javaEE shiro框架,許可權控制。通過註解的方式為方法配置訪問許可權
阿新 • • 發佈:2018-12-10
applicationContext.xml(Spring的核心配置檔案,開啟shiro框架的註解支援):
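<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:soap="http://cxf.apache.org/bindings/soap"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
           http://cxf.apache.org/bindings/soap http://cxf.apache.org/schemas/configuration/soap.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- (other bean definitions omitted in the original listing) -->

    <!-- Shiro filter factory. The bean id "shiroFilter" must be identical to the
         filter name configured in web.xml. -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- Security manager that performs authentication and authorization. -->
        <property name="securityManager" ref="securityManager"/>

        <!-- Pages used by the URL filters. unauthorizedUrl is the "insufficient
             permission" page for the URL rules below (for example perms[...]).
             Exceptions raised by the @RequiresPermissions annotations do not go
             through it; they are mapped to the same page in struts.xml. -->
        <property name="loginUrl" value="/login.jsp"/>
        <property name="successUrl" value="/index.jsp"/>
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <!-- URL interception rules.
             * Rules are matched in order and the first match wins, so the anon
               exceptions come first and the catch-all rule comes last.
             * anon and authc are filter aliases: anon allows anonymous access,
               authc requires an authenticated (logged-in) subject.
             * "**" matches any number of nested directories; a single "*" stays
               inside one path segment.
             * perms["staff-list"]: authentication happens first, then the custom
               permission name "staff-list" is checked.
             * The catch-all is written as /** rather than /*. With /* a request
               such as /a/b.action matches no rule at all and is served without
               any authentication check. -->
        <property name="filterChainDefinitions">
            <value>
                /css/** = anon
                /js/** = anon
                /images/** = anon
                /validatecode.jsp* = anon
                /login.jsp = anon
                /userAction_login.action = anon
                /page_base_staff.action = perms["staff-list"]
                /** = authc
            </value>
        </property>
    </bean>

    <!-- Security manager; the realm is injected into it. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="bosRealm"/>
    </bean>

    <!-- Application realm (supplies the authentication and authorization data). -->
    <bean id="bosRealm" class="com.xxx.bos.realm.BOSRealm"/>

    <!-- Enable Shiro annotation support. -->
    <bean id="defaultAdvisorAutoProxyCreator"
          class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
        <!-- CGLIB (subclass based) proxies are required for the Action objects: the
             proxy then has every method of the Action class. With "false", JDK
             dynamic proxies are used and the proxy only has the methods of the
             implemented interface (ModelDriven), which is not sufficient.
             The annotations are enforced only for calls that go through this
             proxy, so the Action must be obtained from the Spring container. -->
        <property name="proxyTargetClass" value="true"/>
    </bean>

    <!-- Advisor supplied by Shiro; it is what makes the auto proxy creator wrap
         beans that carry Shiro authorization annotations. -->
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>
</beans>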
StaffAction.java(Struts2的Action,通過註解為Action的方法配置所需許可權):
package com.xxx.bos.web.action;

import java.io.IOException;
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.apache.struts2.ServletActionContext;
import org.hibernate.criterion.DetachedCriteria;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;
import com.xxx.bos.domain.Staff;
import com.xxx.bos.service.IStaffService;
import com.xxx.bos.utils.PageBean;
import com.xxx.bos.web.action.base.BaseAction;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import net.sf.json.JsonConfig;

/**
 * Struts2 action for staff (courier) management.
 *
 * <p>Each action method declares the permission it needs with
 * {@link RequiresPermissions}. The check is performed by the proxy that Spring
 * creates around this bean, so it applies only to calls made through that proxy.
 *
 * <p>{@code ids}, {@code model} and {@code LIST} are not declared in this
 * listing; presumably they come from {@code BaseAction} or were left out of the
 * excerpt.
 */
@Controller
@Scope("prototype")
public class StaffAction extends BaseAction<Staff> {

    @Autowired
    private IStaffService staffService;

    /**
     * Deletes several staff records in one request.
     *
     * <p>The current user must hold the {@code staff-delete} permission.
     *
     * @return the {@code LIST} result name
     */
    @RequiresPermissions("staff-delete")
    public String deleteBatch() {
        staffService.deleteBatch(ids);
        return LIST;
    }

    /**
     * Updates an existing staff record with the values submitted by the page.
     *
     * <p>The current user must hold the {@code staff-edit} permission. The
     * programmatic equivalent of the annotation is
     * {@code SecurityUtils.getSubject().checkPermission("staff-edit")}.
     *
     * @return the {@code LIST} result name
     */
    @RequiresPermissions("staff-edit")
    public String edit() {
        // Load the stored record first, using the id that the page submitted.
        // NOTE(review): a null result from findById is not handled here; confirm
        // what the service returns for an unknown id.
        Staff persisted = staffService.findById(model.getId());

        // Copy only the editable fields from the submitted model onto the stored
        // record; every other property keeps its database value.
        persisted.setName(model.getName());
        persisted.setTelephone(model.getTelephone());
        persisted.setHaspda(model.getHaspda());
        persisted.setStandard(model.getStandard());
        persisted.setStation(model.getStation());

        staffService.update(persisted);
        return LIST;
    }
}
struts.xml(Struts2的核心配置檔案,配置全域性異常。使用者訪問未授權的方法時會拋異常):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Development mode is switched off. -->
    <constant name="struts.devMode" value="false" />

    <package name="basicstruts2" extends="struts-default">
        <!-- Global result: the "insufficient permission" page. -->
        <global-results>
            <result name="unauthorized">/unauthorized.jsp</result>
        </global-results>

        <!-- Global exception mapping. When a user calls a method whose required
             permission they do not hold, Shiro throws an exception; it is mapped
             here to the "unauthorized" result.
             NOTE(review): only UnauthorizedException is mapped. Shiro's
             UnauthenticatedException is a sibling class under
             org.apache.shiro.authz.AuthorizationException and is not covered by
             this entry; confirm that an annotated method cannot be reached
             without a login, or map the parent class instead. -->
        <global-exception-mappings>
            <exception-mapping result="unauthorized" exception="org.apache.shiro.authz.UnauthorizedException"></exception-mapping>
        </global-exception-mappings>

        <!-- (other action definitions omitted in the original listing) -->

        <!-- Staff management. The wildcard passes the URL suffix as the method name
             ({1}), so each action method reached this way depends on its own
             @RequiresPermissions annotation or on a URL rule; a method with
             neither is available to any logged-in user.
             class="staffAction" is presumably the Spring bean name, which is what
             lets Struts call the Shiro proxy; verify against the Spring setup. -->
        <action name="staffAction_*" class="staffAction" method="{1}">
            <result name="list">/WEB-INF/pages/base/staff.jsp</result>
        </action>
    </package>
</struts>