重写AuthorizingRealm,自定义登录shiro规则和信息
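/**
 * Custom Shiro realm: authenticates a login through {@link LoginService} and
 * builds the subject's permission set from a value stored in the HTTP session.
 *
 * <p>Security notes for maintainers (each grounded in the code below):
 * <ul>
 *   <li>Credentials are checked by looking the user up with an MD5-based digest
 *       ({@code Md5Utils.encrypt(loginName, password)}). MD5 is not an
 *       acceptable password hash; moving to bcrypt/scrypt/argon2 means changing
 *       the stored credential format and {@code LoginService}, so it is flagged
 *       here rather than changed.</li>
 *   <li>The returned {@code AuthenticationInfo} carries the submitted password
 *       itself as the "stored" credential, so Shiro's {@code CredentialsMatcher}
 *       compares the password with itself and always succeeds; the lookup in
 *       {@code LoginService#getUser} is the effective check. Do not enable
 *       authentication caching on this realm without revisiting that, because
 *       the cached info would hold the plaintext password.</li>
 *   <li>Authorization data is read from a session attribute that this realm
 *       never writes; see {@link #doGetAuthorizationInfo}.</li>
 * </ul>
 */
public class UserRealm extends AuthorizingRealm {

    private static final Logger logger = LoggerFactory.getLogger(UserRealm.class);

    /** Session timeout applied after a successful login: 30 minutes, in milliseconds. */
    private static final long SESSION_TIMEOUT_MILLIS = 30L * 60L * 1000L;

    @Autowired
    private LoginService loginService;

    /**
     * Builds the authorization info (string permissions only, no roles) for the
     * current subject.
     *
     * <p>Permissions are taken from the session attribute
     * {@code Constants.SESSION_USER_PERMISSION}, which is NOT populated by this
     * realm; another component must write it after login.
     * NOTE(review): because the permissions come from the session rather than
     * from {@code principals}, they are only as fresh as that attribute — confirm
     * where it is written and whether it is ever refreshed.
     *
     * @param principals the authenticated principals (not consulted; see note above)
     * @return the permissions found in the session, or an empty info when the
     *         attribute is absent or carries no {@code permissionList} collection
     */
    @Override
    @SuppressWarnings("unchecked")
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Session session = SecurityUtils.getSubject().getSession();
        JSONObject permission = (JSONObject) session.getAttribute(Constants.SESSION_USER_PERMISSION);
        // Parameterised and at DEBUG: this method runs on every authorization check
        // and the original dumped the whole permission document at INFO, which both
        // floods the log and writes authorization data into log files.
        logger.debug("permission的值为:{}", permission);

        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // The original dereferenced the attribute and the list unconditionally and
        // threw NullPointerException when either was missing; an absent attribute
        // now simply yields no permissions.
        if (permission == null) {
            return authorizationInfo;
        }
        Object permissionList = permission.get("permissionList");
        if (permissionList instanceof Collection) {
            authorizationInfo.addStringPermissions((Collection<String>) permissionList);
        }
        return authorizationInfo;
    }

    /**
     * Authenticates the subject being logged in. Shiro invokes this when
     * {@code Subject.login()} is called (from {@code LoginController.login()}).
     *
     * <p>Flow: compute the digest of the submitted password with
     * {@code Md5Utils.encrypt(loginName, password)}, look the user up by login name
     * and digest, then store the user (minus its {@code password} field) in the
     * session and apply the session timeout.
     *
     * @param authcToken token whose principal is the login name and whose
     *                   credentials are the password characters
     * @return authentication info whose principal is the user JSON object
     * @throws UnknownAccountException if no user matches the login name and digest
     *         (this covers a wrong password as well, since both are one lookup)
     * @throws AuthenticationException if the token carries no login name or no
     *         credentials
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        String loginName = (String) authcToken.getPrincipal();
        char[] credentials = (char[]) authcToken.getCredentials();
        // Reject malformed tokens up front instead of letting the String
        // conversion or the digest fail with a NullPointerException.
        if (loginName == null || loginName.trim().isEmpty() || credentials == null) {
            throw new AuthenticationException("login name and password are required");
        }
        String password = new String(credentials);

        // SECURITY: MD5-based digest — see the class comment. Kept because the
        // stored credential format and LoginService depend on it.
        String mdsPassword = Md5Utils.encrypt(loginName, password);
        JSONObject user = loginService.getUser(loginName, mdsPassword);
        if (user == null) {
            throw new UnknownAccountException();
        }

        // The submitted password is handed back as the account credential, so the
        // realm's CredentialsMatcher compares it with itself and always passes; the
        // lookup above is the real check. To let Shiro do the comparison instead,
        // supply the stored digest here (plus a salt ByteSource and a
        // HashedCredentialsMatcher) rather than the plaintext.
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                user,
                password,
                getName()
        );

        // 'user' is the same object that became the principal above, so removing
        // the field here also strips it from the AuthenticationInfo Shiro holds.
        user.remove("password");
        Session session = SecurityUtils.getSubject().getSession();
        session.setAttribute(Constants.SESSION_USER_INFO, user);
        // NOTE(review): the pre-login session is reused as-is; if session-id
        // rotation on login is required (session fixation), it must happen in the
        // caller or the SecurityManager configuration — confirm.
        session.setTimeout(SESSION_TIMEOUT_MILLIS);
        return authenticationInfo;
    }
}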