6.Authorizer(授权、访问控制)
Authorizer主要是执行授权操作,即访问资源的控制。在shiro里,authorizer通常不直接使用,而是配置在SecurityManager里,由SecurityManager委托调用。
AuthorizingRealm和ModularRealmAuthorizer
前面讲过一个AuthorizingRealm,它也实现了Authorizer的接口。
AuthorizingRealm:
1.负责和底层的数据库交互,获取所需授权数据
2.缓存授权数据
3.真正授权逻辑判断
ModularRealmAuthorizer:
1.里面设置了realms,真正的授权逻辑交互是通过迭代realms,调用realm的授权功能
2.和SecurityManager协调授权访问,实现PAM
1.Authorizer
public interface Authorizer {
//判断PrincipalCollection是否有String permission(该String会转换为Permission对象)资源权限。是:true 否:false
boolean isPermitted(PrincipalCollection principals, String permission);
//判断PrincipalCollection是否有permission资源权限。是:true 否:false
boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission);
//返回一组String permissions授权判断的 boolean[]
boolean[] isPermitted(PrincipalCollection subjectPrincipal, String... permissions);
//返回一组permissions授权判断的 boolean[]
boolean[] isPermitted(PrincipalCollection subjectPrincipal, List<Permission> permissions);
//判断一组String permissions是否 全部 授权成功。 是:true 否:false
boolean isPermittedAll(PrincipalCollection subjectPrincipal, String... permissions);
//判断一组permissions是否 全部 授权成功。 是:true 否:false
boolean isPermittedAll(PrincipalCollection subjectPrincipal, Collection<Permission> permissions);
//判断PrincipalCollection是否有String permission(该String会转换为Permission对象)资源权限。 失败:抛出AuthorizationException异常
void checkPermission(PrincipalCollection subjectPrincipal, String permission) throws AuthorizationException;
//判断PrincipalCollection是否有permission资源权限。 失败:抛出AuthorizationException异常
void checkPermission(PrincipalCollection subjectPrincipal, Permission permission) throws AuthorizationException;
//判断一组String permissions是否 全部 授权成功。 失败:抛出AuthorizationException异常
void checkPermissions(PrincipalCollection subjectPrincipal, String... permissions) throws AuthorizationException;
//判断一组permissions是否 全部 授权成功。 失败:抛出AuthorizationException异常
void checkPermissions(PrincipalCollection subjectPrincipal, Collection<Permission> permissions) throws AuthorizationException;
//根据subjectPrincipal判断是否存在该角色。 是:true 否:false
boolean hasRole(PrincipalCollection subjectPrincipal, String roleIdentifier);
//根据subjectPrincipal判断一组role是否授权成功,然后返回boolean[]
boolean[] hasRoles(PrincipalCollection subjectPrincipal, List<String> roleIdentifiers);
//判断是否一组role全部授权成功。 是:true 否:false
boolean hasAllRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers);
//根据subjectPrincipal判断是否存在该角色。 失败:抛出AuthorizationException异常
void checkRole(PrincipalCollection subjectPrincipal, String roleIdentifier) throws AuthorizationException;
//判断是否一组(集合)role全部授权成功。 失败:抛出AuthorizationException异常
void checkRoles(PrincipalCollection subjectPrincipal, Collection<String> roleIdentifiers) throws AuthorizationException;
//判断是否一组(数组)role全部授权成功。 失败:抛出AuthorizationException异常
void checkRoles(PrincipalCollection subjectPrincipal, String... roleIdentifiers) throws AuthorizationException;
}
2.ModularRealmAuthorizer
/** ModularRealmAuthorizer: 1.里面设置了realms,真正的授权逻辑交互是通过迭代realms,调用realm的授权功能 2.和SecurityManager协调授权访问,实现PAM **/
public class ModularRealmAuthorizer implements Authorizer, PermissionResolverAware, RolePermissionResolverAware {
//Realm集合,真正的授权处理
protected Collection<Realm> realms;
//Permission转换器,String->Permission
protected PermissionResolver permissionResolver;
//角色资源转换器,转换角色为一组确切的资源
protected RolePermissionResolver rolePermissionResolver;
public ModularRealmAuthorizer() {
}
public ModularRealmAuthorizer(Collection<Realm> realms) {
setRealms(realms);
}
public Collection<Realm> getRealms() {
return this.realms;
}
public void setRealms(Collection<Realm> realms) {
this.realms = realms;
//Realm设置之后调用applyPermissionResolverToRealms设置this.PermissionResolver到Realm里的PermissionResolver
applyPermissionResolverToRealms();
//Realm设置之后调用applyRolePermissionResolverToRealms设置this.PermissionResolver到Realm里的RolePermissionResolver
applyRolePermissionResolverToRealms();
/** 上面两个方法的寓意主要是,如果多个Realm被同时设置进来,保证他们的资源转换器是一致的,该ModularRealmAuthorizer 作为SecurityManager委托的对象,且代理了真正的Realm执行授权逻辑,也可以看做是Realm的门面。 **/
}
public PermissionResolver getPermissionResolver() {
return this.permissionResolver;
}
public void setPermissionResolver(PermissionResolver permissionResolver) {
this.permissionResolver = permissionResolver;
//调用applyPermissionResolverToRealms设置this.PermissionResolver到Realm里的PermissionResolver
applyPermissionResolverToRealms();
}
//迭代Realm设置this.PermissionResolver到Realm的PermissionResolver
protected void applyPermissionResolverToRealms() {
PermissionResolver resolver = getPermissionResolver();
Collection<Realm> realms = getRealms();
if (resolver != null && realms != null && !realms.isEmpty()) {
for (Realm realm : realms) {
if (realm instanceof PermissionResolverAware) {
((PermissionResolverAware) realm).setPermissionResolver(resolver);
}
}
}
}
public RolePermissionResolver getRolePermissionResolver() {
return this.rolePermissionResolver;
}
public void setRolePermissionResolver(RolePermissionResolver rolePermissionResolver) {
this.rolePermissionResolver = rolePermissionResolver;
//调用applyRolePermissionResolverToRealms设置this.PermissionResolver到Realm里的RolePermissionResolver
applyRolePermissionResolverToRealms();
}
//迭代Realm设置this.RolePermissionResolver到Realm的RolePermissionResolver
protected void applyRolePermissionResolverToRealms() {
RolePermissionResolver resolver = getRolePermissionResolver();
Collection<Realm> realms = getRealms();
if (resolver != null && realms != null && !realms.isEmpty()) {
for (Realm realm : realms) {
if (realm instanceof RolePermissionResolverAware) {
((RolePermissionResolverAware) realm).setRolePermissionResolver(resolver);
}
}
}
}
//保证Realm不为空,如果为空抛出异常
protected void assertRealmsConfigured() throws IllegalStateException {
Collection<Realm> realms = getRealms();
if (realms == null || realms.isEmpty()) {
String msg = "Configuration error: No realms have been configured! One or more realms must be " +
"present to execute an authorization operation.";
throw new IllegalStateException(msg);
}
}
//迭代Realm ,调用realm.isPermitted(principals, String permission),有一个成功则返回true
public boolean isPermitted(PrincipalCollection principals, String permission) {
assertRealmsConfigured();
for (Realm realm : getRealms()) {
if (!(realm instanceof Authorizer)) continue;
if (((Authorizer) realm).isPermitted(principals, permission)) {
return true;
}
}
return false;
}
//迭代Realm ,调用realm.isPermitted(principals, Permission permission),有一个成功则返回true
public boolean isPermitted(PrincipalCollection principals, Permission permission) {
assertRealmsConfigured();
for (Realm realm : getRealms()) {
if (!(realm instanceof Authorizer)) continue;
if (((Authorizer) realm).isPermitted(principals, permission)) {
return true;
}
}
return false;
}
//迭代permissions,调用this.isPermitted(PrincipalCollection principals, String permission),返回一组boolean[]
public boolean[] isPermitted(PrincipalCollection principals, String... permissions) {
assertRealmsConfigured();
if (permissions != null && permissions.length > 0) {
boolean[] isPermitted = new boolean[permissions.length];
for (int i = 0; i < permissions.length; i++) {
isPermitted[i] = isPermitted(principals, permissions[i]);
}
return isPermitted;
}
return new boolean[0];
}
//迭代permissions,调用this.isPermitted(PrincipalCollection principals, Permission permission),返回一组boolean[]
public boolean[] isPermitted(PrincipalCollection principals, List<Permission> permissions) {
assertRealmsConfigured();
if (permissions != null && !permissions.isEmpty()) {
boolean[] isPermitted = new boolean[permissions.size()];
int i = 0;
for (Permission p : permissions) {
isPermitted[i++] = isPermitted(principals, p);
}
return isPermitted;
}
return new boolean[0];
}
//迭代permissions,调用this.isPermitted(PrincipalCollection principals, String permission)有一个false,则false。否则true
public boolean isPermittedAll(PrincipalCollection principals, String... permissions) {
assertRealmsConfigured();
if (permissions != null && permissions.length > 0) {
for (String perm : permissions) {
if (!isPermitted(principals, perm)) {
return false;
}
}
}
return true;
}
//迭代permissions,调用this.isPermitted(PrincipalCollection principals, Permission permission)有一个false,则false。否则true
public boolean isPermittedAll(PrincipalCollection principals, Collection<Permission> permissions) {
assertRealmsConfigured();
if (permissions != null && !permissions.isEmpty()) {
for (Permission permission : permissions) {
if (!isPermitted(principals, permission)) {
return false;
}
}
}
return true;
}
//调用this.isPermitted(PrincipalCollection principals, String permission),返回false则抛出异常:UnauthorizedException(
public void checkPermission(PrincipalCollection principals, String permission) throws AuthorizationException {
assertRealmsConfigured();
if (!isPermitted(principals, permission)) {
throw new UnauthorizedException("Subject does not have permission [" + permission + "]");
}
}
//调用this.isPermitted(PrincipalCollection principals, Permission permission),返回false则抛出异常:UnauthorizedException(
public void checkPermission(PrincipalCollection principals, Permission permission) throws AuthorizationException {
assertRealmsConfigured();
if (!isPermitted(principals, permission)) {
throw new UnauthorizedException("Subject does not have permission [" + permission + "]");
}
}
//迭代permissions。调用this.checkPermission(PrincipalCollection principals, String permission)
public void checkPermissions(PrincipalCollection principals, String... permissions) throws AuthorizationException {
assertRealmsConfigured();
if (permissions != null && permissions.length > 0) {
for (String perm : permissions) {
checkPermission(principals, perm);
}
}
}
//迭代permissions。调用this.checkPermission(PrincipalCollection principals, Permission permission)
public void checkPermissions(PrincipalCollection principals, Collection<Permission> permissions) throws AuthorizationException {
assertRealmsConfigured();
if (permissions != null) {
for (Permission permission : permissions) {
checkPermission(principals, permission);
}
}
}
//迭代Realms。如果有一个成功则返回true,否则:false
public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
assertRealmsConfigured();
for (Realm realm : getRealms()) {
if (!(realm instanceof Authorizer)) continue;
if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {
return true;
}
}
return false;
}
//迭代roleIdentifiers,调用this.hasRole(PrincipalCollection principals, String roleIdentifier),封装结果到Boolean[]返回
public boolean[] hasRoles(PrincipalCollection principals, List<String> roleIdentifiers) {
assertRealmsConfigured();
if (roleIdentifiers != null && !roleIdentifiers.isEmpty()) {
boolean[] hasRoles = new boolean[roleIdentifiers.size()];
int i = 0;
for (String roleId : roleIdentifiers) {
hasRoles[i++] = hasRole(principals, roleId);
}
return hasRoles;
}
return new boolean[0];
}
//迭代roleIdentifiers,所有成功则返回true,否则false
public boolean hasAllRoles(PrincipalCollection principals, Collection<String> roleIdentifiers) {
assertRealmsConfigured();
for (String roleIdentifier : roleIdentifiers) {
if (!hasRole(principals, roleIdentifier)) {
return false;
}
}
return true;
}
//判断是否有角色role,没有则抛出异常UnauthorizedException
public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
assertRealmsConfigured();
if (!hasRole(principals, role)) {
throw new UnauthorizedException("Subject does not have role [" + role + "]");
}
}
//判断一组(集合)roles,是否全部存在,不是则抛出异常
public void checkRoles(PrincipalCollection principals, Collection<String> roles) throws AuthorizationException {
//SHIRO-234 - roles.toArray() -> roles.toArray(new String[roles.size()])
if (roles != null && !roles.isEmpty()) checkRoles(principals, roles.toArray(new String[roles.size()]));
}
//判断一组(数组)roles,是否全部存在,不是则抛出异常
public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
assertRealmsConfigured();
if (roles != null) {
for (String role : roles) {
checkRole(principals, role);
}
}
}
}