在项目添加权限
shiro处理权限流程:
(1)把所有的权限交给shiro管理 --createFilterChainDefinitionMap 可以体现处理
(2)在realm里面 就要查询当前用户的权限,如果这个权限在shiro管理返回之内,这个用户就有响应的权限
否则就没有
从数据库查询所有权限交个shiro管理
List<Permission> permissions = permissionService.findAll();
for (Permission permission : permissions) {
mp.put(permission.getUrl(), "perms["+permission.getSn()+"]");
}
查询当前用户具备权限
--sql查询当前用户的权限
select p.* from employee e
join employee_role er on e.id = er.employee_id
join role r on er.role_id = r.id
join role_permission rp on rp.role_id = r.id
join permission p on p.id = rp.permission_id
where e.id = 2
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//授权方法
Employee employee =(Employee) principalCollection.getPrimaryPrincipal();
//根据用户名得到权限代码
//从数据库查询当前用户的所有的权限
// Set<String> permissions = getPermissionsByUsername(employee.getUsername());
Set<String> permissionSet = permissionService.findPermissionByEmployeeId(employee.getId());
//shiro就会自己取进行权限的比较
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setStringPermissions(permissionSet);
return authorizationInfo;
}
权限出问题之后,ajax怎么返回
原因:在角色管理中删除了权限后,再进行操作会报
解决方法:
(1)写一个过滤器 覆写PermissionsAuthorizationFilter
(2)重写 onAccessDenied方法
方法里面 就判断如果是ajax请求 就直接返回json格式,
否则就走原来的格式,返回页面
public class AisellPermissionFilter extends PermissionsAuthorizationFilter {
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
Subject subject = this.getSubject(request,response);
if(subject.getPrincipal()==null){
this.saveRequestAndRedirectToLogin(request,response);
}else{
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse)response;
String header = req.getHeader("X-Requested-With");
if(header!=null&&"XMLHttpRequest".equals(header)){
resp.setContentType("text/json;charset=UTF-8");
resp.getWriter().print("{\"success\":false,\"msg\":\"没有权限\"}");
}else {
String unauthorizedUrl = this.getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl)) {
WebUtils.issueRedirect(request, response, unauthorizedUrl);
} else {
WebUtils.toHttp(response).sendError(401);
}
}
}
return false;
}
}
在配置文件中配置这个过滤器
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
...
<property name="filters">
<map>
<entry key="aisellPerm" value-ref="aisellPermissionFilter"></entry>
</map>
</property>
<property name="filterChainDefinitionMap" ref="filterChainDefinitionMap1"></property>
</bean>
<bean id="aisellPermissionFilter" class="cn.itsource.aisell.shiro.AisellPermissionFilter"></bean>
权限url放行的map,把我们自己定义的过滤器引入即entry标签中的key值。(aisellPerm)
List<Permission> permissions = permissionService.findAll();
for (Permission permission : permissions) {
String url = permission.getUrl();
String sn = permission.getSn();
map.put(url,"aisellPerm["+sn+"]");
}
页面权限的按钮控制
添加标签来控制页面的按钮是否显示
引入包
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<shiro:hasPermission name="employee:delete">
<a href="#" data-method="delete" plain="true" class="easyui-linkbutton" iconCls="icon-remove">删除</a>
</shiro:hasPermission>
左侧树形菜单
现在菜单写死了,写到json文件里面,但是如果如果想添加一个菜单,还有修改的json文件,比较麻烦,所有把菜单存入数据库,读取数据库就OK
menu对象的确定
添加Menu domain类
public class Menu extends BaseDomain {
private String name;//菜单名称
private String url; //路径
private String icon; //图标
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name="parent_id")
@JsonIgnore //忽略json 在展示json格式的 parent不会展示出来 会造成死循环
private Menu parent;
//import javax.persistence.*;注意导包
@Transient //这个是临时属性,不交给jpa管理 ,自己来维护 -- 手动添加子菜单
private List<Menu> children = new ArrayList();
//兼容esayui的菜单树[id:1,text:'xxx']
public String getText(){
return this.name;
}
//setget...
}
service构造json的方法
public List<Menu> findMenuByLoginUser(Long employeeId) {
List<Menu> menus = new ArrayList();
//查询当前用户的所有的子菜单
List<Menu> subMenus = menuRepository.findByLoginUser(employeeId);
//循环子菜单 2,3,4,5 1 (7 8) 6
for (Menu subMenu : subMenus) {
//从子菜单里面拿到父菜单 6
Menu parentMenu = subMenu.getParent();
if(!menus.contains(parentMenu)) {
menus.add(parentMenu);
}
parentMenu.getChildren().add(subMenu);//[1,[2,3,4,5],6 [7,8]]
}
return menus;
}
用户主体工具
public class UserContent {
private static String LOGINUSER="loginUser";
public static void setUser(Employee employee){
Subject subject = SecurityUtils.getSubject();
subject.getSession().setAttribute(LOGINUSER,employee);
}
public static Object getUser(){
Subject subject = SecurityUtils.getSubject();
Object attribute = subject.getSession().getAttribute(LOGINUSER);
return attribute;
}
}
注意登陆时把用户employee加入
//subject主体 存入主体对象 --获取登录之后的主体对象
Employee employee =(Employee) SecurityUtils.getSubject().getPrincipal();
//设置session里面 每次都可以取
UserContent.setUser(employee);
把主页的jsp中菜单引入的url地址换成“/util/findMenuByEmployee”,完成从数据库查询菜单栏,结果就是不同的用户根据权限的不同,看到的菜单栏也不同。
@RequestMapping("/findMenuByEmployee")
@ResponseBody
public List<Menu> findMenuByEmployee(){
Employee employee =(Employee)UserContent.getUser();
return menuService.findMenuByLoginUser(employee.getId());
}