之前搭建好的 http://blog.csdn.net/qq_16414483/article/details/79371388
这次是权限控制，只是简单地通过角色来控制。
需要 role（角色表）和 user_role（用户—角色对应表）；因为用户与角色可能是多对多关系，所以建立中间表。
主页 index.jsp 只做了简单设置：
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib uri="http://shiro.apache.org/tags" prefix="shiro" %>
<%-- Role-gated demo page: the body of each <shiro:hasRole> is rendered only for a
     subject that holds the named role; evaluating the tag triggers the realm's
     doGetAuthorizationInfo() lookup. The name attribute must match a role_name
     value from the database exactly, since the realm passes the raw names to Shiro.
     Hiding markup is presentation only, not access control: the server endpoints
     behind these links still need their own server-side role checks. --%>
<html>
<body>
<h1>Hello World!</h1>
<shiro:hasRole name="admin"><h1>一般角色</h1></shiro:hasRole>
<shiro:hasRole name="spueradmin"><h2>普通角色</h2></shiro:hasRole>
<shiro:hasRole name="ccc"><h3>高级角色</h3></shiro:hasRole>
<shiro:hasRole name="adminccc"><h4>厉害角色</h4></shiro:hasRole>
</body>
</html>
这里 <shiro:hasRole name="admin"> 中的 admin 只是数据库中设置的角色名字。
这里只贴出部分 SQL 代码：
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.java.Olym.explore.mapper.RoleMapper">
<!-- Role names of one user, resolved through the t_user_role join table
     (user <-> role is many-to-many). #{uid} is a bound PreparedStatement
     parameter, so the user id is never spliced into the SQL text; do not
     change it to ${uid}. resultType="string" yields one String per matching
     row; the realm consumes a Set<String>, so the service layer presumably
     de-duplicates the list - verify in RoleService. -->
<select id="queryRoleById" resultType="string">
select tr.role_name as roleName
from t_user_role tur join t_role tr
on tur.role_id = tr.role_id
where tur.user_id = #{uid}
</select>
</mapper>
这里 RoleService 和 RoleMapper 就不贴出来了，按常规方式编写即可。
最后是在继承 AuthorizingRealm 的 Realm 类中为权限方法添加代码：
package com.java.Olym.shiro;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Resource;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.java.Olym.explore.entity.User;
import com.java.Olym.explore.service.RoleService;
import com.java.Olym.explore.service.UserService;
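/**
 * Shiro realm backed by {@link UserService} (authentication) and
 * {@link RoleService} (authorization, role names only).
 */
public class MyShiroRealm extends AuthorizingRealm {

    private static final Logger log = LoggerFactory.getLogger(MyShiroRealm.class);

    @Resource
    private UserService userService;

    @Resource
    private RoleService roleService;

    /**
     * Authenticates the submitted token against the user table.
     *
     * <p>The principal placed in the returned info is the user name read back from
     * the database, which is what {@link #doGetAuthorizationInfo} later receives as
     * the primary principal.
     *
     * @param token the login token; its principal must be the login name as a String
     * @return authentication info carrying the stored password and salt for the
     *         credentials matcher, or {@code null} when no user with that login name
     *         exists (Shiro's authenticator normally reports a {@code null} result
     *         as an unknown account)
     * @throws AuthenticationException if the token carries no String principal
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        log.info("$--验证用户身份:MyShiroRealm.doGetAuthenticationInfo()");
        Object principal = token.getPrincipal();
        if (!(principal instanceof String)) {
            // Previously an unchecked cast: a null or non-String principal surfaced as NPE/CCE.
            throw new AuthenticationException("token principal must be a non-null login name");
        }
        // 获取用户的输入的账号.
        String loginName = ((String) principal).trim();
        // Only the login name is logged; the submitted password must never reach the log.
        log.info("$--loginName={}", loginName);
        User userInfo = userService.getUser(loginName);
        if (userInfo == null) {
            return null;
        }
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                userInfo.getUserName(),                                // 用户名(数据库查询出来)
                userInfo.getUserPassword(),                            // 密码(数据库查询出来)
                ByteSource.Util.bytes(userInfo.getCredentialsSalt()),  // salt handed to the credentials matcher
                getName());                                            // realm name
        // 放入session: kept as before, other pages read the "userInfo" attribute.
        // NOTE(review): the entity also carries the stored password and salt; a
        // credential-free view object would be the safer thing to keep in the session.
        Subject currentUser = SecurityUtils.getSubject();
        Session session = currentUser.getSession();
        session.setAttribute("userInfo", userInfo);
        return authenticationInfo;
    }

    /**
     * Loads the role names of the authenticated subject.
     *
     * <p>此方法调用 hasRole,hasPermission的时候才会进行回调 — the database lookup only
     * happens when a role or permission check is actually evaluated.
     *
     * @param principals the subject's principals; the primary one is the user name
     *                   set by {@link #doGetAuthenticationInfo}
     * @return authorization info holding the user's role names; empty when the user
     *         no longer exists or the role service returns nothing
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        log.info("---------------------------------------------------------------------");
        log.info("$--权限配置-->MyShiroRealm.doGetAuthorizationInfo()");
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        String userName = (String) principals.getPrimaryPrincipal();
        // 获取userid — a single lookup; a user deleted since login now yields no roles
        // instead of a NullPointerException.
        User user = userService.getUser(userName);
        if (user == null) {
            log.warn("$--未找到用户, 不授予任何角色: {}", userName);
            return authorizationInfo;
        }
        String userId = user.getUserId() + "";
        log.info("该用户的id是--{}", userId);
        // 获取可用的角色
        Set<String> userAvailableRoles = roleService.queryRoleById(userId);
        if (userAvailableRoles == null) {
            // Treat "no result" as "no roles" rather than failing the role check with an NPE.
            userAvailableRoles = Collections.emptySet();
        }
        log.info("该用户的可用角色是--{}", userAvailableRoles);
        authorizationInfo.setRoles(userAvailableRoles);
        return authorizationInfo;
    }
}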
至此，测试结果如图：页面中没有显示“厉害角色”，即 <shiro:hasRole name="adminccc"> 的内容未渲染，测试成功！