Spring+Shiro权限控制+动态读取数据库

Spring+Shiro权限控制+动态读取数据库

在上一篇中只是简单的实现了权限控制,但都是配置在xml中,这样很不灵活,这一篇,我会从数据库中动态读取权限,然后根据用户组进行分配。建议先配置学习下之前的。跑成功了再来看这一篇。
上一篇传送门Spring+Shiro权限控制


需要的jar包

这里不需要添加新的jar包,直接在上一篇的基础写。
在web.xml中加入filter,创建shiro.xml然后添加到web.xml中。 然后将shiro.xml中最后一行解开,修改filters对应的value-ref的值。


shiro里面的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- 配置shiro -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- 指定Shiro验证用户登录的类为自定义的Realm(若有多个Realm,可用[realms]属性代替) -->
<property name="realm">
<bean class="com.liaoliao.shiro.MyRealm"/>
</property>
</bean>
<bean id="simplePermFilter" class="org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter"></bean>
<!-- org.apache.shiro.spring.web.ShiroFilterFactoryBean -->
<bean id="shiroFilter" class="com.liaoliao.shiro.ShiroPermissionFactory">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/sys/toLogin"/>
<property name="successUrl" value="/sys/login"/>
<property name="unauthorizedUrl" value="/sys/toLogin"/>
<!-- 权限配置 -->
<property name="filters">
<map>
<entry key="anyRoles" value-ref="anyRoles"/>
</map>
</property>
<property name="filterChainDefinitions">
<value>
/bootstrap/** = anon
/css/** = anon
/fonts/** = anon
/images/** = anon
/js/** = anon
/public/** = anon
/public/** = anon
/sys/toLogin = anon
/sys/Login = anon
/sys/logout = anon
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<bean id="anyRoles" class="com.liaoliao.shiro.CustomRolesAuthorizationFilter" />
</beans>

shiro.xml的内容跟之前的差别很小。然后MyRealM的内容没有改变,跟之前的一样。

MyRealM.java

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
import org.apache.commons.lang3.builder.ToStringStyle;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import com.liaoliao.admin.entity.AdminUser;
import com.liaoliao.admin.entity.Permission;
import com.liaoliao.admin.service.AdminUserService;
import com.liaoliao.admin.service.PermissionService;
public class MyRealm extends AuthorizingRealm {
@Autowired
private AdminUserService adminUserService;
@Autowired
private PermissionService permissionService;
/**
* 为当前登录的Subject授予角色和权限
* -----------------------------------------------------------------------------------------------
* 经测试:本例中该方法的调用时机为需授权资源被访问时
* 经测试:并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache
* 个人感觉若使用了Spring3.1开始提供的ConcurrentMapCache支持,则可灵活决定是否启用AuthorizationCache
* 比如说这里从数据库获取权限信息时,先去访问Spring3.1提供的缓存,而不使用Shior提供的AuthorizationCache
* -----------------------------------------------------------------------------------------------
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals){
//获取当前登录的用户名
String currentUsername = (String)super.getAvailablePrincipal(principals);
//从数据库中获取当前登录用户的详细信息
AdminUser adminUser = adminUserService.findByUserName(currentUsername);
SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
// Set<String> perlist = new HashSet<String>();
if(adminUser != null){
//在这里添加的role对应的就是权限的名,比如说,你给一个url添加了roles[管理员],有个叫mopoint的用户登录了,
//他想要访问这个url,那么在这里就需要给他赋予管理员这个权限,也就是说
//这里面simpleAuthorInfo.addRole("管理员");加上的就是管理员三个字。
simpleAuthorInfo.addRole(adminUser.getAdminGroup().getGroupName());
//这里我是通过数据库读取出来然后放入集合里面去的。
/* List<Permission> pers = permissionService.findByGroupId(adminUser.getAdminGroup().getId());
if(pers!=null && pers.size()>0){
for(Permission p:pers){
perlist.add(p.getNavigation().getNavigationUrl());
}
simpleAuthorInfo.addStringPermissions(perlist);
} */
//这里的perlist就是你能访问的url,比如说你数据库存放的一个url:/sys/videoList;这个url需要权限[管理员]。
//在上面已经给你的账号mopoint加上了role:[管理员],对应的,这里需要加上这个url。然后你的账号就能访问这个url了。
//比如配置在shiro.xml中的是/sys/videoList,那么这里的url就是"/sys/videoList";
String url="/sys/videoList";
simpleAuthorInfo.addStringPermissions(url);
return simpleAuthorInfo;
}else{
//如果返回空表示用户访问失败,会自动跳转到刚才unauthorizedUrl指定的地址。配置在shiro.xml里面
return null;
}
}
/**
* 验证当前登录的Subject
* 当在登录时执行Subject.login(),就会调用下面的这个接口:
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
//实际上这个authcToken在用户登录时通过currentUser.login(token)传过来的。
UsernamePasswordToken token = (UsernamePasswordToken)authcToken;
if(token.getUsername()==null){
//没有返回登录用户名对应的SimpleAuthenticationInfo对象时,就会在LoginController中抛出UnknownAccountException异常
return null;
}
AdminUser adminUser = adminUserService.findByUserName(token.getUsername());
if(null != adminUser){
String username = adminUser.getUserName();
String password = adminUser.getPassWord();
AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(username, password, this.getName());
this.setAuthenticationSession(adminUser);
return authcInfo;
}else{
throw new UnknownAccountException("用户帐号不存在!");
}
}
/**
* 将一些数据放到ShiroSession中,以便于其它地方使用
* 比如Controller里面,使用时直接用HttpSession.getAttribute(key)就可以取到
*/
private void setAuthenticationSession(Object value){
/* Subject currentUser = SecurityUtils.getSubject();
if(null != currentUser){
Session session = currentUser.getSession();
session.setTimeout(1000 * 60 * 60 * 2);
session.setAttribute("currentUser", value);
}*/
}
}

controller的写法也没有区别,还是之前的那样。

LoginController.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
@Controller("adminLogin")
@RequestMapping("/sys")
public class LoginController {
/**
* 跳转到登录页面
* @param request
* @return
*/
@RequestMapping("/toLogin")
public String toLogin(HttpServletRequest request){
return "page/login";
}
//用户退出
@RequestMapping("/logout")
public String logout(HttpSession session){
String currentUser = (String)session.getAttribute("currentUser");
System.out.println("用户[" + currentUser + "]准备登出");
SecurityUtils.getSubject().logout();
System.out.println("用户[" + currentUser + "]已登出");
return InternalResourceViewResolver.REDIRECT_URL_PREFIX + "/login";
}
/**
* 验证登录:
* @param request
* @param response
* @param userName
* @param passCode
* @return
*/
@RequestMapping("/Login")
public String Login(HttpServletRequest request,HttpServletResponse response,String userName,String passWord){
UsernamePasswordToken token=new UsernamePasswordToken();
token.setRememberMe(true);
//获取当前的Subject
Subject currentUser = SecurityUtils.getSubject();
try {
currentUser.login(token);
System.out.println("对用户[" + token.getUsername() + "]进行登录验证...验证通过");
}catch(Exception e){
//这里细分,大概有五种异常,有兴趣可以点击文章最后的链接去看看。
e.printStackTrace();
System.out.println("用户名或密码不正确");
request.setAttribute("message_login", "用户名或密码不正确");
return InternalResourceViewResolver.FORWARD_URL_PREFIX +"/sys/toLogin";
}
//验证是否登录成功,这里的isAuthenticated()方法有时候不怎么灵通,具体我也不知道啥原因,欢迎小伙伴找我探讨~
if(currentUser.isAuthenticated()){
AminUser au=adminUserService.findByUserName(userName);
AdminUser sessionAu= (AdminUser) request.getSession().getAttribute("adminUser");
if(au == null && sessionAu == null){
System.out.println(111);
return InternalResourceViewResolver.FORWARD_URL_PREFIX +"/sys/toLogin";
}
request.setAttribute("adminUser", au);
HttpSession session = request.getSession();
session.setAttribute("adminUser", au);
session.setAttribute("token", token);
List<Permission> pList=permissionService.findByGroupId(au.getAdminGroup().getId());
request.setAttribute("list", pList);
return "forward:/sys/theHome";
}else{
System.out.println("未通过!");
token.clear();
return InternalResourceViewResolver.REDIRECT_URL_PREFIX +"/sys/toLogin";
}
}
}

接下来的是重点,首先是启动的时候从数据库中动态读取权限,然后配置到xml中。


启动读取数据库配置权限


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
package com.liaoliao.shiro;
import java.util.List;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import org.springframework.beans.factory.annotation.Autowired;
import com.liaoliao.admin.entity.Navigation;
import com.liaoliao.admin.entity.Permission;
import com.liaoliao.admin.service.NavigationService;
import com.liaoliao.admin.service.PermissionService;
public class ShiroPermissionFactory extends ShiroFilterFactoryBean {
/**配置中的过滤链*/
public static String filterChainDefinitions;
@Autowired
private NavigationService navigationService;
@Autowired
private PermissionService permissionService;
/**
* 从数据库动态读取权限
*/
@Override
public void setFilterChainDefinitions(String definitions) {
ShiroPermissionFactory.filterChainDefinitions = definitions;
//数据库动态权限
List<Navigation> navigations = navigationService.findAll();
for(Navigation na : navigations){
//字符串拼接权限
if(na.getNavigationUrl() != null && !("".equals(na.getNavigationUrl()))){
List<Permission> permissions = permissionService.findByNavigationId(na.getId());
String pers="";
if(permissions!=null && permissions.size() == 1){
for(Permission p:permissions){
pers+=p.getAdminGroup().getGroupName()+",";
}
pers = pers.substring(0,pers.length()-1);
definitions = definitions+na.getNavigationUrl() + " = "+"authc,roles["+pers+"]";
}
if(permissions!=null && permissions.size()>1){
for(Permission p:permissions){
pers+=p.getAdminGroup().getGroupName()+",";
}
pers = pers.substring(0,pers.length()-1);
definitions = definitions+na.getNavigationUrl() + " = "+"authc,anyRoles["+pers+"]";
}
if(permissions==null || permissions.size()==0){
definitions = definitions+na.getNavigationUrl() + " = "+"authc,roles[超级管理员]";
}
}
definitions+="\n";
}
System.out.println(definitions);
//从配置文件加载权限配置
Ini ini = new Ini();
ini.load(definitions);
Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS);
if (CollectionUtils.isEmpty(section)) {
section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
}
//加入权限集合
setFilterChainDefinitionMap(section);
}
}

这里要注意的就是filterChainDefinitions这个变量名不能变,要跟shiro.xml中的权限name对应。我在这里是通过用户组名给每个url分配权限的。
比如说用户列表(/sys/userList)这个功能,我分配给你admin这个用户组没分配给user这个用户组,那么在这里,通过遍历出来的就是
/sys/userList authc,roles[admin];如果权限列表(/sys/permissionList),分配给了admin和user这两个用户组,那么遍历出来的就是:
/sys/permissionList authc,anyRoles[admin,user];到这里的时候,anyRoles里面还是且的关系,也就是说,你一个账号必须即是admin这个用户组
的,还必须是user这个用户组的,就不怎么合理,下面会讲解怎么处理这种情况。
在这里有两种存储方式,一种就是我写的这种,拼接字符串;还有种就是通过创建Map,然后通过key,value存储。
我这里用的就是拼接字符串,拼接字符串一定要注意的一个问题就是加个换行符。不然就会报些乱七八糟的错,我这里报的是:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
org.springframework.beans.factory.UnsatisfiedDependencyException:
Error creating bean with name 'accountAction': Unsatisfied dependency expressed through field 'redisService';
nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'redisService':
Unsatisfied dependency expressed through field 'redisTemplate';
nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException:
No qualifying bean of type 'org.springframework.data.redis.core.RedisTemplate<java.lang.String, java.lang.String>' available:
expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {@org.springframework.beans.factory.annotation.Autowired(required=true)}
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:588)
at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:366)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1264)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:483)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:761)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:543)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:443)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:325)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4745)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5207)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:596)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1805)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)

如果不写CustomRolesAuthorizationFilter这个文件,在这里可以实现:a,b两个用户组访问一个url,a中的用户可以访问,b中的用户不可以访问。
但是不能实现:比如说我这里有三个用户组a、b、c;两个url:sys/userList、sys/adminList;其中sys/userList可以被a,b中的用户组访问,sys/adminList可以被a,b,c中的用户访问;
无法限制c用户访问第一个url;所以就需要重写一个方法:isAccessAllowed,我用这个方法重写了一个anyRoles,这个方法的作用是实现了且的功能,在roles里面如果你写成roles[a,b];
那么你必须需要a和b的权限,才能访问这个路径,但是正常情况都是,a和b只要有一个就可以访问了。所以这里重写了isAccessAllowed方法,方法如下:


CustomRolesAuthorizationFilter方法


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
package com.liaoliao.shiro;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
// AuthorizationFilter抽象类事项了javax.servlet.Filter接口,它是个过滤器。
public class CustomRolesAuthorizationFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest req, ServletResponse resp, Object mappedValue) throws Exception {
Subject subject = getSubject(req, resp);
String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) { //没有角色限制,有权限访问
return true;
}
for (int i = 0; i < rolesArray.length; i++) {
if (subject.hasRole(rolesArray[i])) { //若当前用户是rolesArray中的任何一个,则有权限访问
return true;
}
}
return false;
}
}

这里就实现了或的功能,既能admin访问,又能user访问。
这样,动态读取数据库配置权限就讲解完了,下次有时候我会把动态更新配置写出来,欢迎小伙伴奉上鲜花鸡蛋~

文章目录
  1. 1. 需要的jar包
  2. 2. shiro里面的内容
  3. 3. MyRealM.java
  4. 4. LoginController.java
  5. 5. 启动读取数据库配置权限
  6. 6. CustomRolesAuthorizationFilter方法
,