摘要:自定義注解順序創(chuàng)建自定義的注解資源管理器���,繼承,添加新注解支持?jǐn)r截器����,繼承方法攔截器,繼承權(quán)限處理器��,繼承�,校驗(yàn)權(quán)限一自定義注解二權(quán)限處理器自定義權(quán)限處理器多個(gè)權(quán)限,有一個(gè)就通過三方法攔截器自定義注解的方法攔截器驗(yàn)證權(quán)限四切面攔截器自定義注
自定義Shiro注解
順序
創(chuàng)建自定義的注解
資源管理器���,繼承AuthorizationAttributeSourceAdvisor,添加新注解支持
AOP攔截器�����,繼承AopAllianceAnnotationsAuthorizingMethodInterceptor
方法攔截器����,繼承AuthorizingAnnotationMethodInterceptor
權(quán)限處理器���,繼承AuthorizingAnnotationHandler,校驗(yàn)權(quán)限
一����、自定義注解
@Target({ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
public @interface Permissions {
String[] value();
}
二、權(quán)限處理器
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
import org.apache.shiro.subject.Subject;
import java.lang.annotation.Annotation;
/**
* 自定義權(quán)限處理器
* @author BBF
*/
public class PermissionHandler extends AuthorizingAnnotationHandler {
public PermissionHandler() {
super(Permissions.class);
}
@Override
public void assertAuthorized(Annotation a) throws AuthorizationException {
if (a instanceof Permissions) {
Permissions annotation = (Permissions) a;
String[] perms = annotation.value();
Subject subject = getSubject();
if (perms.length == 1) {
subject.checkPermission(perms[0]);
return;
}
// 多個(gè)權(quán)限�����,有一個(gè)就通過
boolean hasAtLeastOnePermission = false;
for (String permission : perms) {
if (subject.isPermitted(permission)) {
hasAtLeastOnePermission = true;
break;
}
}
// Cause the exception if none of the role match,
// note that the exception message will be a bit misleading
if (!hasAtLeastOnePermission) {
subject.checkPermission(perms[0]);
}
}
}
}
三����、方法攔截器
import org.apache.shiro.aop.AnnotationResolver;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
/**
* 自定義注解的方法攔截器
* @author BBF
*/
public class PermissionMethodInterceptor extends AuthorizingAnnotationMethodInterceptor {
public PermissionMethodInterceptor() {
super(new PermissionHandler());
}
public PermissionMethodInterceptor(AnnotationResolver resolver) {
super(new PermissionHandler(), resolver);
}
@Override
public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
// 驗(yàn)證權(quán)限
try {
((PermissionHandler) getHandler()).assertAuthorized(getAnnotation(mi));
} catch (AuthorizationException ae) {
// Annotation handler doesn"t know why it was called, so add the information here if possible.
// Don"t wrap the exception here since we don"t want to mask the specific exception, such as
// UnauthenticatedException etc.
if (ae.getCause() == null) {
ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod()));
}
throw ae;
}
}
}
四、切面攔截器
import org.apache.shiro.spring.aop.SpringAnnotationResolver;
import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;
/**
* 自定義注解的AOP攔截器
* @author BBF
*/
public class PermissionAopInterceptor extends AopAllianceAnnotationsAuthorizingMethodInterceptor {
public PermissionAopInterceptor() {
super();
// 添加自定義的注解攔截器
this.methodInterceptors.add(new PermissionMethodInterceptor(new SpringAnnotationResolver()));
}
}
五����、注解攔截器
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.core.annotation.AnnotationUtils;
import java.lang.reflect.Method;
/**
* 自定義的Shiro注解攔截器
* @author BBF
*/
public class ShiroAdvisor extends AuthorizationAttributeSourceAdvisor {
/**
* Create a new AuthorizationAttributeSourceAdvisor.
*/
public ShiroAdvisor() {
// 這里可以添加多個(gè)
setAdvice(new PermissionAopInterceptor());
}
@SuppressWarnings({"unchecked"})
@Override
public boolean matches(Method method, Class targetClass) {
Method m = method;
if (targetClass != null) {
try {
m = targetClass.getMethod(m.getName(), m.getParameterTypes());
return this.isFrameAnnotation(m);
} catch (NoSuchMethodException ignored) {
//default return value is false. If we can"t find the method, then obviously
//there is no annotation, so just use the default return value.
}
}
return super.matches(method, targetClass);
}
private boolean isFrameAnnotation(Method method) {
return null != AnnotationUtils.findAnnotation(method, Permissions.class);
}
}
六、配置shiro
替換AuthorizationAttributeSourceAdvisor 為 ShiroAdvisor
/**
* 啟用注解攔截方式
* @return AuthorizationAttributeSourceAdvisor
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor advisor = new ShiroAdvisor();
advisor.setSecurityManager(securityManager());
return advisor;
}
文章版權(quán)歸作者所有���,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為����,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請(qǐng)注明本文地址:http://m.hztianpu.com/yun/69190.html
