1.sql语句权限表
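-- Role definitions. MyRealm hands Shiro the role *name* (not the id) as the
-- role identifier, so a duplicate name would make @RequiresRoles checks
-- ambiguous: enforce uniqueness at the schema level.
CREATE TABLE role
(
    id INT NOT NULL AUTO_INCREMENT COMMENT 'ID',
    name VARCHAR(20) NOT NULL COMMENT '角色名称',
    description VARCHAR(200) COMMENT '描述',
    PRIMARY KEY (id),
    CONSTRAINT role_name_uk UNIQUE (name)
) ENGINE = InnoDB COMMENT '角色';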
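-- Permission definitions. `expression` is passed to Shiro verbatim as a
-- permission string (by default parsed as a WildcardPermission, e.g.
-- 'user:delete' or '*'), so write access to this table is equivalent to
-- administering authorization: a single '*' row grants everything. Restrict
-- DB write privileges on it accordingly.
CREATE TABLE permission
(
    id INT NOT NULL AUTO_INCREMENT COMMENT 'ID',
    name VARCHAR(20) NOT NULL COMMENT '权限名称',
    expression VARCHAR(100) NOT NULL COMMENT '权限表达式',
    parent_id INT COMMENT '上一级权限ID',
    PRIMARY KEY (id),
    -- parent_id forms a tree over this same table; NULL marks a top-level entry.
    -- Default (RESTRICT) delete behaviour: a parent cannot be removed while children exist.
    CONSTRAINT permission_parent_id_fk FOREIGN KEY (parent_id) REFERENCES permission (id)
) ENGINE = InnoDB COMMENT '权限';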
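-- User -> role assignments (junction table).
CREATE TABLE user_role
(
    id INT NOT NULL AUTO_INCREMENT COMMENT 'ID',
    user_id INT NOT NULL COMMENT '用户ID',
    role_id INT NOT NULL COMMENT '角色ID',
    PRIMARY KEY (id),
    -- One row per (user, role): duplicates add no rights but make revocation
    -- error-prone (deleting one row still leaves the grant in place).
    CONSTRAINT user_role_user_id_role_id_uk UNIQUE (user_id, role_id),
    -- Deleting a role revokes it from every user (fails closed) instead of
    -- leaving dangling role_ids behind.
    CONSTRAINT user_role_role_id_fk FOREIGN KEY (role_id) REFERENCES role (id) ON DELETE CASCADE
    -- NOTE(review): the user table is not defined on this page; add
    -- FOREIGN KEY (user_id) REFERENCES <user table> (id) once its name is known.
) ENGINE = InnoDB COMMENT '用户-角色';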
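-- Role -> permission grants (junction table).
CREATE TABLE role_permission
(
    id INT NOT NULL AUTO_INCREMENT COMMENT 'ID',
    role_id INT NOT NULL COMMENT '角色ID',
    permission_id INT NOT NULL COMMENT '权限ID',
    PRIMARY KEY (id),
    -- One row per (role, permission); see user_role for the rationale.
    CONSTRAINT role_permission_role_id_permission_id_uk UNIQUE (role_id, permission_id),
    -- Removing either side of the grant removes the grant itself (fails closed).
    CONSTRAINT role_permission_role_id_fk FOREIGN KEY (role_id) REFERENCES role (id) ON DELETE CASCADE,
    CONSTRAINT role_permission_permission_id_fk FOREIGN KEY (permission_id) REFERENCES permission (id) ON DELETE CASCADE
) ENGINE = InnoDB COMMENT '角色-权限';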
2.导入jar包
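<!-- The Shiro version is declared once as a Maven property and referenced from
     the dependency below, so an upgrade touches a single line.
     NOTE(review): 1.4.1 is an old release line. Later versions fix published
     security advisories (for example the rememberMe cookie padding-oracle issue
     fixed in 1.4.2, and several path-matching authentication-bypass issues fixed
     across the 1.5.x-1.7.x releases). Check the Apache Shiro security advisories
     and move to a current release before using this in production. -->
<shiro.version>1.4.1</shiro.version>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <!-- reference the property instead of repeating the literal -->
    <version>${shiro.version}</version>
</dependency>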
3.创建一个MyRealm 类 继承AuthorizingRealm抽象类
// Field-injected MyBatis mappers. Only the query methods used further down on
// this page are known: findByUsername(), findByUserId(), findByRoleId().
// Loads the account by username, including the stored password value and salt
// that doGetAuthenticationInfo hands to Shiro's CredentialsMatcher.
@Autowired
private UserMapper userMapper;
// Roles assigned to a user id (user_role table).
@Autowired
private RoleMapper roleMapper;
// Permissions granted to a role id (role_permission table).
@Autowired
private PermissionMapper permissionMapper;
/**
 * Authorization: collects the role names and permission strings of an
 * already-authenticated subject.
 * <p>
 * The primary principal is the {@code User} object that
 * {@code doGetAuthenticationInfo} stored in the {@code SimpleAuthenticationInfo}.
 * Roles are looked up by user id, then permissions by role id -- one query per
 * role (N+1 queries; acceptable for small role sets).
 * <p>
 * Security note: every {@code Permission.expression} is handed to Shiro verbatim
 * as a permission string (by default resolved as a WildcardPermission). Write
 * access to the permission / role_permission tables therefore equals
 * authorization-admin access; a row containing {@code *} grants everything.
 *
 * @param principals the subject's principals; the primary one is cast to {@code User}
 * @return the role names and permission expressions granted to that user
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    log.info("授权操作");
    User current = (User) principals.getPrimaryPrincipal();

    Set<String> roleNames = new HashSet<>();
    Set<String> permissionExpressions = new HashSet<>();

    for (Role assigned : roleMapper.findByUserId(current.getId())) {
        roleNames.add(assigned.getName());
        for (Permission granted : permissionMapper.findByRoleId(assigned.getId())) {
            permissionExpressions.add(granted.getExpression());
        }
    }

    SimpleAuthorizationInfo authz = new SimpleAuthorizationInfo();
    authz.setRoles(roleNames);
    authz.setStringPermissions(permissionExpressions);
    return authz;
}
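/**
 * Authentication (login): looks up the account for the submitted username and
 * returns its stored credential so that Shiro can verify the password.
 * <p>
 * This method does NOT compare passwords itself. It returns the stored password
 * value plus the per-user salt, and the {@code CredentialsMatcher} configured on
 * this realm compares them with the submitted token. That matcher must use the
 * same hash algorithm, iteration count and salt byte encoding that were used
 * when the password was stored (that configuration is not shown on this page);
 * with the default {@code SimpleCredentialsMatcher} the stored value would be
 * compared as plain text.
 * <p>
 * Security notes:
 * <ul>
 *   <li>An unknown username raises {@link UnknownAccountException}, while a wrong
 *       password raises {@code IncorrectCredentialsException} from the credentials
 *       check. If the login page reports these differently it leaks which
 *       usernames exist -- map both to one generic user-facing message.</li>
 *   <li>The salt is wrapped with {@code ByteSource.Util.bytes(String)}, i.e.
 *       converted to bytes with Shiro's default encoding; registration code must
 *       have hashed with the same byte form of the salt.</li>
 * </ul>
 *
 * @param token the submitted login token; its principal is read as the username
 * @return the account, its stored credential and salt, tagged with this realm's name
 * @throws UnknownAccountException if the username is missing/blank or no account matches
 * @throws AuthenticationException for any other authentication failure
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    log.info("认证操作");
    String username = (String) token.getPrincipal();
    // Reject an absent username up front instead of querying the mapper with null/"".
    if (username == null || username.trim().isEmpty()) {
        throw new UnknownAccountException("未知用户");
    }
    User user = userMapper.findByUsername(username);
    if (user == null) {
        throw new UnknownAccountException("未知用户");
    }
    // Stored (expected hashed) password and its salt; verification happens in the matcher.
    String storedPassword = user.getPassword();
    String salt = user.getSalt();
    return new SimpleAuthenticationInfo(user, storedPassword, ByteSource.Util.bytes(salt), this.getName());
}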
4.重写 doGetAuthenticationInfo 和 doGetAuthorizationInfo 两个方法（返回类型分别是 AuthenticationInfo 和 AuthorizationInfo）
doGetAuthenticationInfo：认证（登录）。它只负责根据用户名取出数据库里保存的密码和盐，真正的密码比对由 Realm 上配置的 CredentialsMatcher 完成，所以 matcher 的哈希算法、迭代次数必须和存密码时一致
doGetAuthorizationInfo：授权（角色、权限）。把角色名和权限表达式交给 Shiro，权限表达式会按 Shiro 通配符权限原样解析
5.把 Realm 交给 Spring 管理，并注册 Shiro 的 LifecycleBeanPostProcessor（负责调用 Shiro bean 的初始化/销毁回调）
<!-- Lets Spring invoke Shiro's Initializable/Destroyable lifecycle callbacks on
     Shiro beans (realms, securityManager). The annotation auto-proxy creator
     declares depends-on="lifecycleBeanPostProcessor" so Shiro beans are
     initialized before they are proxied. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
6.如果想在 Controller 中使用注解，就在方法或类上加 @RequiresRoles("admin")（注意是英文双引号，中文引号无法编译）。注解只有在第 7 步的 AOP advisor 生效时才会被检查。
7.在使用注解之前一定要先开启 Shiro 注解支持（下面两个 bean 缺一不可）！否则注解会被静默忽略，加了 @RequiresRoles 的方法照样可以被任何人调用。
<!-- Enable Shiro's annotation support (@RequiresRoles, @RequiresPermissions, ...).
     Both beans are required: the auto-proxy creator wraps annotated beans in an
     AOP proxy, and the advisor supplies the authorization interceptor. Without
     them the annotations are silently ignored and annotated methods run
     unprotected (fail-open) -- verify at startup that an annotated endpoint really
     rejects unauthenticated/unauthorized calls.
     NOTE(review): the advisor only covers beans in the Spring context it is
     declared in (for Spring MVC controllers, the DispatcherServlet context), and
     controllers that implement no interface typically need class-based proxies
     (proxy-target-class="true") -- confirm for this project.
     The creator is ordered after lifecycleBeanPostProcessor so Shiro beans are
     initialized before they are proxied. -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <!-- the securityManager bean is not shown on this page; it must be defined elsewhere -->
    <property name="securityManager" ref="securityManager"/>
</bean>
8.原因是
我们知道 Shiro 的注解授权是基于 Spring AOP 实现的。程序启动时会自动扫描加了注解的 Class，发现注解后就为其生成代理并织入授权代码。也就是说，要注入授权控制