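Shiro uses filters to intercept user requests.
The interception rules are configured in the spring.xml configuration file. Rules are evaluated top to bottom and the first matching pattern wins, so the catch-all goes last; note that /* matches a single path segment only, while /** also covers nested paths.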
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"></property>
    <property name="loginUrl" value="login.html"></property>
    <property name="unauthorizedUrl" value="403.html"></property>
    <property name="filterChainDefinitions">
        <value>
            /login.html=anon
            /userLogin=anon
            /testRoleByFilter=roles["admin"]
            /testRole1ByFilter=roles["admin","admin1"]
            /testPermissionByFilter=perms["user:select"]
            /testPermission1ByFilter=perms["user:select","user:update"]
            /*=authc
        </value>
    </property>
</bean>
The intercepted URLs are implemented in the controller:
// Endpoint protected by roles["admin"]
@RequestMapping(value = "testRoleByFilter", method = RequestMethod.GET)
@ResponseBody
public String testRoleByFilter() {
    return "testRoleByFilter";
}
// Endpoint protected by roles["admin","admin1"]
@RequestMapping(value = "testRole1ByFilter", method = RequestMethod.GET)
@ResponseBody
public String testRole1ByFilter() {
    return "testRole1ByFilter";
}
// Endpoint protected by perms["user:select"]
@RequestMapping(value = "testPermissionByFilter", method = RequestMethod.GET)
@ResponseBody
public String testPermissionByFilter() {
    return "testPermissionByFilter";
}
// Endpoint protected by perms["user:select","user:update"]
@RequestMapping(value = "testPermission1ByFilter", method = RequestMethod.GET)
@ResponseBody
public String testPermission1ByFilter() {
    return "testPermission1ByFilter";
}
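Custom Filter
To write a custom filter that grants access when the subject has any one of the listed roles, extend AuthorizationFilter and implement its isAccessAllowed method: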
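import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

public class RolesOrFilter extends AuthorizationFilter {
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) throws Exception {
        // Get the subject making the request
        Subject subject = getSubject(request, response);
        // mappedValue holds the values from the brackets, e.g. rolesOr["admin","admin1"]
        String[] roles = (String[]) mappedValue;
        // If no role is required, allow access
        if (roles == null || roles.length == 0) {
            return true;
        }
        // If the subject has any one of the roles, allow access
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        // The subject has none of the roles: deny
        return false;
    }
}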
Declare the custom filter bean in spring.xml:
<!-- Custom filter bean -->
<bean id="rolesOrFilter" class="com.jiuyue.filter.RolesOrFilter"></bean>
Register the custom filter in shiroFilter:
<property name="filters">
    <util:map>
        <entry key="rolesOr" value-ref="rolesOrFilter"/>
    </util:map>
</property>
Configure the URLs to filter. With /testRole1ByFilter=rolesOr["admin","admin1"], the custom filter grants access when the subject has either admin or admin1. With /testRole2ByFilter=roles["admin","admin1"], the subject must have both admin and admin1 to get access.
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"></property>
    <property name="loginUrl" value="login.html"></property>
    <property name="unauthorizedUrl" value="403.html"></property>
    <property name="filterChainDefinitions">
        <value>
            /login.html=anon
            /userLogin=anon
            <!--/testRoleByFilter=roles["admin"]-->
            <!--/testRole1ByFilter=roles["admin","admin1"]-->
            <!--/testPermissionByFilter=perms["user:select"]-->
            <!--/testPermission1ByFilter=perms["user:select","user:update"]-->
            /testRole1ByFilter=rolesOr["admin","admin1"]
            /testRole2ByFilter=roles["admin","admin1"]
            /*=authc
        </value>
    </property>
    <property name="filters">
        <util:map>
            <entry key="rolesOr" value-ref="rolesOrFilter"/>
        </util:map>
    </property>
</bean>
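The difference between roles[...] (all roles required) and rolesOr[...] (any one role suffices) can be checked outside the web container. The following is an added example, not code from the original post: the class name RolesAndVsOrDemo, the three accounts and their passwords are constructed for illustration, and it assumes shiro-core is on the classpath.

```java
import java.util.Arrays;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class RolesAndVsOrDemo {

    // Decision made by the built-in roles[...] filter: every listed role is required.
    static boolean allowedByRoles(Subject subject, String[] roles) {
        if (roles == null || roles.length == 0) {
            return true;
        }
        return subject.hasAllRoles(Arrays.asList(roles));
    }

    // Decision made by the RolesOrFilter above: any one listed role is enough.
    static boolean allowedByRolesOr(Subject subject, String[] roles) {
        if (roles == null || roles.length == 0) {
            return true;
        }
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed in-memory accounts: name, password, roles.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "pw-alice", "admin");           // one of the two roles
        realm.addAccount("bob", "pw-bob", "admin", "admin1");     // both roles
        realm.addAccount("carol", "pw-carol", "user");            // neither role
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        // Same bracket values as in /testRole1ByFilter and /testRole2ByFilter.
        String[] mapped = {"admin", "admin1"};
        for (String user : new String[] {"alice", "bob", "carol"}) {
            Subject subject = new Subject.Builder(securityManager).buildSubject();
            subject.login(new UsernamePasswordToken(user, "pw-" + user));
            System.out.printf("%-5s roles[admin,admin1]=%b rolesOr[admin,admin1]=%b%n",
                    user, allowedByRoles(subject, mapped), allowedByRolesOr(subject, mapped));
            subject.logout();
        }
    }
}
```

An account holding only admin is the case that separates the two filters: rolesOr admits it, roles does not, so choosing rolesOr for an endpoint widens who can reach it.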