参考此教程前请先阅读 2.springboot+shiro+redis(单机redis版)整合教程,此教程是在其基础上进行修改添加动态角色权限的。
本教程整合环境: java8 maven redis(单机)
开发工具: idea
版本: springboot 1.5.15.RELEASE
注:
1.本教程数据操作是模拟数据库操作,并没有真正进行持久化,自行修改即可。
项目结构,在 springboot+shiro+redis(单机redis版)整合教程 基础上进行的添加和修改结构如下:
首先添加角色权限实体类RolesPermissions.java
package webapp.model;
import lombok.Data;
import java.io.Serializable;
@Data
public class RolesPermissions implements Serializable {
private static final long serialVersionUID = 1L;
/**
* @备注:
* @字段:id BIGINT(19)
*/
private Long id;
/**
* @备注:创建时间
* @字段:create_time DATETIME(19)
*/
private java.util.Date createTime;
/**
* @备注:更新时间
* @字段:update_time DATETIME(19)
*/
private java.util.Date updateTime;
/**
* @备注:角色id
* @字段:roles_id BIGINT(19)
*/
private Long rolesId;
/**
* @备注:权限id
* @字段:permissions_id BIGINT(19)
*/
private Long permissionsId;
/**
* @备注:角色名称
* @字段:roles_name VARCHAR(100)
*/
private String rolesName;
/**
* @备注:api接口
* @字段:url VARCHAR(512)
*/
private String url;
}
添加service层 RolesPermissionsService.java和 RolesPermissionsServiceImpl.java
RolesPermissionsService.java:
package webapp.service;
import webapp.model.RolesPermissions;
import java.util.List;
public interface RolesPermissionsService {
List<RolesPermissions> selectList();
List<RolesPermissions> selectByAuserName(String auserName);
}
RolesPermissionsServiceImpl.java:
package webapp.service.impl;
import org.springframework.stereotype.Service;
import webapp.model.RolesPermissions;
import webapp.service.RolesPermissionsService;
import java.util.LinkedList;
import java.util.List;
@Service
public class RolesPermissionsServiceImpl implements RolesPermissionsService {
@Override
public List<RolesPermissions> selectList() {
List<RolesPermissions> rolesPermissionsList = new LinkedList<>();
RolesPermissions rolesPermissions = new RolesPermissions();
rolesPermissions.setId(1L);
rolesPermissions.setPermissionsId(1L);
rolesPermissions.setRolesId(1L);
rolesPermissions.setRolesName("超级管理员");
rolesPermissions.setUrl("/index.html");
rolesPermissionsList.add(rolesPermissions);
RolesPermissions rolesPermissions2 = new RolesPermissions();
rolesPermissions2.setId(2L);
rolesPermissions2.setPermissionsId(1L);
rolesPermissions2.setRolesId(2L);
rolesPermissions2.setRolesName("管理员");
rolesPermissions2.setUrl("/test.html");
rolesPermissionsList.add(rolesPermissions2);
RolesPermissions rolesPermissions3 = new RolesPermissions();
rolesPermissions3.setId(3L);
rolesPermissions3.setPermissionsId(1L);
rolesPermissions3.setRolesId(2L);
rolesPermissions3.setRolesName("超级管理员");
rolesPermissions3.setUrl("/test.html");
rolesPermissionsList.add(rolesPermissions3);
RolesPermissions rolesPermissions4 = new RolesPermissions();
rolesPermissions4.setId(4L);
rolesPermissions4.setPermissionsId(3L);
rolesPermissions4.setRolesId(1L);
rolesPermissions4.setRolesName("超级管理员");
rolesPermissions4.setUrl("/core/user/findUser");
rolesPermissionsList.add(rolesPermissions4);
return rolesPermissionsList;
}
@Override
public List<RolesPermissions> selectByAuserName(String auserName) {
List<RolesPermissions> rolesPermissionsList = new LinkedList<>();
RolesPermissions rolesPermissions = new RolesPermissions();
rolesPermissions.setId(1L);
rolesPermissions.setPermissionsId(1L);
rolesPermissions.setRolesId(1L);
rolesPermissions.setRolesName("运营管理员");
rolesPermissions.setUrl("/index.html");
rolesPermissionsList.add(rolesPermissions);
return rolesPermissionsList;
}
}
修改登录相关接口 UserController.java:
package webapp.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.web.bind.annotation.*;
import webapp.service.UserService;
import javax.annotation.Resource;
import java.io.Serializable;
/**
* Created by Administrator on 2018/9/5.
*/
@RestController
@RequestMapping("/core/user")
public class UserController {
@Autowired
private UserService userService;
/**
* 登录
* @param
* @return
*/
@GetMapping("/login")
public String login(String userName, String password) {
System.out.println("登录" + userName);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken("admin-pc==" + userName, password);
subject.login(token);
Session session = subject.getSession();
Serializable sessionId = session.getId();
System.out.println("登录成功 -> " + sessionId);
return userName + "[" + sessionId + "]";
}
@GetMapping("/logout")
public String logout() {
SecurityUtils.getSubject().logout();
return "退出登录成功";
}
/**
* 获取当前登录用户
* @return
*/
@GetMapping("/findUser")
public String findUser() {
Subject subject = SecurityUtils.getSubject();
PrincipalCollection collection = subject.getPrincipals();
if (null != collection && !collection.isEmpty()) {
String userName = (String) collection.iterator().next();
System.out.println("获取当前登录用户" + userName);
return userService.findOneByUserName(userName).toString();
}
return "{\n" +
" \"codeEnum\": \"OVERTIME\",\n" +
" \"code\": 0,\n" +
" \"data\": null,\n" +
" \"msg\": \"未登陆/登陆超时\",\n" +
" \"success\": false\n" +
"}";
}
}
修改授权相关 UserShiroRealm.java:
package webapp.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.springframework.beans.factory.annotation.Autowired;
import webapp.model.RolesPermissions;
import webapp.model.User;
import webapp.service.RolesPermissionsService;
import webapp.service.UserService;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
/**
* Created by Administrator on 2018/9/5.
*/
public class UserShiroRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Autowired
private SessionDAO sessionDAO;
@Autowired
private RolesPermissionsService rolesPermissionsService;
/**
* 角色权限和对应权限添加
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String userName = (String) principalCollection.getPrimaryPrincipal();
if (userName == null || "".equals(userName)) {
return null;
}else{
userName = userName.split("==")[1];
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
try{
List<RolesPermissions> rolesPermissions = rolesPermissionsService.selectByAuserName(userName);
//当前用户具有的权限
List<String> roles = rolesPermissions.stream().map(RolesPermissions::getRolesName).collect(Collectors.toList());
authorizationInfo.addRoles(roles);
}catch(Exception e){
e.printStackTrace();
}
return authorizationInfo;
}
}
/**
* 用户认证
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//加这一步的目的是在Post请求的时候会先进认证,然后在到请求
if (authenticationToken.getPrincipal() == null) {
return null;
}
String userName = authenticationToken.getPrincipal().toString();
//只允许同一账户单个登录
Subject subject = SecurityUtils.getSubject();
Session nowSession = subject.getSession();
Collection<Session> sessions = sessionDAO.getActiveSessions();
if(sessions != null && sessions.size() > 0) {
for (Session session : sessions) {
if (!nowSession.getId().equals(session.getId()) && (session.getTimeout() == 0
|| userName.equals(String.valueOf(session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY))))) {
sessionDAO.delete(session);
}
}
}
User user = userService.findOneByUserName(userName.contains("admin-pc==") ? userName.split("==")[1] : userName);
if (user == null) {
return null;
} else {
//这里验证authenticationToken和simpleAuthenticationInfo的信息
return new SimpleAuthenticationInfo(userName, user.getPassword(), getName());
}
}
}
自定义角色权限校验器roleOrFilter(注:默认的roles为and关系,由于实际项目需要更多为或者关系,故自定义此类) CustomRolesAuthorizationFilter.java:
package webapp.shiro;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import webapp.model.RolesPermissions;
import webapp.redis.RedisCache;
import webapp.service.RolesPermissionsService;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
public class CustomRolesAuthorizationFilter extends AuthorizationFilter {
//项目名-用于多项目共用redis缓存时区分项目
private static final String PROJECTNAME = "shiro5";
private RolesPermissionsService rolesPermissionsService;
private RedisCache redisCache;
public CustomRolesAuthorizationFilter(RolesPermissionsService rolesPermissionsService, RedisCache redisCache) {
this.rolesPermissionsService = rolesPermissionsService;
this.redisCache = redisCache;
}
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
Subject subject = getSubject(request, response);
PrincipalCollection principals = subject.getPrincipals();
//未登录情况
if (null == principals) {
return false;
}
String userName = principals.toString();
String userName0 = userName.split("==")[0];
String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) {
return true;
}
//当前请求URI所需要的角色
List<String> rolesList = Arrays.asList(rolesArray);
String userName1 = "";
//redis缓存中当前登录用户的角色(注:更改用户角色时需要更新此缓存)
Object cache = redisCache.getCache(PROJECTNAME + "==isAccessAllowed==" + userName);
if ("admin-pc".equals(userName0)) {
if (null != cache) {
Set<String> cache1 = (Set<String>) cache;
boolean disjoint = Collections.disjoint(cache1, rolesList);
return !disjoint;
}
userName1 = userName.split("==")[1];
}
List<RolesPermissions> rolesPermissions;
if ("admin-pc".equals(userName0)) {
rolesPermissions = rolesPermissionsService.selectByAuserName(userName1);
} else {
return true;
}
//当前用户具有的权限
Set<String> roles = rolesPermissions.stream().map(RolesPermissions::getRolesName).collect(Collectors.toSet());
//往redis缓存中存储当前登录用户的角色(注:更改用户角色时需要更新此缓存)
redisCache.putCacheWithExpireTime(PROJECTNAME + "==isAccessAllowed==" + userName, roles, 86400); //24小时过期
boolean disjoint = Collections.disjoint(roles, rolesList);
return !disjoint;
}
}
使用自定义的角色权限校验器roleOrFilter,ShiroPermissionFactory.java:
package webapp.shiro;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import org.springframework.util.CollectionUtils;
import webapp.model.RolesPermissions;
import webapp.service.RolesPermissionsService;
import java.util.*;
public class ShiroPermissionFactory extends ShiroFilterFactoryBean {
/**记录配置中的过滤链*/
public static String definition = "";
private RolesPermissionsService rolesPermissionsService;
public ShiroPermissionFactory(RolesPermissionsService rolesPermissionsService){
this.rolesPermissionsService = rolesPermissionsService;
}
/**
* 初始化设置过滤链
*/
@Override
public void setFilterChainDefinitions(String definitions) {
definition = definitions;//记录配置的静态过滤链
List<RolesPermissions> rolesPermissions = rolesPermissionsService.selectList();
Set<String> urls = new LinkedHashSet<>();
for (RolesPermissions rolesPermission : rolesPermissions) {
urls.add(rolesPermission.getUrl());
}
Map<String,String> otherChains = new HashMap<>();
for (String url : urls) {
StringBuilder roleOrFilters = new StringBuilder();
int j = 0;
for (int i = 0; i < rolesPermissions.size(); i++) {
if (Objects.equals(url, rolesPermissions.get(i).getUrl())) {
if (j == 0) {
j = 1;
roleOrFilters.append(rolesPermissions.get(i).getRolesName());
} else {
roleOrFilters.append(",").append(rolesPermissions.get(i).getRolesName());
}
}
}
String rolesStr = roleOrFilters.toString();
if (!"".equals(rolesStr)) {
otherChains.put(url, "roleOrFilter[" + rolesStr + "]");
}
}
//加载配置默认的过滤链
Ini ini = new Ini();
ini.load(definitions);
Ini.Section section = ini.getSection(IniFilterChainResolverFactory.URLS);
if (CollectionUtils.isEmpty(section)) {
section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
}
//加上数据库中过滤链
section.putAll(otherChains);
setFilterChainDefinitionMap(section);
}
}
shiro配置类ShiroConfig.java修改如下:
package webapp.conf;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import webapp.redis.RedisCache;
import webapp.redis.RedisSessionDAO;
import webapp.service.impl.RolesPermissionsServiceImpl;
import webapp.shiro.CustomRolesAuthorizationFilter;
import webapp.shiro.ShiroPermissionFactory;
import webapp.shiro.UserShiroRealm;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.Map;
/**
* shiro配置类
* Created by Administrator on 2018/9/5.
*/
@Configuration
public class ShiroConfig {
//将自己的验证方式加入容器
@Bean
public UserShiroRealm userShiroRealm() {
return new UserShiroRealm();
}
@Bean
public SimpleCookie getSimpleCookie() {
SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setName("SHRIOSESSIONID");
return simpleCookie;
}
//保证实现了Shiro内部lifecycle函数的bean执行
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
//配置shiro session 的一个管理器
@Bean(name = "sessionManager")
public DefaultWebSessionManager getDefaultWebSessionManager(RedisSessionDAO redisSessionDAO) {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionDAO(redisSessionDAO);
sessionManager.setGlobalSessionTimeout(-1000); //session有效期 默认值1800000 30分钟 1800000毫秒 -1000表示永久
SimpleCookie simpleCookie = getSimpleCookie();
simpleCookie.setHttpOnly(true); //设置js不可读取此Cookie
simpleCookie.setMaxAge(3 * 365 * 24 * 60 * 60); //3年 cookie有前期
sessionManager.setSessionIdCookie(simpleCookie);
return sessionManager;
}
//配置核心安全事务管理器
@Bean(name="securityManager")
public SecurityManager securityManager(@Qualifier("userShiroRealm") UserShiroRealm userShiroRealm,
@Qualifier("sessionManager") DefaultWebSessionManager sessionManager) {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(userShiroRealm);
manager.setSessionManager(sessionManager);
return manager;
}
//权限管理,配置主要是Realm的管理认证
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(userShiroRealm());
return securityManager;
}
//Filter工厂,设置对应的过滤条件和跳转条件
@Bean
public ShiroPermissionFactory shiroPermissionFactory(RedisCache redisCache) {
ShiroPermissionFactory shiroFilter = new ShiroPermissionFactory(new RolesPermissionsServiceImpl());
shiroFilter.setSecurityManager(securityManager());
//登录认证不通过跳转
shiroFilter.setLoginUrl("/loginUnAuth");
//权限认证不通过跳转
shiroFilter.setUnauthorizedUrl("/authorUnAuth");
Map<String, Filter> filters = new HashMap<>();
filters.put("roleOrFilter", new CustomRolesAuthorizationFilter(new RolesPermissionsServiceImpl(), redisCache));
shiroFilter.setFilters(filters);
shiroFilter.setFilterChainDefinitions("/###/@@@/** = authc");
return shiroFilter;
}
//加入注解的使用,不加入这个注解不生效
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager());
return authorizationAttributeSourceAdvisor;
}
}
角色权限刷新器FilterChainDefinitions.java:
package webapp.shiro;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.CollectionUtils;
import java.util.Map;
/**
* 当修改用户角色权限时候需要调用reloadFilterChains()来刷新角色权限
*/
@Component
public class FilterChainDefinitions {
@Autowired
private ShiroPermissionFactory permissFactory;
public void reloadFilterChains() {
synchronized (permissFactory) { //强制同步,控制线程安全
AbstractShiroFilter shiroFilter = null;
try {
shiroFilter = (AbstractShiroFilter) permissFactory.getObject();
PathMatchingFilterChainResolver resolver = (PathMatchingFilterChainResolver) shiroFilter
.getFilterChainResolver();
// 过滤管理器
DefaultFilterChainManager manager = (DefaultFilterChainManager) resolver.getFilterChainManager();
// 清除权限配置
manager.getFilterChains().clear();
permissFactory.getFilterChainDefinitionMap().clear();
// 重新设置权限
permissFactory.setFilterChainDefinitions(ShiroPermissionFactory.definition);//传入配置中的filterchains
Map<String, String> chains = permissFactory.getFilterChainDefinitionMap();
//重新生成过滤链
if (!CollectionUtils.isEmpty(chains)) {
chains.forEach((url, definitionChains) -> {
manager.createChain(url, definitionChains.trim().replace(" ", ""));
});
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
角色权限刷新器FilterChainDefinitions.java的使用示例TestController.java:
package webapp.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import webapp.shiro.FilterChainDefinitions;
@RestController
@RequestMapping("/core/test")
public class TestController {
@Autowired
private FilterChainDefinitions filterChainDefinitions;
@GetMapping("/test")
public void test() {
//设置用户权限
//...
//刷新权限
filterChainDefinitions.reloadFilterChains();
}
}
然后启动项目,RolesPermissionsServiceImpl.java类中的获取数据库(模拟)中所有角色权限和获取用户角色权限可自行修改测试。实际应用于项目也只需要修改这个类为查询实际数据库数据即可。