shiro拦截url动态配置在数据库

转自：http://www.360doc.com/content/14/0424/14/9481725_371706346.shtml

核心思想:

1:对 org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.filterChains 执行清空,它维护的是个map.否则原先的没有被覆盖的filterChains还会存在!

2:对org.apache.shiro.web.filter.PathMatchingFilter.appliedPaths执行清空,它维护的是个map,否则原先的没有被覆盖的filter还会存在!

3:使用org.apache.shiro.web.filter.mgt.DefaultFilterChainManager.createChain(String, String)进行filterChains与appliedPaths的覆盖

 

Java代码  

1. package com.capitalbio.soft.service.account;  
2.   
3. import java.io.Serializable;  
4. import java.util.ArrayList;  
5. import java.util.Arrays;  
6. import java.util.List;  
7. import java.util.Map;  
8. import java.util.Map.Entry;  
9. import java.util.Set;  
10.   
11. import javax.annotation.PostConstruct;  
12. import javax.servlet.Filter;  
13.   
14. import org.apache.commons.lang3.StringUtils;  
15. import org.apache.shiro.SecurityUtils;  
16. import org.apache.shiro.authc.AuthenticationException;  
17. import org.apache.shiro.authc.AuthenticationInfo;  
18. import org.apache.shiro.authc.AuthenticationToken;  
19. import org.apache.shiro.authc.DisabledAccountException;  
20. import org.apache.shiro.authc.SimpleAuthenticationInfo;  
21. import org.apache.shiro.authc.UsernamePasswordToken;  
22. import org.apache.shiro.authc.credential.HashedCredentialsMatcher;  
23. import org.apache.shiro.authz.AuthorizationInfo;  
24. import org.apache.shiro.authz.SimpleAuthorizationInfo;  
25. import org.apache.shiro.cache.Cache;  
26. import org.apache.shiro.realm.AuthorizingRealm;  
27. import org.apache.shiro.subject.PrincipalCollection;  
28. import org.apache.shiro.subject.SimplePrincipalCollection;  
29. import org.apache.shiro.util.ByteSource;  
30. import org.apache.shiro.web.filter.PathMatchingFilter;  
31. import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;  
32. import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;  
33. import org.apache.shiro.web.servlet.AbstractShiroFilter;  
34. import org.slf4j.Logger;  
35. import org.slf4j.LoggerFactory;  
36. import org.springframework.beans.factory.annotation.Autowired;  
37. import org.springframework.stereotype.Component;  
38.   
39. import com.capitalbio.soft.core.cache.SysCache;  
40. import com.capitalbio.soft.core.shiro.FilterChainDefinitionsLoader;  
41. import com.capitalbio.soft.core.utils.encoding.EncodeUtils;  
42. import com.capitalbio.soft.core.utils.exception.ExceptionUtils;  
43. import com.capitalbio.soft.core.utils.reflection.ReflectionUtils;  
44. import com.capitalbio.soft.core.utils.security.Digests;  
45. import com.capitalbio.soft.core.utils.spring.SpringContextHolder;  
46. import com.capitalbio.soft.entity.account.Authority;  
47. import com.capitalbio.soft.entity.account.Role;  
48. import com.capitalbio.soft.entity.account.User;  
49. import com.google.common.base.Objects;  
50. import com.google.common.collect.Lists;  
51. import com.google.common.collect.Maps;  
52. import com.google.common.collect.Sets;  
53.   
54. @Component("shiroDbRealm")  
55. public class ShiroDbRealm extends AuthorizingRealm {  
56.       
57.     private static Logger logger = LoggerFactory.getLogger(ShiroDbRealm.class);  
58.     @Autowired private UserService userService;  
59.   
60.     /** 
61.      * 认证回调函数,登录时调用. 
62.      */  
63.     @Override  
64.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {  
65.         UsernamePasswordToken token = (UsernamePasswordToken) authcToken;  
66.         User user = userService.getByLoginName(token.getUsername(),false);  
67.         if (user != null) {  
68.             if(user.isUserDisabled()) { // DisabledAccountException || AuthenticationInfo org.apache.shiro.realm.SimpleAccountRealm.doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException  
69.                 throw new DisabledAccountException(); // throw new LockedAccountException("Account [" + user.getLoginName() + "] is locked.");  
70.             }  
71.             byte[] salt = EncodeUtils.decodeHex(user.getSalt());  
72.             return new SimpleAuthenticationInfo(new ShiroUser(user), user.getPassword(), ByteSource.Util.bytes(salt), getName());  
73.         } else {  
74.             return null;  
75.         }  
76.     }  
77.   
78.     /** 
79.      * 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用.在配有缓存的情况下，只加载一次. 
80.      */  
81.     @Override  
82.     public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {  
83.         ShiroUser shiroUser = (ShiroUser) principals.getPrimaryPrincipal();  
84.         User user = userService.getByLoginName(shiroUser.getLoginName(),true);  
85.           
86.         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();  
87.   
88.         Set<String> roleSet = Sets.newLinkedHashSet(); // 角色集合  
89.         Set<String> authoritySet = Sets.newLinkedHashSet(); // 权限集合  
90.         Set<Authority> menuSet = Sets.newLinkedHashSet(); // 菜单集合  
91.         Map<String, List<Authority>> toolbars = Maps.newLinkedHashMap(); // 按钮集合  
92.         Set<Authority> authFilters = Sets.newLinkedHashSet();  
93.           
94.         if(null!=user && !user.isUserDisabled()) { // 判断是否用户是否禁用  
95.             for(Role r : user.getRoleList()) {  
96.                 if(!r.isRoleDisabled()) { // 判断角色是否禁用  
97.                     if(StringUtils.isNotBlank(r.getCode())) roleSet.add(r.getCode());  
98.                     for(Authority a : r.getAuthorityList()) { // 判断权限是否禁用  
99.                         if(authFilters.add(a)) { // 过滤已经处理过的权限  
100.                             if(!a.isAuthorityDisabled()) {  
101.                                 if(StringUtils.isNotBlank(a.getCode())) authoritySet.add(a.getCode()); // 增加权限编码  
102.                                 if(1==a.getAuthorityType()) {  
103.                                     menuSet.add(a); // 增加菜单  
104.                                 }else if(2==a.getAuthorityType() && null!=a.getParent()) { // 遍历增加按钮权限  
105.                                     String purl = a.getParent().getUrl();  
106.                                     if(StringUtils.isNotBlank(purl)) {  
107.                                         if(!toolbars.containsKey(purl)) {  
108.                                             toolbars.put(purl, new ArrayList<Authority>());   
109.                                         }  
110.                                         toolbars.get(purl).add(a);   
111.                                     }  
112.                                 }  
113.                             }  
114.                         }  
115.                     }  
116.                 }  
117.             }  
118.         }  
119.           
120.         info.setRoles(roleSet); // 设置角色  
121.         info.setStringPermissions(authoritySet); // 设置权限  
122.         shiroUser.setAuthorities(buildSubMenu(null,Lists.newArrayList(menuSet.toArray(new Authority[]{})))); // 设置菜单  
123.         shiroUser.setToolbars(toolbars); // 设置工具栏  
124.           
125.         logger.debug("{}当前用户权限:{}{}",SysCache.newline,SysCache.newline,authoritySet.toString().substring(1).replace(", ", SysCache.newline));  
126.           
127.         return info;  
128.     }  
129.       
130.       
131.     /** 
132.      * 更新用户授权信息缓存. 
133.      */  
134.     public void clearCachedAuthorizationInfo(Object principal) {  
135.         SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());  
136.         clearCachedAuthorizationInfo(principals);  
137.     }  
138.   
139.     /** 
140.      * 清除所有用户授权信息缓存. 
141.      */  
142.     public void clearAllCachedAuthorizationInfo() {  
143.         Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();  
144.         if (cache != null) {  
145.             for (Object key : cache.keys()) {  
146.                 cache.remove(key);  
147.             }  
148.         }  
149.     }  
150.       
151.       
152.     /** 
153.      * 设定Password校验的Hash算法与迭代次数. 
154.      */  
155.     @PostConstruct  
156.     public void initCredentialsMatcher() {  
157.         HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);  
158.         matcher.setHashIterations(HASH_INTERATIONS);  
159.   
160.         setCredentialsMatcher(matcher);  
161.     }  
162.    
163.     /** 
164.      * 自定义Authentication对象，使得Subject除了携带用户的登录名外还可以携带更多信息. 
165.      */  
166.     public static class ShiroUser extends User implements Serializable {  
167.         private static final long serialVersionUID = 1778589964992915025L;  
168.   
169.         public ShiroUser() { }  
170.           
171.         public ShiroUser(String loginName) {  
172.             super(loginName);  
173.         }  
174.           
175.         public ShiroUser(User user) {  
176.             super(user.getId(),user.getLoginName(), user.getName(), user.getEmail(), user.getNickname(), user.getPhone(), user.getDisabled(), user.getSex(), user.getCreateDate());  
177.         }  
178.           
179.   
180.         /** 
181.          * 本函数输出将作为默认的<shiro:principal/>输出. 
182.          */  
183.         @Override  
184.         public String toString() {  
185.             return loginName;  
186.         }  
187.   
188.         /** 
189.          * 重载hashCode,只计算loginName; 
190.          */  
191.         @Override  
192.         public int hashCode() {  
193.             return Objects.hashCode(loginName);  
194.         }  
195.   
196.         /** 
197.          * 重载equals,只计算loginName; 
198.          */  
199.         @Override  
200.         public boolean equals(Object obj) {  
201.             if (this == obj)  
202.                 return true;  
203.             if (obj == null)  
204.                 return false;  
205.             if (getClass() != obj.getClass())  
206.                 return false;  
207.             ShiroUser other = (ShiroUser) obj;  
208.             if (loginName == null) {  
209.                 if (other.loginName != null)  
210.                     return false;  
211.             } else if (!loginName.equals(other.loginName))  
212.                 return false;  
213.             return true;  
214.         }  
215.     }  
216.       
217.     public static final String HASH_ALGORITHM = "SHA-1"; // 使用的加密算法  
218.     public static final int HASH_INTERATIONS = 1024; // 加密迭代次数  
219.     private static final int SALT_SIZE = 8; // 加密盐的大小  
220.       
221.     /** 
222.      * 设定安全的密码，生成随机的salt并经过1024次 sha-1 hash 
223.      */  
224.     public static User entryptUserPassword(User user) {  
225.         byte[] salt = Digests.generateSalt(SALT_SIZE);  
226.         user.setSalt(EncodeUtils.encodeHex(salt));  
227.   
228.         byte[] hashPassword = Digests.sha1(user.getPassword().getBytes(), salt, HASH_INTERATIONS);  
229.         user.setPassword(EncodeUtils.encodeHex(hashPassword));  
230.         return user;  
231.     }  
232.       
233.     /** 
234.      * 得到当前登录用户 
235.      * @return 
236.      */  
237.     public static ShiroUser getLoginUser() {  
238.         return (ShiroUser)SecurityUtils.getSubject().getPrincipal();  
239.     }  
240.       
241.     /**   
242.      * 通过登录名移除权限缓存 
243.      * @param loginId 
244.      * @return boolean  
245.      */  
246.     public static boolean removeAuthCacheByLoginName(String loginName) {  
247.         try {  
248.             SpringContextHolder.getBean(ShiroDbRealm.class).clearCachedAuthorizationInfo(new ShiroUser(loginName));  
249.             return true;  
250.         } catch (Exception e) {  
251.             e.printStackTrace();  
252.             logger.error(ExceptionUtils.getStackTraceAsString(e));  
253.             return false;  
254.         }  
255.     }  
256.       
257.     /** 
258.      * 重新载入过滤器url 
259.      * @param chains eg:keys:/static/**, value:authc,user,roles[admin] 
260.      */  
261.     @SuppressWarnings("unchecked")  
262.     public static void reloadShiroFilterChains(Map<String, String> chains) throws Exception  {  
263.         DefaultFilterChainManager filterManager = getFilterChainManager();  
264.           
265. //      logger.debug(getFiltersDescription(filterManager)); // 此句可注释掉...  
266.         for(Entry<String, Filter> filterEntry : filterManager.getFilters().entrySet()) {  
267.             if(PathMatchingFilter.class.isInstance(filterEntry.getValue())) {  
268.                 PathMatchingFilter filter = PathMatchingFilter.class.cast(filterEntry.getValue());  
269.                 Map<String, Object> appliedPaths = (Map<String, Object>)ReflectionUtils.getFieldValue(filter, "appliedPaths");  
270.                 synchronized (appliedPaths) {   
271.                     appliedPaths.clear();  
272.                 }  
273.             }  
274.         }  
275.         synchronized (filterManager.getFilterChains()) {  
276. //              filterManager.getFilters().clear();  
277.             logger.debug(""+filterManager.getFilterConfig());  
278.             filterManager.getFilterChains().clear();  
279.             for(Entry<String,String> chain : chains.entrySet()){  
280.                 filterManager.createChain(chain.getKey(), chain.getValue());  
281. //              logger.debug("{} = {}",chain.getKey(),chain.getValue());  
282.             }  
283.         }  
284.         logger.debug(getFiltersDescription(filterManager)); // 此句可注释掉...  
285.     }  
286.   
287.     /** 
288.      * 描述当前过滤器 
289.      */  
290.     @SuppressWarnings("unchecked")  
291.     public static String getFiltersDescription(DefaultFilterChainManager filterManager) {  
292.         StringBuilder filtersDesc = new StringBuilder();  
293.         for(Entry<String, Filter> filterEntryDesc : filterManager.getFilters().entrySet()) {  
294.             filtersDesc.append(SysCache.newline).append(filterEntryDesc.getKey()).append(":").append(SysCache.newline);  
295.             if(PathMatchingFilter.class.isInstance(filterEntryDesc.getValue())) {  
296.                 PathMatchingFilter filter = PathMatchingFilter.class.cast(filterEntryDesc.getValue());  
297.                 Map<String, Object> appliedPaths = (Map<String, Object>)ReflectionUtils.getFieldValue(filter, "appliedPaths");  
298.                 for(Entry<String, Object> paths : appliedPaths.entrySet()) {  
299.                     filtersDesc.append(paths.getKey()).append(" = ").append(Arrays.toString((String[])paths.getValue())).append(SysCache.newline);  
300.                 }  
301.             }  
302.         }  
303.         return filtersDesc.toString();  
304.     }  
305.       
306.     /** 
307.      * 重新载入过滤器url 
308.      */  
309.     public static void reloadShiroFilterChains() throws Exception {  
310.         Map<String, String> allDefinitionMap = SpringContextHolder.getBean(FilterChainDefinitionsLoader.class).loadAllDefinitionMap();  
311.         reloadShiroFilterChains(allDefinitionMap);  
312.     }  
313.       
314.     /** 
315.      * 将菜单组织为树形的结构 
316.      * 级联取出下级菜单(递归算法)  
317.      */  
318.     public static List<Authority> buildSubMenu(Authority parent,List<Authority> list) {  
319.         List<Authority> subNodes = Lists.newLinkedList();  
320.         for(Authority s : list) {  
321.             if((null==parent && null==s.getParent()) || (null!=parent && null!=s.getParent() && parent.getId().equals(s.getParent().getId()))) {  
322.                 s.setSubnodes(buildSubMenu(s, list));  
323.                 subNodes.add(s); // logger.debug((null!=parent? parent.getName() : "") + " > " + s.getName());  
324.             }  
325.         }  
326.         Authority.sort(subNodes,false);  
327.         return subNodes;  
328.     }  
329.       
330.     /** 
331.      * @return 得到过滤器链 
332.      */  
333.     public static DefaultFilterChainManager getFilterChainManager() {  
334.         return ((DefaultFilterChainManager)((PathMatchingFilterChainResolver)SpringContextHolder.getBean(AbstractShiroFilter.class).getFilterChainResolver()).getFilterChainManager());  
335.     }  
336.       
337.     /** 
338.      *  解决在登录时无法加载菜单项的问题,即在每次登录时重新加载用户权限缓存 
339.      */  
340.     public static void forceShiroToReloadUserAuthorityCache(String username) {  
341.         // SpringContextHolder.getBean(ShiroDbRealm.class).doGetAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());  
342.         ShiroDbRealm shiroDbRealm = SpringContextHolder.getBean(ShiroDbRealm.class);  
343.           
344.         shiroDbRealm.clearCachedAuthorizationInfo(new ShiroUser(username)); // 清除权限缓存  
345.         shiroDbRealm.isPermitted(SecurityUtils.getSubject().getPrincipals(), "强制shiro检查加载用户权限缓存,避免懒加载!" + System.currentTimeMillis());  
346.     }  
347.       
348. }