一、shiro授权
原因:登录进来有的菜单看不到
有的没有权限
1、 在ShiroUserMapper.xml中新增内容
<select id="getRolesByUserId" resultType="java.lang.String" parameterType="java.lang.Integer"> select r.roleid from t_shiro_user u,t_shiro_user_role ur,t_shiro_role r where u.userid = ur.userid and ur.roleid = r.roleid and u.userid = #{userid} </select> <select id="getPersByUserId" resultType="java.lang.String" parameterType="java.lang.Integer"> select p.permission from t_shiro_user u,t_shiro_user_role ur,t_shiro_role_permission rp,t_shiro_permission p where u.userid = ur.userid and ur.roleid = rp.roleid and rp.perid = p.perid and u.userid = #{userid} </select>
2、Service层(ShiroUserMapper)
public Set<String> getRolesByUserId(@Param("userid")Integer userid); public Set<String> getPersByUserId(@Param("userid")Integer userid);
3、ShiroUserService
public Set<String> getRolesByUserId(Integer userid); public Set<String> getPersByUserId(Integer userid);
4、ShiroUserServiceImpl实现接口类
@Override public Set<String> getRolesByUserId(Integer userid) { return shiroUserMapper.getRolesByUserId(userid); } @Override public Set<String> getPersByUserId(Integer userid) { return shiroUserMapper.getPersByUserId(userid); }
5、重写自定义realm中的授权方法
MyRealm:
//重写授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
/*
* 授权
* 1、给用户授予角色
* 2、给用户授予权限
* 授予权限做法:
* 1、拿到账号
* 2、通过用户账号查询对应的能看到的那些菜单
* 3、将这些权限交给shiro管理
* 授予角色做法:
* 1、拿到账号
* 2、通过用户账号查询对应的能看到的那些角色
* 3、将这些权限交给shiro管理
* Mapper.xml
* */
System.out.println("用户授权...");
String username = principals.getPrimaryPrincipal().toString();
ShiroUser user = shiroUserService.queryByName(username);
Set<String> roles = shiroUserService.getRolesByUserId(user.getUserid());
Set<String> pers = shiroUserService.getPersByUserId(user.getUserid());
// SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// info.addRoles(roles);
// info.addStringPermissions(pers);
SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
info.setRoles(roles);
info.setStringPermissions(pers);
return info;
}
6、结果
每一次操作的时候都会进入授权方法,每点一次操作都会进行一次判断你是什么角色,安全得到了保证,但是性能不好(可以使用缓存管理),
只有admin有权限,修改它为4
能访问到了
总结:
①、正常的不使用shiro缓存管理,性能非常的差,每次操作都会进入方法,同时也证明了shiro非常安全,
②、做shiro开发不要想当然
二、注解式开发
1、常用注解介绍
@RequiresAuthenthentication:表示当前Subject已经通过login进行身份验证;即 Subject.isAuthenticated()返回 true
@RequiresUser:表示当前Subject已经身份验证或者通过记住我登录的
@RequiresGuest:表示当前Subject没有身份验证或者通过记住我登录过,即是游客身份
@RequiresRoles(value = {"admin","user"},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {"user:delete","user:b"},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b
2、注解的使用
使用注解式开发的原因:不可能什么都在applicationContext-shiro.xml中写
①、新建AnnotationController类
package com.mwy.aspect;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
@Controller
public class AnnotationController {
//登录才能访问
@RequiresUser
@RequestMapping("/passUser")
public String passUser(HttpServletRequest request){
return "admin/addUser";
}
//角色才能访问
@RequiresRoles(value = {"1","4"},logical = Logical.AND)
@RequestMapping("/passRole")
public String passRole(HttpServletRequest request){
return "admin/listUser";
}
//权限才能访问
@RequiresPermissions(value = {"user:update","user:view"},logical = Logical.OR)
@RequestMapping("/passPer")
public String passPer(HttpServletRequest request){
return "admin/resetPwd";
}
@RequestMapping("/unauthorized")
public String unauthorized(){
return "unauthorized";
}
}
②、添加配置(Spring-mvc.xml)
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"></property>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="exceptionMappings">
<props>
<prop key="org.apache.shiro.authz.UnauthorizedException">
unauthorized
</prop>
</props>
</property>
<property name="defaultErrorView" value="unauthorized"/>
</bean>
③、结束jsp中测试
我在hello.jsp中测试
<ul>
shiro注解
<li>
<a href="${pageContext.request.contextPath}/passUser">用户认证</a>
</li>
<li>
<a href="${pageContext.request.contextPath}/passRole">角色</a>
</li>
<li>
<a href="${pageContext.request.contextPath}/passPer">权限认证</a>
</li>
</ul>
界面:
zs只能查看身份认证的按钮内容
ls、ww可以看权限认证按钮内容
zdm可以看所有按钮的内容
结束!!!