import org.apache.log4j.Logger;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.*;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.session.Session;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.subject.Subject;import java.util.ArrayList;import java.util.HashSet;import java.util.List;import java.util.Set;/*** Created by 胥源博 on 2016/7/12.*/public class SiteRealmManager extends AuthorizingRealm {private Logger logger = Logger.getLogger(this.getClass());@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {Subject currentUser = SecurityUtils.getSubject();String roleName = "unRole";//默认没有权限if (null != currentUser) {Session session = currentUser.getSession();//获取用户的所有的权限List list = (List) session.getAttribute("menuList");List<MenuEntity> chList = new ArrayList();//获取当前访问的urlStringBuffer url = (StringBuffer) session.getAttribute("url");//遍历url看看用户有没有权限K:if (list != null && list.size() > 0) {for (int i = 0; i < list.size(); i++) {MenuEntity menuEntity = (MenuEntity) list.get(i);//当有二级菜单权限的时候if (menuEntity.getChildMenu() != null && menuEntity.getChildMenu().size() != 0) {//获取当前一级菜单下面的所有二级菜单权限chList = menuEntity.getChildMenu();//遍历当前菜单下的所有二级菜单权限for (int j = 0; j < chList.size(); j++) {MenuEntity menuEntity_ = chList.get(j);//判断能不能匹配上 当匹配上的时候说明用户具有权限跳出所有的循环判断if (url.toString().indexOf(menuEntity_.getUri()) != -1) {roleName = "role";break K;}}}//当匹配上的时候说明用户具有权限跳出所有的循环判断if (menuEntity.getUri() != null && !"".equals(menuEntity.getUri())) {if (menuEntity.getUri().indexOf(url.toString()) != -1) {roleName = "role";break K;}}}}// //查询用户流水例外// if (url.toString().indexOf("itemizedAccount") != -1) {// roleName = "role";// }}Set<String> roleNames = new HashSet<String>();Set<String> permissions = new HashSet<String>();roleNames.add(roleName);//添加角色SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);info.setStringPermissions(permissions);return info;}@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {Subject currentUser = SecurityUtils.getSubject();String accout = null;if (null != currentUser) {Session session = currentUser.getSession();accout = (String) session.getAttribute(Contants.SESSION_KEY_ACCOUNT);//从session中取得用户名}UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;if (token.getUsername().equals(accout)) {return new SimpleAuthenticationInfo(accout, token.getPassword(), getName());} else {throw new AuthenticationException();}}}
依赖包:
<!-- Apache Shiro --><!-- 核心包 --><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.2.1</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-web</artifactId><version>1.2.1</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-ehcache</artifactId><version>1.2.1</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.2.1</version></dependency>
阅读全文
0 0
- Shiro 配置
- shiro配置
- shiro配置
- Shiro配置
- shiro配置
- shiro配置
- Shiro配置
- shiro配置
- shiro 配置
- shiro 配置
- 配置shiro
- shiro配置
- 【Apache-Shiro】shiro配置详解
- Apache Shiro 配置
- Apache Shiro 配置
- shiro详细配置
- shiro.ini 配置详解
- shiro简单配置
- C语言定义和声明
- = 改为 in
- 网易面试题记录(题目来源-->牛客网)
- 64位驱动相对偏移的计算E8call
- 吴恩达关于dev / test sets的形象解释
- shiro配置
- 导出带有多个标签页的Excel表格代码
- 生成简单的Excel表格示例
- 【Shiro权限管理】15.Shiro授权流程分析
- WARN OgnlValueStack:68
- hashmap hash后得出下标的方法
- springMVC 简易运行流程
- Python基础
- LeetCode 442.Find All Duplicates in an Array
