shiro_03_授权及注解开发
shiro授权
在UserMapper.xml中新增内容
<select id="getRolesByUserId" resultType="java.lang.String" parameterType="java.lang.Integer">
select r.roleid from t_shiro_user u,t_shiro_user_role ur,t_shiro_role r
where u.userid = ur.userid and ur.roleid = r.roleid
and u.userid = #{userid}
</select>
<select id="getPersByUserId" resultType="java.lang.String" parameterType="java.lang.Integer">
select p.permission from t_shiro_user u,t_shiro_user_role ur,t_shiro_role_permission rp,t_shiro_permission p
where u.userid = ur.userid and ur.roleid = rp.roleid and rp.perid = p.perid
and u.userid = #{userid}
</select>
Service层
/**
* 查询用户对应的角色id集合
* @param userId
* @return
*/
Set<String> getRolesByUserId(@Param("userid") Integer userId);
/**
* 查询用户对应的权限名称集合
* @param userId
* @return
*/
Set<String> getPersByUserId(@Param("userid") Integer userId);
UserService.java
package com.javachz.ssm.service;
import com.javachz.ssm.model.User;
import java.util.Set;
/**
* @author 52hz
* @site www.javachz.com
* @company xxx公司
* @create 2019-11-30 21:21
*/
public interface UserService {
User queryByName(String userName);
Set<String> getRolesByUserId(Integer userId);
Set<String> getPersByUserId(Integer userId);
}
UserServletImpl .java
package com.javachz.ssm.service.Impl;
import com.javachz.ssm.mapper.UserMapper;
import com.javachz.ssm.model.User;
import com.javachz.ssm.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.Set;
/**
* @author 52hz
* @site www.javachz.com
* @company xxx公司
* @create 2019-11-30 21:22
*/
@Service("userService")
public class UserServletImpl implements UserService {
@Autowired
private UserMapper userMapper;
@Override
public User queryByName(String userName) {
return userMapper.queryByName(userName);
}
@Override
public Set<String> getRolesByUserId(Integer userId) {
return userMapper.getRolesByUserId(userId
);
}
@Override
public Set<String> getPersByUserId(Integer userId) {
return userMapper.getPersByUserId(userId);
}
}
MyRealm.java
package com.javachz.ssm.shiro;
import com.javachz.ssm.model.User;
import com.javachz.ssm.service.Impl.UserServletImpl;
import com.javachz.ssm.service.UserService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.Set;
/**
* @author 52hz
* @site www.javachz.com
* @company xxx公司
* @create 2019-11-30 20:44
*/
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
public UserService getUserService() {
return userService;
}
public void setUserService(UserService userService) {
this.userService = userService;
}
/**
* 授权
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("进行授权.....");
User user = this.userService.queryByName(principalCollection.getPrimaryPrincipal().toString());
//当前认证过的用户对应的角色id集合
Set<String> rolesByUserId = this.userService.getRolesByUserId(user.getUserid());
Set<String> persByUserId = this.userService.getPersByUserId(user.getUserid());
AuthorizationInfo info=new SimpleAuthorizationInfo();
((SimpleAuthorizationInfo) info).setRoles(rolesByUserId);
((SimpleAuthorizationInfo) info).setStringPermissions(persByUserId);
return info;
}
/**
* 认证
* @param authenticationToken
* @return
* @throws AuthenticationException
* token是controller层传递过来的,登录操作访问这个方法
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
String userName=authenticationToken.getPrincipal().toString();
User user = this.userService.queryByName(userName);
AuthenticationInfo info=new SimpleAuthenticationInfo(
user.getUsername(),
user.getPassword(),
ByteSource.Util.bytes(user.getSalt()),
this.getName());
return info;
}
}
UserController.java
package com.javachz.ssm.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
/**
* @author 52hz
* @site www.javachz.com
* @company xxx公司
* @create 2019-11-30 21:58
*/
@Controller
public class UserController {
@RequestMapping("/login")
public String login(HttpServletRequest request) {
String username = request.getParameter("username");
String password= request.getParameter("password");
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
Subject subject = SecurityUtils.getSubject();
try {
subject.login(token);
request.getSession().setAttribute("username", username);
return "main";
} catch (Exception e) {
request.setAttribute("message","用户或者密码错误!!!");
return "login";
}
}
@RequestMapping("/logout")
public String logout(HttpServletRequest request) {
Subject subject=SecurityUtils.getSubject();
subject.logout();
return "redirect:/login.jsp";
}
}
准备好相应的jsp页面,登录后操作效果图
login.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>用户登陆</h1>
<div style="color: red">${message}</div>
<form action="${pageContext.request.contextPath}/login " method="post">
帐号:<input type="text" name="username"><br>
密码:<input type="password" name="password"><br>
<input type="submit" value="确定">
<input type="reset" value="重置">
</form>
</body>
</html>
main.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@taglib prefix="r" uri="http://shiro.apache.org/tags" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>主界面<%=System.currentTimeMillis()%>,欢迎您:[${sessionScope.username}]</h1>
<ul>
系统功能列表
<li>
<a href="admin/addUser.jsp">用户新增</a>
</li>
<li>
<a href="admin/listUser.jsp">用户查询</a>
</li>
<li>
<a href="admin/resetPwd.jsp">重置用户密码</a>
</li>
<li>
<a href="admin/updateUser.jsp">用户修改</a>
</li>
<li>
<a href="user/updatePwd.jsp">个人密码修改</a>
</li>
<li>
<a href="user/teacher.jsp">老师简介</a>
</li>
<li>
<a href="${pageContext.request.contextPath}/logout">退出系统</a>
</li>
</ul>
<ul>
shiro标签
<li>
<r:hasPermission name="user:create">
<a href="admin/addUser.jsp">用户新增</a>
</r:hasPermission>
</li>
<li>
<a href="admin/listUser.jsp">用户查询</a>
</li>
<li>
<a href="admin/resetPwd.jsp">重置用户密码</a>
</li>
<li>
<r:hasPermission name="user:update">
<a href="admin/updateUser.jsp">用户修改</a>
</r:hasPermission>
</li>
<li>
<a href="user/updatePwd.jsp">个人密码修改</a>
</li>
<li>
<a href="${pageContext.request.contextPath}/logout">退出系统</a>
</li>
</ul>
</body>
</html>
shiro的注解式开发
常用注解介绍
@RequiresAuthenthentication:表示当前Subject已经通过login进行身份验证;即 Subject.isAuthenticated()返回 true
@RequiresUser:表示当前Subject已经身份验证或者通过记住我登录的
@RequiresGuest:表示当前Subject没有身份验证或者通过记住我登录过,即是游客身份
@RequiresRoles(value = {“admin”,“user”},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {“user:delete”,“user:b”},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b
注解的使用
Controller层
@RequiresUser
@ResponseBody
@RequestMapping("/passUser")
public String passUser(HttpServletRequest request){
return "shiro pass User";
}
@RequiresRoles(value = {"2","4"},logical = Logical.OR)
@ResponseBody
@RequestMapping("/passRole")
public String passRole(HttpServletRequest request){
return "shiro pass Role";
}
@RequiresPermissions(value = {"user:load","user:export"},logical = Logical.AND)
@ResponseBody
@RequestMapping("/passAuth")
public String passAuth(HttpServletRequest request){
return "shiro pass Auth";
}
springmvc-servlet.xml配置拦截器
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"></property>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="exceptionMappings">
<props>
<prop key="org.apache.shiro.authz.UnauthorizedException">
unauthorized
</prop>
</props>
</property>
<property name="defaultErrorView" value="unauthorized"/>
</bean>
测试结果效果图
预测结果
zs只能查看身份认证的按钮内容
ls、ww可以看权限认证按钮内容
zdm可以看所有按钮的内容