7.自定义Realm实现授权

1.仅通过ini配置文件来指定权限不够灵活,也不方便。实际应用中,用户信息、角色信息和权限信息大多保存在数据库中,因此需要从数据库中获取相关的权限信息。可以使用Shiro提供的JdbcRealm(同样不够灵活),也可以自定义Realm来实现。

2.自定义Realm需要继承AuthorizingRealm,并重写doGetAuthorizationInfo(授权)和doGetAuthenticationInfo(身份认证)两个方法。

ini配置文件:

[main]

# Instantiate the custom realm by its fully qualified class name and bind it to the name UserRealm.
UserRealm=com.lyh.shouquanRealm_demo
# Make UserRealm the security manager's realm, so login and permission checks are answered by it.
securityManager.realms=$UserRealm

自定义Realm类:

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.util.ArrayList;
import java.util.List;

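/**
 * Demo realm that answers both authentication and authorization requests for Shiro.
 *
 * <p>Both lookups are stubbed with fixed values where a real realm would query the database.
 * As written, every username authenticates with the same password and receives the same four
 * permissions, so this class is only suitable as a teaching sample.
 */
public class shouquanRealm_demo extends AuthorizingRealm {
    /**
     * Supplies the permissions of the subject identified by {@code principalCollection}.
     *
     * @param principalCollection principals of the subject; the primary principal is used as
     *                            the username
     * @return an {@link AuthorizationInfo} holding the subject's string permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        String username = principalCollection.getPrimaryPrincipal().toString();
        System.out.println("授权的用户名------------"+username);
        // Stand-in for the database query keyed by username. The list below ignores the
        // username, so every authenticated subject is granted all four permissions; a real
        // realm must load only the permissions that belong to this user.
        // Typed as List<String>: a raw List cannot be iterated as String in the loop below.
        List<String> permission = new ArrayList<>();
        permission.add("user:add");
        permission.add("user:update");
        permission.add("user:delete");
        permission.add("user:find");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String s : permission) {
            info.addStringPermission(s);
        }
        return info;
    }

    /**
     * Supplies the stored account data that Shiro compares with the submitted token.
     *
     * @param authenticationToken the token submitted at login; its principal is the username
     *                            typed by the user
     * @return the account's principal and stored credential, or {@code null} when the token
     *         carries no username (Shiro treats {@code null} as "no such account")
     * @throws AuthenticationException if the account data cannot be obtained
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // The principal of the token is the username entered by the user.
        String username = (String) authenticationToken.getPrincipal();
        System.out.println("用户名==========="+username);
        if (username == null) {
            // No account can be looked up without a username; report "not found" to Shiro
            // instead of building an AuthenticationInfo around a null principal.
            return null;
        }
        // Stand-in for the database lookup of this user's credential. The value does not
        // depend on the username, so any username is accepted with this password. A real
        // realm should return null for unknown users and store a salted password hash that
        // is checked by a configured credentials matcher, never a plaintext constant.
        String pwd = "123";
        // Hand the stored principal and credential to Shiro, which performs the comparison.
        return new SimpleAuthenticationInfo(username, pwd, getName());
    }
}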

shiro测试代码:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;


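/**
 * Command-line check that logs in through the custom realm and tests its permissions.
 */
public class TestShouquanRealm_demo {
    /**
     * Builds a SecurityManager from {@code shouquanRealm.ini}, logs in one fixed user and
     * prints whether that user holds all four {@code user:*} permissions.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // 1. Create the SecurityManager factory from the INI file on the classpath.
        //    The type argument is required: a raw Factory returns Object from getInstance().
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shouquanRealm.ini");

        // 2. Obtain the SecurityManager and bind it to SecurityUtils.
        SecurityManager securityManager = factory.getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        // 3. Obtain the Subject and build the username/password token (identity/credential).
        Subject subject = SecurityUtils.getSubject();

        // Fixed demo credentials; real code takes these from the login request and never
        // keeps a password as a source-code literal.
        UsernamePasswordToken token = new UsernamePasswordToken("zhangsan", "123");

        try {
            subject.login(token);
            if (subject.isAuthenticated()) {
                System.out.println("验证通过");
            }
            // True only when the realm grants every one of the listed permissions.
            boolean permitted = subject.isPermittedAll("user:add", "user:find", "user:update", "user:delete");
            System.out.println(permitted);
        } catch (AuthenticationException e) {
            e.printStackTrace();
            System.out.println("验证失败");
        } finally {
            // End the session so the authenticated state does not outlive the check.
            subject.logout();
        }
    }
}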
