ShiroDbRealm.java 代码如下
public class ShiroDbRealm extends AuthorizingRealm {
@Resource
private UserService userService;
/**
* 认证回调函数,登录时调用.
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
User currentUser = userService.findByUserName(token.getUsername());
if (currentUser != null) {
if (currentUser.getStatus()==User.STATUS_DISABLED) {
throw new DisabledAccountException("用户已注销");
}else if(currentUser.getStatus()==User.STATUS_NOT_ACTIVE){
throw new DisabledAccountException("用户未激活");//这里需要编写一个用户未激活异常
}
return new SimpleAuthenticationInfo(currentUser.getUsername(),currentUser.getUserpwd(), "");
}
return null;
}
/**
* 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用.
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
// Cache<Object, AuthenticationInfo> authenticationCache =
// getAuthenticationCache();
String primaryPrincipal = (String) principals.getPrimaryPrincipal();
System.out.println("-----------*************************------------>"+ primaryPrincipal);
List<String> roles = new ArrayList<String>();
List<String> permissions = new ArrayList<String>();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
User user = userService.findByUserName(primaryPrincipal);
if(user != null){
for (Role role : user.getRoles()) {
roles.add(role.getName());
for (Permission p : role.getPermissions()) {
permissions.add(p.getPrivilege());
}
}
}else{
throw new AuthorizationException();
}
//给当前用户设置角色
info.addRoles(roles);
//给当前用户设置权限
info.addStringPermissions(permissions);
return info;
}
}
applicationContext-shiro.xml配置
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
<description>Shiro安全配置</description>
<!-- Shiro's main business-tier object for web-enabled applications -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="shiroDbRealm"/>
<property name="cacheManager" ref="shiroEhcacheManager"/>
</bean>
<!-- 項目自定义的Realm -->
<bean id="shiroDbRealm" class="com.wsq.app.service.common.ShiroDbRealm">
<!-- <property name="userService" ref="userService"/> 这里我在项目中只用了注解注入-->
</bean>
<!-- Shiro Filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- 这个属性是必须的 -->
<property name="securityManager" ref="securityManager"/>
<!-- 没有登录的用户请求需要登录的页面时自动跳转到登录页面,不是必须的属性,不输入地址的话会自动寻找项目web项目的根目录下的”/login.jsp”页面 -->
<property name="loginUrl" value="/login"/>
<!-- 登录成功默认跳转页面,不配置则跳转至”/”。如果登陆前点击的一个需要登录的页面,则在登录自动跳转到那个需要登录的页面。不跳转到此 -->
<property name="successUrl" value="/"/>
<!-- 没有权限默认跳转的页面 -->
<property name="unauthorizedUrl" value=""/>
<!-- 就是需要验证的地址的列表,常用的包含anon、authc、perms、roles、user、logout。 -->
<property name="filterChainDefinitions">
<value>
/static/** = anon
/login = anon
/login/** = anon
/logout = user
/** = authc
</value>
</property>
</bean>
<!-- 用户授权信息Cache, 采用EhCache -->
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:resource/ehcache-shiro.xml"/>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- AOP式方法级权限检查 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"/>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
web.xml配置
<!-- Shiro Security filter -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
集成以后,项目可以正常启动,登陆时也可以正常调用登录验证,可就是在验证授权时,不掉用。求解答~也没分了,不好意思。