dsfsefesfsffsfsfsfsfesfsfsfsfsfsfspackage realm;
?
import java.util.ArrayList;
import java.util.List;
?
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
import org.apache.commons.lang3.builder.ToStringStyle;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
?
import utils.StrUtils;
?
import com.jxzg.mvc.web.entitys.user.Role;
import com.jxzg.mvc.web.entitys.user.RoleRight;
import com.jxzg.mvc.web.entitys.user.User;
import com.jxzg.mvc.web.service.user.IUserManager;
?
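public class MyRealm extends AuthorizingRealm {

    /** Injected by the container; every user lookup in this realm goes through it. */
    @Autowired
    private IUserManager userManager;

    /**
     * Grants roles and permissions to the currently logged-in Subject.
     * <p>
     * Original author's observation: in this application the method runs after
     * the user has logged in.
     *
     * @param principals the principals of the Subject being authorized; the primary
     *                   principal is the username that
     *                   {@link #doGetAuthenticationInfo(AuthenticationToken)} stored
     * @return the role name and string permissions resolved for that user
     * @throws AuthorizationException if no user exists for the principal
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Equivalent to (String) principals.fromRealm(this.getName()).iterator().next()
        String currentUsername = (String) super.getAvailablePrincipal(principals);
        // Load the user's details (role and rights) from the database
        User user = userManager.getByUsername(currentUsername);
        if (null == user) {
            throw new AuthorizationException("no user found for principal: " + currentUsername);
        }
        List<String> roleList = new ArrayList<String>();
        List<String> permissionList = new ArrayList<String>();
        // The User entity carries the role entity, which in turn carries the rights
        Role role = user.getRole();
        if (null != role) {
            roleList.add(role.getName());
            // "admin".equals(...) instead of role.getName().equals(...): a role whose
            // name is null must not throw here
            if ("admin".equals(role.getName())) {
                // The super-administrator is given every permission directly
                permissionList.add("user");
                permissionList.add("school");
            } else {
                permissionList.addAll(enabledRightNames(role));
            }
        }
        // Attach the resolved roles and permissions to the current user
        SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
        simpleAuthorInfo.addRoles(roleList);
        simpleAuthorInfo.addStringPermissions(permissionList);
        return simpleAuthorInfo;
    }

    /**
     * Collects the names of the rights attached to {@code role} whose flag is set.
     * Entries whose right fails {@code StrUtils.isNullOrEmpty} are skipped, as are
     * roles with no rights at all.
     *
     * @param role a non-null role
     * @return the enabled right names, possibly empty, never null
     */
    private static List<String> enabledRightNames(Role role) {
        List<String> names = new ArrayList<String>();
        if (null == role.getRights() || role.getRights().isEmpty()) {
            return names;
        }
        for (RoleRight pmss : role.getRights()) {
            if (pmss.isFlag() && !StrUtils.isNullOrEmpty(pmss.getRight())) {
                names.add(pmss.getRight().getName());
            }
        }
        return names;
    }

    /**
     * Authenticates the Subject that is logging in.
     * <p>
     * Original author's observation: invoked when LoginController.login() calls
     * Subject.login(); the token received here is the same reference that the
     * controller passed to currentUser.login(token).
     *
     * @param authcToken the submitted credentials; this realm expects a
     *                   {@link UsernamePasswordToken} and casts to it
     * @return account info whose principal is the username and whose credentials
     *         are the value of {@code user.getPass()}, or null when no user has
     *         that username. How the stored value is compared with the submitted
     *         password is decided by the CredentialsMatcher configured on this
     *         realm, which is not visible in this file.
     * @throws AuthenticationException declared for the Shiro contract; nothing in
     *         this method throws it itself
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        // Only the username is echoed. Dumping the whole token through
        // ReflectionToStringBuilder (as before) writes the submitted password to stdout.
        System.out.println("验证当前Subject时获取到token,用户名为" + token.getUsername());
        User user = userManager.getByUsername(token.getUsername());
        if (null == user) {
            return null;
        }
        // The third argument is the realm name the principal is attributed to;
        // the user's nickname was being passed there, which is not a realm name.
        AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(
                user.getUserName(), user.getPass(), getName());
        // NOTE(review): the whole User entity, including whatever getPass() holds, is
        // kept in the Shiro session; per the author's comment, controllers read it
        // back as HttpSession attribute "currentUser". A view object without the
        // credential field would expose less if the session store is ever read.
        this.setSession("currentUser", user);
        return authcInfo;
    }

    /**
     * Stores a value in the Shiro session of the current Subject so other layers
     * can use it. The original author notes that a Controller can then read it
     * with HttpSession.getAttribute(key).
     *
     * @param key   attribute name
     * @param value attribute value
     */
    private void setSession(Object key, Object value) {
        Subject currentUser = SecurityUtils.getSubject();
        if (null == currentUser) {
            return;
        }
        Session session = currentUser.getSession();
        if (null != session) {
            session.setAttribute(key, value);
        }
    }

}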