shiro1 我只是想让大家明白shiro的认证是很简单的。
现在说一下shiro的前后端分离的权限问题
几位朋友让我写Demo或者类似前后端分离相关,这是很多初级程序员都不是太懂得问题:
先说一下原理,其实shiro的权限分离唯一用到的是cookie。shiro是通过请求中的cookie存储一个session会话的id,来进行区分用户的权限,你要明白这一点,下面就是重写shiro中获取cookie中的sessionId的方法来获取请求头Authorization中的密钥,而密钥储存的便是登录是返回的sessionId,进而可以前后端分离的项目中使用shiro框架
首先看一下前后端分离的controller:
这里第一个标记是认证用户登录是否成功,如果成功继续,第二个人标记就是cookie的id,之后你就要重写SessionManager这个方法,为什么要重写这个方法说明一下:通过重写不但可以拿到cookie的id同时可以让shiro不走默认的cookie,默认的cookie里面什么都没有,所以必须重写拿到id密钥这样shiro就会知道这个请求的用户的权限:
packagecom.neil.config;
importorg.apache.shiro.web.servlet.ShiroHttpServletRequest;
importorg.apache.shiro.web.session.mgt.DefaultWebSessionManager;
importorg.apache.shiro.web.util.WebUtils;
importorg.slf4j.Logger;
importorg.slf4j.LoggerFactory;
importorg.springframework.stereotype.Component;
importorg.springframework.stereotype.Service;
importjavax.servlet.ServletRequest;
importjavax.servlet.ServletResponse;
importjavax.servlet.http.HttpServletRequest;
importjava.io.Serializable;
/**
* Created by Palerock
*/
@Component
public classSessionManagerextendsDefaultWebSessionManager {
private static finalLoggerlog= LoggerFactory.getLogger(DefaultWebSessionManager.class);
privateStringauthorization="Authorization";
/**
* 重写获取sessionId的方法调用当前Manager的获取方法
*/
@Override
protectedSerializable getSessionId(ServletRequest request, ServletResponse response) {
return this.getReferencedSessionId(request, response);
}
/**
* 获取sessionId从请求中
*/
privateSerializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
String id =this.getSessionIdCookieValue(request, response);
/* String id = request.getParameter("JSESSIONID");*/
if(id !=null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,"cookie");
}else{
id =this.getUriPathSegmentParamValue(request,"JSESSIONID");
if(id ==null) {
// 获取请求头中的session
id = WebUtils.toHttp(request).getHeader(this.authorization);
if(id ==null) {
String name =this.getSessionIdName();
id = request.getParameter(name);
if(id ==null) {
id = request.getParameter(name.toLowerCase());
}
}
}
if(id !=null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE,"url");
}
}
if(id !=null) {
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
}
returnid;
}
privateString getSessionIdCookieValue(ServletRequest request, ServletResponse response) {
if(!this.isSessionIdCookieEnabled()) {
log.debug("Session ID cookie is disabled - session id will not be acquired from a request cookie.");
return null;
}else if(!(requestinstanceofHttpServletRequest)) {
log.debug("Current request is not an HttpServletRequest - cannot get session ID cookie. Returning null.");
return null;
}else{
HttpServletRequest httpRequest = (HttpServletRequest) request;
return this.getSessionIdCookie().readValue(httpRequest, WebUtils.toHttp(response));
}
}
privateString getUriPathSegmentParamValue(ServletRequest servletRequest, String paramName) {
if(!(servletRequestinstanceofHttpServletRequest)) {
return null;
}else{
HttpServletRequest request = (HttpServletRequest) servletRequest;
String uri = request.getRequestURI();
if(uri ==null) {
return null;
}else{
intqueryStartIndex = uri.indexOf(63);
if(queryStartIndex >=0) {
uri = uri.substring(0, queryStartIndex);
}
intindex = uri.indexOf(59);
if(index <0) {
return null;
}else{
String TOKEN = paramName +"=";
uri = uri.substring(index +1);
index = uri.lastIndexOf(TOKEN);
if(index <0) {
return null;
}else{
uri = uri.substring(index + TOKEN.length());
index = uri.indexOf(59);
if(index >=0) {
uri = uri.substring(0, index);
}
returnuri;
}
}
}
}
}
privateString getSessionIdName() {
String name =this.getSessionIdCookie() !=null?this.getSessionIdCookie().getName() :null;
if(name ==null) {
name ="JSESSIONID";
}
returnname;
}
}
接下来在ShiroConfiguration注入一下就ok拉,报错是因为警告不能引入不影响代码运行:
这里源码资源不是前后端分离的,是前后端在一起的,前后端分离改一下就行啦:
http://pan.baidu.com/s/1mh9EGWC
需要本人同意:
qq:179061434
