目的:
shiro授权
shiro注解式开发
Shiro授权
首先设计shiro权限表:
从图中我们也清晰的看出五张表之间的关系
ShiroUserMapper
Set<String>getRolesByUserId(Integer uid);
Set<String> getPersByUserId(Integer uid);
ShiroUserMapper.xml
<select id="getRolesByUserId"resultType="java.lang.String"parameterType="java.lang.Integer">select r.roleid from t_shiro_user u,t_shiro_user_role ur,t_shiro_role r
where u.userid = ur.userid and ur.roleid = r.roleid
and u.userid = #{uid}
</select>
<select id="getPersByUserId"resultType="java.lang.String"parameterType="java.lang.Integer">select p.permission from t_shiro_user u,t_shiro_user_role ur,t_shiro_role_permission rp,t_shiro_permission p
where u.userid = ur.userid and ur.roleid = rp.roleid and rp.perid = p.perid
and u.userid = #{uid}
</select>
Service层
ShiroUserService
/*** 角色验证 * @paramuid * @return */Set<String>getRolesByUserId(Integer uid); /*** 权限判断 * @paramuid * @return */Set<String> getPersByUserId(Integer uid);
ShiroUserServiceIpml
@Service("shiroUserService") public class ShiroUserServiceImpl implementsShiroUserService { @Autowired privateShiroUserMapper shiroUserMapper; @Override publicShiroUser queryByName(String userName) { returnshiroUserMapper.queryByName(userName); } @Override public intinsert(ShiroUser shiroUser) { returnshiroUserMapper.insert(shiroUser); } @Override public Set<String> getRolesByUserId(Integer uid) { return shiroUserMapper.getRolesByUserId(uid); } @Override public Set<String> getPersByUserId(Integer uid) { returnshiroUserMapper.getPersByUserId(uid); } }
编写MyRealm中的授权方法去获取数据源
public class MyRealm extendsAuthorizingRealm { privateShiroUserService shiroUserService; publicShiroUserService getShiroUserService() { returnshiroUserService; } public voidsetShiroUserService(ShiroUserService shiroUserService) { this.shiroUserService =shiroUserService; } /*** 授权 * @paramprincipalCollection * @return */@Override protectedAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { ShiroUser shiroUser = this.shiroUserService.queryByName(principalCollection.getPrimaryPrincipal().toString()); Set<String> roleids = this.shiroUserService.getRolesByUserId(shiroUser.getUserid()); Set<String> perIds = this.shiroUserService.getPersByUserId(shiroUser.getUserid()); SimpleAuthorizationInfo info = newSimpleAuthorizationInfo(); info.setRoles(roleids); info.setStringPermissions(perIds); returninfo; } }
Shiro注解式开发
常用注解介绍
@RequiresAuthenthentication:表示当前Subject已经通过login进行身份验证;即 Subject.isAuthenticated()返回 true
@RequiresUser:表示当前Subject已经身份验证或者通过记住我登录的
@RequiresGuest:表示当前Subject没有身份验证或者通过记住我登录过,即是游客身份
@RequiresRoles(value = {"admin","user"},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {"user:delete","user:b"},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b
注意: 必须将Shiro注解的开启放置到spring-mvc.xml中(即放在springMVC容器中加载),不然Shiro注解开启无效!
所以我们要在Springmvc文件中配置他
Springmvc.xml
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass"value="true"></property> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager"ref="securityManager"/> </bean> <bean id="exceptionResolver"class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="exceptionMappings"> <props> <prop key="org.apache.shiro.authz.UnauthorizedException">unauthorized </prop> </props> </property> <property name="defaultErrorView"value="unauthorized"/> </bean>
再Controller中运用注解
/*** @author黄大娘 * @company dogsun * @oreata 2019-10-14 21:28 */@Controller public classShiroUserController { @Autowired privateShiroUserService shiroUserService;/*** 讲解身份认证的注释 * @paramreq * @paramresp * @return */@RequiresUser @RequestMapping("/passUser") publicString passUser(HttpServletRequest req, HttpServletResponse resp){ return "admin/addUser"; } /*** 角色认证的注释 * 此方法只有同时具备1.4两个角色id,才能访问 * @paramreq * @paramresp * @return */@RequiresRoles(value = {"1","4"},logical =Logical.AND) @RequestMapping("/passRole") publicString passRole(HttpServletRequest req, HttpServletResponse resp){ return "admin/listUser"; } /*** 如果角色,身份,权限的认证失败后的处理方式 * @paramreq * @paramresp * @return */@RequestMapping("/unauthorized") publicString ht(HttpServletRequest req, HttpServletResponse resp){ System.out.print("处理错误的方式!!!"); return "login"; } /*** 权限认证的注释 * * @paramreq * @paramresp * @return */@RequiresPermissions(value = {"user:update","user:view"},logical =Logical.OR) @RequestMapping("/passPer") publicString passPer(HttpServletRequest req, HttpServletResponse resp){ return "admin/resetPwd"; }}
main.jsp测试
<ul>shiro注解 <li> <a href="${pageContext.request.contextPath}/passUser">身份认证</a> </li> <li> <a href="${pageContext.request.contextPath}/passRole">角色认证</a> </li> <li> <a href="${pageContext.request.contextPath}/passPer">权限认证</a> </li> </ul>