spring shiro权限注解方式验证

yxlnum 2015-03-05

第一种使用shiro的注解方式:

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">  
                <property name="proxyTargetClass" value="true" />   
       </bean>

 

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">  
            <property name="securityManager" ref="securityManager"/>  
        </bean>

 

配置上,在方法头上加上注解就可以了,网上资料很多,就不详说了

使用自定义注解

先上自定义注解:

package com.isoftstone.common.permission;  
      
    import java.lang.annotation.ElementType;  
    import java.lang.annotation.Retention;  
    import java.lang.annotation.RetentionPolicy;  
    import java.lang.annotation.Target;  
      
    @Retention(RetentionPolicy.RUNTIME)   
    @Target({ElementType.METHOD})//适用的地方 有 方法上  类上等  
    public @interface CheckPermission {  
       String [] permission();//可以传多个权限标示  
    }

 注解使用:

/**  
     * 保存  
     * @param   基本用户信息  
     * @param   角色id  
     * @return  
     * @author {huzhe}  
     */  
    @RequestMapping(value = "/saveUser")  
    @CheckPermission(permission={BusinessPermissionLabel.permission_addChildAccount})  
    public OperationPrompt saveUser(UserBasicInfo userbaseInfo,String addRoleIds) {

 多个权限标示使用逗号隔开;

第二种:使用spring aop   方法验证   基于上边的自定义   

使用shiro验证是否标示是否有权限 

currentUser.isPermitted(per)

 

package com.isoftstone.common.permission;  
    import org.apache.shiro.SecurityUtils;  
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.subject.Subject;  
    import org.aspectj.lang.ProceedingJoinPoint;  
    import org.aspectj.lang.annotation.Around;  
    import org.aspectj.lang.annotation.Aspect;  
    import org.springframework.stereotype.Component;  
      
    @Aspect  
    @Component  
    //次方法根据spring aop贴入方法 进行权限验证  
    public class PermissionInterceptor {  
      
            @Around("execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)")    
            public Object doInterceptor(ProceedingJoinPoint pjp,CheckPermission checkPermission) throws Throwable{  
                long time = new java.util.Date().getTime();  
                boolean isPermissioin = false;  
                Subject currentUser = SecurityUtils.getSubject();    
                 //没有获得注解  及不需要权限-- 则直接运行  
                if(null!=checkPermission){  
                    String [] permission = checkPermission.permission();  
                    for(String per:permission){  
                        //当前登录人 具有权限  
                        if(currentUser.isPermitted(per)){  
                            isPermissioin = true;  
                            break;  
                        }  
                    }  
                }else{  
                    isPermissioin = true;  
                }  
                  
                System.out.println("(AOP)拦截到了:"+pjp.getSignature().getName()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());  
                if(isPermissioin){  
                    //有执行方法或权限不拦截  
                    return pjp.proceed();  
                }else{  
                    //抛出无权限异常  
                    throw new AuthorizationException();  
                }  
                    
            }    
    }

 需要在spring配置文件中开始aop注解:

<!-- 打开aop使用aop进行权限验证 -->  
       <aop:aspectj-autoproxy />

方式3:使用spring mvc拦截所有url验证:

<!-- 使用spring mvc拦截器进行权限验证 -->  
<mvc:interceptors>  
        <bean class="com.isoftstone.common.permission.PermissionInterceptorAdapter" />  
</mvc:interceptors>

 这个方法实现大致一样:

package com.isoftstone.common.permission;  
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletResponse;  
    import org.apache.shiro.SecurityUtils;  
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.subject.Subject;  
    import org.springframework.web.method.HandlerMethod;  
    import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;  
    //次方法根据spring mvc拦截器进行权限验证  
    public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter  {  
      
        @Override  
        public boolean preHandle(HttpServletRequest request,  
                HttpServletResponse response, Object handler) throws Exception {  
            HandlerMethod handler2=(HandlerMethod) handler;  
            CheckPermission checkPermission = handler2.getMethodAnnotation(CheckPermission.class);  
            long time = new java.util.Date().getTime();  
            boolean isPermissioin = false;  
            Subject currentUser = SecurityUtils.getSubject();    
             //没有获得注解  及不需要权限-- 则直接运行  
            if(null!=checkPermission){  
                String [] permission = checkPermission.permission();  
                for(String per:permission){  
                    //当前登录人 具有权限  
                    if(currentUser.isPermitted(per)){  
                        isPermissioin = true;  
                        break;  
                    }  
                }  
            }else{  
                isPermissioin = true;  
            }  
              
            System.out.println("拦截到了mvc方法:"+handler2.getMethod()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());  
            if(isPermissioin){  
                //有执行方法或权限不拦截  
                return true;  
            }else{  
                //跑出无权限异常  
                throw new AuthorizationException();  
            }  
        }  
      
    }

  除了spring和shiro使用的包:

<dependency>  
      <groupId>org.aspectj</groupId>  
      <artifactId>aspectjrt</artifactId>  
      <version>1.8.0</version>  
    </dependency>  
    <dependency>  
      <groupId>org.aspectj</groupId>  
      <artifactId>aspectjweaver</artifactId>  
      <version>1.8.0</version>  
    </dependency>

 spring自定义异常拦截:

package com.isoftstone.common.exception;  
      
    import java.io.IOException;  
    import java.sql.SQLException;  
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletResponse;  
      
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.authz.UnauthorizedException;  
    import org.springframework.stereotype.Component;  
    import org.springframework.web.servlet.HandlerExceptionResolver;  
    import org.springframework.web.servlet.ModelAndView;  
      
    import com.isoftstone.common.bo.PermissioinPage;  
      
    /** 
     * 自定义权限异常处理 
     * @author Administrator 
     * 
     */  
    @Component  
    public class MyHandlerExceptionResolver implements HandlerExceptionResolver  {  
      
        @Override  
        public ModelAndView resolveException(HttpServletRequest request,  
                HttpServletResponse response, Object object, Exception exception) {  
            //是否为ajax请求  
            String requestType = request.getHeader("X-Requested-With");  
             if(exception instanceof AuthorizationException){  
                response.setStatus(413);//无权限异常  主要用于ajax请求返回  
                response.addHeader("Error-Json", "{code:413,msg:'nopermission',script:''}");  
                response.setContentType("text/html;charset=utf-8");  
                if("XMLHttpRequest".equals(requestType)){  
                    return new ModelAndView();  
                }  
                return new ModelAndView("redirect:/html/413.html");  
            }  
            return null;  
        }

相关推荐