The first way: use Shiro's own annotations
```xml
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor">
    <property name="proxyTargetClass" value="true" />
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>
```
With this configuration in place, it is enough to put Shiro's annotations on the method header. There is plenty of information about this on the Internet, so I won't go into details.
Use custom annotations
First, the custom annotation:
```java
package com.isoftstone.common.permission;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD}) // where it may be applied: methods here; TYPE etc. could be added
public @interface CheckPermission {
    String[] permission(); // several permission labels can be passed
}
```
Annotation use:
```java
/**
 * Save
 * @param userbaseInfo basic user information
 * @param addRoleIds   role ids
 * @return
 * @author {huzhe}
 */
@RequestMapping(value = "/saveUser")
@CheckPermission(permission = {BusinessPermissionLabel.permission_addChildAccount})
public OperationPrompt saveUser(UserBasicInfo userbaseInfo, String addRoleIds) {
    // ... method body omitted in the original
}
```
Multiple permission labels are separated by commas; the interceptors below treat the list as OR, so holding any one of the labels is enough.
The second way: verify the custom annotation with Spring AOP, building on the annotation above.
Shiro itself does the actual permission check: `currentUser.isPermitted(per)`
```java
package com.isoftstone.common.permission;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Component;

// Performs the permission check as Spring AOP @Around advice
@Aspect
@Component
public class PermissionInterceptor {

    // Only methods under com.isoftstone.dcf.portal that carry @CheckPermission are advised;
    // the annotation instance is bound to the checkPermission parameter
    @Around("execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)")
    public Object doInterceptor(ProceedingJoinPoint pjp, CheckPermission checkPermission) throws Throwable {
        long time = new java.util.Date().getTime();
        boolean permitted = false;
        Subject currentUser = SecurityUtils.getSubject();
        // No annotation means no permission is required: run the method directly
        if (null != checkPermission) {
            String[] permission = checkPermission.permission();
            for (String per : permission) {
                // Any one of the listed labels is enough for the current login
                if (currentUser.isPermitted(per)) {
                    permitted = true;
                    break;
                }
            }
        } else {
            permitted = true;
        }
        System.out.println("(AOP) intercepted: " + pjp.getSignature().getName()
                + " method time: " + time + " to " + new java.util.Date().getTime());
        if (permitted) {
            // Permission granted: let the target method run
            return pjp.proceed();
        } else {
            // Otherwise throw the no-permission exception
            throw new AuthorizationException();
        }
    }
}
```
You also need to enable AspectJ auto-proxying in the Spring configuration file. Note that Spring AOP advice only runs for calls that go through the proxy, so a method that calls another @CheckPermission-annotated method on the same bean bypasses this check:
```xml
<!-- Enable AOP; the aspect above does the permission check -->
<aop:aspectj-autoproxy />
```
The third way: use a Spring MVC interceptor to check every URL:
```xml
<!-- Use a Spring MVC interceptor for permission verification -->
<mvc:interceptors>
    <bean class="com.isoftstone.common.permission.PermissionInterceptorAdapter" />
</mvc:interceptors>
```
The interceptor performs essentially the same check:
```java
package com.isoftstone.common.permission;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Performs the permission check as a Spring MVC interceptor
public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Static-resource and other non-controller handlers are not HandlerMethods and carry no
        // annotation; the original unconditional cast would throw ClassCastException for them
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        CheckPermission checkPermission = handlerMethod.getMethodAnnotation(CheckPermission.class);
        long time = new java.util.Date().getTime();
        boolean permitted = false;
        Subject currentUser = SecurityUtils.getSubject();
        // No annotation means no permission is required: run the method directly
        if (null != checkPermission) {
            String[] permission = checkPermission.permission();
            for (String per : permission) {
                // Any one of the listed labels is enough for the current login
                if (currentUser.isPermitted(per)) {
                    permitted = true;
                    break;
                }
            }
        } else {
            permitted = true;
        }
        System.out.println("Intercepted mvc method: " + handlerMethod.getMethod()
                + " method time: " + time + " to " + new java.util.Date().getTime());
        if (permitted) {
            // Permission granted: let the handler run
            return true;
        } else {
            // Otherwise throw the no-permission exception
            throw new AuthorizationException();
        }
    }
}
```
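As an added example (not from the original post), a JUnit 4 test that pins down the semantics shared by the AOP aspect and the MVC interceptor above: a subject holding just one of the listed labels is let through, a subject holding none is rejected with AuthorizationException, and an unannotated method is not checked at all. It assumes spring-test and Mockito on the test classpath and a hypothetical DemoController.

```java
package com.isoftstone.common.permission;

import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import java.lang.reflect.Method;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.junit.After;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.method.HandlerMethod;

public class PermissionInterceptorAdapterTest {

    // Hypothetical controller (constructed for this test): two labels, either one is enough
    public static class DemoController {
        @CheckPermission(permission = {"user:add", "user:admin"})
        public String saveUser() { return "ok"; }
        public String listUsers() { return "list"; } // no annotation: must not be checked
    }

    private final PermissionInterceptorAdapter interceptor = new PermissionInterceptorAdapter();

    private boolean run(Subject subject, String methodName) throws Exception {
        ThreadContext.bind(subject); // this is what SecurityUtils.getSubject() returns on this thread
        Method m = DemoController.class.getMethod(methodName);
        HandlerMethod handler = new HandlerMethod(new DemoController(), m);
        return interceptor.preHandle(new MockHttpServletRequest(), new MockHttpServletResponse(), handler);
    }

    @After
    public void tearDown() { ThreadContext.unbindSubject(); }

    @Test
    public void anyOneListedLabelIsEnough() throws Exception {
        Subject subject = mock(Subject.class); // a mock answers false to isPermitted() unless told otherwise
        when(subject.isPermitted("user:admin")).thenReturn(true);
        assertTrue(run(subject, "saveUser"));
    }

    @Test(expected = AuthorizationException.class)
    public void noListedLabelIsRejected() throws Exception {
        run(mock(Subject.class), "saveUser");
    }

    @Test
    public void unannotatedMethodIsNotChecked() throws Exception {
        assertTrue(run(mock(Subject.class), "listUsers"));
    }
}
```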
In addition to the Spring and Shiro packages, the AspectJ dependencies are needed:
```xml
<dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjrt</artifactId>
    <version>1.8.0</version>
</dependency>
<dependency>
    <groupId>org.aspectj</groupId>
    <artifactId>aspectjweaver</artifactId>
    <version>1.8.0</version>
</dependency>
```
Custom Spring exception handling, which turns the AuthorizationException thrown above into a response:
```java
package com.isoftstone.common.exception;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authz.AuthorizationException;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;

/**
 * Custom permission exception handling
 * @author Administrator
 */
@Component
public class MyHandlerExceptionResolver implements HandlerExceptionResolver {

    @Override
    public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response,
                                         Object object, Exception exception) {
        // Is this an ajax request?
        String requestType = request.getHeader("X-Requested-With");
        if (exception instanceof AuthorizationException) {
            // The author's convention: status 413 signals "no permission" to the front end,
            // mainly for ajax requests (403 Forbidden is the standard HTTP code for this case)
            response.setStatus(413);
            // addHeader() returns void; the original wrongly wrote "return response.addHeader(...)"
            response.addHeader("Error-Json", "{code:413,msg:'nopermission',script:''}");
            response.setContentType("text/html;charset=utf-8");
            if ("XMLHttpRequest".equals(requestType)) {
                return new ModelAndView();
            }
            return new ModelAndView("redirect:/html/413.html");
        }
        return null;
    }
}
```