1.权限判断
1.1获取到所有权限进行判断
public class FilterChainDefinitionMapBuilder {
@Autowired
private IPermissionService permissionService;
public Map<String,String> createFilterChainDefinitionMap(){
…
filterChainDefinitionMap.put("/logout","logout"); //不登录也可以访问
//从数据库拿到数据,放到咱们的Map中
//1.拿到所有权限
List<Permission> permissions = permissionService.findAll();
//2.遍历权限,拿到权限与资源
for (Permission permission : permissions) {
String url = permission.getUrl();//资源
String sn = permission.getSn();//权限
//把路径与资源放到拦截中去
filterChainDefinitionMap.put(url,"perms["+sn+"]");
}
filterChainDefinitionMap.put("/**","authc");
return filterChainDefinitionMap;
}
}
1.2.1.怎么拿到登录用户
//完成登录的认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
String username = token.getUsername();
Employee loginUser = employeeService.findByUsername(username);
if(loginUser==null){
return null;
}
//拿到登录用户的密码
String dbPassword = loginUser.getPassword();
//设置加盐
ByteSource salt = ByteSource.Util.bytes("itsource");
SimpleAuthenticationInfo authorizationInfo = new SimpleAuthenticationInfo(loginUser[此处主体就是咱们的登录用户(对象)],dbPassword,salt,getName());
return authorizationInfo;
}
修改页面展示:
主页面的用户现在变成了这个样子
修改代码:
<shiro:user>
欢迎[ <shiro:principal property="username" />]登录,<a href="${pageContext.request.contextPath}/logout">退出</a>
</shiro:user>
2.2.2.UserContext:设置与拿到当前登录用户
public class UserContext {
private static final String USER_IN_SESSION = "loginUser";
/**
* 把当前登录用户放入Session
* @param loginUser
*/
public static void setUser(Employee loginUser) {
Subject subject = SecurityUtils.getSubject();
subject.getSession().setAttribute(USER_IN_SESSION, loginUser);
}
/**
* 从Session中获取User
*/
public static Employee getUser() {
Subject subject = SecurityUtils.getSubject();
Employee curentUser = (Employee) subject.getSession().getAttribute(USER_IN_SESSION);
return curentUser;
}
}
2.2.3.LoginController:登录成功后把用户放到Session中
@RequestMapping(value="/login",method = RequestMethod.POST)
@ResponseBody
public JsonResult login(String username, String password){
//1.拿到访问的主体(当前登录用户)
Subject subject = SecurityUtils.getSubject();
//2.判断这个用户是否已经登录(通过验证)
if(!subject.isAuthenticated()){
….
}
//登录成功后,把当前登录用户放到session中
//1.拿到当前登录用户(这个主体就是当前登录用户)
Employee loginUser = (Employee) subject.getPrincipal();
//2.当前登录用户放到session中
UserContext.setUser(loginUser);
return new JsonResult();
}
通过sql拿到权限:
select p.* from employee e
join employee_role er on e.id = er.employee_id
join role r on er.role_id = r.id
join role_permission rp on rp.role_id = r.id
join permission p on rp.permission_id = p.id
where e.id = 2
2.2.4.根据用户id拿到权限
PermissionRepository
//根据当前登录用户拿到对应的权限
@Query("select distinct p.sn from Employee e join e.roles r join r.permissions p where e.id = ?1")
Set<String> findSnByEmp(Long employeeId);
IPermissionService
Set<String> findSnByEmp(Long employeeId);
PermissionServiceImpl
@Override
public Set<String> findSnByEmp(Long employeeId) {
return permissionRepository.findSnByEmp(employeeId);
}
2.2.5.JpaRealm:进入权限判断
public class JpaRealm extends AuthorizingRealm {
@Autowired
private IEmployeeService employeeService;
@Autowired
private IPermissionService permissionService;
//AuthorizationInfo:授权(是否有权限进入操作)
// 我们只需要把相应的权限交给Shiro,它就会自动比对
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//拿到主体信息(指的就是当前登录用户)
Employee loginUser = UserContext.getUser();
//获取权限资源(这里假设已经根据用户名到数据库中获取到了)
Set<String> permissions = permissionService.findSnByEmp(loginUser.getId());
//permissions.add("employee:index");
//permissions.add("role:index");
//permissions.add("employee:*");
//拿到授权对象,并且所有权限交给它
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setStringPermissions(permissions);
//返回授权对象
return simpleAuthorizationInfo;
}
…
}
2.3.权限判断Ajax请求
2.3.1.判断需知
现在,咱们进入一个页面进入判断已经能完成,但是如果是Ajax请求,如果返回的还是一个页面,用户的体验就非常的差,所以我们接下来要解决的是这个问题:
咱们所有的请求可以分为两大类,一个是跳转页面,xxx/index 还有一类是Ajax请求期望返回的是{“success”:false,”message”:”没有权限”}
区分处理是否是Ajax请求,普通跳转页面的请求 ,就跳转没有权限的页面,如果是ajax请求返回{“success”:false,”message”:”没有权限”}
?怎么Ajax 判断请求头里面是否有X-Requested-With
跳转页面请求头
Ajax请求多个一个请求头X-Requested-With XMLHttpRequest
2.3.2.自定义权限拦截器
public class ItsourceYxbPermissionsAuthorizationFilter extends PermissionsAuthorizationFilter {
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
Subject subject = this.getSubject(request, response);
if (subject.getPrincipal() == null) {
//没有登录成功后的操作
this.saveRequestAndRedirectToLogin(request, response);
} else {
//登录成功后没有权限的操作
//1.转成http的请求与响应操作
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
//2.根据请求确定是什么请求
String xRequestedWith = httpRequest.getHeader("X-Requested-With");
if (xRequestedWith != null &&"XMLHttpRequest".equals(xRequestedWith)) {
//3.在这里就代表是ajax请求
//表示ajax请求 {"success":false,"message":"没有权限"}
httpResponse.setContentType("text/json; charset=UTF-8");
httpResponse.getWriter().print("{\"success\":false,\"msg\":\"没有权限\"}");
}else {
String unauthorizedUrl = this.getUnauthorizedUrl();
if (StringUtils.hasText(unauthorizedUrl)) {
WebUtils.issueRedirect(request, response, unauthorizedUrl);
} else {
WebUtils.toHttp(response).sendError(401);
}
}
}
return false;
}
}
applicationContext-shiro.xml
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- 登录的url,如果没有登录,你访问的路径会跳到这个页面 -->
<property name="loginUrl" value="/login"/>
<!-- 登录成功的url,如果登录成功,会跳转到这个页面 -->
<property name="successUrl" value="/main"/>
<!-- 没有权限时跳转到这个位置 -->
<property name="unauthorizedUrl" value="/s/unauthorized.jsp"/>
<!-- 这个配置我们可以直接给一个map(动态的可以从代码中获取) -->
<property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"></property>
<!-- 引用自定义的权限过滤器 -->
<property name="filters">
<map>
<entry key="yxbPerms" value-ref="yxbPermissionsAuthorizationFilter"></entry>
</map>
</property>
</bean>
<!-- 配置自定义权限过滤器 -->
<bean id="yxbPermissionsAuthorizationFilter" class="cn.itsource.yxb.shiro.filter.ItsourceYxbPermissionsAuthorizationFilter"></bean>
<!-- 这个bean是帮助咱们获取相应的值:它会到一个工厂bean中通过对应的方法拿到相应的值 -->
<bean id="filterChainDefinitionMap" factory-bean="filterChainDefinitionMapBuilder" factory-method="createFilterChainDefinitionMap"></bean>
<!-- 配置可以创建 -->
<bean id="filterChainDefinitionMapBuilder" class="cn.itsource.yxb.shiro.filter.FilterChainDefinitionMapBuilder"></bean>
FilterChainDefinitionMapBuilder
public Map<String,String> createFilterChainDefinitionMap(){
Map<String, String> filterChainDefinitionMap = new LinkedHashMap();
//注:对于一些不登录也可以放行的设置(大家可以根据实际情况添加)
filterChainDefinitionMap.put("/login","anon");
filterChainDefinitionMap.put("*.js","anon");
filterChainDefinitionMap.put("*.css","anon");
filterChainDefinitionMap.put("/css/**","anon");
filterChainDefinitionMap.put("/js/**","anon");
filterChainDefinitionMap.put("/easyui/**","anon");
filterChainDefinitionMap.put("/images/**","anon");
filterChainDefinitionMap.put("/logout","logout"); //不登录也可以访问
//这个值之后从数据库中查询到【用户-角色-权限-资源】
//从数据库拿到数据,放到咱们的Map中
//1.拿到所有权限
List<Permission> permissions = permissionService.findAll();
//2.遍历权限,拿到权限 资源
for (Permission permission : permissions) {
String url = permission.getUrl();//资源
String sn = permission.getSn();//权限
//把路径与资源放到拦截中去
filterChainDefinitionMap.put(url,"yxbPerms["+sn+"]");
}
filterChainDefinitionMap.put("/**","authc");
return filterChainDefinitionMap;
}
3.菜单读取
用户->角色->权限->菜单
用户有哪些权限,就应该有对应的菜单
(这里咱们可以分析数据库理解设计)
用户拥有对应的权限就拥有对应的菜单(二级菜单),如果此菜单有父菜单(一级菜单)也同时拥有
Domain设计
3.1.1. Menu
@Entity
@Table(name="menu")
public class Menu extends BaseDomain {
private String name;//菜单名称
private String url; //路径
private String icon; //图标
/**
* JsonIgnore:生成JSON的时候忽略这个属性
*/
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name="parent_id")
@JsonIgnore //这里生成json的时候要忽略,否则会造成功能相互调用
private Menu parent;
/**
* 还要配置一个一对多
* 这个字段不要交给JPA管理【到时候自己写代码管理】
* 数据库的menu表中就应该有一个children,而且还是List类型
* Transient:临时属性(JPA不管这个属性,和数据库没有关系)
*/
@Transient
private List<Menu> children = new ArrayList<>();
…
public String getText(){ //EasyUI的树需要一个text属性
return name;
}
}
3.1.2.Permission
@ManyToOne(fetch = FetchType.LAZY)
@JoinColumn(name="menu_id")
private Menu menu;
3.2.功能完成
3.2.1.MenuRepository
/根据用户名拿到一个人对应的所有子菜单
@Query("select distinct m from Employee e join e.roles r join r.permissions p join p.menu m where e.id = ?1")
List<Menu> findByLoginUser(Long userId);
3.2.2.MenuService
List<Menu> childrenMenus = menuRepository.findByLoginUser(userId);
//遍历子菜单(如果有父菜单放进入,没有单独创建)
for (Menu childrenMenu : childrenMenus) {
//拿到子菜单对应的父菜单
Menu parent = childrenMenu.getParent();
//判断如果父菜单中是否有这个菜单
if(parentMenus.contains(parent)){
//有的话,咱们就把子菜单放到父菜单中去
int i = parentMenus.indexOf(parent);
Menu parentMenu = parentMenus.get(i);
parentMenu.getChildren().add(childrenMenu);
}else{
//如果没有,再单独把父菜单放进去
parentMenus.add(parent);
parent.getChildren().add(childrenMenu);
}
}
return parentMenus
3.2.3.UtilController
@RequestMapping("/loginUserMenus")
@ResponseBody
public List loginUserMenus(Long id){
Employee loginUser = UserContext.getUser();
return menuService.findByLoginUser(loginUser.getId());
}
最后把主页面查找菜单的路径替换成咱们现在的路径即可(效果如下【不同的人看到的不同】)
4.页面按钮权限控制
4.1.功能描述
一个用户如果有查看员工的权限,但是它却没有删除的权限,我们连按钮都不应该让他看到!
4.2.功能实现
<shiro:hasPermission name="employee:save">
<a href="#" data-method="add" class="easyui-linkbutton" iconCls="icon-add" plain="true">添加</a>
</shiro:hasPermission>
<shiro:hasPermission name="employee:update">
<a href="#" data-method="edit" class="easyui-linkbutton" iconCls="icon-edit" plain="true">修改</a>
</shiro:hasPermission>
<shiro:hasPermission name="employee:delete">
<a href="#" data-method="del" class="easyui-linkbutton" iconCls="icon-remove" plain="true">删除</a>
</shiro:hasPermission>