Annotation-based permission control in SpringMVC

1. Development goals
In Shiro's permission handling, the @RequiresPermissions annotation controls access: it specifies that the annotated method may only be accessed by users who hold certain permissions, and the listed permissions are combined with an AND (&) relationship. That form of access control does not match our requirement. (What we need is that a user holding one of the listed permissions can access the method, and a user holding a child of one of these permissions can access it as well, so that access can be granted separately for the permission itself and for its parent permission.)

The permission control described in this post is annotation-based, similar to Shiro's. It uses @ExistPermissions and @HasPermissions to implement access control.

2. Configuring the interceptor
To configure a SpringMVC interceptor class, only the following needs to be added to SpringMVC.xml:

    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**"/>
            <mvc:exclude-mapping path="/user/login.do"/>
            <!-- the interceptor bean; the package name is a placeholder -->
            <bean class="com.example.SecurityFilter"/>
        </mvc:interceptor>
    </mvc:interceptors>

The interceptor must implement the HandlerInterceptor interface, which has three methods: preHandle, postHandle and afterCompletion. The code in preHandle runs before the request reaches the controller layer, while the code in postHandle and afterCompletion runs only after the controller layer has finished. For permission handling, the access control code is written in the preHandle method. In the XML configuration, the interceptor that performs this processing is SecurityFilter.

3. Annotation configuration
We also need to define the two annotations, @ExistPermissions and @HasPermissions.

    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    /**
     * @author Administrator
     * This annotation is used for permission control.
     * The request is released when the user holds the permission or a child permission of it.
     * See the SecurityFilter code for the related logic.
     */
    @Target(value = {ElementType.METHOD})
    @Retention(RetentionPolicy.RUNTIME)
    public @interface ExistPermissions {
        /**
         * Array of permissions that may access the annotated method.
         * Access is granted when the user holds a child permission of any permission in the array.
         */
        String[] permissions();
    }

    /**
     * @author Administrator
     * This annotation is used for permission control.
     * The request is released only when the user holds a certain permission.
     * See the SecurityFilter code for the related logic.
     */
    @Target(value = ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface HasPermissions {
        /**
         * Array of permissions that may access the annotated method.
         * Access is granted when the user holds any permission in the array.
         */
        String[] permissions();
    }

Both annotations define a single method, permissions, whose return type is String[], so that several permissions can be handled and checked in one pass. The @Target annotation defines where the annotation may be used, and the @Retention annotation defines at what time it is available.

4. The preHandle method

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // permission checks go here; returning true lets the request continue to the controller
        return true;
    }

preHandle has three parameters: request, response and handler. The first two are familiar and are not described here; the focus is on the third parameter, handler.

handler is declared as Object, so we need to find its concrete type with handler.getClass():

    System.out.println(handler.getClass());

This shows that the actual type of the object is

    org.springframework.web.method.HandlerMethod

so we cast the object to that type. The cast only holds for requests that are mapped to controller methods; for other handlers, such as static resource handlers, handler is not a HandlerMethod, so an instanceof check before the cast avoids a ClassCastException.

5. The HandlerMethod class
HandlerMethod, as the name suggests, is a class associated with a method: SpringMVC defines it to carry the information about a handler method. Through an instance of this class we can obtain information about the @RequestMapping-annotated method that is being invoked.

We only need the annotation part of that information. We get the @HasPermissions annotation from the HandlerMethod and then read from the annotation the permission strings we want to verify.

HasPermissions hasPermissions = handlerMethod.getMethodAnnotation(HasPermissions.class);
for(String permission : hasPermissions.permissions()){

}

6. Logic of the preHandle method

Of course, other annotations on the method, such as @RequestMapping, can be obtained in the same way.

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Get the user's permission list from the session
        UserInfo user = (UserInfo) request.getSession().getAttribute("userInfo");
        if (user == null) {
            return false;
        }
        Set<String> permissions = user.getPermissions();
        // Get the permission annotations of the handler method
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        // Verify that the user holds one of the permissions
        HasPermissions hasPermissions = handlerMethod.getMethodAnnotation(HasPermissions.class);
        boolean hasPer = false;
        if (hasPermissions != null) {
            for (String permission : hasPermissions.permissions()) {
                if (this.hasPermission(permissions, permission)) {
                    hasPer = true;
                    break;
                }
            }
        } else {
            // No @HasPermissions on the method: nothing to check here
            hasPer = true;
        }

        // Verify that the user holds one of the permissions, or a child permission of one of them
        ExistPermissions existPermissions = handlerMethod.getMethodAnnotation(ExistPermissions.class);
        boolean existPer = false;
        if (existPermissions != null) {
            for (String permission : existPermissions.permissions()) {
                if (this.hasPermission(permissions, permission)) {
                    existPer = true;
                    break;
                }
            }
        } else {
            // No @ExistPermissions on the method: nothing to check here
            existPer = true;
        }
        if (hasPer && existPer) {
            return true;
        } else {
            // Log the unauthorized access attempt and block the request
            System.out.println("用户 " + user.getUserName() + " 越权访问:" + request.getRequestURL().toString());
            return false;
        }
    }

    /**
     * Verify whether the user holds a permission, or a child permission of a permission.
     * @param permissions the permissions the user holds
     * @param permission the permission to check
     * @return true when the required permission string starts with a permission the user holds
     */
    public boolean hasPermission(Set<String> permissions, String permission) {
        for (String userPermission : permissions) {
            // startsWith avoids the StringIndexOutOfBoundsException that substring(0, n)
            // throws when the held permission is longer than the required one
            if (permission.startsWith(userPermission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verify that the user holds a permission.
     * @param permissions the permissions the user holds
     * @param permission the permission to check
     * @return true when either string is a prefix of the other
     */
    public boolean existPermission(Set<String> permissions, String permission) {
        for (String userPermission : permissions) {
            if (userPermission.startsWith(permission)) {
                return true;
            } else if (permission.startsWith(userPermission)) {
                return true;
            }
        }
        return false;
    }
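
The prefix comparison in hasPermission treats any held string that is a leading substring of the required permission as a match. The following is an added example, not code from the original post; it assumes colon-separated permission strings such as "order:delete" (the post does not show its permission format), and the class and method names are hypothetical. It compares the plain prefix check with a segment-aware check on constructed inputs.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PermissionMatchDemo {

    // Assumed separator between hierarchy levels; the post does not show its format.
    private static final String SEP = ":";

    // Plain prefix check, equivalent to the post's hasPermission.
    static boolean prefixMatch(Set<String> held, String required) {
        for (String h : held) {
            if (required.startsWith(h)) {
                return true;
            }
        }
        return false;
    }

    // Segment-aware check: a held permission grants the required one only if it is
    // identical to it or is an ancestor that ends exactly on a separator boundary.
    static boolean segmentMatch(Set<String> held, String required) {
        if (required == null || required.isEmpty()) {
            return false;
        }
        for (String h : held) {
            if (h == null || h.isEmpty()) {
                continue; // an empty entry must never act as a wildcard
            }
            if (required.equals(h) || required.startsWith(h + SEP)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> held = new HashSet<>(Arrays.asList("order", "report:view"));
        String[] required = {"order:delete", "orderAdmin:delete", "report:viewAll", "report"};
        for (String r : required) {
            System.out.printf("%-18s prefix=%-5b segment=%b%n", r, prefixMatch(held, r), segmentMatch(held, r));
        }
        Set<String> withEmpty = new HashSet<>(Arrays.asList(""));
        System.out.printf("%-18s prefix=%-5b segment=%b%n", "user:delete",
                prefixMatch(withEmpty, "user:delete"), segmentMatch(withEmpty, "user:delete"));
    }
}
```

With this constructed data, "orderAdmin:delete" and "report:viewAll" pass the prefix check but not the segment-aware one, and an empty string in the held set passes the prefix check for every required permission.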

----------------
Disclaimer: This article is an original article by CSDN blogger "Zhou Chong Zhi" and follows the CC 4.0 BY-SA copyright agreement. When reproducing it, please attach the original source link and this statement.
Original link: https://blog.csdn.net/qq_35427785/article/details/72956472


Origin blog.csdn.net/qq_26023835/article/details/104245603