Detailed explanation of springrain technology (3)-shiro's filterChainDefinitions

Springrain uses Shiro for access control: filterChainDefinitions holds the static, path-based rules, and the business URLs are checked against permissions stored in the database.

Shiro is registered as a global filter in web.xml, and springrain backs it with a Spring bean named "shiroFilter". In that bean, different Shiro filters are assigned to different request paths.

Shiro ships with the following filters by default:

Filter Name         Class
anon                org.apache.shiro.web.filter.authc.AnonymousFilter
authc               org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic          org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
logout              org.apache.shiro.web.filter.authc.LogoutFilter
noSessionCreation   org.apache.shiro.web.filter.session.NoSessionCreationFilter
perms               org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port                org.apache.shiro.web.filter.authz.PortFilter
rest                org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles               org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl                 org.apache.shiro.web.filter.authz.SslFilter
user                org.apache.shiro.web.filter.authc.UserFilter

The ones we normally use are: anon, which lets anyone through; authc, which requires a user who has actually logged in this session (a rememberMe user is not enough); user, which requires a known user, including one recognised through rememberMe, so sensitive operations should sit behind authc rather than user; and perms, which checks a named permission against the subject. perms is rarely used as-is; it is the base that custom filters extend, for example springrain's frameperms.

filterChainDefinitions specifies the filtering rules. The configuration file is normally used only for the common, static rules, such as js, css and img resources that should not be intercepted at all. Business URLs are stored in the database, and a filter queries the database to make the permission decision.

Do not try to put every URL into the configuration file; that is a common mistake.

The springrain configuration looks like this:

(filterChainDefinitions listing)

The rules are matched from top to bottom and the first match wins: once a pattern matches the request path, its filters are applied and the remaining rules are not consulted. For example, /js/abc.js is matched by the anon rule for /js (such as /js/** = anon), so the request is allowed through and no later rule is checked.

The last line is /** = user, frameperms, which means that every path not matched above must pass the user filter first and then frameperms. If there is no logged-in (or remembered) user, user rejects the request and frameperms never runs.

frameperms is springrain's own filter: it loads the user's permissions from the database and checks whether the current user is allowed to reach the intercepted URL.
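An added example of the shiroFilter bean wiring described above, written as Spring Java configuration rather than the XML bean springrain actually uses; this is not springrain's own code. It assumes a Realm bean named shiroDbRealm and a Filter bean named framePermsFilter exist elsewhere, and the login and unauthorized URLs are placeholders. The chain definitions show the ordering rule: static resources first, the /** catch-all last.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;

import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroFilterConfig {

    // shiroDbRealm: the authenticating/authorizing realm (assumed to be defined elsewhere)
    @Bean
    public DefaultWebSecurityManager securityManager(Realm shiroDbRealm) {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRealm(shiroDbRealm);
        return sm;
    }

    // Bean name "shiroFilter" must match the DelegatingFilterProxy filter-name in web.xml
    @Bean(name = "shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager,
                                              Filter framePermsFilter) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        bean.setLoginUrl("/login");              // placeholder URLs
        bean.setUnauthorizedUrl("/unauthorized");

        // Register the custom filter under the short name used in the chain definitions
        Map<String, Filter> filters = new LinkedHashMap<>();
        filters.put("frameperms", framePermsFilter);
        bean.setFilters(filters);

        // Evaluated top to bottom; the first pattern matching the request path wins,
        // so the /** catch-all must come last or every line after it is dead.
        bean.setFilterChainDefinitions(
              "/js/**  = anon\n"
            + "/css/** = anon\n"
            + "/img/** = anon\n"
            + "/login  = authc\n"
            + "/logout = logout\n"
            + "/**     = user, frameperms\n");
        return bean;
    }
}
```

If the /** line were moved to the top, every request would go through user and frameperms, including the js, css and img files, and the anon lines would never be reached; conversely an /admin/** rule placed after /** is never consulted.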

How does the interception actually work?

The first step is the realm, which handles both authentication and authorization. In springrain's extended realm, shiroDbRealm, the doGetAuthorizationInfo method looks like this:

	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// The user id is assumed here to be the primary principal stored at login
		String userId = (String) principals.getPrimaryPrincipal();
		// Add role and permission information
		SimpleAuthorizationInfo sazi = new SimpleAuthorizationInfo();
		try {
			sazi.addRoles(userRoleMenuService.getRolesAsString(userId));
			// In springrain each permission string is a URL the user may access
			sazi.addStringPermissions(userRoleMenuService.getPermissionsAsString(userId));
		} catch (Exception e) {
			logger.error(e);
		}
		return sazi;
	}

sazi.addRoles adds all roles of the current user. Shiro's roles filter would use them, but springrain does not use that filter. sazi.addStringPermissions adds all permissions of the current user; in springrain a permission is a URL, so this is the set of URLs the user may access.

Whenever our filter asks for an authorization decision, Shiro calls doGetAuthorizationInfo to load the current user's authorizations (if a CacheManager is configured, AuthorizingRealm caches this result per user and reuses it until it is cleared, so a permission change in the database is not seen until the cache entry is evicted). The filter then only has to check whether the requested URL is in that set. This is what frameperms does in springrain:

 
// Calls the realm's doGetAuthorizationInfo (or uses the cached result) and
// checks whether uri is among the user's permission strings
permitted = subject.isPermitted(uri);

That is the whole permission-verification process.
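The two halves of that process, a frameperms-style filter and a shiroDbRealm-style realm, as an added example that is not springrain's own code. It assumes the user id is the primary principal, and the rolesFor and urlsFor helpers stand in for userRoleMenuService's database queries with constructed sample data (user "alice", password "s3cret", two menu URLs). The main method runs the realm offline with a plain DefaultSecurityManager; the filter needs a servlet container and is shown only for its isAccessAllowed logic.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

public class UrlPermissionExample {

    /** frameperms-style filter: the request path itself is the permission string. */
    public static class FramePermsFilter extends AuthorizationFilter {
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                          Object mappedValue) {
            // Path relative to the context root, query string excluded, e.g. "/user/list"
            String uri = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
            // Asks the realm (or its authorization cache) for the user's URL set
            return getSubject(request, response).isPermitted(uri);
        }
        // A denied request is handled by AuthorizationFilter.onAccessDenied: redirect to
        // unauthorizedUrl if one is configured, otherwise HTTP 401. Because the user
        // filter runs first in "/** = user, frameperms", the subject is never anonymous here.
    }

    /** shiroDbRealm-style realm: roles and URL permissions come from (stand-in) DB lookups. */
    public static class DbRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            UsernamePasswordToken upt = (UsernamePasswordToken) token;
            if (!"alice".equals(upt.getUsername())) {
                return null; // unknown account; Shiro raises UnknownAccountException
            }
            // Constructed sample credential; a real realm loads the stored password hash
            return new SimpleAuthenticationInfo(upt.getUsername(), "s3cret", getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String userId = (String) principals.getPrimaryPrincipal(); // assumed: id is the principal
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRoles(rolesFor(userId));
            // In springrain a permission string is a URL the user may open
            info.addStringPermissions(urlsFor(userId));
            return info;
        }
    }

    // Stand-in for userRoleMenuService.getRolesAsString(userId)
    static Set<String> rolesFor(String userId) {
        return "alice".equals(userId) ? Collections.singleton("operator")
                                      : Collections.<String>emptySet();
    }

    // Stand-in for userRoleMenuService.getPermissionsAsString(userId): menu URLs from the DB
    static Set<String> urlsFor(String userId) {
        return "alice".equals(userId)
            ? new HashSet<>(Arrays.asList("/user/list", "/user/detail"))
            : Collections.<String>emptySet();
    }

    public static void main(String[] args) {
        // Plain (non-web) security manager so the realm can be exercised without a container
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DbRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "s3cret"));
        for (String uri : new String[] {"/user/list", "/user/delete"}) {
            System.out.println(uri + " permitted=" + subject.isPermitted(uri));
        }
    }
}
```

Two properties of Shiro's default WildcardPermission matter when URLs are used as permission strings: matching is case-insensitive by default, so a granted "/user/list" also permits a request for "/User/List", and the string is split on ":" (and "," within a part), so a granted "/api" would also imply a request path such as "/api:v1". If the application has paths containing those characters, give the realm a custom PermissionResolver that compares paths exactly.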

This article comes from 9iu.org, please indicate the source and the corresponding link when reprinting.

Permalink to this article: http://www.9iu.org/2013/12/12/springrain3-shiro-filter.html
