使用注解进行权限控制
1.原理:通过拦截器拦截特定的注解,解析注解里的值,再调用subject.has*()/check*()并转交给SecurityManager处理,层层流转最后会去比对域值或者缓存值。
2.拦截器源代码之一
public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {

    /** Registers this handler for the {@code @RequiresPermissions} annotation type. */
    public PermissionAnnotationHandler() {
        super(RequiresPermissions.class);
    }

    /**
     * Reads the permission strings declared on a {@code @RequiresPermissions} annotation.
     *
     * @param a the annotation instance; it is cast unchecked, so anything other than a
     *          {@code RequiresPermissions} raises a {@code ClassCastException}
     * @return the annotation's {@code value()} array
     */
    protected String[] getAnnotationValue(Annotation a) {
        return ((RequiresPermissions) a).value();
    }

    /**
     * Checks that the current Subject satisfies the permissions declared on the annotation.
     *
     * <p>Decision order, as written here: a single permission is checked directly; several
     * permissions combined with {@code Logical.AND} are checked together via
     * {@code checkPermissions}; with {@code Logical.OR} each permission is probed with
     * {@code isPermitted}, and only when none holds is {@code checkPermission(perms[0])}
     * invoked so that the Subject raises the failure. Annotations of any other type are ignored.
     *
     * <p>NOTE(review): the OR branch indexes {@code perms[0]} without a length check, so an
     * annotation with an empty value array would fail with an index error rather than an
     * {@code AuthorizationException}; the AND branch hands the empty array to
     * {@code checkPermissions}, whose outcome for zero permissions is decided by the Subject
     * implementation, not here.
     *
     * @param a the annotation found on the intercepted method or class
     * @throws AuthorizationException propagated from the Subject's check* calls when the
     *                                required permissions are not held
     */
    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) {
            return;
        }
        RequiresPermissions required = (RequiresPermissions) a;
        // permission strings declared on the annotation
        String[] perms = this.getAnnotationValue(a);
        // the caller's Subject; the checks below are delegated to it (and on to the SecurityManager)
        Subject subject = this.getSubject();

        if (perms.length == 1) {
            subject.checkPermission(perms[0]);
            return;
        }
        if (Logical.AND.equals(required.logical())) {
            this.getSubject().checkPermissions(perms);
            return;
        }
        if (Logical.OR.equals(required.logical())) {
            boolean anyPermitted = false;
            for (String permission : perms) {
                if (this.getSubject().isPermitted(permission)) {
                    anyPermitted = true;
                }
            }
            if (!anyPermitted) {
                // none held: let the Subject raise the AuthorizationException for the first one
                this.getSubject().checkPermission(perms[0]);
            }
        }
    }
}
3.最主要的代码是在AuthenticatingRealm中
/**
 * Resolves the AuthorizationInfo for the given principals, consulting the authorization
 * cache first and the realm's {@code doGetAuthorizationInfo} only on a cache miss.
 *
 * <p>Flow as written here: {@code null} principals yield {@code null}; otherwise the cache
 * returned by {@code getAvailableAuthorizationCache()} is probed under the key from
 * {@code getAuthorizationCacheKey(principals)}; if nothing is cached, the realm is asked and a
 * non-null result is stored under a freshly computed key.
 *
 * <p>NOTE(review): while an entry exists in the cache, {@code doGetAuthorizationInfo} is never
 * consulted, so changes to roles/permissions in the backing store are not seen until that entry
 * is removed — confirm how and when the cache is cleared for a principal.
 *
 * @param principals the identifying principals of the Subject, may be {@code null}
 * @return the cached or freshly loaded info, or {@code null} if principals is {@code null} or
 *         the realm returned nothing
 */
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
    if (principals == null) {
        return null;
    }
    if (log.isTraceEnabled()) {
        log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");
    }
    // cache may be null when caching is disabled or no CacheManager is configured
    Cache<Object, AuthorizationInfo> cache = this.getAvailableAuthorizationCache();
    AuthorizationInfo info = null;

    if (cache != null) {
        if (log.isTraceEnabled()) {
            log.trace("Attempting to retrieve the AuthorizationInfo from cache.");
        }
        Object lookupKey = this.getAuthorizationCacheKey(principals);
        info = (AuthorizationInfo) cache.get(lookupKey);
        if (log.isTraceEnabled()) {
            if (info == null) {
                log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");
            } else {
                log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");
            }
        }
    }

    if (info == null) {
        // cache miss (or no cache): ask the concrete realm
        info = this.doGetAuthorizationInfo(principals);
        if (info != null && cache != null) {
            if (log.isTraceEnabled()) {
                log.trace("Caching authorization info for principals: [" + principals + "].");
            }
            // the key is recomputed here rather than reused, exactly as in the original
            Object storeKey = this.getAuthorizationCacheKey(principals);
            cache.put(storeKey, info);
        }
    }
    return info;
}
----------------------------使用缓存的调用关系1------------------------------------------
/**
 * Returns the authorization cache to use, or {@code null} if none is available.
 *
 * <p>An explicitly configured cache wins; only when none is set and authorization caching is
 * enabled is the lazily built cache requested. {@code isAuthorizationCachingEnabled()} is not
 * consulted at all when an explicit cache exists.
 *
 * @return the configured cache, the lazily obtained one, or {@code null}
 */
private Cache<Object, AuthorizationInfo> getAvailableAuthorizationCache() {
    Cache<Object, AuthorizationInfo> configured = this.getAuthorizationCache();
    if (configured != null || !this.isAuthorizationCachingEnabled()) {
        return configured;
    }
    return this.getAuthorizationCacheLazy();
}
-----------------------------使用缓存的调用关系2-----------------------------------------
/**
 * Lazily obtains the authorization cache from the configured {@code CacheManager}.
 *
 * <p>If {@code authorizationCache} is already set it is returned as is. Otherwise, when a
 * {@code CacheManager} is present, the cache named by {@code getAuthorizationCacheName()} is
 * requested from it and remembered in the field; without a manager the field stays
 * {@code null} and {@code null} is returned.
 *
 * <p>NOTE(review): no synchronization is visible in this method around the check-then-assign
 * of {@code authorizationCache}; confirm whether the field is guarded elsewhere or whether
 * building the cache twice under concurrent first access is acceptable.
 *
 * @return the authorization cache, or {@code null} if it cannot be obtained
 */
private Cache<Object, AuthorizationInfo> getAuthorizationCacheLazy() {
    if (this.authorizationCache != null) {
        return this.authorizationCache;
    }
    if (log.isDebugEnabled()) {
        log.debug("No authorizationCache instance set. Checking for a cacheManager...");
    }
    // CacheManager and Cache are both interfaces; the concrete cache technology is
    // whatever implementation has been wired in
    CacheManager manager = this.getCacheManager();
    if (manager == null) {
        if (log.isDebugEnabled()) {
            log.debug("No cache or cacheManager properties have been set. Authorization cache cannot be obtained.");
        }
        return this.authorizationCache;
    }
    String cacheName = this.getAuthorizationCacheName();
    if (log.isDebugEnabled()) {
        log.debug("CacheManager [" + manager + "] has been configured. Building authorization cache named [" + cacheName + "]");
    }
    this.authorizationCache = manager.getCache(cacheName);
    return this.authorizationCache;
}