spring shiro权限注解方式验证;

第一种使用shiro的注解方式:

 
     		 
    

	    
	

配置上,在方法头上加上注解就可以了,网上资料很多,就不详说了


使用自定义注解

先上自定义注解:

package com.isoftstone.common.permission;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME) 
@Target({ElementType.METHOD})//适用的地方 有 方法上  类上等
public @interface CheckPermission {
   String [] permission();//可以传多个权限标示
}

注解使用:


	/**
	 * 保存
	 * @param   基本用户信息
	 * @param   角色id
	 * @return
	 * @author {huzhe}
	 */
	@RequestMapping(value = "/saveUser")
	@CheckPermission(permission={BusinessPermissionLabel.permission_addChildAccount})
	public OperationPrompt saveUser(UserBasicInfo userbaseInfo,String addRoleIds) {

多个权限标示使用逗号隔开;


第二种:使用spring aop   方法验证   基于上边的自定义   

使用shiro验证是否标示是否有权限 

currentUser.isPermitted(per)

package com.isoftstone.common.permission;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Component;

@Aspect
@Component
//次方法根据spring aop贴入方法 进行权限验证
public class PermissionInterceptor {

	    @Around("execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)")  
	    public Object doInterceptor(ProceedingJoinPoint pjp,CheckPermission checkPermission) throws Throwable{
	    	long time = new java.util.Date().getTime();
	    	boolean isPermissioin = false;
	    	Subject currentUser = SecurityUtils.getSubject();  
	    	 //没有获得注解  及不需要权限-- 则直接运行
	    	if(null!=checkPermission){
	    		String [] permission = checkPermission.permission();
	    		for(String per:permission){
	    			//当前登录人 具有权限
	    			if(currentUser.isPermitted(per)){
	    				isPermissioin = true;
	    				break;
	    			}
	    		}
	    	}else{
	    		isPermissioin = true;
	    	}
	    	
	    	System.out.println("(AOP)拦截到了:"+pjp.getSignature().getName()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());
	        if(isPermissioin){
	        	//有执行方法或权限不拦截
	            return pjp.proceed();
	        }else{
	        	//抛出无权限异常
	        	throw new AuthorizationException();
	        }
	          
	    }  
}

需要在spring配置文件中开始aop注解:


 
     



方式3:使用spring mvc拦截所有url验证:

    
    
            
    
         


这个方法实现大致一样:

package com.isoftstone.common.permission;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
//次方法根据spring mvc拦截器进行权限验证
public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter  {

	@Override
	public boolean preHandle(HttpServletRequest request,
			HttpServletResponse response, Object handler) throws Exception {
		HandlerMethod handler2=(HandlerMethod) handler;
		CheckPermission checkPermission = handler2.getMethodAnnotation(CheckPermission.class);
		long time = new java.util.Date().getTime();
    	boolean isPermissioin = false;
    	Subject currentUser = SecurityUtils.getSubject();  
    	 //没有获得注解  及不需要权限-- 则直接运行
    	if(null!=checkPermission){
    		String [] permission = checkPermission.permission();
    		for(String per:permission){
    			//当前登录人 具有权限
    			if(currentUser.isPermitted(per)){
    				isPermissioin = true;
    				break;
    			}
    		}
    	}else{
    		isPermissioin = true;
    	}
    	
    	System.out.println("拦截到了mvc方法:"+handler2.getMethod()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());
        if(isPermissioin){
        	//有执行方法或权限不拦截
            return true;
        }else{
        	//跑出无权限异常
        	throw new AuthorizationException();
        }
	}

}








 除了spring和shiro使用的包:

		
		  org.aspectj
		  aspectjrt
		  1.8.0
		
		
		  org.aspectj
		  aspectjweaver
		  1.8.0
		


spring自定义异常拦截:

package com.isoftstone.common.exception;

import java.io.IOException;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;

import com.isoftstone.common.bo.PermissioinPage;

/**
 * 自定义权限异常处理
 * @author Administrator
 *
 */
@Component
public class MyHandlerExceptionResolver implements HandlerExceptionResolver  {

	@Override
	public ModelAndView resolveException(HttpServletRequest request,
			HttpServletResponse response, Object object, Exception exception) {
		//是否为ajax请求
	    String requestType = request.getHeader("X-Requested-With");
	     if(exception instanceof AuthorizationException){
			response.setStatus(413);//无权限异常  主要用于ajax请求返回
			response.addHeader("Error-Json", "{code:413,msg:'nopermission',script:''}");
			response.setContentType("text/html;charset=utf-8");
			if("XMLHttpRequest".equals(requestType)){
				return new ModelAndView();
			}
			return new ModelAndView("redirect:/html/413.html");
		}
		return null;
	}



马上下班了,写的比较着急,有问题的话,大家留言,互相讨论!

你可能感兴趣的:(spring,shiro,maven)