shiro角色权限验证

shiro提供了对外验证角色和权限的API,都是通过Subject来调用。

@Test
	public void auth(){
		Subject subject=SecurityUtils.getSubject();
		UsernamePasswordToken token=new UsernamePasswordToken("zhang", "123");
		subject.login(token);
		if(subject.hasRole("role1")){
			System.out.println("have role");
		}else{
			System.out.println("not have role");
		}
		if(subject.isPermitted("user:update")){
			System.out.println("have permitted");
		}else{
			System.out.println("not have permitted");
		}
	}

当我们调用subject验证用户是否拥有某个角色.权限时,Subject会委托给org.apache.shiro.mgt.SecurityManager

public boolean isPermitted(String permission) {
        return hasPrincipals() && securityManager.isPermitted(getPrincipals(), permission);
    }
public boolean hasRole(String roleIdentifier) {
        return hasPrincipals() && securityManager.hasRole(getPrincipals(), roleIdentifier);
    }
SecurityManager会委托给org.apache.shiro.authz.Authorizer

public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager {


    private Authorizer authorizer;

    
    public AuthorizingSecurityManager() {
        super();
        this.authorizer = new ModularRealmAuthorizer();
    }
    public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        return this.authorizer.hasRole(principals, roleIdentifier);
    }

权限的验证都是委托给Authorizer接口的定义如下:


public interface Authorizer{
	
	
    boolean isPermitted(PrincipalCollection principals, String permission);

    
    boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission);

    
    boolean[] isPermitted(PrincipalCollection subjectPrincipal, String... permissions);

   
    boolean[] isPermitted(PrincipalCollection subjectPrincipal, List<Permission> permissions);

   
    boolean isPermittedAll(PrincipalCollection subjectPrincipal, String... permissions);

   
    boolean isPermittedAll(PrincipalCollection subjectPrincipal, Collection<Permission> permissions);

    
    void checkPermission(PrincipalCollection subjectPrincipal, String permission) throws AuthorizationException;

   
    void checkPermission(PrincipalCollection subjectPrincipal, Permission permission) throws AuthorizationException;

   
    void checkPermissions(PrincipalCollection subjectPrincipal, String... permissions) throws AuthorizationException;

   
    void checkPermissions(PrincipalCollection subjectPrincipal, Collection<Permission> permissions) throws AuthorizationException;

    
    boolean hasRole(PrincipalCollection subjectPrincipal, String roleIdentifier);

    
    boolean[] hasRoles(PrincipalCollection subjectPrincipal, List<String> roleIdentifiers);

   
    boolean hasAllRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers);

    
    void checkRole(PrincipalCollection subjectPrincipal, String roleIdentifier) throws AuthorizationException;

    
    void checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) throws AuthorizationException;

    
    void checkRoles(PrincipalCollection subjectPrincipal, String... roleIdentifiers) throws AuthorizationException;
    

}
org.apache.shiro.authz.ModularRealmAuthorizer是SecurityManager的默认实现,直接取Realm中找,找到了就返回true。

 public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) continue;
            if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {
                return true;
            }
        }
        return false;
    }
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) continue;
            if (((Authorizer) realm).isPermitted(principals, permission)) {
                return true;
            }
        }
        return false;
    }

结合第一章的身份认证,如果我们自定义realm,realm要实现的接口,做的事情很多,shiro提供了org.apache.shiro.realm.AuthorizingRealm,为我们实现好了这些接口的方法,我们只要提供权限信息和用户认证信息即可。demo如下

public class CustomRealm extends AuthorizingRealm {

	/**
	 * 获取权限信息
	 * author wenyi
	 * time: 2017年10月9日上午9:23:43
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		//登录的时候放入的用户信息
		User user=(User) principals.getPrimaryPrincipal();
		//伪代码,根据用户信息查到角色和权限
		//.....
		
		
		SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
		//添加角色
		String role="role1";
		info.addRole(role);
		//添加权限
		String permission="user:update";
		info.addStringPermission(permission);
		return info;
	}

	/**
	 * 
	 * 进行登录认证
	 * author wenyi
	 * time: 2017年10月9日上午9:24:18
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		UsernamePasswordToken userToken=(UsernamePasswordToken)token;
		String userName=userToken.getUsername();
		//伪代码,根据token取到对应的用户信息,shiro只会比较密码是否正确,不会再比较用户名
		User user=new User();
		user.setUserName(userName);
		//伪代码,这个是根据token查到的密码,shiro会比较登录的密码与这个密码是否一致
		String password="from db";
		return new SimpleAuthenticationInfo(user, password, getName());
	}

}






  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值