6.Authorizer(授权、访问控制)

最新推荐文章于 2021-06-13 11:38:10 发布
最新推荐文章于 2021-06-13 11:38:10 发布
阅读量2.1k 收藏 2
点赞数
分类专栏: shiro 文章标签: shiro 授权 访问控制
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wojiaolinaaa/article/details/48264079
版权

Authorizer主要是执行授权操作,即访问资源的控制。在shiro里,authorizer通常不直接使用,而是配置在SecurityManager里,由SecurityManager委托调用。
AuthorizingRealm和ModularRealmAuthorizer
前面讲过一个AuthorizingRealm,它也实现了Authorizer的接口。
AuthorizingRealm:
1.负责和底层的数据库交互,获取所需授权数据
2.缓存授权数据
3.真正授权逻辑判断
ModularRealmAuthorizer:
1.里面设置了realms,真正的授权逻辑交互是通过迭代realms,调用realm的授权功能
2.和SecurityManager协调授权访问,实现PAM
这里写图片描述

1.Authorizer

public interface Authorizer {

    //判断PrincipalCollection是否有String permission(该String会转换为Permission对象)资源权限。是:true  否:false
    boolean isPermitted(PrincipalCollection principals, String permission);

    //判断PrincipalCollection是否有permission资源权限。是:true  否:false
    boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission);

    //返回一组String permissions授权判断的 boolean[]
    boolean[] isPermitted(PrincipalCollection subjectPrincipal, String... permissions);

    //返回一组permissions授权判断的 boolean[]
    boolean[] isPermitted(PrincipalCollection subjectPrincipal, List<Permission> permissions);

    //判断一组String permissions是否 全部 授权成功。 是:true  否:false
    boolean isPermittedAll(PrincipalCollection subjectPrincipal, String... permissions);

    //判断一组permissions是否 全部 授权成功。 是:true  否:false
    boolean isPermittedAll(PrincipalCollection subjectPrincipal, Collection<Permission> permissions);

    //判断PrincipalCollection是否有String permission(该String会转换为Permission对象)资源权限。 失败:抛出AuthorizationException异常
    void checkPermission(PrincipalCollection subjectPrincipal, String permission) throws AuthorizationException;

    //判断PrincipalCollection是否有permission资源权限。 失败:抛出AuthorizationException异常
    void checkPermission(PrincipalCollection subjectPrincipal, Permission permission) throws AuthorizationException;

    //判断一组String permissions是否 全部 授权成功。 失败:抛出AuthorizationException异常
    void checkPermissions(PrincipalCollection subjectPrincipal, String... permissions) throws AuthorizationException;

    //判断一组permissions是否 全部 授权成功。 失败:抛出AuthorizationException异常
    void checkPermissions(PrincipalCollection subjectPrincipal, Collection<Permission> permissions) throws AuthorizationException;

    //根据subjectPrincipal判断是否存在该角色。  是:true  否:false
    boolean hasRole(PrincipalCollection subjectPrincipal, String roleIdentifier);

    //根据subjectPrincipal判断一组role是否授权成功,然后返回boolean[]
    boolean[] hasRoles(PrincipalCollection subjectPrincipal, List<String> roleIdentifiers);

    //判断是否一组role全部授权成功。  是:true  否:false
    boolean hasAllRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers);

    //根据subjectPrincipal判断是否存在该角色。  失败:抛出AuthorizationException异常
    void checkRole(PrincipalCollection subjectPrincipal, String roleIdentifier) throws AuthorizationException;

    //判断是否一组(集合)role全部授权成功。  失败:抛出AuthorizationException异常
    void checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) throws AuthorizationException;

    //判断是否一组(数组)role全部授权成功。  失败:抛出AuthorizationException异常
    void checkRoles(PrincipalCollection subjectPrincipal, String... roleIdentifiers) throws AuthorizationException;

}

2.ModularRealmAuthorizer

/**
ModularRealmAuthorizer:
1.里面设置了realms,真正的授权逻辑交互是通过迭代realms,调用realm的授权功能
2.和SecurityManager协调授权访问,实现PAM

**/
public class ModularRealmAuthorizer implements Authorizer, PermissionResolverAware, RolePermissionResolverAware {

    //Realm集合,真正的授权处理
    protected Collection<Realm> realms;

    //Permission转换器,String->Permission
    protected PermissionResolver permissionResolver;

    //角色资源转换器,转换角色为一组确切的资源
    protected RolePermissionResolver rolePermissionResolver;


    public ModularRealmAuthorizer() {
    }


    public ModularRealmAuthorizer(Collection<Realm> realms) {
        setRealms(realms);
    }


    public Collection<Realm> getRealms() {
        return this.realms;
    }


    public void setRealms(Collection<Realm> realms) {
        this.realms = realms;
    //Realm设置之后调用applyPermissionResolverToRealms设置this.PermissionResolver到Realm里的PermissionResolver
        applyPermissionResolverToRealms();
    //Realm设置之后调用applyRolePermissionResolverToRealms设置this.PermissionResolver到Realm里的RolePermissionResolver
        applyRolePermissionResolverToRealms();

    /**
        上面两个方法的寓意主要是,如果多个Realm被同时设置进来,保证他们的资源转换器是一致的,该ModularRealmAuthorizer
        作为SecurityManager委托的对象,且代理了真正的Realm执行授权逻辑,也可以看做是Realm的门面。
    **/
    }


    public PermissionResolver getPermissionResolver() {
        return this.permissionResolver;
    }


    public void setPermissionResolver(PermissionResolver permissionResolver) {
        this.permissionResolver = permissionResolver;
    //调用applyPermissionResolverToRealms设置this.PermissionResolver到Realm里的PermissionResolver
        applyPermissionResolverToRealms();
    }

    //迭代Realm设置this.PermissionResolver到Realm的PermissionResolver
    protected void applyPermissionResolverToRealms() {
        PermissionResolver resolver = getPermissionResolver();
        Collection<Realm> realms = getRealms();
        if (resolver != null && realms != null && !realms.isEmpty()) {
            for (Realm realm : realms) {
                if (realm instanceof PermissionResolverAware) {
                    ((PermissionResolverAware) realm).setPermissionResolver(resolver);
                }
            }
        }
    }


    public RolePermissionResolver getRolePermissionResolver() {
        return this.rolePermissionResolver;
    }


    public void setRolePermissionResolver(RolePermissionResolver rolePermissionResolver) {
        this.rolePermissionResolver = rolePermissionResolver;
    //调用applyRolePermissionResolverToRealms设置this.PermissionResolver到Realm里的RolePermissionResolver
        applyRolePermissionResolverToRealms();
    }


    //迭代Realm设置this.RolePermissionResolver到Realm的RolePermissionResolver
    protected void applyRolePermissionResolverToRealms() {
        RolePermissionResolver resolver = getRolePermissionResolver();
        Collection<Realm> realms = getRealms();
        if (resolver != null && realms != null && !realms.isEmpty()) {
            for (Realm realm : realms) {
                if (realm instanceof RolePermissionResolverAware) {
                    ((RolePermissionResolverAware) realm).setRolePermissionResolver(resolver);
                }
            }
        }
    }


    //保证Realm不为空,如果为空抛出异常
    protected void assertRealmsConfigured() throws IllegalStateException {
        Collection<Realm> realms = getRealms();
        if (realms == null || realms.isEmpty()) {
            String msg = "Configuration error:  No realms have been configured!  One or more realms must be " +
                    "present to execute an authorization operation.";
            throw new IllegalStateException(msg);
        }
    }

    //迭代Realm ,调用realm.isPermitted(principals, String permission),有一个成功则返回true
    public boolean isPermitted(PrincipalCollection principals, String permission) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) continue;
            if (((Authorizer) realm).isPermitted(principals, permission)) {
                return true;
            }
        }
        return false;
    }

    //迭代Realm ,调用realm.isPermitted(principals, Permission permission),有一个成功则返回true
    public boolean isPermitted(PrincipalCollection principals, Permission permission) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) continue;
            if (((Authorizer) realm).isPermitted(principals, permission)) {
                return true;
            }
        }
        return false;
    }

    //迭代permissions,调用this.isPermitted(PrincipalCollection principals, String permission),返回一组boolean[]
    public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
        assertRealmsConfigured();
        if (permissions != null && permissions.length > 0) {
            boolean[] isPermitted = new boolean[permissions.length];
            for (int i = 0; i < permissions.length; i++) {
                isPermitted[i] = isPermitted(principals, permissions[i]);
            }
            return isPermitted;
        }
        return new boolean[0];
    }

    //迭代permissions,调用this.isPermitted(PrincipalCollection principals, Permission permission),返回一组boolean[]
    public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
        assertRealmsConfigured();
        if (permissions != null && !permissions.isEmpty()) {
            boolean[] isPermitted = new boolean[permissions.size()];
            int i = 0;
            for (Permission p : permissions) {
                isPermitted[i++] = isPermitted(principals, p);
            }
            return isPermitted;
        }

        return new boolean[0];
    }

    //迭代permissions,调用this.isPermitted(PrincipalCollection principals, String permission)有一个false,则false。否则true
    public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
        assertRealmsConfigured();
        if (permissions != null && permissions.length > 0) {
            for (String perm : permissions) {
                if (!isPermitted(principals, perm)) {
                    return false;
                }
            }
        }
        return true;
    }

    //迭代permissions,调用this.isPermitted(PrincipalCollection principals, Permission permission)有一个false,则false。否则true
    public boolean isPermittedAll(PrincipalCollection principals, Collection<Permission> permissions) {
        assertRealmsConfigured();
        if (permissions != null && !permissions.isEmpty()) {
            for (Permission permission : permissions) {
                if (!isPermitted(principals, permission)) {
                    return false;
                }
            }
        }
        return true;
    }

    //调用this.isPermitted(PrincipalCollection principals, String permission),返回false则抛出异常:UnauthorizedException(
    public void checkPermission(PrincipalCollection principals, String permission) throws AuthorizationException {
        assertRealmsConfigured();
        if (!isPermitted(principals, permission)) {
            throw new UnauthorizedException("Subject does not have permission [" + permission + "]");
        }
    }

    //调用this.isPermitted(PrincipalCollection principals, Permission permission),返回false则抛出异常:UnauthorizedException(
    public void checkPermission(PrincipalCollection principals, Permission permission) throws AuthorizationException {
        assertRealmsConfigured();
        if (!isPermitted(principals, permission)) {
            throw new UnauthorizedException("Subject does not have permission [" + permission + "]");
        }
    }

    //迭代permissions。调用this.checkPermission(PrincipalCollection principals, String permission)
    public void checkPermissions(PrincipalCollection principals, String... permissions) throws AuthorizationException {
        assertRealmsConfigured();
        if (permissions != null && permissions.length > 0) {
            for (String perm : permissions) {
                checkPermission(principals, perm);
            }
        }
    }

    //迭代permissions。调用this.checkPermission(PrincipalCollection principals, Permission permission)
    public void checkPermissions(PrincipalCollection principals, Collection<Permission> permissions) throws AuthorizationException {
        assertRealmsConfigured();
        if (permissions != null) {
            for (Permission permission : permissions) {
                checkPermission(principals, permission);
            }
        }
    }

    //迭代Realms。如果有一个成功则返回true,否则:false
    public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
        assertRealmsConfigured();
        for (Realm realm : getRealms()) {
            if (!(realm instanceof Authorizer)) continue;
            if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {
                return true;
            }
        }
        return false;
    }

    //迭代roleIdentifiers,调用this.hasRole(PrincipalCollection principals, String roleIdentifier),封装结果到Boolean[]返回
    public boolean[] hasRoles(PrincipalCollection principals, List<String> roleIdentifiers) {
        assertRealmsConfigured();
        if (roleIdentifiers != null && !roleIdentifiers.isEmpty()) {
            boolean[] hasRoles = new boolean[roleIdentifiers.size()];
            int i = 0;
            for (String roleId : roleIdentifiers) {
                hasRoles[i++] = hasRole(principals, roleId);
            }
            return hasRoles;
        }

        return new boolean[0];
    }

    //迭代roleIdentifiers,所有成功则返回true,否则false
    public boolean hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers) {
        assertRealmsConfigured();
        for (String roleIdentifier : roleIdentifiers) {
            if (!hasRole(principals, roleIdentifier)) {
                return false;
            }
        }
        return true;
    }

    //判断是否有角色role,没有则抛出异常UnauthorizedException
    public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
        assertRealmsConfigured();
        if (!hasRole(principals, role)) {
            throw new UnauthorizedException("Subject does not have role [" + role + "]");
        }
    }

    //判断一组(集合)roles,是否全部存在,不是则抛出异常
    public void checkRoles(PrincipalCollection principals, Collection<String> roles) throws AuthorizationException {
        //SHIRO-234 - roles.toArray() -> roles.toArray(new String[roles.size()])
        if (roles != null && !roles.isEmpty()) checkRoles(principals, roles.toArray(new String[roles.size()]));
    }

    //判断一组(数组)roles,是否全部存在,不是则抛出异常
    public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
        assertRealmsConfigured();
        if (roles != null) {
            for (String role : roles) {
                checkRole(principals, role);
            }
        }
    }
}
_浪子
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Shiro Authorizer授权
04-28 142
If Else授权   角色检查  Subject currentUser = SecurityUtils.getSubject(); if (currentUser.hasRole("administrator")) { //show the admin button } else { //don't show the button? Grey ...
Authorizer、PermissionResolver及RolePermissionResolver
crazy_tong的博客
12-05 1142
本人语文不咋地 理解慢 理解: Authorizer 的职责是进行授权访问控制)  这个东西就是用来授权的; PermissionResolver 用于解析权限字符串   得到 Permission 实例; RolePermissionResolver 用于根据角色解析相应的权限集合。 BitPermission 用于实现位移方式的权限,如规则是: 权限字
使用shiro-spring-boot-web-starter报错bean named 'authorizer' that could not be found
Big的装逼广场
11-04 4897
本人在使用spring boot  + shiro时,为了省时间,懒得写shiro的配置bean,就依赖了shiro-spring-boot-web-starter,结果出了以下问题: 使用的依赖包为 &lt;dependency&gt; &lt;groupId&gt;org.apache.shiro&lt;/groupId&gt; &lt;artifactId&gt;s...
小程序第三方平台初体验(下)|微专辑
yjl223的博客
04-20 3767
本文来自于微专辑,源文件地址http://www.weizhuanji.com/Article/132       接着上次的的来说,进入代码流程体验阶段,开始之前先呈清几个概念。   token 学名令牌,(通俗话说口令)。公众号要完成第三方平台要调用接口完成对应的功能,需要access_token,第三方平台,能做公众号大部分的事情,那做为特殊的公众号当然也需要access_token,不
第三章 授权——《跟我学Shiro
jinnianshilongnian的专栏
02-21 712
  目录贴: 跟我学Shiro目录贴   授权,也叫访问控制,即在应用中控制谁能访问哪些资源(如访问页面/编辑数据/页面操作等)。在授权中需了解的几个关键对象:主体(Subject)、资源(Resource)、权限(Permission)、角色(Role)。 主体 主体,即访问应用的用户,在Shiro中使用Subject代表该用户。用户只有授权后才允许访问相应的资源。 资源 在应...
Authorizer
03-26
6. **测试用例**:确保Authorizer功能的正确性,包括各种权限组合下的访问控制测试。 7. **文档**:详细解释了如何集成和使用Authorizer,以及其核心概念和工作原理。 在实际应用中,"Authorizer"可能被用于Web应用...
PyPI 官网下载 | aserto-authorizer-grpc-0.1.2.tar.gz
01-31
这个库可能包含了一系列的授权策略和规则,使得开发者可以轻松地在gRPC服务中集成细粒度的访问控制。通过这种方式,服务能够确保只有具有适当权限的用户或服务才能执行特定操作。 **Zookeeper与分布式** 在标签中...
strimzi-kafka-group-authorizer:Strimzi Kafka Operator的简单授权者,可以基于模式为用户组配置ACL
03-11
在Kafka集群中,权限管理是至关重要的,因为这确保了数据的安全性和隔离性,防止未经授权的访问。 Kafka是一个分布式流处理平台,它处理大量的实时数据。为了保护这些数据,Kafka支持ACLs,这是一种用于控制哪些...
SimonSays::guard:用于Rails和Ruby的简单,基于声明的基于角色的访问控制系统
02-05
这个gem是Rails的一个简单的,基于声明的,基于角色的访问控制系统,可以很好地配合设计!安装可以通过您的Gemfile安装SimonSays。 gem 'simon_says'用法SimonSays包含两个部分: 模块mixin,它提供一种方法来定义...
Shiro框架详解.pptx
01-20
2. 配置授权访问顾问 业务功能拓展: 配置:shiro 缓存管理器,减少授权时,频繁访问数据库查询用户权限信息的过程。 Shiro 框架原理实现流程: Shiro 框架的原理实现流程主要包括三个步骤: 1. 认证:Shiro ...
shiro中自定义多realm,并指定realm实现验证
qq_37941840的博客
06-13 2416
我们平常的系统建设中大多数都涉及到两种及以上的登陆方式,例如:手机号码登陆、用户名及密码登陆等,而此时我们是不是就得需要两个realm才能实现?
PermissionResolver接口
iteye_10899的博客
11-01 315
PermissionResolver权限处理器,主要是用来处理传过来的权限信息的,里面只有一个方法,先对其解析如下: Permission resolvePermission(String permissionString);
shiro错误:Subject does not have permission [user:select]
热门推荐
weixin_34274029的博客
12-30 1万+
使用的是jdbcRealm,在数据库中有相应的权限 错误日志: org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [user:select] at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularR...
shiro实现多个realm的认证和授权
kuai_le_de_xiao_erbi的博客
01-02 4795
认证的话大家可以参考这个链接shiro实现不同身份使用不同Realm进行验证 这里具体说一下授权的处理,下面是我的代码public class CustomerAuthrizer extends ModularRealmAuthorizer { @Override public boolean isPermitted(PrincipalCollection principals,
shiro 权限框架自定义Realm
u012014505的博客
09-10 5852
shiro 权限框架自定义Realm
Shiro入门10:自定义Realm进行授权
机智猫
03-30 1万+
需求:     |---前一个的程序通过shiro-permission.ini作为数据源对权限信息进行静态配置,实际开发中从数据库中获取权限数据         就需要自定义realm,由Realm从数据库查询权限数据。     |---Realm根据用户身份查询权限数据,将权限数据返回给Authorizer授权器)     |     |---自定义Realm【实现Authoriz
shiro认证授权流程
刘杰 廊坊师范学院信息技术提高班十期
06-30 1675
shiro框架的出现使得认证和授权变的简单,那shiro是如歌进行认证和授权的呢,下面来看看其流程: 认证流程: 认证流程: 1、通过ini配置文件创建securityManager 2、调用subject.login方法主体提交认证,提交的token 3、securityManager进行认证,securityManager最终由ModularRealmAuthentica
RolePermissionResolver接口
iteye_10899的博客
11-01 166
RolePermissionResolver主要是用来处理角色对应的权限,里面只有一个方法,先对其解析如下: Collection&lt;Permission&gt; resolvePermissionsInRole(String roleString);//根据角色获取角色对应的权限集合 ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值