Running果子 2016-01-15
http://my.oschina.net/sheldon1/blog/603351
一,自定义realm,重写认证,授权,验证权限三个方法
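/**
 * Shiro realm backed by {@code SysUserService} (authentication) and
 * {@code UserAuthService} (roles / permission strings).
 *
 * <p>{@link #isPermitted(PrincipalCollection, String)} is overridden so that a
 * permission string is satisfied either by an exact match or by interpreting the
 * stored string as a Java regular expression that must match the whole value.
 * In this application the value checked is the request URI (see
 * LoginCheckPermissionFilter), so the permission store effectively holds a URL
 * allowlist written as regexes.
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    private SysUserService userService;

    @Autowired
    private UserAuthService userAuthService;

    private Logger logger = LoggerFactory.getLogger(this.getClass());

    /**
     * Authorization: roles and permission strings are looked up by the id of the
     * primary principal, which is the {@code SysUser} stored at authentication time.
     *
     * @param principals the subject's principals
     * @return the user's roles and string permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SysUser user = (SysUser) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.setRoles(userAuthService.findStringRoles(user.getId()));
        authorizationInfo.setStringPermissions(userAuthService.findStringPermissions(user.getId()));
        return authorizationInfo;
    }

    /**
     * Authentication.
     *
     * <p>The real username/password verification happens inside
     * {@code userService.login}. The submitted password is then handed back to
     * Shiro as the account's credentials, so Shiro's own credentials matcher
     * compares the submitted password with itself and always succeeds. If a real
     * {@code CredentialsMatcher} (e.g. a {@code HashedCredentialsMatcher}) is ever
     * configured for this realm, it must return the stored hash here instead.
     *
     * @param token expected to be a {@code UsernamePasswordToken}
     * @return authentication info for the matched user, or {@code null} when the
     *         service returned no user (Shiro's authenticator treats this as an
     *         unknown account)
     * @throws AuthenticationException if the token is not a username/password
     *         token or carries no username
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        logger.info("----------------认证----------------");
        // Report a Shiro exception instead of a ClassCastException / NPE on an
        // unexpected token type or a missing username (defensive; supports()
        // normally filters the token type already).
        if (!(token instanceof UsernamePasswordToken)) {
            throw new AuthenticationException("unsupported token type: "
                    + (token == null ? "null" : token.getClass().getName()));
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        if (upToken.getUsername() == null) {
            throw new AuthenticationException("username is required");
        }
        String username = upToken.getUsername().trim();
        // The service API takes a String, so the clear-text password is copied
        // into an immutable String and stays in the heap until collected.
        String password = "";
        if (upToken.getPassword() != null) {
            password = new String(upToken.getPassword());
        }
        SysUser user = userService.login(username, password);
        if (user == null) {
            return null;
        }
        return new SimpleAuthenticationInfo(user, password.toCharArray(), getName());
    }

    /**
     * Permission check with regex support: permitted if {@code permission} equals
     * one of the subject's permission strings exactly, or if one of them, compiled
     * as a regular expression, matches the whole of {@code permission}.
     *
     * <p>Fails closed: a subject with no authorization info (e.g. empty principals)
     * or with no permission strings is never permitted. The original version threw
     * a NullPointerException in those cases, which the calling filter could turn
     * into an allow.
     *
     * @param principals the subject's principals
     * @param permission the value to check; in this application, the request URI
     * @return {@code true} if allowed
     */
    @Override
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        AuthorizationInfo info = getAuthorizationInfo(principals);
        if (info == null) {
            return false;
        }
        Collection<String> permissions = info.getStringPermissions();
        if (permissions == null || permissions.isEmpty()) {
            return false;
        }
        return permissions.contains(permission) || patternMatch(permissions, permission);
    }

    /**
     * Returns whether any non-empty entry of {@code patternUrlList}, compiled as a
     * Java regular expression, fully matches {@code requestUri}.
     *
     * <p>Entries are regexes, not globs: {@code .} and {@code *} are
     * metacharacters, so {@code /admin/user.do} also matches {@code /admin/userXdo}
     * and {@code /admin/*} is not "everything under /admin". An entry that is not a
     * valid regex is logged and skipped instead of aborting the whole check with a
     * PatternSyntaxException. Entries that are valid but pathological can still
     * cause heavy backtracking on every request, so the permission store must only
     * be writable by trusted administrators.
     *
     * @param patternUrlList candidate regular expressions; {@code null} or empty
     *                       entries are skipped
     * @param requestUri     the value to test
     * @return {@code true} on the first full match, {@code false} otherwise
     *         (including when either argument is {@code null})
     */
    public boolean patternMatch(Collection<String> patternUrlList, String requestUri) {
        if (patternUrlList == null || requestUri == null) {
            return false;
        }
        for (String patternUri : patternUrlList) {
            if (!StringUtils.isNotEmpty(patternUri)) {
                continue;
            }
            try {
                Pattern pattern = Pattern.compile(patternUri);
                Matcher matcher = pattern.matcher(requestUri);
                if (matcher.matches()) {
                    return true;
                }
            } catch (IllegalArgumentException e) {
                // PatternSyntaxException extends IllegalArgumentException: a
                // malformed permission entry must not take the whole check down.
                logger.warn("invalid permission pattern ignored: {}", patternUri, e);
            }
        }
        return false;
    }
}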
二、授权filter
isAccessAllowed 为拦截方法：返回 true 表示通过验证，返回 false 会执行 onAccessDenied 方法。注意：isAccessAllowed 在权限判断抛出异常时也应返回 false（拒绝访问）；若异常时返回 true，权限判断一旦出错（例如权限库中存在非法正则、权限查询失败），就会放行所有请求。
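/**
 * URL-based authorization filter: the request URI itself is used as the
 * permission string and checked through {@code Subject.isPermitted}, which the
 * application's realm resolves by exact match or regular expression.
 */
public class LoginCheckPermissionFilter extends AuthorizationFilter {

    public Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Returns whether the current subject is permitted for the request URI.
     *
     * <p>Fails closed. The original version returned {@code true} when the
     * permission check threw (a malformed regex in the permission store, a failed
     * authorization lookup, ...), which granted every URL to every subject for as
     * long as the error lasted. Any exception is now logged and treated as denied.
     *
     * <p>{@code getRequestURI()} is the raw URI as sent by the client: it includes
     * the servlet context path and any {@code ;} path parameters and is not decoded
     * by the container, so it can differ from the path Shiro's own chain matching
     * uses. Permission patterns must be written against this raw form.
     *
     * @param mappedValue unused; the filter takes no per-path configuration
     * @return {@code true} only when the subject's permissions cover the URI
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws Exception {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        String url = httpServletRequest.getRequestURI();
        try {
            Subject user = getSubject(request, response);
            return user.isPermitted(url);
        } catch (Exception e) {
            logger.error("check permission error", e);
            return false; // deny on error; never fall through to an allow
        }
    }

    /**
     * Handles a denied request. An unauthenticated subject is sent to the login
     * page (the original request is saved for the post-login redirect). An
     * authenticated subject gets a JSON error body for POST, or a redirect to the
     * configured {@code unauthorizedUrl} otherwise; when no unauthorizedUrl is
     * configured the response is a bare error status.
     *
     * @return always {@code false}: the filter chain stops here
     * @throws IOException if writing the response fails
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
        Subject subject = getSubject(request, response);
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        String method = httpServletRequest.getMethod();

        if (subject.getPrincipal() == null) {
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }

        String unauthorizedUrl = getUnauthorizedUrl();
        if (!StringUtils.hasText(unauthorizedUrl)) {
            // NOTE(review): this is an authorization failure for a logged-in user,
            // for which 403 Forbidden is the conventional status; 401 is kept to
            // preserve the existing client contract.
            WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        if ("POST".equals(method)) {
            // JSON body for POST; no status is set, so clients presumably see 200
            // and must inspect the body's code rather than the HTTP status.
            httpServletResponse.setHeader("Content-Type", "application/json;charset=UTF-8");
            String result = JSON.toJSONString(new BaseResp("没有权限,请联系管理员!", BizConstants.FAIL));
            httpServletResponse.getWriter().write(result);
        } else {
            WebUtils.issueRedirect(request, response, unauthorizedUrl);
        }
        return false;
    }
}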
三、shiro部分配置
<!-- Partial Shiro web filter bean (presumably a ShiroFilterFactoryBean; the
     bean header is not shown here). -->
<property name="securityManager" ref="securityManager"/>
<!-- Unauthenticated subjects are redirected here by saveRequestAndRedirectToLogin. -->
<property name="loginUrl" value="/login"/>
<!--<property name="successUrl" value="/loginOK" />-->
<!-- Authenticated subjects without permission are redirected here for non-POST
     requests; see LoginCheckPermissionFilter.onAccessDenied. -->
<property name="unauthorizedUrl" value="/noPermission"/>
<property name="filters">
    <map>
        <!-- Registering under the key "perms" replaces Shiro's built-in perms
             filter (PermissionsAuthorizationFilter) with the URL-regex filter;
             "user" likewise replaces the built-in user filter with myUserFilter,
             whose semantics are not shown here. -->
        <entry key="perms" value-ref="loginCheckPermissionFilter"/>
        <entry key="user" value-ref="myUserFilter"/>
    </map>
</property>
<!-- Chain definitions: first matching path wins, so the anon entries must stay
     above the "/**" catch-all. Every other URL goes through myUserFilter and
     then the URL-permission check; the permission store therefore acts as the
     allowlist for all non-anon URLs. Keep the anon list minimal — anything
     under /resources/** and /PoiTemplate/** is served without any check. -->
<property name="filterChainDefinitions">
    <value>
        /favicon.ico = anon
        /resources/** = anon
        /PoiTemplate/** = anon
        /login = anon
        /logout = user
        /** = user,perms
    </value>
</property>
</bean>