自定义shiro需要使用的Realm
实现很简单。
看一下接口定义。
public class MyRealm1 implements Realm {
//返回一个唯一的Realm名字
String getName();
//判断此Realm是否支持此Token
boolean supports(AuthenticationToken token);
//根据Token获取认证信息
AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException;
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)
}
核心方法就两个:
身份验证(getAuthenticationInfo 方法)验证账户和密码,并返回相关信息
权限获取(getAuthorizationInfo 方法) 获取指定身份的权限,并返回相关信息
特别说明一下令牌支持方法---supports方法
判断该令牌(Token)是否被支持。
要明确一点,令牌有很多种类型。
例如:HostAuthenticationToken(主机验证令牌),
UsernamePasswordToken(账户密码验证令牌),
等等。
总结下:
Realm 其实就是Shiro 与应用安全数据间的“桥梁”。
理解成数据源的安全域会比较合适。
附代码
public class MyShiroRealm extends AuthorizingRealm {
private static final Logger log = LoggerFactory.getLogger("adminLogger");
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = usernamePasswordToken.getUsername();
UserService userService = SpringUtil.getBean(UserService.class);
User user = userService.getUser(username);
if (user == null) {
throw new UnknownAccountException("用户名不存在");
}
if (!user.getPassword()
.equals(userService.passwordEncoder(new String(usernamePasswordToken.getPassword()), user.getSalt()))) {
throw new IncorrectCredentialsException("密码错误");
}
if (user.getStatus() != Status.VALID) {
throw new IncorrectCredentialsException("无效状态,请联系管理员");
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user, user.getPassword(),
ByteSource.Util.bytes(user.getSalt()), getName());
UserUtil.setUserSession(user);
return authenticationInfo;
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
log.debug("权限配置");
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
User user = UserUtil.getCurrentUser();
List<Role> roles = SpringUtil.getBean(RoleDao.class).listByUserId(user.getId());
Set<String> roleNames = roles.stream().map(Role::getName).collect(Collectors.toSet());
authorizationInfo.setRoles(roleNames);
List<Permission> permissionList = SpringUtil.getBean(PermissionDao.class).listByUserId(user.getId());
UserUtil.setPermissionSession(permissionList);
Set<String> permissions = permissionList.stream().filter(p -> !StringUtils.isEmpty(p.getPermission()))
.map(Permission::getPermission).collect(Collectors.toSet());
authorizationInfo.setStringPermissions(permissions);
return authorizationInfo;
}
/**
* 重写缓存key,否则集群下session共享时,会重复执行doGetAuthorizationInfo权限配置
*/
@Override
protected Object getAuthorizationCacheKey(PrincipalCollection principals) {
SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
Object object = principalCollection.getPrimaryPrincipal();
if (object instanceof User) {
User user = (User) object;
return "authorization:cache:key:users:" + user.getId();
}
return super.getAuthorizationCacheKey(principals);
}
}