一、应用场景
前后端分离架构，使用 Shiro 做权限管理：登录成功后将 sessionId 返回，访问接口时在请求头中携带即可。由于业务需要，现有部分接口不做拦截，而是在方法内做权限判断，于是将 sessionId 放在 RequestParam 中携带，用于登录或权限校验。
二、实现代码
ProfileResult：登录时构造的安全数据实体类
import com.guangjutx.entity.auth.Permission;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.DefaultSessionKey;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import java.util.List;
import java.util.Map;
import java.util.Objects;
/**
* @Title:ShiroUtils
* @Author 丁文浩
* @Date 2020/4/17 12:17
*/
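@Slf4j
public class ShiroUtils {

    /** Static utility holder; never instantiated. */
    private ShiroUtils() {
    }

    /**
     * Resolves the logged-in {@link ProfileResult} stored in the Shiro session
     * identified by a caller-supplied session id.
     *
     * <p>The id arrives from the client (request parameter / header), so it is a
     * bearer credential: it is validated through the security manager's own
     * session lookup and is deliberately never written to the log.
     *
     * @param sessionId the Shiro session id presented by the client; may be
     *                  {@code null} or empty
     * @return the session's primary principal, or {@code null} when the id is
     *         missing, the session is unknown/expired/stopped, or the session
     *         carries no {@link ProfileResult} principal
     */
    public static ProfileResult getUserInfoBySessionId(String sessionId) {
        // A missing id can never match a session; skip the lookup entirely.
        if (sessionId == null || sessionId.isEmpty()) {
            return null;
        }
        try {
            Session session = SecurityUtils.getSecurityManager()
                    .getSession(new DefaultSessionKey(sessionId));
            // The security manager may report an absent session as null
            // rather than by throwing; treat both the same way.
            if (session == null) {
                return null;
            }
            Object principals = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
            // A session that was created but never authenticated has no principals.
            if (!(principals instanceof SimplePrincipalCollection)) {
                return null;
            }
            Object primary = ((SimplePrincipalCollection) principals).getPrimaryPrincipal();
            return primary instanceof ProfileResult ? (ProfileResult) primary : null;
        } catch (InvalidSessionException e) {
            // Covers unknown, expired and stopped sessions alike. Only the
            // exception type is logged: the message (and the id) would leak the
            // session token into log storage.
            log.warn("Session lookup by client-supplied id failed ({}); request not authenticated",
                    e.getClass().getSimpleName());
            return null;
        }
    }

    /**
     * Checks whether the given profile holds a permission whose code equals
     * {@code permissions}.
     *
     * <p>Permissions are read from the {@code "perms"} entry of
     * {@link ProfileResult#getRoleAndPerm()}, which is expected to hold a
     * {@code List<Permission>}; any other shape is treated as "no permissions".
     *
     * @param profileResult the profile to check; {@code null} yields {@code false}
     * @param permissions   the permission code to look for; {@code null} never matches
     * @return {@code true} if a permission with exactly that code is present
     */
    public static boolean isPermissions(ProfileResult profileResult, String permissions) {
        if (profileResult == null || permissions == null) {
            return false;
        }
        Map<String, Object> roleAndPerm = profileResult.getRoleAndPerm();
        if (roleAndPerm == null) {
            return false;
        }
        Object perms = roleAndPerm.get("perms");
        if (!(perms instanceof List)) {
            return false;
        }
        // Element-wise type check instead of an unchecked List<Permission> cast,
        // so a malformed entry cannot throw ClassCastException mid-iteration.
        for (Object entry : (List<?>) perms) {
            if (entry instanceof Permission
                    && Objects.equals(((Permission) entry).getCode(), permissions)) {
                return true;
            }
        }
        return false;
    }
}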