Shiro使用过滤器拦截用户的请求

Shiro使用过滤器拦截用户的请求

拦截配置信息在spring.xml配置文件中配置

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"></property>
        <property name="loginUrl" value="login.html"></property>
        <property name="unauthorizedUrl" value="403.html"></property>
        <property name="filterChainDefinitions">
            <value>
                /login.html=anon
                /userLogin=anon
                /testRoleByFilter=roles["admin"]
                /testRole1ByFilter=roles["admin","admin1"]
                /testPermissionByFilter=perms["user:select"]
                /testPermission1ByFilter=perms["user:select","user:update"]
                /*=authc
            </value>
        </property>
    </bean>

拦截的url在controller编写

    //过滤器的使用
    @RequestMapping(value = "testRoleByFilter",method = RequestMethod.GET)
    @ResponseBody
    public String testRoleByFilter(){
        return "testRoleByFilter";
    }
    //过滤器的使用
    @RequestMapping(value = "testRole1ByFilter",method = RequestMethod.GET)
    @ResponseBody
    public String testRole1ByFilter(){
        return "testRoleByFilter";
    }
    //过滤器的使用
    @RequestMapping(value = "testPermissionByFilter",method = RequestMethod.GET)
    @ResponseBody
    public String testPermissionByFilter(){
        return "testPermissionByFilter";
    }
    //过滤器的使用
    @RequestMapping(value = "testPermission1ByFilter",method = RequestMethod.GET)
    @ResponseBody
    public String testPermission1ByFilter(){
        return "testPermission1ByFilter";
    }

自定义的Filter

自定义的Filter,编写过滤只含有其中任意的role就可以访问，需要继承AuthorizationFilter,并实现接口方法

public class RolesOrFilter extends AuthorizationFilter {
    @Override
    protected boolean isAccessAllowed(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response,
              Object o) throws Exception {
        //获得主体
        Subject subject = getSubject(request,response);
        String [] roles = (String[]) o;
        //如果不需要任何role，则直接返回true
        if (roles == null || roles.length == 0) {
            return true;
        }
        //如果含其中一role，则直接返回true
        for (String role:roles){
            if (subject.hasRole(role)){
                return true;
            }
        }
        //都没有返回false
        return false;
    }
}

在speing.xml文件中配置自定义的Filter Bean

    <!--配置自定义的FilterBean-->
    <bean id="rolesOrFilter" class="com.jiuyue.filter.RolesOrFilter"></bean>

在shiroFilter中配置自定义的Filetr

        <property name="filters">
            <util:map>
                <entry key="rolesOr" value-ref="rolesOrFilter"/>
            </util:map>
        </property>

配置需要过滤的url请求, /testRole1ByFilter=rolesOr[“admin”,“admin1”],使用自定义的Filter角色中只含有admin,admin1其中之一就可以访问。testRole2ByFilter=roles[“admin”,“admin1”]，需要请求主体同时满足admin和admin2才可以访问。

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"></property>
        <property name="loginUrl" value="login.html"></property>
        <property name="unauthorizedUrl" value="403.html"></property>
        <property name="filterChainDefinitions">
            <value>
                /login.html=anon
                /userLogin=anon
                <!--/testRoleByFilter=roles["admin"]-->
                <!--/testRole1ByFilter=roles["admin","admin1"]-->
                <!--/testPermissionByFilter=perms["user:select"]-->
                <!--/testPermission1ByFilter=perms["user:select","user:update"]-->
                /testRole1ByFilter=rolesOr["admin","admin1"]
                /testRole2ByFilter=roles["admin","admin1"]

                /*=authc
            </value>
        </property>
        <property name="filters">
            <util:map>
                <entry key="rolesOr" value-ref="rolesOrFilter"/>
            </util:map>
        </property>
    </bean>