shiro
1、用户认证
通过login方法调用
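/**
 * Authenticates {@code username}/{@code password} against the configured Shiro realm.
 *
 * <p>Every {@link AuthenticationException} subtype raised by the realm (unknown account,
 * incorrect credentials, locked account, excessive attempts) is handled identically:
 * logged at WARN and reported to the caller as a {@code null} result. The caller thus
 * cannot tell which check failed, so the failure reason does not leak past this method.
 * The five identical handlers of the original are folded into one.
 *
 * @param username login name, passed to the realm unchanged
 * @param password clear-text password, wrapped in a {@link UsernamePasswordToken}
 * @return a map holding the authenticated {@link User} under {@code CURRENT_USER},
 *         or {@code null} when authentication did not succeed
 */
public Map<String, Object> login(String username, String password) {
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        // Dispatches through the security manager to AuthRealm.doGetAuthenticationInfo(AuthenticationToken).
        subject.login(token);
    } catch (AuthenticationException ae) {
        // UnknownAccount-, IncorrectCredentials-, LockedAccount- and ExcessiveAttemptsException
        // all extend AuthenticationException; none of them needs separate treatment here.
        logger.warn("login(String, String)", ae);
    }
    if (!subject.isAuthenticated()) {
        return null;
    }
    Map<String, Object> loginResult = new HashMap<String, Object>();
    loginResult.put(CURRENT_USER, subject.getPrincipals().oneByType(User.class));
    return loginResult;
}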
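/**
 * Shiro realm backing both authentication (login) and authorization (permission lookup).
 *
 * <p>{@code userDao} and {@code permissionDao} are used below but declared and injected
 * outside this listing.
 */
public class AuthRealm extends AuthorizingRealm {

    /**
     * Loads the string permissions of the authenticated user.
     *
     * <p>The user id is taken from the principal collection (it is added there by
     * {@link #doGetAuthenticationInfo}) and used to fetch the permission codes that
     * {@code Subject.isPermitted(code)} is later checked against.
     *
     * @param principals principals of the current subject; must not be null
     * @return the user's permission codes as string permissions; empty when the
     *         principal collection carries no user id
     * @throws AuthorizationException if {@code principals} is null
     * @throws UnsupportedOperationException when dynamic authorization is configured,
     *         which this realm does not implement
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
        }
        // Reject the unsupported mode before touching the database.
        if (ConfigUtil.isDynamicAuthz()) {
            throw new UnsupportedOperationException("动态赋权暂不被支持");
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // NOTE(review): assumes User.getId() is a UUID, matching the principal added at login — confirm.
        UUID uid = principals.oneByType(UUID.class);
        if (uid == null) {
            // Fail closed: without a user id there is nothing to authorize. Do not pass a null
            // criterion to the DAO, whose handling of null filters is not visible here.
            return info;
        }
        Map<String, Object> params = new HashMap<String, Object>();
        params.put("EQ_UID", uid);
        List<Permission> permissions = permissionDao.list(params);
        for (Permission permission : permissions) {
            // AuthzFilter later evaluates subject.isPermitted(code) against this set.
            info.addStringPermission(permission.getCode());
        }
        return info;
    }

    /**
     * Verifies the submitted username/password against the user store.
     *
     * <p>Flow: reject a blank username, load the user by code, reject a disabled user,
     * then compare the derived credential via {@code userDao.checkPassword}. Each failure
     * raises a distinct exception type; the calling {@code login(String, String)} logs
     * them and collapses them into a single "not authenticated" outcome, so the
     * distinction is not exposed to the client.
     *
     * <p>The stored credential is {@code md5(userId + password)}. MD5 salted with the user
     * id is cheap to brute-force offline; migrating stored hashes to a slow password hash
     * (bcrypt/scrypt/argon2) is recommended. The scheme is kept here because existing
     * stored credentials depend on it.
     *
     * @param token a {@link UsernamePasswordToken}, the token type this realm supports
     * @return authentication info whose principals are the username, the {@code User} and
     *         its id, and whose credentials are the derived hash
     * @throws AccountException if the username is blank
     * @throws UnknownAccountException if no user has that code
     * @throws LockedAccountException if the user is disabled
     * @throws IncorrectCredentialsException if the password check does not succeed
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        if (StringUtils.isBlank(username)) {
            throw new AccountException("不允许为空的用户名通过该认证");
        }
        User user = userDao.getByCode(username);
        if (null == user) {
            throw new UnknownAccountException("不存在的用户");
        }
        if (!user.isEnable()) {
            throw new LockedAccountException("该用户不可用");
        }
        String password = CodecUtil.md5(user.getId().toString() + new String(upToken.getPassword()));
        // The token's credentials are replaced by the derived hash, so the credentials matcher
        // that runs afterwards compares equal values; the effective check is the DAO call below.
        upToken.setPassword(password.toCharArray());
        Number matches = userDao.checkPassword(user.getId(), password);
        // Fail closed: a missing result is a failed check, not a NullPointerException that
        // would escape login() as a non-AuthenticationException.
        if (matches == null || matches.longValue() != 1L) {
            throw new IncorrectCredentialsException("密码错误");
        }
        Set<Object> principals = new HashSet<Object>();
        principals.add(username);
        principals.add(user);
        principals.add(user.getId());
        return new SimpleAuthenticationInfo(principals, password.toCharArray(), getName());
    }
}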
2、用户授权
用户登录后，通过配置 filter 对请求进行过滤，并进行权限检查
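/**
 * 权限的过滤器 — permission filter.
 *
 * <p>Maps the request's servlet path to a {@code Permission} and allows the request only
 * when the current subject holds that permission's code. A path with no configured
 * permission is denied (fail closed). The three URL properties are set through the
 * filter-chain configuration via the setters below.
 *
 * @author wangjintao
 */
public class AuthzFilter extends AuthorizationFilter {
    /** Page shown when the requested path maps to no configured permission. */
    private String unknownPermUrl;
    /** Page shown when a page-type permission is missing. */
    private String unAuthzPageUrl;
    /** Page shown when a data-type permission is missing. */
    private String unAuthzDataUrl;

    @Resource
    private PermissionService permissionService;

    /**
     * Decides whether the current subject may access the requested servlet path.
     *
     * @param request current request
     * @param response current response
     * @param mappedValue filter-chain configuration value; not used here
     * @return {@code true} only if a permission is configured for the path and the subject
     *         is permitted for its code
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
            Object mappedValue) throws Exception {
        Subject subject = getSubject(request, response);
        Permission permission = permissionService.getByUrl(requestedPath(request));
        if (null == permission) {
            // Unknown paths are denied rather than let through.
            return false;
        }
        // Dispatches through the security manager to AuthRealm.doGetAuthorizationInfo(PrincipalCollection).
        return subject.isPermitted(permission.getCode());
    }

    /**
     * Forwards a denied request to the appropriate page: the login page when there is no
     * principal, the unknown-permission page when the path has no permission, otherwise the
     * data or page "unauthorized" view depending on the permission type.
     *
     * @return always {@code false}; the request has been handled by the forward
     * @throws IOException if the forward fails with an I/O error
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        Subject subject = getSubject(request, response);
        try {
            forward(request, response, deniedTarget(subject, request));
        } catch (ServletException e) {
            logger.error("onAccessDenied(ServletRequest, ServletResponse)", e);
        }
        return false;
    }

    /** Selects the page a denied request is forwarded to. */
    private String deniedTarget(Subject subject, ServletRequest request) {
        if (subject.getPrincipal() == null) {
            return getLoginUrl();
        }
        Permission permission = permissionService.getByUrl(requestedPath(request));
        if (null == permission) {
            return getUnknownPermUrl();
        }
        // Fix: the original forwarded both branches to the data URL and never used unAuthzPageUrl.
        // Comparing from the constant side is null-safe; a permission without a type gets the page URL.
        return PermissionType.DATA.equals(permission.getType())
                ? getUnAuthzDataUrl()
                : getUnAuthzPageUrl();
    }

    /**
     * Lookup key for permissions: the servlet path only.
     * NOTE(review): getServletPath() excludes path info and the query string; confirm that
     * permission URLs are configured on that basis.
     */
    private static String requestedPath(ServletRequest request) {
        return WebUtils.toHttp(request).getServletPath();
    }

    /** Forwards the request to {@code path} via the request dispatcher. */
    private static void forward(ServletRequest request, ServletResponse response, String path)
            throws ServletException, IOException {
        WebUtils.toHttp(request).getRequestDispatcher(path).forward(request, response);
    }

    public String getUnknownPermUrl() {
        return unknownPermUrl;
    }

    public void setUnknownPermUrl(String unknownPermUrl) {
        this.unknownPermUrl = unknownPermUrl;
    }

    public String getUnAuthzPageUrl() {
        return unAuthzPageUrl;
    }

    public void setUnAuthzPageUrl(String unAuthzPageUrl) {
        this.unAuthzPageUrl = unAuthzPageUrl;
    }

    public String getUnAuthzDataUrl() {
        return unAuthzDataUrl;
    }

    public void setUnAuthzDataUrl(String unAuthzDataUrl) {
        this.unAuthzDataUrl = unAuthzDataUrl;
    }
}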
转载于:https://www.cnblogs.com/atwanli/articles/5162833.html