在使用 Shiro 框架时,可以通过继承 AuthorizingRealm 类并重写
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) 和
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) 这两个方法,分别实现登录验证和权限获取。下面的示例还重写了 AuthorizingRealm 中的 getAuthorizationInfo(PrincipalCollection principals),用自定义缓存替代了 Shiro 自带的授权缓存;注意密码本身的比对并不在 doGetAuthenticationInfo 中完成,而是由 Shiro 在该方法返回后通过 CredentialsMatcher 进行。
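/**
 * Authentication callback invoked by Shiro when a login form is submitted.
 *
 * Checks run in this order (cheapest and least revealing first):
 *  1. captcha, when one is required for this login name, so nothing below is
 *     reachable without passing the anti-automation check;
 *  2. account lookup and the global active-session cap ("maxSessionSize");
 *  3. the "forbidden to log in" check from UserUtils;
 *  4. kick-out of the account's previously recorded session (single-login mode).
 *
 * Every rejection stores a loginFailType/loginFailMessage pair on the current
 * session (read by the login page) and throws an AuthenticationException whose
 * message is prefixed with "msg:".
 *
 * NOTE(review): step 4 still runs before Shiro's CredentialsMatcher compares
 * the submitted password, because the matcher only sees the returned
 * AuthenticationInfo. Anyone who knows a login name and can pass the captcha
 * can therefore terminate that user's live session by submitting a wrong
 * password. Moving the kick-out into a post-authentication hook would close
 * that gap; it was moved to the end of this method to at least put it behind
 * the captcha and forbid-login checks.
 *
 * @param authcToken the submitted token; cast to UsernamePasswordToken unchecked, as before
 * @return authentication info carrying the Principal and the stored password string
 * @throws AuthenticationException on any rejection
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {
    UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
    String username = token.getUsername();
    Session session = UserUtils.getSession();
    // Clear the outcome of any previous attempt before this one is evaluated.
    session.setAttribute("loginFailType", null);
    session.setAttribute("loginFailMessage", null);

    // Captcha first: it must gate the account lookup below, otherwise the
    // "user does not exist" answer can be harvested without solving one.
    checkCaptcha(token, session, username);

    // Counted before the kick-out below, so the cap is applied to the state the
    // request arrived in (unchanged from the original ordering).
    int activeSessionSize = getSystemService().getSessionDao().getActiveSessions(false).size();

    User user = UserUtils.getByLoginName2(username);
    if (user == null) {
        // NOTE(review): this distinct message tells the caller whether the login
        // name exists (user enumeration). The captcha above limits the rate; a
        // generic "wrong username or password" message would remove the oracle.
        throw loginFailure(session, "UserNotExist", "用户名不存在,请输入正确的用户名.");
    }

    int maxSessionSize = Integer.valueOf(Global.getConfig("maxSessionSize"));
    if (activeSessionSize > maxSessionSize) {
        throw loginFailure(session, "usersOverload", "登陆人数过多,服务器繁忙,请稍后重试.");
    }
    if (logger.isDebugEnabled()) {
        logger.debug("login submit, active session size: {}, username: {}", activeSessionSize, username);
    }

    String message = UserUtils.isForbidLogin(username);
    if (StringUtils.isNoneBlank(message)) {
        throw loginFailure(session, "forbidLogin", message);
    }

    // Only after every rejection path above: drop the account's previous session.
    kickOutPreviousSession(user, session);

    // The stored password string (lower-cased) is handed to Shiro's credential
    // matcher; the comparison with the submitted password happens there, not here.
    return new SimpleAuthenticationInfo(new Principal(user, token.isMobileLogin()),
            user.getPassword().toLowerCase(), getName());
}

/**
 * Records a failed attempt on the session and builds the exception the caller throws.
 *
 * @param session     the current session
 * @param failType    machine-readable failure type stored as "loginFailType"
 * @param failMessage user-facing message stored as "loginFailMessage"
 * @return an AuthenticationException carrying "msg:" + failMessage
 */
private AuthenticationException loginFailure(Session session, String failType, String failMessage) {
    session.setAttribute("loginFailType", failType);
    session.setAttribute("loginFailMessage", failMessage);
    return new AuthenticationException("msg:" + failMessage);
}

/**
 * Rejects the attempt when a captcha is required for this login name and the
 * submitted value does not match the one stored in the session.
 *
 * The comparison is case-insensitive via Locale.ROOT so it does not depend on
 * the JVM default locale (e.g. Turkish dotted/dotless i).
 *
 * NOTE(review): the captcha stored in the session is not cleared after a check
 * here, so one solved captcha can be reused for further attempts unless
 * ValidateCodeServlet/LoginController regenerates it — confirm.
 */
private void checkCaptcha(UsernamePasswordToken token, Session session, String username) {
    if (!Global.TRUE.equals(Global.getConfig("validateCodeLogin"))
            || !LoginController.isValidateCodeLogin(username, false, false)) {
        return;
    }
    String expected = (String) session.getAttribute(ValidateCodeServlet.VALIDATE_CODE);
    String submitted = token.getCaptcha();
    if (submitted == null || !submitted.toUpperCase(java.util.Locale.ROOT).equals(expected)) {
        throw loginFailure(session, "verificationCodeError", "验证码错误, 请重试.");
    }
}

/**
 * Single-login mode: unless "sameAccountLogin" is enabled, deletes the active
 * session whose id equals the one recorded on the user (user.getSessionid()),
 * so the new login replaces it. The user with id "1" is exempt, as before.
 *
 * @param user           the account being logged in
 * @param currentSession the session of the current request (excluded by the DAO query)
 */
private void kickOutPreviousSession(User user, Session currentSession) {
    if (Global.TRUE.equals(Global.getConfig("sameAccountLogin")) || "1".equals(user.getId())) {
        return;
    }
    String previousSessionId = user.getSessionid();
    if (previousSessionId == null) {
        return;
    }
    Collection<Session> sessions = getSystemService().getSessionDao().getActiveSessions(true, null, currentSession);
    if (sessions == null) {
        return;
    }
    for (Session active : sessions) {
        if (previousSessionId.equals(active.getId())) {
            getSystemService().getSessionDao().delete(active);
        }
    }
}
} // closes the enclosing realm class (its header is not part of this listing)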
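/**
 * Returns the subject's authorization info, preferring the copy cached under
 * UserUtils.CACHE_AUTH_INFO and calling doGetAuthorizationInfo only on a miss.
 * Replaces AuthorizingRealm's own cache handling; called after a successful login.
 *
 * NOTE(review): the cache key is a constant, so this is only safe if UserUtils
 * keeps that cache per user/session. If it were shared, one user's permissions
 * would be served to another — confirm in UserUtils. Nothing here invalidates
 * the entry, so role/permission changes only take effect once it is cleared.
 *
 * @param principals the subject's principals; null yields null
 * @return the cached or freshly computed info, or null when none could be built
 */
@Override
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
    if (principals == null) {
        return null;
    }
    AuthorizationInfo info = (AuthorizationInfo) UserUtils.getCache(UserUtils.CACHE_AUTH_INFO);
    if (info != null) {
        return info;
    }
    info = doGetAuthorizationInfo(principals);
    if (info != null) {
        UserUtils.putCache(UserUtils.CACHE_AUTH_INFO, info);
    }
    return info;
}

/**
 * Authorization callback, invoked when no authorization info is cached for the subject.
 *
 * Besides building the permission/role set it performs login-time side effects:
 * single-login enforcement (config "user.multiAccountLogin"), updating the user's
 * login info and writing a "系统登录" log entry. They live here because, with the
 * cache above, this method is reached once per login.
 *
 * Fix: the active-session query can return null (the sibling code in
 * doGetAuthenticationInfo already guards for that); this path is now null-safe
 * instead of throwing a NullPointerException.
 *
 * NOTE(review): permissions are taken from UserUtils.getMenuList() (the current
 * subject's menus) while roles come from the user resolved by the principal's
 * login name; these refer to the same account only when the principal is the
 * current subject — confirm before using this realm for any other principal.
 *
 * @param principals the subject's principals; the available one must be a Principal
 * @return the info, or null when the login name no longer resolves to a User
 * @throws AuthenticationException when a remember-me subject finds the account
 *         already logged in elsewhere (the subject is logged out first)
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    Principal principal = (Principal) getAvailablePrincipal(principals);
    enforceSingleLogin(principal);

    User user = getSystemService().getUserByLoginName(principal.getLoginName());
    if (user == null) {
        return null;
    }
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    for (Menu menu : UserUtils.getMenuList()) {
        String permissions = menu.getPermission();
        if (StringUtils.isNotBlank(permissions)) {
            // A menu's permission string holds comma-separated permission names.
            for (String permission : StringUtils.split(permissions, ",")) {
                info.addStringPermission(permission);
            }
        }
    }
    // Every user that reaches this point holds the generic "user" permission.
    info.addStringPermission("user");
    for (Role role : user.getRoleList()) {
        info.addRole(role.getEnname());
    }
    // Login-time bookkeeping: last login info and the login audit record.
    getSystemService().updateUserLoginInfo(user);
    LogUtils.saveLog(Servlets.getRequest(), "系统登录");
    return info;
}

/**
 * Single-login enforcement. With "user.multiAccountLogin" disabled, other active
 * sessions of this principal are deleted when the subject is authenticated (a
 * fresh login wins); an unauthenticated (remember-me) subject is logged out
 * instead and the request is rejected.
 *
 * @param principal the principal whose other sessions are looked up
 * @throws AuthenticationException when the remember-me subject is rejected
 */
private void enforceSingleLogin(Principal principal) {
    if (Global.TRUE.equals(Global.getConfig("user.multiAccountLogin"))) {
        return;
    }
    Collection<Session> others = getSystemService().getSessionDao()
            .getActiveSessions(true, principal, UserUtils.getSession());
    if (others == null || others.isEmpty()) {
        return;
    }
    if (UserUtils.getSubject().isAuthenticated()) {
        for (Session other : others) {
            getSystemService().getSessionDao().delete(other);
        }
    } else {
        UserUtils.getSubject().logout();
        throw new AuthenticationException("msg:账号已在其它地方登录,请重新登录。");
    }
}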