今天主要是通过使用shiro,在不同身份的用户登录时,实现不同的权限,可以完成不同的功能。
数据库设计
t_role表
t_role_permissions表
t_user_roles表
t_user中有一列存储用户身份
实现步骤
新建realm包,新建NewsRealm类实现授权和认证
public class NewsRealm extends AuthorizingRealm {
public void setName(String name){
setName("newsRealm");
}
@Autowired
private IUserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
User user = (User) principalCollection.getPrimaryPrincipal();
Set<Role> roles = user.getRoles();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
for(Role r: roles){
info.addRole(r.getName());
for(Permission p:r.getPermissions()){
info.addStringPermission(p.getCode());
}
}
return info;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
String username = token.getUsername();
String password = new String(token.getPassword());
User user = userService.checkUser(username, password);
if(user != null){
return new SimpleAuthenticationInfo(user, password, this.getName());
}else{
return null;
}
}
}
新建一个ShiroConfiguration类,实现shiro配置功能
@Configuration
public class ShiroConfiguration {
@Bean
public NewsRealm getRealm(){
return new NewsRealm();
}
@Bean
public SecurityManager securityManager(NewsRealm newsRealm){
return new DefaultWebSecurityManager(newsRealm);
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/admin");
shiroFilterFactoryBean.setUnauthorizedUrl("/unauthor");
Map<String, String> filterMap = new LinkedHashMap<>();
//anon 都不拦截
//authc 都拦截
filterMap.put("/admin/login", "anon");
filterMap.put("/admin/**", "authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
return shiroFilterFactoryBean;
}
@Bean
public AuthorizationAttributeSourceAdvisor advisor(SecurityManager securityManager){
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
登录方法也进行了重写
@PostMapping("login")
public String login(String username, String password, HttpSession session, RedirectAttributes redirectAttributes) {
try{
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
Subject subject = SecurityUtils.getSubject();
subject.login(token);
User user = (User) subject.getPrincipal();
session.setAttribute("user", user);
return "admin/index";
}catch (Exception e){
redirectAttributes.addFlashAttribute("message","用户名和密码错误哦");
return "redirect:/admin";
}
}
使用过程中,使用@RequiresPermissions或者@RequiresRoles来进行授权。我测试时,在ITypeService接口实现类中使用的是下方代码
@Override
@RequiresPermissions(value = "user-delete")
public void deleteById(Long id) {
typeDao.deleteById(id);
}
@RequiresPermissions(value = “user-delete”),这样只有拥有删除权限的管理员可以删除,没有权限的用户就不会执行。