1.session处理
1.1 登录成功后主体为用户
以前登录成功,传的是username,现在传主体Employee对象
//身份认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
...
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(loginUser,password,salt,getName());
return authenticationInfo;
}
1.2 UserContext
session是从subject获取
存在shiro的session中后,HttpSession也会有值
public class UserContext {
public static final String USER_IN_SESSION ="loginUser";
//把登录成功的用户放到session中
public static void setUser(Employee loginUser){
Subject subject = SecurityUtils.getSubject();
//代表登录成功,把当前登录用户放到Session中去(shiro的session)
//1.拿到session
Session session = subject.getSession();
//2.把当前登录成功的用户放到session中去
session.setAttribute(USER_IN_SESSION, loginUser);
}
//获取到当前登录用户
public static Employee getUser(){
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
Employee employee = (Employee) session.getAttribute(USER_IN_SESSION);
return employee;
}
}
2.授权管理
2.1 FilterChainDefinitionMapFactory
保存所有权限过滤的数据都是从数据库中获取
@Autowired
private IPermissionService permissionService;
public Map<String,String> createFilterChainDefinitionMap(){
...
//拿到所有权限
List<Permission> perms = permissionService.findAll();
//设置相应的权限
perms.forEach(p -> {
filterChainDefinitionMap.put(p.getUrl(), "perms["+p.getSn()+"]");
});
filterChainDefinitionMap.put("/**", "authc");
return filterChainDefinitionMap;
}
2.2 获取授权
授权部分的数据也是从数据库中获得的
应该拿到当前登录用户的所有权限
PermissionRepository
JPQL关联原则: 1.不写on 2.关联对象的别名.属性
//根据用户拿到他对应的所有权限
@Query("select distinct p.sn from Employee e join e.roles r join r.permissions p where e.id = ?1")
Set<String> findPermsByUser(Long userId);
PermissionService(调用略…)
JpaRealm
拿到当前登录用户,再获取它的权限
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
Employee loginUser = UserContext.getUser();
//根据当前用户拿到对应的权限
Set<String> perms = permissionService.findPermsByUser(loginUser.getId());
//准备并返回AuthorizationInfo这个对象
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setStringPermissions(perms);
return authorizationInfo;
}
2.3 Ajax请求的权限处理
shiro处理没有权限是跳转页面,而我们如果是ajax请求,我们希望是返回json数据
ajax请求会有一个请求头:X-Requested-With: XMLHttpRequest
需要自定义一个shiro的权限过滤器
2.3.1 自定义权限过滤器
public class AisellPermissionsAuthorizationFilter extends PermissionsAuthorizationFilter {
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
Subject subject = getSubject(request, response);
// If the subject isn't identified, redirect to login URL
if (subject.getPrincipal() == null) {
saveRequestAndRedirectToLogin(request, response);
} else {
//一.拿到请求头
HttpServletRequest req = (HttpServletRequest)request;
// 拿到响应头
HttpServletResponse resp = (HttpServletResponse)response;
//设置响应头
resp.setContentType("application/json;charset=UTF-8");
String xr = req.getHeader("X-Requested-With");
//二.判断这个请求头是否是Ajax请求
if(xr!=null && "XMLHttpRequest".equals(xr)){
//返回一个json {"success":false,"msg":"权限不足,请充值!"}
resp.getWriter().print("{\"success\":false,\"msg\":\"你的权限不足,请充值!\"}");
}else {
//普通请求:拿到没有权限的跳转路径,进行跳转
String unauthorizedUrl = getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl)) {
WebUtils.issueRedirect(request, response, unauthorizedUrl);
} else {
WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
}
return false;
}
}
2.3.2 applicationContext-shiro.xml
配置权限过滤器
entry key=“aisellPerms”:确定权限过滤器的名称
<!-- 真正实现权限的过滤器 它的id名称和web.xml中的过滤器名称一样 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
...
<!-- 设置权限过滤器 -->
<property name="filters">
<map>
<entry key="aisellPerms" value-ref="aisellPermissionsAuthorizationFilter"/>
</map>
</property>
</bean>
<!-- 配置自定义shiro过滤器 -->
<bean id="aisellPermissionsAuthorizationFilter" class="cn.itsource.aisell.shiro.AisellPermissionsAuthorizationFilter" />
2.3.3 修改过滤器配置
@Autowired
private IPermissionService permissionService;
public Map<String,String> createFilterChainDefinitionMap(){
...
//拿到所有权限
List<Permission> perms = permissionService.findAll();
//设置相应的权限
perms.forEach(p -> {
filterChainDefinitionMap.put(p.getUrl(), "aisellPerms["+p.getSn()+"]");
});
...
}
3.菜单管理
员工 -> 角色 -> 权限 -> 菜单
3.1 Menu
菜单domain的自关连配置
需要配置双向,但是不能让JPA去管理一对多(我们自己管理:@Transient)
双向生成JSON会产生死循环,需要一边进行忽略:@JsonIgnore
//让它不再生成JSON
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name = "parent_id")
@JsonIgnore
private Menu parent;
// 临时属性 -> 这个字段JPA就不管它了
@Transient
private List<Menu> children = new ArrayList<>();
…
public String getText(){ //EasyUI的树需要一个text属性
return name;
}
3.2 MenuRepository
public interface MenuRepository extends BaseRepository<Menu,Long>{
@Query("select distinct m from Employee e join e.roles r join r.permissions p join p.menu m where e.id = ?1")
List<Menu> findByUser(Long userId);
}
3.2 MenuService
根据设计只能通过员工找到子菜单
需要通过子菜单拿到父菜单
判断这个父菜单是否已经存到集合中
如果这个菜单单没有存起来,放到集合中
把当前这个子菜单放到父菜单中去
@Override
public List<Menu> findLoginMenu() {
//1.准备一个装父菜单的容器
List<Menu> parentMenus = new ArrayList<>();
//2.拿到当前登录用户的所有子菜单
Employee loginUser = UserContext.getUser();
List<Menu> children = menuRepository.findByUser(loginUser.getId());
//3.遍历子菜单,设置它们的关系
for (Menu child : children) {
//3.1 根据子菜单拿到它对应的父菜单
Menu parent = child.getParent();
//3.2 判断这个父菜单是否在容器中
if(!parentMenus.contains(parent)){
//3.3 如果不在,把父菜单放进去
parentMenus.add(parent);
}
//3.4 为这个父菜单添加对应的子菜单
parent.getChildren().add(child);
}
return parentMenus;
}
3.3 UtilController中返回值
@Autowired
private IMenuService menuService;
@RequestMapping("/loginUserMenu")
@ResponseBody
public List<Menu> loginUserMenu(){
return menuService.findLoginMenu();
}
3.4 main.jsp修改路径
$('#menuTree').tree({
url:'/util/loginUserMenu',
...
4.shiro:hasPermission
没有这个权限,就不展示对应的按键
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
...
<shiro:hasPermission name="employee:delete">
<a href="javascript:;" data-method="delete" class="easyui-linkbutton" iconCls="icon-remove" plain="true">删除</a>
</shiro:hasPermission>