摘要:自定義注解順序創(chuàng)建自定義的注解資源管理器�����,繼承,添加新注解支持?jǐn)r截器�����,繼承方法攔截器�,繼承權(quán)限處理器,繼承���,校驗權(quán)限一自定義注解二權(quán)限處理器自定義權(quán)限處理器多個權(quán)限���,有一個就通過三方法攔截器自定義注解的方法攔截器驗證權(quán)限四切面攔截器自定義注
自定義Shiro注解
順序
創(chuàng)建自定義的注解
資源管理器,繼承AuthorizationAttributeSourceAdvisor���,添加新注解支持
AOP攔截器����,繼承AopAllianceAnnotationsAuthorizingMethodInterceptor
方法攔截器����,繼承AuthorizingAnnotationMethodInterceptor
權(quán)限處理器,繼承AuthorizingAnnotationHandler�����,校驗權(quán)限
一、自定義注解
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Permissions {
String[] value();
}
二�、權(quán)限處理器
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
import org.apache.shiro.subject.Subject;
import java.lang.annotation.Annotation;
/**
* 自定義權(quán)限處理器
* @author BBF
*/
public class PermissionHandler extends AuthorizingAnnotationHandler {
public PermissionHandler() {
super(Permissions.class);
}
@Override
public void assertAuthorized(Annotation a) throws AuthorizationException {
if (a instanceof Permissions) {
Permissions annotation = (Permissions) a;
String[] perms = annotation.value();
Subject subject = getSubject();
if (perms.length == 1) {
subject.checkPermission(perms[0]);
return;
}
// 多個權(quán)限,有一個就通過
boolean hasAtLeastOnePermission = false;
for (String permission : perms) {
if (subject.isPermitted(permission)) {
hasAtLeastOnePermission = true;
break;
}
}
// Cause the exception if none of the role match,
// note that the exception message will be a bit misleading
if (!hasAtLeastOnePermission) {
subject.checkPermission(perms[0]);
}
}
}
}
三����、方法攔截器
import org.apache.shiro.aop.AnnotationResolver;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
/**
* 自定義注解的方法攔截器
* @author BBF
*/
public class PermissionMethodInterceptor extends AuthorizingAnnotationMethodInterceptor {
public PermissionMethodInterceptor() {
super(new PermissionHandler());
}
public PermissionMethodInterceptor(AnnotationResolver resolver) {
super(new PermissionHandler(), resolver);
}
@Override
public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
// 驗證權(quán)限
try {
((PermissionHandler) getHandler()).assertAuthorized(getAnnotation(mi));
} catch (AuthorizationException ae) {
// Annotation handler doesn"t know why it was called, so add the information here if possible.
// Don"t wrap the exception here since we don"t want to mask the specific exception, such as
// UnauthenticatedException etc.
if (ae.getCause() == null) {
ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod()));
}
throw ae;
}
}
}
四、切面攔截器
import org.apache.shiro.spring.aop.SpringAnnotationResolver;
import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;
/**
* 自定義注解的AOP攔截器
* @author BBF
*/
public class PermissionAopInterceptor extends AopAllianceAnnotationsAuthorizingMethodInterceptor {
public PermissionAopInterceptor() {
super();
// 添加自定義的注解攔截器
this.methodInterceptors.add(new PermissionMethodInterceptor(new SpringAnnotationResolver()));
}
}
五�����、注解攔截器
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.core.annotation.AnnotationUtils;
import java.lang.reflect.Method;
/**
* 自定義的Shiro注解攔截器
* @author BBF
*/
public class ShiroAdvisor extends AuthorizationAttributeSourceAdvisor {
/**
* Create a new AuthorizationAttributeSourceAdvisor.
*/
public ShiroAdvisor() {
// 這里可以添加多個
setAdvice(new PermissionAopInterceptor());
}
@SuppressWarnings({"unchecked"})
@Override
public boolean matches(Method method, Class targetClass) {
Method m = method;
if (targetClass != null) {
try {
m = targetClass.getMethod(m.getName(), m.getParameterTypes());
return this.isFrameAnnotation(m);
} catch (NoSuchMethodException ignored) {
//default return value is false. If we can"t find the method, then obviously
//there is no annotation, so just use the default return value.
}
}
return super.matches(method, targetClass);
}
private boolean isFrameAnnotation(Method method) {
return null != AnnotationUtils.findAnnotation(method, Permissions.class);
}
}
六���、配置shiro
替換AuthorizationAttributeSourceAdvisor 為 ShiroAdvisor
/**
* 啟用注解攔截方式
* @return AuthorizationAttributeSourceAdvisor
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor advisor = new ShiroAdvisor();
advisor.setSecurityManager(securityManager());
return advisor;
}
文章版權(quán)歸作者所有,未經(jīng)允許請勿轉(zhuǎn)載,若此文章存在違規(guī)行為��,您可以聯(lián)系管理員刪除���。
轉(zhuǎn)載請注明本文地址:http://systransis.cn/yun/69190.html
