智销系统项目day7 - 权限与菜单

1.session处理

1.1 登录成功后主体为用户

以前登录成功，传的是username，现在传主体Employee对象

//身份认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
   ...
    SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(loginUser,password,salt,getName());
    return authenticationInfo;
}

1.2 UserContext

session是从subject获取

存在shiro的session中后，HttpSession也会有值

public class UserContext {

    public static final String USER_IN_SESSION ="loginUser";

    //把登录成功的用户放到session中
    public static void setUser(Employee loginUser){
        Subject subject = SecurityUtils.getSubject();
        //代表登录成功,把当前登录用户放到Session中去(shiro的session)
        //1.拿到session
        Session session = subject.getSession();
        //2.把当前登录成功的用户放到session中去
        session.setAttribute(USER_IN_SESSION, loginUser);

    }
    
    //获取到当前登录用户
    public static Employee getUser(){
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession();
        Employee employee = (Employee) session.getAttribute(USER_IN_SESSION);
        return employee;
    }

}

2.授权管理

2.1 FilterChainDefinitionMapFactory

保存所有权限过滤的数据都是从数据库中获取

@Autowired
private IPermissionService permissionService;
public Map<String,String> createFilterChainDefinitionMap(){
    ...
    //拿到所有权限
    List<Permission> perms = permissionService.findAll();
    //设置相应的权限
    perms.forEach(p -> {
        filterChainDefinitionMap.put(p.getUrl(), "perms["+p.getSn()+"]");
    });

    filterChainDefinitionMap.put("/**", "authc");

    return filterChainDefinitionMap;
}

2.2 获取授权

授权部分的数据也是从数据库中获得的

应该拿到当前登录用户的所有权限

PermissionRepository

JPQL关联原则: 1.不写on 2.关联对象的别名.属性

//根据用户拿到他对应的所有权限
@Query("select distinct p.sn from Employee e join e.roles r join r.permissions p where e.id = ?1")
Set<String> findPermsByUser(Long userId);

PermissionService(调用略…)

JpaRealm

拿到当前登录用户,再获取它的权限

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    Employee loginUser = UserContext.getUser();
   //根据当前用户拿到对应的权限
    Set<String> perms = permissionService.findPermsByUser(loginUser.getId());
    //准备并返回AuthorizationInfo这个对象
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.setStringPermissions(perms);
    return authorizationInfo;
}

2.3 Ajax请求的权限处理

shiro处理没有权限是跳转页面,而我们如果是ajax请求,我们希望是返回json数据
ajax请求会有一个请求头:X-Requested-With: XMLHttpRequest
需要自定义一个shiro的权限过滤器

2.3.1 自定义权限过滤器

public class AisellPermissionsAuthorizationFilter extends PermissionsAuthorizationFilter {

    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {

        Subject subject = getSubject(request, response);
        // If the subject isn't identified, redirect to login URL
        if (subject.getPrincipal() == null) {
            saveRequestAndRedirectToLogin(request, response);
        } else {
            //一.拿到请求头
            HttpServletRequest req = (HttpServletRequest)request;
            // 拿到响应头
            HttpServletResponse resp = (HttpServletResponse)response;
            //设置响应头
            resp.setContentType("application/json;charset=UTF-8");
            String xr = req.getHeader("X-Requested-With");
            //二.判断这个请求头是否是Ajax请求
            if(xr!=null && "XMLHttpRequest".equals(xr)){
                //返回一个json {"success":false,"msg":"权限不足，请充值！"}
                resp.getWriter().print("{\"success\":false,\"msg\":\"你的权限不足，请充值！\"}");
            }else {
                //普通请求:拿到没有权限的跳转路径,进行跳转
                String unauthorizedUrl = getUnauthorizedUrl();
                if (StringUtils.hasText(unauthorizedUrl)) {
                    WebUtils.issueRedirect(request, response, unauthorizedUrl);
                } else {
                    WebUtils.toHttp(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                }
            }
        }
        return false;
    }
}

2.3.2 applicationContext-shiro.xml

配置权限过滤器

entry key=“aisellPerms”:确定权限过滤器的名称

    
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
       ...
        
        <property name="filters">
            <map>
                <entry key="aisellPerms" value-ref="aisellPermissionsAuthorizationFilter"/>
            map>
        property>
    bean>

    
    <bean id="aisellPermissionsAuthorizationFilter" class="cn.itsource.aisell.shiro.AisellPermissionsAuthorizationFilter" />

2.3.3 修改过滤器配置

@Autowired
private IPermissionService permissionService;
public Map<String,String> createFilterChainDefinitionMap(){
    ...
    //拿到所有权限
    List<Permission> perms = permissionService.findAll();
    //设置相应的权限
    perms.forEach(p -> {
        filterChainDefinitionMap.put(p.getUrl(), "aisellPerms["+p.getSn()+"]");
    });
    ...
}

3.菜单管理

员工 -> 角色 -> 权限 -> 菜单

3.1 Menu

菜单domain的自关连配置

需要配置双向,但是不能让JPA去管理一对多(我们自己管理:@Transient)

双向生成JSON会产生死循环,需要一边进行忽略:@JsonIgnore

 //让它不再生成JSON
    @ManyToOne(fetch = FetchType.LAZY)
    @JoinColumn(name = "parent_id")
    @JsonIgnore
    private Menu parent;

    // 临时属性 -> 这个字段JPA就不管它了
    @Transient
    private List<Menu> children = new ArrayList<>();
        …
    public String getText(){ //EasyUI的树需要一个text属性
      return name;
    }

3.2 MenuRepository

public interface MenuRepository extends BaseRepository<Menu,Long>{
    @Query("select distinct m from Employee e join e.roles r join r.permissions p join p.menu m where e.id = ?1")
    List<Menu> findByUser(Long userId);
}

3.2 MenuService

根据设计只能通过员工找到子菜单

需要通过子菜单拿到父菜单

判断这个父菜单是否已经存到集合中

如果这个菜单单没有存起来,放到集合中
把当前这个子菜单放到父菜单中去

@Override
public List<Menu> findLoginMenu() {
    //1.准备一个装父菜单的容器
    List<Menu> parentMenus = new ArrayList<>();
    //2.拿到当前登录用户的所有子菜单
    Employee loginUser = UserContext.getUser();
    List<Menu> children = menuRepository.findByUser(loginUser.getId());
    //3.遍历子菜单，设置它们的关系
    for (Menu child : children) {
        //3.1 根据子菜单拿到它对应的父菜单
        Menu parent = child.getParent();
        //3.2 判断这个父菜单是否在容器中
        if(!parentMenus.contains(parent)){
            //3.3 如果不在，把父菜单放进去
            parentMenus.add(parent);
        }
        //3.4 为这个父菜单添加对应的子菜单
        parent.getChildren().add(child);
    }
    return parentMenus;
}

3.3 UtilController中返回值

@Autowired
private IMenuService menuService;

@RequestMapping("/loginUserMenu")
@ResponseBody
public List<Menu> loginUserMenu(){
    return menuService.findLoginMenu();
}

3.4 main.jsp修改路径

 $('#menuTree').tree({
            url:'/util/loginUserMenu',
            ...

4.shiro:hasPermission

没有这个权限,就不展示对应的按键

<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
...
<shiro:hasPermission name="employee:delete">
    <a href="javascript:;" data-method="delete" class="easyui-linkbutton" iconCls="icon-remove" plain="true">删除a>
shiro:hasPermission>