shiro直接对类进行注解,类似于@Controller的形式

因为我司项目重构,我负责编写了一些模块,而每个模块Controller都有list,add等相同的方法,他们并不需要处理业务逻辑,只是将请求转到Service层处理完后,根据返回结果再转到相应的视图。所以我编写了Controller层的抽象类,并且在抽象类中实现常用的方法的方法且标记此类的常用注解@RequestMapping("/list")。

然后其他的所有想要具有 普通CRUD功能的Controller都继承这个抽象类,那就完全不用再写一遍了,而且根据类上的@RequestMapping 注解即可自动分路径,节约大量工作时间,和维护时间,每个类只需要设置自己的视图地址即可,将转发功能再向上提了一层。

而在这里出了个问题,我司使用Shiro作为权限管理,而@RequiresPermissions注解目前还不能直接写在类上,只能针对某个方法进行注解,这就导致我的抽象类完不能工作了,于是有了本文。

首先我们先找到shiro进行权限处理的入口,可是我并不知道怎么找。。。于是我想到让他报错,然后看请求栈肯定能找到。

严重: Servlet.service() for servlet [spring] in context with path [] threw exception [Request processing failed; nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against.  A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager.  This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again.  Because an identity is currently not known due to any of these conditions, authorization is denied.] with root cause
org.apache.shiro.authz.AuthorizationException: Not authorized to invoke method: public com.component.response.RespJSON com.web.mvc.business.ProductController.listJson(java.util.Map,java.lang.Integer,java.lang.Integer)
	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(<span style="color:#FF0000;">AuthorizingAnnotationMethodInterceptor.java:90</span>)
	at org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor.assertAuthorized(AnnotationsAuthorizingMethodInterceptor.java:100)
	at org.apache.shiro.authz.aop.AuthorizingMethodInterceptor.invoke(AuthorizingMethodInterceptor.java:38)
	at org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor.invoke(AopAllianceAnnotationsAuthorizingMethodInterceptor.java:115)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:646)
	at com.web.mvc.business.ProductController$$EnhancerByCGLIB$$76eb0343.listJson(<generated>)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:214)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:748)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:876)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:931)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:822)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:807)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

我们直接进红色那个类里打个断点,可以得到如下请求栈:

看到好多AOP,想着也是,要判断权限肯定得AOP才方便。

我们一个一个的下去,看看他都经过了什么处理。

就在第二行:

AnnotationsAuthorizingMethodInterceptor,这个类里:
    protected void assertAuthorized(MethodInvocation methodInvocation) throws AuthorizationException {
        //default implementation just ensures no deny votes are cast:
        Collection<AuthorizingAnnotationMethodInterceptor> aamis = getMethodInterceptors();
        if (aamis != null && !aamis.isEmpty()) {
            for (AuthorizingAnnotationMethodInterceptor aami : aamis) {
                if (aami.supports(methodInvocation)) {
                    aami.assertAuthorized(methodInvocation);
                }
            }
        }
    }

在这里他获得了权限拦截器,并且逐个去验证,再去找他的实现类:AopAllianceAnnotationsAuthorizingMethodInterceptor

    public AopAllianceAnnotationsAuthorizingMethodInterceptor() {
        List<AuthorizingAnnotationMethodInterceptor> interceptors =
                new ArrayList<AuthorizingAnnotationMethodInterceptor>(5);

        //use a Spring-specific Annotation resolver - Spring's AnnotationUtils is nicer than the
        //raw JDK resolution process.
        AnnotationResolver resolver = new SpringAnnotationResolver();
        //we can re-use the same resolver instance - it does not retain state:
        interceptors.add(new RoleAnnotationMethodInterceptor(resolver));
        interceptors.add(new PermissionAnnotationMethodInterceptor(resolver));
        interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));
        interceptors.add(new UserAnnotationMethodInterceptor(resolver));
        interceptors.add(new GuestAnnotationMethodInterceptor(resolver));

        setMethodInterceptors(interceptors);
    }

确实,在这里将各个权限的拦截器放进了拦截器栈,此时找到这里我就找不到了。。但是我知道这个

AopAllianceAnnotationsAuthorizingMethodInterceptor

肯定是要被创建出来的,所以把断点打在构造器中,得到如下请求栈:

那明显第二个AuthorizationAttributeSourceAdvisor就是了嘛,Spring在启动的时候初始化的

public
    public AuthorizationAttributeSourceAdvisor() {
        setAdvice(new AopAllianceAnnotationsAuthorizingMethodInterceptor());
    }

Spring知道这东西,那肯定是我们配置的,搜索一下项目,发现有这个:

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

哎,找了半天,却在眼前而不自知,然而此时根据上面的分析我们也知道了
1.shiro根据权限拦截器栈中的权限拦截器去验证权限(AopAllianceAnnotationsAuthorizingMethodInterceptor)
2.看名字就知道PermissionAnnotationMethodInterceptor这个是和我们所需的注解有关,他继承了AuthorizingAnnotationMethodInterceptor

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.shiro.authz.aop;

import org.apache.shiro.aop.AnnotationMethodInterceptor;
import org.apache.shiro.aop.AnnotationResolver;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authz.AuthorizationException;

/**
 * An <tt>AnnotationMethodInterceptor</tt> that asserts the calling code is authorized to execute the method
 * before allowing the invocation to continue by inspecting code annotations to perform an access control check.
 *
 * @since 0.1
 */
public abstract class AuthorizingAnnotationMethodInterceptor extends AnnotationMethodInterceptor
{

    /**
     * Constructor that ensures the internal <code>handler</code> is set which will be used to perform the
     * authorization assertion checks when a supported annotation is encountered.
     * @param handler the internal <code>handler</code> used to perform authorization assertion checks when a
     * supported annotation is encountered.
     */
    public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler ) {
        super(handler);
    }

    /**
     *
     * @param handler
     * @param resolver
     * @since 1.1
     */
    public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler,
                                                   AnnotationResolver resolver) {
        super(handler, resolver);
    }

    /**
     * Ensures the <code>methodInvocation</code> is allowed to execute first before proceeding by calling the
     * {@link #assertAuthorized(org.apache.shiro.aop.MethodInvocation) assertAuthorized} method first.
     *
     * @param methodInvocation the method invocation to check for authorization prior to allowing it to proceed/execute.
     * @return the return value from the method invocation (the value of {@link org.apache.shiro.aop.MethodInvocation#proceed() MethodInvocation.proceed()}).
     * @throws org.apache.shiro.authz.AuthorizationException if the <code>MethodInvocation</code> is not allowed to proceed.
     * @throws Throwable if any other error occurs.
     */
    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        assertAuthorized(methodInvocation);
        return methodInvocation.proceed();
    }

    /**
     * Ensures the calling Subject is authorized to execute the specified <code>MethodInvocation</code>.
     * <p/>
     * As this is an AnnotationMethodInterceptor, this implementation merely delegates to the internal
     * {@link AuthorizingAnnotationHandler AuthorizingAnnotationHandler} by first acquiring the annotation by
     * calling {@link #getAnnotation(MethodInvocation) getAnnotation(methodInvocation)} and then calls
     * {@link AuthorizingAnnotationHandler#assertAuthorized(java.lang.annotation.Annotation) handler.assertAuthorized(annotation)}.
     *
     * @param mi the <code>MethodInvocation</code> to check to see if it is allowed to proceed/execute.
     * @throws AuthorizationException if the method invocation is not allowed to continue/execute.
     */
<span style="color:#FF0000;">    public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
        try {
            ((AuthorizingAnnotationHandler)getHandler()).assertAuthorized(getAnnotation(mi));
        }
        catch(AuthorizationException ae) {
            // Annotation handler doesn't know why it was called, so add the information here if possible.
            // Don't wrap the exception here since we don't want to mask the specific exception, such as
            // UnauthenticatedException etc.
            if (ae.getCause() == null) ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod()));
            throw ae;
        }
    }</span>
}

而红色部分就是我们第一次断点的地方,再进入assertAuthorized看看怎么认证的,他有5个实现,我们当然是进入PermissionAnnotationHandler,

    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) return;

        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        String[] perms = getAnnotationValue(a);
        Subject subject = getSubject();

        if (perms.length == 1) {
            subject.checkPermission(perms[0]);
            return;
        }
        if (Logical.AND.equals(rpAnnotation.logical())) {
            getSubject().checkPermissions(perms);
            return;
        }
        if (Logical.OR.equals(rpAnnotation.logical())) {
            // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
            boolean hasAtLeastOnePermission = false;
            for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission = true;
            // Cause the exception if none of the role match, note that the exception message will be a bit misleading
            if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);

        }
    }

OK,重点就是这里,他获得了方法上的注解,然后用注解value去判断是否有权限了,而我们想要组合该方法所属类上的注解,那我们肯定得改这个方法
,问题是看这个方法的签名,直接接收了一个注解,不给我们获取类注解的机会,那肯定又得重新写一个自己的类。于是有了如下:
MyPermissionAnnotationHandler

    public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
        RequiresPermissions methodAnnotation = mi.getMethod().getAnnotation(RequiresPermissions.class);
        String[] methodPerms = methodAnnotation.value();
        Subject subject = getSubject();
<span style="color:#FF0000;">        <strong>if (methodPerms.length == 1)</strong> {
            RequiresPermissions classAnnotation = mi.getThis().getClass().getAnnotation(RequiresPermissions.class);
            if(null != classAnnotation) {
                String[] classPerms = classAnnotation.value();
                subject.checkPermission(classPerms[0] + methodPerms[0]);
            } else {
                subject.checkPermission(methodPerms[0]);
            }
            return;
        }</span>
        if (Logical.AND.equals(methodAnnotation.logical())) {
            getSubject().checkPermissions(methodPerms);
            return;
        }
        if (Logical.OR.equals(methodAnnotation.logical())) {
            // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
            boolean hasAtLeastOnePermission = false;
            for (String permission : methodPerms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission = true;
            // Cause the exception if none of the role match, note that the exception message will be a bit misleading
            if (!hasAtLeastOnePermission) getSubject().checkPermission(methodPerms[0]);

        }
    }

红色部分即实现所属类注解value和方法注解value的拼接并验证,方法写完了,我们还得有地方调用,其实就是AuthorizingAnnotationMethodInterceptor的实现类去调用了assertAuthorized这个方法。
所以我们自己写一个并且继承他:
MyPermissionAnnotationMethodInterceptor

public class MyPermissionAnnotationMethodInterceptor  extends AuthorizingAnnotationMethodInterceptor {
    public MyPermissionAnnotationMethodInterceptor() {
        super(new PermissionAnnotationHandler());
    }

<span style="color:#FF0000;">    public MyPermissionAnnotationMethodInterceptor(AnnotationResolver resolver) {
        super(new MyPermissionAnnotationHandler(), resolver);
    }</span>

    @Override
    public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
        try {
<span style="color:#FF0000;">            AuthorizingAnnotationHandler handler = (AuthorizingAnnotationHandler) getHandler();
            if(handler instanceof MyPermissionAnnotationHandler) {
                ((MyPermissionAnnotationHandler) handler).assertAuthorized(mi);
            } else {
                handler.assertAuthorized(getAnnotation(mi));
            }</span>
        }
        catch(AuthorizationException ae) {
            // Annotation handler doesn't know why it was called, so add the information here if possible.
            // Don't wrap the exception here since we don't want to mask the specific exception, such as
            // UnauthenticatedException etc.
            if (ae.getCause() == null) ae.initCause(new AuthorizationException("Not authorized to invoke method: " + mi.getMethod()));
            throw ae;
        }
    }
}

红色部分的构造器,设置我们自己的Handler,下面的则是因为我们自己实现的Handler有一个在父类没有定义的函数,所以需要判断并强转才能执行我们需要的方法。
最后,在设置拦截器栈的地方(AopAllianceAnnotationsAuthorizingMethodInterceptor),我们肯定要写成自己的:
MyAop

public class MyAop extends AnnotationsAuthorizingMethodInterceptor implements MethodInterceptor {

    public MyAop() {
        List<AuthorizingAnnotationMethodInterceptor> interceptors =
                new ArrayList<AuthorizingAnnotationMethodInterceptor>(5);

        //use a Spring-specific Annotation resolver - Spring's AnnotationUtils is nicer than the
        //raw JDK resolution process.
        AnnotationResolver resolver = new SpringAnnotationResolver();
        //we can re-use the same resolver instance - it does not retain state:
        interceptors.add(new RoleAnnotationMethodInterceptor(resolver));
        <span style="color:#FF0000;">interceptors.add(new MyPermissionAnnotationMethodInterceptor(resolver));</span>
        interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));
        interceptors.add(new UserAnnotationMethodInterceptor(resolver));
        interceptors.add(new GuestAnnotationMethodInterceptor(resolver));

        setMethodInterceptors(interceptors);
    }

最后的最后,spring的配置文件中的定义要换成自己的入口

public class MyAuthorizationAttributeSourceAdvisor  extends StaticMethodMatcherPointcutAdvisor {

    private static final Logger log = LoggerFactory.getLogger(MyAuthorizationAttributeSourceAdvisor.class);

    private static final Class<? extends Annotation>[] AUTHZ_ANNOTATION_CLASSES =
            new Class[] {
                    RequiresPermissions.class, RequiresRoles.class,
                    RequiresUser.class, RequiresGuest.class, RequiresAuthentication.class
            };

    protected SecurityManager securityManager = null;

    /**
     * Create a new AuthorizationAttributeSourceAdvisor.
     */
<span style="color:#FF0000;">    public MyAuthorizationAttributeSourceAdvisor() {
        setAdvice(new MyAop());
    }</span>
<bean class="com.component.shiro.MyAuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

这样就大功搞成,直接把注解写在类上,多方便~~
回顾一下:
1.修改shiro入口,将原本spring提供的org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor换成自己的,修改其构造函数中new的对象,new成自己的aop实现
2.将spring提供的AopAllianceAnnotationsAuthorizingMethodInterceptor重写一个自己的,基本就是复制他的源码,然后修改权限验证拦截器栈的设置,想增加也可在这里增加,我现在只需要修改权限验证的拦截器。
3.实现自己的权限验证拦截器,因为我们需要类上的注解,所以要执行不同的方法。
4.实现自己的权限处理器,因为我们需要类上的注解,在这里我们需要接收到执行的方法,用该方法获取类上的注解,和该方法的注解,最后拼接出最终的权限修饰符去验证,到此就OK

shiro的流程还算简单,改起来也算容易,我这里是有一个小问题的,那就是拼接类注解是在方法注解的value只有一个的时候,如果有多个就不去拼类上的注解了,我想方法上的权限注解value也应该只有一个吧,毕竟直接针对某个权限,而不是角色了。

转载请注明原创地址

时间: 2024-12-15 08:57:18

shiro直接对类进行注解,类似于@Controller的形式的相关文章

Spring MVC中基于注解的 Controller

终于来到了基于注解的 Spring MVC 了.之前我们所讲到的 handler,需要根据 url 并通过 HandlerMapping 来映射出相应的 handler 并调用相应的方法以响应请求.实际上,ControllerClassNameHandlerMapping, MultiActionController 和选择恰当的 methodNameResolver(如 InternalPathMethodNameResolver) 就已经可以在很大程度上帮助我们省去不少的 XML 配置,谁让

SpringMVC 基于注解的Controller @RequestMapping @RequestParam

概述 继 Spring 2.0 对 Spring MVC 进行重大升级后,Spring 2.5 又为 Spring MVC 引入了注解驱动功能.如今你无须让 Controller 继承不论什么接口.无需在 XML 配置文件里定义请求和 Controller 的映射关系.只使用注解就能够让一个 POJO 具有 Controller 的绝大部分功能 -- Spring MVC 框架的易用性得到了进一步的增强.在框架灵活性.易用性和扩展性上.Spring MVC 已经全面超越了其他的 MVC 框架.伴

SpringMVC 基于注解的Controller详解

本文出处 http://blog.csdn.net/lufeng20/article/details/7598801 概述 继 Spring 2.0 对 Spring MVC 进行重大升级后,Spring 2.5 又为 Spring MVC 引入了注解驱动功能.现在你无须让 Controller 继承任何接口,无需在 XML 配置文件中定义请求和 Controller 的映射关系,仅仅使用注解就可以让一个 POJO 具有 Controller 的绝大部分功能 —— Spring MVC 框架的易

Spring MVC 中的基于注解的 Controller【转】

原文地址:http://my.oschina.net/abian/blog/128028 终于来到了基于注解的 Spring MVC 了.之前我们所讲到的 handler,需要根据 url 并通过 HandlerMapping 来映射出相应的 handler 并调用相应的方法以响应请求.实际上,ControllerClassNameHandlerMapping, MultiActionController 和选择恰当的 methodNameResolver(如 InternalPathMetho

Spring MVC 中的基于注解的 Controller(转载)

  终于来到了基于注解的 Spring MVC 了.之前我们所讲到的 handler,需要根据 url 并通过 HandlerMapping 来映射出相应的 handler 并调用相应的方法以响应请求.实际上,ControllerClassNameHandlerMapping, MultiActionController 和选择恰当的 methodNameResolver(如 InternalPathMethodNameResolver) 就已经可以在很大程度上帮助我们省去不少的 XML 配置,

01-hibernate注解:类级别注解准备工作

注解简介: 目的:为了简化繁琐的ORM映射文件(.hbm)的配置. JPA与hibernate的关系 JPA:全称 java Persistence API(java持久化API接口) JPA注解是JAVAEE的规范和标准 JPA和hibernate的关系: JPA是标准接口,hibernate是实现,但是其功能是JPA的超集. hibernate如何实现与JPA的关系: 通过hibernate-annotation,hibernate-entitymanager和hibernate-core三

[转]C#调用C++类(以COM组件的形式)

如果想用C#调用C/C++写的函数,可以先将C/C++的函数写成dll文件,由C#用DllImport的方式来调用,但是这种方法无法调用C++写的类,如果想调用C++类,可以先把C++类封装成COM组件,再由C#来调用.方法如下(以VS2008英文版为例说明) 一.新建一个Visual C++项目,类型为ATL Project,假设项目名为ComProject,直接点Finish即可. 二.在Solution Explorer的ComProject项目名上右击,选择Add->Class,选择AT

解决自定义Shiro.Realm扩展类不能用注解(@Resource或@Autowire)自动装配的问题

问题产生原因:加载Realm时其他Spring配置文件(xml)尚未加载,导致注入失败. 解决方法:编写一个设置类把注入工作提前完成. package com.xkt.shiro import org.apache.shiro.realm.Realm; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.springframework.beans.BeansException; import org.spri

安全框架 - Shiro与springMVC整合的注解以及JSP标签

Shiro想必大家都知道了,之前的文章我也有提过,是目前使用率要比spring security都要多的一个权限框架,本身spring自己都在用shiro,之前的文章有兴趣可以去扒一下 最近正好用到shiro,简单聊聊几个小tips吧 <!-- 对静态资源设置匿名访问,即可以未登录状态下访问 --> /images/** = anon /js/** = anon /styles/** = anon /css/** = anon /page/getOrders.action = perms[or