shiro呢,经常会遇到认证成功了,但是权限授权那里不执行,这是为什么,看内容
maven 依赖文件
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
shiro configuration代码
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import com.hpay.web.shiro.UserAuthorizingRealm;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
/**
* Shiro配置类
* @author Garc
*
*/
@Configuration
public class ShiroConfig {
@Value("${maat.loginUrl}")
private String loginUrl;
/**
* 配置shiro过滤器
*/
@Bean("shiroFilter")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean=new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
Map<String,String> filterChainMap = new LinkedHashMap<>();
filterChainMap.put("/index","anon");
filterChainMap.put("/**","authc,perms");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainMap);
shiroFilterFactoryBean.setLoginUrl(loginUrl);
shiroFilterFactoryBean.setSuccessUrl("/index");
shiroFilterFactoryBean.setUnauthorizedUrl(loginUrl);
//自定义鉴权方式(动态URL鉴权)
Map<String, Filter> filter = new HashMap<>();
filter.put("perms",new ShiroUrlPermissionsFilter());
shiroFilterFactoryBean.setFilters(filter);
return shiroFilterFactoryBean;
}
/**
* 配置安全管理器
*/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(new UserAuthorizingRealm());
return securityManager;
}
//加入注解的使用,不加入这个注解不生效
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
//加入注解的使用,不加入这个注解不生效
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
//shiro注解判断没有权限执行跳转地址,setUnauthorizedUrl内容不执行的时候
@Bean
public SimpleMappingExceptionResolver simpleMappingExceptionResolver(){
Properties properties = new Properties();
properties.setProperty("org.apache.shiro.authz.UnauthorizedException", "/erro");
SimpleMappingExceptionResolver resolver = new SimpleMappingExceptionResolver();
resolver.setExceptionMappings(properties);
return resolver;
}
}
import com.hpay.commons.dto.LimitUser;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.HashSet;
import java.util.Set;
/**
* @author Garc
*
*/
public class UserAuthorizingRealm extends AuthorizingRealm {
private static Logger logger = LoggerFactory.getLogger(UserAuthorizingRealm.class);
/**
* 鉴权
* @param principals
* @return AuthorizationInfo
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
if (principals == null) {
throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
}
LimitUser user = (LimitUser) getAvailablePrincipal(principals);
Set<String> permissions = new HashSet<>();
// 权限
permissions.add("user:auth");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setStringPermissions(permissions);
return info;
}
/**
* 认证
* @param token
* @return AuthenticationInfo
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken uToken = (UsernamePasswordToken) token;
String userName = uToken.getUsername();
String password = new String(uToken.getPassword());
if (StringUtils.isEmpty(userName) || StringUtils.isEmpty(password)) {
throw new UnknownAccountException("用户名密码为空");
}
LimitUser authUser = new LimitUser();
authUser.setUserName(userName);
authUser.setPassword(DigestUtils.md5Hex(password));
authUser.setUserId(Long.valueOf(password));
return new SimpleAuthenticationInfo(authUser, authUser.getPassword(), this.getName());
}
@Override
public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
HashedCredentialsMatcher credentialsMatche = new HashedCredentialsMatcher();
credentialsMatche.setHashAlgorithmName("MD5");
credentialsMatche.setHashIterations(1);
super.setCredentialsMatcher(credentialsMatche);
}
}
解说内容:
shiro 运行自定义的realm 有两个方法,一个是认证,一个授权。
通常认证在配置 authc的时候会执行认证的代码,但是需要授权,就要配置权限。否则不会执行授权方法
authc是认证标识,表示某个地址访问时需要进行认证
anon是忽略
perms是授权的标识,配置后鉴权才会执行。怎么配置权限,有两种方法
一种是注解
一种是原始配置 /user/login** = perms[xx:xx]
springboot 的方式 filterChainMap.put("/index","perms[xx:xx]");
本示例代码中,perms后面没有指定权限,是因为配置了自定义权限
注解方式:
只要在需要访问的方法上配置注解@Requirespermissions 后,请求的时候就会执行到自定义的 realm 的授权方法上
shiro就会去检测该注解上是否含有该用户登录的权限
注解生效需要解决一个问题,就是自动注解扫描,一定要把以下代码给加上,否则注解不会生效:
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
proxyCreator.setProxyTargetClass(true);
return proxyCreator;
}
如果想了解更多,可以加QQ群 119170668