第一种使用shiro的注解方式:
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true" />
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
配置上,在方法头上加上注解就可以了,网上资料很多,就不详说了
使用自定义注解
先上自定义注解:
package com.isoftstone.common.permission;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})//适用的地方 有 方法上 类上等
public @interface CheckPermission {
String [] permission();//可以传多个权限标示
}
注解使用:
/**
* 保存
* @param 基本用户信息
* @param 角色id
* @return
* @author {huzhe}
*/
@RequestMapping(value = "/saveUser")
@CheckPermission(permission={BusinessPermissionLabel.permission_addChildAccount})
public OperationPrompt saveUser(UserBasicInfo userbaseInfo,String addRoleIds) {
多个权限标示使用逗号隔开;
第二种:使用spring aop 方法验证 基于上边的自定义
使用shiro验证是否标示是否有权限
currentUser.isPermitted(per)
package com.isoftstone.common.permission;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Component;
@Aspect
@Component
//次方法根据spring aop贴入方法 进行权限验证
public class PermissionInterceptor {
@Around("execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)")
public Object doInterceptor(ProceedingJoinPoint pjp,CheckPermission checkPermission) throws Throwable{
long time = new java.util.Date().getTime();
boolean isPermissioin = false;
Subject currentUser = SecurityUtils.getSubject();
//没有获得注解 及不需要权限-- 则直接运行
if(null!=checkPermission){
String [] permission = checkPermission.permission();
for(String per:permission){
//当前登录人 具有权限
if(currentUser.isPermitted(per)){
isPermissioin = true;
break;
}
}
}else{
isPermissioin = true;
}
System.out.println("(AOP)拦截到了:"+pjp.getSignature().getName()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());
if(isPermissioin){
//有执行方法或权限不拦截
return pjp.proceed();
}else{
//抛出无权限异常
throw new AuthorizationException();
}
}
}
需要在spring配置文件中开始aop注解:
<!-- 打开aop使用aop进行权限验证 -->
<aop:aspectj-autoproxy />
方式3:使用spring mvc拦截所有url验证:
<!-- 使用spring mvc拦截器进行权限验证 -->
<mvc:interceptors>
<bean class="com.isoftstone.common.permission.PermissionInterceptorAdapter" />
</mvc:interceptors>
这个方法实现大致一样:
package com.isoftstone.common.permission;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
//次方法根据spring mvc拦截器进行权限验证
public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter {
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
HandlerMethod handler2=(HandlerMethod) handler;
CheckPermission checkPermission = handler2.getMethodAnnotation(CheckPermission.class);
long time = new java.util.Date().getTime();
boolean isPermissioin = false;
Subject currentUser = SecurityUtils.getSubject();
//没有获得注解 及不需要权限-- 则直接运行
if(null!=checkPermission){
String [] permission = checkPermission.permission();
for(String per:permission){
//当前登录人 具有权限
if(currentUser.isPermitted(per)){
isPermissioin = true;
break;
}
}
}else{
isPermissioin = true;
}
System.out.println("拦截到了mvc方法:"+handler2.getMethod()+"方法所用时间:"+time+"到"+new java.util.Date().getTime());
if(isPermissioin){
//有执行方法或权限不拦截
return true;
}else{
//跑出无权限异常
throw new AuthorizationException();
}
}
}
除了spring和shiro使用的包:
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>1.8.0</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.0</version>
</dependency>
spring自定义异常拦截:
package com.isoftstone.common.exception;
import java.io.IOException;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
import com.isoftstone.common.bo.PermissioinPage;
/**
* 自定义权限异常处理
* @author Administrator
*
*/
@Component
public class MyHandlerExceptionResolver implements HandlerExceptionResolver {
@Override
public ModelAndView resolveException(HttpServletRequest request,
HttpServletResponse response, Object object, Exception exception) {
//是否为ajax请求
String requestType = request.getHeader("X-Requested-With");
if(exception instanceof AuthorizationException){
response.setStatus(413);//无权限异常 主要用于ajax请求返回
response.addHeader("Error-Json", "{code:413,msg:'nopermission',script:''}");
response.setContentType("text/html;charset=utf-8");
if("XMLHttpRequest".equals(requestType)){
return new ModelAndView();
}
return new ModelAndView("redirect:/html/413.html");
}
return null;
}