一,自定义realm,重写认证,授权,验证权限三个方法
public class UserRealm extends AuthorizingRealm {
@Autowired
private SysUserService userService;
@Autowired
private UserAuthService userAuthService;
private Logger logger = LoggerFactory.getLogger(this.getClass());
/**
* 授权
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SysUser user = (SysUser) principals.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setRoles(userAuthService.findStringRoles(user.getId()));
authorizationInfo.setStringPermissions(userAuthService.findStringPermissions(user.getId()));
return authorizationInfo;
}
/**
* 认证
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
logger.info("----------------认证----------------");
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername().trim();
String password = "";
if (upToken.getPassword() != null) {
password = new String(upToken.getPassword());
}
SysUser user = userService.login(username, password);
if (user != null) {
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, password.toCharArray(), getName());
return info;
}
return null;
}
//重写权限判断方法,加入正则判断
@Override
public boolean isPermitted(PrincipalCollection principals, String permission) {
AuthorizationInfo info = getAuthorizationInfo(principals);
Collection<String> permissions = info.getStringPermissions();
return permissions.contains(permission) || patternMatch(permissions, permission);
}
/**
* 正则
* @param patternUrlList
* @param requestUri
* @return
*/
public boolean patternMatch(Collection<String> patternUrlList, String requestUri) {
boolean flag = false;
for (String patternUri : patternUrlList) {
if (StringUtils.isNotEmpty(patternUri)) {
Pattern pattern = Pattern.compile(patternUri);
Matcher matcher = pattern.matcher(requestUri);
if (matcher.matches()) {
flag = true;
break;
}
}
}
return flag;
}
二、授权filter
isAccessAllowed,拦截方法,返回true表示通过验证,返回false会执行onAccessDenied方法。
public class LoginCheckPermissionFilter extends AuthorizationFilter {
public Logger logger = LoggerFactory.getLogger(getClass());
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
String url = httpServletRequest.getRequestURI();
try {
Subject user = SecurityUtils.getSubject();
return user.isPermitted(url);
} catch (Exception e) {
logger.error("check permission error", e);
}
return true;
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
Subject subject = getSubject(request, response);
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
String method = httpServletRequest.getMethod();
if (subject.getPrincipal() == null) {
saveRequestAndRedirectToLogin(request, response);
} else {
String unauthorizedUrl = getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl)) {
if (method.equals("POST")) {
httpServletResponse.setHeader("Content-Type", "application/json;charset=UTF-8");
String result = JSON.toJSONString(new BaseResp("没有权限,请联系管理员!", BizConstants.FAIL));
httpServletResponse.getWriter().write(result);
} else {
WebUtils.issueRedirect(request, response, unauthorizedUrl);
}
} else {
WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
return false;
}
}
三、shiro部分配置
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login"/>
<!--<property name="successUrl" value="/loginOK" />-->
<property name="unauthorizedUrl" value="/noPermission"/>
<property name="filters">
<map>
<entry key="perms" value-ref="loginCheckPermissionFilter"/>
<entry key="user" value-ref="myUserFilter"/>
</map>
</property>
<property name="filterChainDefinitions">
<value>
/favicon.ico = anon
/resources/** = anon
/PoiTemplate/** = anon
/login = anon
/logout = user
/** = user,perms
</value>
</property>
</bean>