Shiro来控制权限
首先我们需要来创建一个RBAC模型(图片网上找的)
RBAC.png
数据库模型建好以后便可进行配置:
我们在项目中创建Shiro的配置文件命名为shiro.ini,内容如下:
[main]
#数据源配置
dataSource=org.springframework.jdbc.datasource.DriverManagerDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://127.0.0.1:3306/test
dataSource.username=root
dataSource.password=root
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource=$dataSource
#用户认证(登录)查询语句,以用户名为查询条件
jdbcRealm.authenticationQuery = SELECT password FROM usr_user WHERE username = ?
#用户角色查询语句,以用户名为查询条件,判断用户是否拥有某个角色
jdbcRealm.userRolesQuery = SELECT usr_role.roleName from usr_user,usr_user_role,usr_role WHERE usr_user.username = ? AND usr_user.id = usr_user_role.userId AND usr_user_role.roleId = usr_role.id
#资源许可查询语句,以角色名称为查询条件,判断角色是否拥有某个资源的许可
jdbcRealm.permissionsQuery = SELECT usr_func.code from usr_role,usr_role_func,usr_func WHERE usr_role.roleName = ? AND usr_role.id = usr_role_func.roleId AND usr_role_func.funcId = usr_func.id
securityManager.realms=$jdbcRealm
数据源配置相信大家都很熟悉,我们主要配置的是securityManager的realms属性,shiro权限控制主要靠这个做具体的事情,至此简单的配置应完成了。
接下来我们写一个简单的测试类:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
import junit.framework.Assert;
@RunWith(JUnit4.class)
public class TestController {
@Test
public void test(){
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("admin", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918");
try {
subject.login(token);
Assert.assertEquals(true, subject.isAuthenticated());
//判断用户是否拥有某个角色
System.out.println("has==manager" + subject.hasRole("manager")); //true
System.out.println("has==editor" + subject.hasRole("editor")); //false
//判断是否被授权
System.out.println("per==CX" + subject.isPermitted("YHGL:CX")); //true
System.out.println("per==XZ" + subject.isPermitted("YHGL:XZ")); //true
subject.logout();
} catch (IncorrectCredentialsException e) {
System.out.println("登录密码错误. Password for account " + token.getPrincipal() + " was incorrect.");
} catch (ExcessiveAttemptsException e) {
System.out.println("登录失败次数过多");
} catch (LockedAccountException e) {
System.out.println("帐号已被锁定. The account for username " + token.getPrincipal() + " was locked.");
} catch (DisabledAccountException e) {
System.out.println("帐号已被禁用. The account for username " + token.getPrincipal() + " was disabled.");
} catch (ExpiredCredentialsException e) {
System.out.println("帐号已过期. the account for username " + token.getPrincipal() + " was expired.");
} catch (UnknownAccountException e) {
System.out.println("帐号不存在. There is no user with username of " + token.getPrincipal());
}
}
}
UsernamePasswordToken主要用来做登录验证,这里我们是写死的,密码也是加密后存储在数据库的;
subject.login(token)这句代码则会触发我们的jdbcRealm.authenticationQuery = SELECT password FROM usr_user WHERE username = ?去数据库中进行验证;
subject.hasRole("manager")和subject.isPermitted("YHGL:CX")分别会触发jdbcRealm.userRolesQuery 和 jdbcRealm.permissionsQuery
后面我们在异常捕获中进行异常区分来做不同的提示
