目录
一、shiro授权角色、权限
授权
<select id="RoleidByUsername" resultType="java.lang.String" parameterType="java.lang.String">
SELECT roleid FROM t_shiro_user_role ur,t_shiro_user u where ur.userid=u.userid and u.username=#{userName}
</select>
<select id="PeridByUsername" resultType="java.lang.String" parameterType="java.lang.String">
SELECT rp.perid FROM t_shiro_user u,
t_shiro_user_role ur,
t_shiro_role_permission rp
where ur.userid=u.userid
and ur.roleid=rp.roleid
and u.username= #{userName}
</select>
Service层
User selectByPrimaryKey(Integer userid);
User queryByName(@Param("userName") String uname); @Override
public Set<String> RoleidByUsername(String uname) {
return userMapper.RoleidByUsername(uname);
}
@Override
public Set<String> PeridByUsername(String uname) {
return userMapper.PeridByUsername(uname);
}重写自定义realm中的授权方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = principals.getPrimaryPrincipal().toString();
// User user = userBiz.queryByName(username);
Set<String> roleid = userBiz.RoleidByUsername(username);
Set<String> perid = userBiz.PeridByUsername(username);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 将当前的权限交给shiro授权器
info.setStringPermissions(perid);
// 将当前的角色交给shiro授权器
info.setRoles(roleid);
return info;
// return null;
}二、注解式开发
常用注解介绍
@RequiresAuthenthentication:表示当前Subject已经通过login进行身份验证;即 Subject.isAuthenticated()返回 true
@RequiresUser:表示当前Subject已经身份验证或者通过记住我登录的
@RequiresGuest:表示当前Subject没有身份验证或者通过记住我登录过,即是游客身份
@RequiresRoles(value = {"admin","user"},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {"user:delete","user:b"},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b
package com.cxy.controller;
import com.cxy.model.User;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@Controller
public class ShiroController {
//@RequiresUser:表示当前方法 登录后才能使用
// RequiresUser等价于spring-shiro.xml中的 /user/updatePwd.jsp=authc 配置
@RequiresUser
@RequestMapping("/passUser")
public String passUser(HttpServletRequest request){
System.out.println("身份认证通过");
return "admin/addUser";
}
//@RequiresRoles :当前方法 只有符合权限才能使用
//@RequiresRoles等价于/admin/*.jsp=roles[4]的配置
@RequiresRoles(value = {"1","4"},logical = Logical.AND)
@RequestMapping("/passRole")
public String passRole(HttpServletRequest request){
System.out.println("角色认证通过");
return "admin/listUser";
}
// @RequiresPermissions 等价于 user/teacher.jsp=perms[2]
@RequiresPermissions(value = {"2","user:view"},logical = Logical.OR)
@RequestMapping("/passPer")
public String passPer(HttpServletRequest request){
System.out.println("权限认证通过");
return "admin/resetPwd";
}
@RequestMapping("/unauthorized")
public String unauthorized(){
return "unauthorized";
}
}
Springmvc.xml
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"></property>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="exceptionMappings">
<props>
<prop key="org.apache.shiro.authz.UnauthorizedException">
unauthorized
</prop>
</props>
</property>
<property name="defaultErrorView" value="unauthorized"/>
</bean>
217
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
