Problem description
The application is built on Jackrabbit and uses Shiro for authorization and authentication. In the content model, many file operations take place under xxx/documents/xxx. These files carry different access permissions for different roles depending on their type, but the type cannot be distinguished from the URL alone.
Analysis
The Shiro filter is shown below:
The method from the HttpMethodPermissionFilter class:
    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
        String[] perms = (String[]) mappedValue;
        // append the http action to the end of the permissions and then back to super
        String action = getHttpMethodAction(request);
        String[] resolvedPerms = buildPermissions(perms, action);
        return super.isAccessAllowed(request, response, resolvedPerms);
    }
This method takes the permissions configured in shiro.ini, translates the HTTP method (GET, POST, ...) into an action (read, create, ...), appends that action to each permission, and then checks whether the subject is permitted to perform the operation.
Solution
One option is to create a subclass of HttpMethodPermissionFilter that extracts the fileType from the request, builds the Permission dynamically from it, and then relies on a JdbcRealm for authentication.
    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
        String[] perms = (String[]) mappedValue;
        // append the http action and the file type to the permissions, then hand back to super
        String action = getHttpMethodAction(request);
        String fileType = getFileType(request);
        String[] resolvedPerms = buildPermissionsByFileType(perms, action, fileType);
        return super.isAccessAllowed(request, response, resolvedPerms);
    }
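The snippet above leaves getFileType and buildPermissionsByFileType undefined. The class below is an added example, not the post's own code, that fills them in. Because the post says the type cannot be read from the URL, the type is looked up server-side from the request path through a small FileTypeResolver hook (in a Jackrabbit deployment this would consult the node's metadata; the MapResolver here is a constructed stand-in). The "resource:action:type" permission layout, the UNKNOWN_TYPE fallback, the SAFE_TYPE whitelist, and the class and method names other than those on the page are assumptions. Note that it checks the Subject directly rather than calling super.isAccessAllowed(): HttpMethodPermissionFilter.isAccessAllowed appends the HTTP action itself, so delegating to it would produce "documents:read:contract:read".

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example (not from the post): a Shiro filter that appends the requested
 * document's type to each configured permission, so shiro.ini can express rules
 * such as "documents:read:contract" per role.
 */
public class FileTypePermissionFilter extends HttpMethodPermissionFilter {

    /** Resolves a path within the application to a document type (assumed hook). */
    public interface FileTypeResolver {
        String resolve(String pathWithinApplication);
    }

    /** Constructed stand-in for a repository lookup: path -> type from a fixed map. */
    public static final class MapResolver implements FileTypeResolver {
        private final Map<String, String> types;
        public MapResolver(Map<String, String> types) { this.types = types; }
        @Override public String resolve(String path) { return types.get(path); }
    }

    /** Type used when the resolver knows nothing about the path (assumed fallback). */
    static final String UNKNOWN_TYPE = "unknown";

    /** Only plain tokens are accepted; ':' ',' and '*' are WildcardPermission syntax. */
    private static final Pattern SAFE_TYPE = Pattern.compile("[a-z0-9_-]{1,32}");

    private FileTypeResolver resolver = new MapResolver(Collections.<String, String>emptyMap());

    /** Injectable from shiro.ini, e.g. filetypePerms.resolver = $jcrTypeResolver */
    public void setResolver(FileTypeResolver resolver) {
        this.resolver = resolver;
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                   Object mappedValue) throws IOException {
        String[] perms = (String[]) mappedValue;
        String action = getHttpMethodAction(request);      // GET -> read, POST -> create, ...
        String fileType = getFileType(request);
        String[] resolvedPerms = buildPermissionsByFileType(perms, action, fileType);

        // Same rule as PermissionsAuthorizationFilter: no configured permissions means
        // nothing to enforce; otherwise every resolved permission must be held.
        if (resolvedPerms == null || resolvedPerms.length == 0) {
            return true;
        }
        Subject subject = getSubject(request, response);
        return subject.isPermittedAll(resolvedPerms);
    }

    /** Looks the type up by path and normalises it into a safe permission token. */
    protected String getFileType(ServletRequest request) {
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        String type = resolver.resolve(path);
        if (type == null) {
            return UNKNOWN_TYPE;
        }
        type = type.toLowerCase(Locale.ROOT);
        // Reject anything that would change how WildcardPermission parses the string.
        return SAFE_TYPE.matcher(type).matches() ? type : UNKNOWN_TYPE;
    }

    /** "documents" + "read" + "contract" -> "documents:read:contract" */
    protected String[] buildPermissionsByFileType(String[] perms, String action, String fileType) {
        if (perms == null || perms.length == 0) {
            return perms;
        }
        String[] resolved = new String[perms.length];
        for (int i = 0; i < perms.length; i++) {
            resolved[i] = perms[i] + ":" + action + ":" + fileType;
        }
        return resolved;
    }
}
```

With this layout the filter is registered in the [main] section of shiro.ini (filetypePerms = the class above, with filetypePerms.resolver = $someResolverBean) and applied in [urls] as /documents/** = authc, filetypePerms[documents]; a role can then be granted documents:read:contract, documents:*:invoice, or documents:read:* as needed. Paths the resolver does not recognise resolve to the "unknown" type, so they are only reachable by roles whose permission wildcards the type part, which keeps unmodelled documents closed by default.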