spring 整合shiro ,并实现动态url 配置

shiro 与Spring 结合

• 数据库实现，参考RBAC角色权限控制的实现

• maven 导入相关包

      
          org.apache.shiro
          shiro-core
          1.3.2
      
      
      
          org.apache.shiro
          shiro-web
          1.3.2
      
      
      
          org.apache.shiro
          shiro-spring
          1.3.2
      
      
      
          org.apache.shiro
          shiro-ehcache
          1.3.2
      
  

• web.xml 配置

  shiroFilter org.springframework.web.filter.DelegatingFilterProxy shiroFilter /*

• spring_shiro.xml

  
  
  
  
  
  
      
      
  
  
  
  
  
  
  
  
  
      
      
      
      
      
      
      
      
      
      
      
          
              /manageUser/login=anon
              
          
      
  
  

• 自定义的realm

  public class MyShiroRealm extends AuthorizingRealm {
  static IManageUserService manageUserService;
  public static final String SESSION_USER_KEY = “temp”;

  /**
   * 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用,负责在应用程序中决定用户的访问控制的方法
   */
  @Override
  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  //可自定义实现内容
      SecurityUtils.getSubject().getSession()
   .getAttribute(OneballShiroRealm.SESSION_USER_KEY);
      SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
      return info;
  }
  
  /**
   * 认证回调函数，登录信息和用户验证信息验证
   */
  @Override
  protected AuthenticationInfo doGetAuthenticationInfo(
          AuthenticationToken authcToken) throws AuthenticationException {
      //判断 manageUserService 是否为空
      if (manageUserService == null) {
          manageUserService = (ManageUserService) ApplicationContextUtil.getBean("manageUserService");
      }
      UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
      String userName = token.getUsername();
      String passWord = String.valueOf(token.getPassword());
      ManageUser manageUser = manageUserService.login(userName, passWord);
  
      if (manageUser == null) {
          return null; // 异常处理，找不到数据
      }
  
      Subject subject =  SecurityUtils.getSubject();
  
      //shiro session
      Session session = SecurityUtils.getSubject().getSession();
      session.setTimeout(60 * 60 * 3 * 1000);
      session.setAttribute(OneballShiroRealm.SESSION_USER_KEY, manageUser);
  
      //当前 Realm 的 name
      String realmName = this.getName();
      //登陆的主要信息: 可以是一个实体类的对象, 但该实体类的对象一定是根据 token 的 username 查询得到的.
      Object principal = authcToken.getPrincipal();
      return new SimpleAuthenticationInfo(principal, passWord, realmName);
  }
  
  
  public IManageUserService getManageUserService() {
      return manageUserService;
  }
  
  public void setManageUserService(IManageUserService manageUserService) {
      this.manageUserService = manageUserService;
  }
  

  }

• 继承ShiroFilterFactoryBean，实现从数据库动态加载权限信息

  public class ShiroPermissionFactory extends ShiroFilterFactoryBean {

  private ManageUserService manageUserService;
  
  
  /**记录配置中的过滤链*/
  public static String definition="";
  
  
  /**
   * 初始化设置过滤链
   */
  @Override
  public void setFilterChainDefinitions(String definitions) {
  

  // String token = manageUserService.getAdminToken(0);

      //可从数据库读取后，添加至过滤链，参考此处已注释的代码
      definition = definitions;//记录配置的静态过滤链
  

  // List permissions = permissService.findAll();
  Map otherChains = new HashMap();
  // permissions.forEach(permiss->{
  // //perms.add(e)
  otherChains.put(“/discover/newstag”, “authc,roles[user,admin]”);
  // });
  //加载配置默认的过滤链
  Ini ini = new Ini();
  ini.load(definitions);
  Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS);
  if (CollectionUtils.isEmpty(section)) {
  section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
  }
  //加上数据库中过滤链
  section.putAll(otherChains);
  setFilterChainDefinitionMap(section);

  }
  
  public ManageUserService getManageUserService() {
      return manageUserService;
  }
  
  public void setManageUserService(ManageUserService manageUserService) {
      this.manageUserService = manageUserService;
  }
  

  }

• FilterChainDefinitionsService实现，无需部署，重新加载权限

  @Service
  public class FilterChainDefinitionsService implements IFilterChainDefinitionsService {
  @Autowired
  private ShiroPermissionFactory permissFactory;

  @Override
  public void reloadFilterChains() {
      synchronized (permissFactory) {   //强制同步，控制线程安全
          AbstractShiroFilter shiroFilter = null;
  
          try {
              shiroFilter = (AbstractShiroFilter) permissFactory.getObject();
  
              PathMatchingFilterChainResolver resolver = (PathMatchingFilterChainResolver) shiroFilter
                      .getFilterChainResolver();
              // 过滤管理器
              DefaultFilterChainManager manager = (DefaultFilterChainManager) resolver.getFilterChainManager();
              // 清除权限配置
              manager.getFilterChains().clear();
              permissFactory.getFilterChainDefinitionMap().clear();
              // 重新设置权限
              permissFactory.setFilterChainDefinitions(ShiroPermissionFactory.definition);//传入配置中的filterchains
  
              Map chains = permissFactory.getFilterChainDefinitionMap();
              //重新生成过滤链
              if (!CollectionUtils.isEmpty(chains)) {
                  chains.forEach((url, definitionChains) -> {
                      manager.createChain(url, definitionChains.trim().replace(" ", ""));
                  });
              }
              // manager.addToChain("/discover/banner", "perms", "sssss");
  
  
          } catch (Exception e) {
              e.printStackTrace();
          }
      }
  }
  

  }

• 登录验证的实现

  //示例代码，未实现加密验证
  private String loginUser(ManageUser user) {
  // if (isRelogin(user)) {
  // // 如果已经登陆，无需重新登录
  // return “success”;
  // }
  return shiroLogin(user); // 调用shiro的登陆验证
  }

  private String shiroLogin(ManageUser user) {
      UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword().toCharArray(), null);
  

  // token.setRememberMe(true);
  // shiro登陆验证
  try {
  // System.out.println(SecurityUtils.getSubject());
  SecurityUtils.getSubject().login(token);
  } catch (UnknownAccountException ex) {
  return “用户不存在或者密码错误！”;
  } catch (IncorrectCredentialsException ex) {
  return “用户不存在或者密码错误！”;
  }catch (ExcessiveAttemptsException ex) {
  return “账号或密码错误次数过多,请稍后重试！”;
  } catch (AuthenticationException ex) {
  return ex.getMessage(); // 自定义报错信息
  } catch (Exception ex) {
  ex.printStackTrace();
  return “内部错误，请重试！”;
  }
  return “success”;
  }

  private boolean isRelogin(ManageUser user) {
      Subject us = SecurityUtils.getSubject();
      if (us.isAuthenticated()) {
          return true; // 参数未改变，无需重新登录，默认为已经登录成功
      }
      return false; // 需要重新登陆
  }