Spring + Shiro: method-level permission checks with annotations

Way 1: use Shiro's built-in annotations:

    <!-- Creates AOP proxies for beans matched by advisors in the context; proxyTargetClass=true
         requests class-based proxies rather than interface-based ones. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">  
                <property name="proxyTargetClass" value="true" />   
       </bean>  

 

    <!-- Advisor that makes Shiro's authorization annotations take effect on proxied beans,
         using the referenced securityManager. -->
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">  
            <property name="securityManager" ref="securityManager"/>  
        </bean>  

 

With this configuration in place, it is enough to put Shiro's annotations on the methods that need protection. This approach is widely documented elsewhere, so I won't go into details.

 

 

 

Use custom annotations

 

First, define the custom annotation:

    package com.isoftstone.common.permission;  
      
    import java.lang.annotation.ElementType;  
    import java.lang.annotation.Retention;  
    import java.lang.annotation.RetentionPolicy;  
    import java.lang.annotation.Target;  
      
    /**
     * Marks a method as requiring a permission check.
     *
     * <p>Retained at runtime so that interceptors can read it reflectively, and restricted to
     * methods: it cannot be placed on a class to protect every method of that class at once.
     */
    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface CheckPermission {

        /**
         * Permission strings accepted for the annotated method. The interceptors shown on this
         * page grant access when the current subject holds any one of them (logical OR), not
         * all of them.
         */
        String[] permission();
    }

 Annotation use:

    /**  
     * keep  
     * @param basic user information  
     * @param role id  
     * @return  
     * @author {huzhe}  
     */  
    @RequestMapping(value = "/saveUser")  
    @CheckPermission(permission={BusinessPermissionLabel.permission_addChildAccount})  
    public OperationPrompt saveUser(UserBasicInfo userbaseInfo,String addRoleIds) {  

 Multiple permission labels are separated by commas; the interceptors shown below grant access if the user holds any one of them, not all of them.

 

 

 

 

Way 2: use Spring AOP to enforce the custom annotation defined above

Shiro is asked whether the current user holds a permission with:

currentUser.isPermitted (per)  

 

    package com.isoftstone.common.permission;  
    import org.apache.shiro.SecurityUtils;  
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.subject.Subject;  
    import org.aspectj.lang.ProceedingJoinPoint;  
    import org.aspectj.lang.annotation.Around;  
    import org.aspectj.lang.annotation.Aspect;  
    import org.springframework.stereotype.Component;  
      
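    /**
     * Spring AOP aspect that enforces {@link CheckPermission} on annotated methods.
     *
     * <p>The current Shiro subject must hold at least one of the permissions listed in the
     * annotation; otherwise an {@link AuthorizationException} is thrown and the target method
     * is never invoked. An empty permission list therefore always denies.
     *
     * <p>Coverage caveats:
     * <ul>
     *   <li>The pointcut only matches methods under {@code com.isoftstone.dcf.portal}. A
     *       {@code @CheckPermission} placed on a method in any other package is not enforced
     *       by this aspect.</li>
     *   <li>With proxy-based Spring AOP (as enabled by {@code <aop:aspectj-autoproxy/>}),
     *       advice runs only for calls that pass through the Spring proxy. A bean calling its
     *       own annotated method, or an object not managed by Spring, is not checked.</li>
     * </ul>
     */
    @Aspect
    @Component
    public class PermissionInterceptor {

        /**
         * Checks the caller's permissions before letting the annotated method run.
         *
         * @param pjp the intercepted invocation
         * @param checkPermission the annotation bound by the pointcut
         * @return whatever the intercepted method returns
         * @throws AuthorizationException if the subject holds none of the listed permissions
         * @throws Throwable anything thrown by the intercepted method
         */
        @Around("execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)")
        public Object doInterceptor(ProceedingJoinPoint pjp, CheckPermission checkPermission) throws Throwable {
            // Deny by default: access is granted only by an explicit permission match. The
            // pointcut binds the annotation, so a null here means the advice was reached in an
            // unexpected way and must not be treated as "no permission required".
            if (checkPermission == null
                    || !hasAnyPermission(SecurityUtils.getSubject(), checkPermission.permission())) {
                // NOTE(review): denials surface only through this exception; add audit logging
                // with the project's logger if denied attempts need to be traceable.
                throw new AuthorizationException(
                        "Permission denied for method " + pjp.getSignature().getName());
            }
            return pjp.proceed();
        }

        /** Returns true when the subject is permitted for at least one of the given permissions. */
        private static boolean hasAnyPermission(Subject subject, String[] permissions) {
            for (String permission : permissions) {
                if (subject.isPermitted(permission)) {
                    return true;
                }
            }
            return false;
        }
    }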

 You need to enable AspectJ auto-proxying in the Spring configuration file:

    <!-- Open aop and use aop for permission verification-->  
       <aop:aspectj-autoproxy />   

 

Way 3: use a Spring MVC interceptor to check permissions on every request:

<!-- Use spring mvc interceptor for permission verification.
     A bean declared directly under mvc:interceptors (no mvc:mapping) is applied to every
     request dispatched through Spring MVC handler mappings, not only annotated controllers. -->  
<mvc:interceptors>  
        <bean class="com.isoftstone.common.permission.PermissionInterceptorAdapter" />  
</mvc:interceptors>  

 The interceptor implementation is roughly the same as the aspect:

    package com.isoftstone.common.permission;  
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletResponse;  
    import org.apache.shiro.SecurityUtils;  
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.subject.Subject;  
    import org.springframework.web.method.HandlerMethod;  
    import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;  
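    /**
     * Spring MVC interceptor that enforces {@link CheckPermission} on controller handler
     * methods before they are invoked.
     *
     * <p>The check is opt-in: a handler method without the annotation is let through, so any
     * endpoint that is missing {@code @CheckPermission} is not restricted by this class. When
     * the annotation is present, the current Shiro subject must hold at least one of the
     * listed permissions.
     */
    public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter {

        /**
         * Decides whether the request may reach its handler.
         *
         * @param request the current request
         * @param response the current response
         * @param handler the handler chosen by Spring MVC for this request
         * @return {@code true} when the handler may run
         * @throws AuthorizationException if the handler method is annotated and the subject
         *         holds none of the listed permissions
         */
        @Override
        public boolean preHandle(HttpServletRequest request,
                HttpServletResponse response, Object handler) throws Exception {
            // Interceptors are also invoked for handlers that are not controller methods
            // (static resources, for example). An unconditional cast would throw
            // ClassCastException for those requests; they carry no annotation to check.
            if (!(handler instanceof HandlerMethod)) {
                return true;
            }
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            CheckPermission checkPermission = handlerMethod.getMethodAnnotation(CheckPermission.class);
            if (checkPermission == null) {
                // No annotation: this interceptor places no restriction on the handler.
                return true;
            }

            Subject currentUser = SecurityUtils.getSubject();
            for (String per : checkPermission.permission()) {
                // Any single matching permission is sufficient.
                if (currentUser.isPermitted(per)) {
                    return true;
                }
            }
            // NOTE(review): denials surface only through this exception; add audit logging
            // with the project's logger if denied attempts need to be traceable.
            throw new AuthorizationException(
                    "Permission denied for handler " + handlerMethod.getMethod().getName());
        }

    }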

  Dependencies required in addition to the Spring and Shiro packages:

    <dependency>  
      <groupId>org.aspectj</groupId>  
      <artifactId>aspectjrt</artifactId>  
      <version>1.8.0</version>  
    </dependency>  
    <dependency>  
      <groupId>org.aspectj</groupId>  
      <artifactId>aspectjweaver</artifactId>  
      <version>1.8.0</version>  
    </dependency>  

 Custom Spring exception resolver that handles the authorization exception:

    package com.isoftstone.common.exception;  
      
    import java.io.IOException;  
    import java.sql.SQLException;  
    import javax.servlet.http.HttpServletRequest;  
    import javax.servlet.http.HttpServletResponse;  
      
    import org.apache.shiro.authz.AuthorizationException;  
    import org.apache.shiro.authz.UnauthorizedException;  
    import org.springframework.stereotype.Component;  
    import org.springframework.web.servlet.HandlerExceptionResolver;  
    import org.springframework.web.servlet.ModelAndView;  
      
    import com.isoftstone.common.bo.PermissioinPage;  
      
    /**
     * Custom permission exception handling
     * @author Administrator
     *
     */  
    @Component  
    public class MyHandlerExceptionResolver implements HandlerExceptionResolver  {  
      
        /**
         * Turns a Shiro {@link AuthorizationException} into an HTTP response: an empty view for
         * ajax callers, a redirect to the static error page for everyone else. Any other
         * exception is left unresolved by returning {@code null}.
         *
         * @param request the request that failed
         * @param response the response to populate
         * @param object the handler that was executing (unused)
         * @param exception the exception raised during handling
         * @return the view to render, or {@code null} when the exception is not handled here
         */
        @Override
        public ModelAndView resolveException(HttpServletRequest request,
                HttpServletResponse response, Object object, Exception exception) {
            // X-Requested-With is supplied by the client; here it only selects the response
            // shape, it is not used for any access decision.
            final String requestedWith = request.getHeader("X-Requested-With");
            if (!(exception instanceof AuthorizationException)) {
                return null;
            }

            // NOTE(review): 413 is the standard code for "Payload Too Large"; 403 is the
            // conventional status for a permission failure. Left as-is because the client side
            // and /html/413.html appear to depend on this value - confirm before changing.
            response.setStatus(413);
            // NOTE(review): the header value is not strict JSON (unquoted keys, single quotes);
            // verify how the client parses it.
            response.addHeader("Error-Json", "{code:413,msg:'nopermission',script:''}");
            response.setContentType("text/html;charset=utf-8");

            // NOTE(review): Shiro's UnauthenticatedException is also an AuthorizationException,
            // so a caller who is not logged in presumably lands here too and gets the
            // "no permission" response rather than a login prompt - confirm this is intended.
            boolean ajaxCall = "XMLHttpRequest".equals(requestedWith);
            return ajaxCall ? new ModelAndView() : new ModelAndView("redirect:/html/413.html");
        }

 

 
