package org.linlinjava.litemall.admin.shiro;

import com.alibaba.druid.util.StringUtils;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;

import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import java.io.Serializable;

public class AdminWebSessionManager extends DefaultWebSessionManager {

    public static final String LOGIN_TOKEN_KEY = "X-Litemall-Admin-Token";

    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

    @Override

    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {

        String id = WebUtils.toHttp(request).getHeader(LOGIN_TOKEN_KEY);

        if (!StringUtils.isEmpty(id)) {

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);

            return id;

        } else {

            return super.getSessionId(request, response);

        }

    }

}
package org.linlinjava.litemall.admin.shiro;

import org.apache.shiro.authc.*;

import org.apache.shiro.authz.AuthorizationException;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.authz.SimpleAuthorizationInfo;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.subject.PrincipalCollection;

import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;

import org.linlinjava.litemall.db.domain.LitemallAdmin;

import org.linlinjava.litemall.db.service.LitemallAdminService;

import org.linlinjava.litemall.db.service.LitemallPermissionService;

import org.linlinjava.litemall.db.service.LitemallRoleService;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.util.Assert;

import org.springframework.util.StringUtils;

import java.util.List;

import java.util.Set;

public class AdminAuthorizingRealm extends AuthorizingRealm {

    @Autowired

    private LitemallAdminService adminService;

    @Autowired

    private LitemallRoleService roleService;

    @Autowired

    private LitemallPermissionService permissionService;

    @Override

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        if (principals == null) {

            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");

        }

        LitemallAdmin admin = (LitemallAdmin) getAvailablePrincipal(principals);

        Integer[] roleIds = admin.getRoleIds();

        Set<String> roles = roleService.queryByIds(roleIds);

        Set<String> permissions = permissionService.queryByRoleIds(roleIds);

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        info.setRoles(roles);

        info.setStringPermissions(permissions);

        return info;

    }

    @Override

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        String username = upToken.getUsername();

        String password = new String(upToken.getPassword());

        if (StringUtils.isEmpty(username)) {

            throw new AccountException("用户名不能为空");

        }

        if (StringUtils.isEmpty(password)) {

            throw new AccountException("密码不能为空");

        }

        List<LitemallAdmin> adminList = adminService.findAdmin(username);

        Assert.state(adminList.size() < 2, "同一个用户名存在两个账户");

        if (adminList.size() == 0) {

            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");

        }

        LitemallAdmin admin = adminList.get(0);

        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        if (!encoder.matches(password, admin.getPassword())) {

            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");

        }

        return new SimpleAuthenticationInfo(admin, password, getName());

    }

}
package org.linlinjava.litemall.admin.config;

import org.apache.shiro.mgt.SecurityManager;

import org.apache.shiro.realm.Realm;

import org.apache.shiro.session.mgt.SessionManager;

import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;

import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

import org.linlinjava.litemall.admin.shiro.AdminAuthorizingRealm;

import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager;

import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.context.annotation.DependsOn;

import java.util.LinkedHashMap;

import java.util.Map;

@Configuration

public class ShiroConfig {

    @Bean

    public Realm realm() {

        return new AdminAuthorizingRealm();

    }

    @Bean

    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

        shiroFilterFactoryBean.setSecurityManager(securityManager);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();

        filterChainDefinitionMap.put("/admin/auth/login", "anon");

        filterChainDefinitionMap.put("/admin/auth/401", "anon");

        filterChainDefinitionMap.put("/admin/auth/index", "anon");

        filterChainDefinitionMap.put("/admin/auth/403", "anon");

        filterChainDefinitionMap.put("/admin/index/index", "anon");

        filterChainDefinitionMap.put("/admin/**", "authc");

        shiroFilterFactoryBean.setLoginUrl("/admin/auth/401");

        shiroFilterFactoryBean.setSuccessUrl("/admin/auth/index");

        shiroFilterFactoryBean.setUnauthorizedUrl("/admin/auth/403");

        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return shiroFilterFactoryBean;

    }

    @Bean

    public SessionManager sessionManager() {

        return new AdminWebSessionManager();

    }

    @Bean

    public DefaultWebSecurityManager defaultWebSecurityManager() {

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

        securityManager.setRealm(realm());

        securityManager.setSessionManager(sessionManager());

        return securityManager;

    }

    @Bean

    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {

        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor =

                new AuthorizationAttributeSourceAdvisor();

        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);

        return authorizationAttributeSourceAdvisor;

    }

    @Bean

    @DependsOn("lifecycleBeanPostProcessor")

    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {

        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();

        creator.setProxyTargetClass(true);

        return creator;

    }

}
package org.linlinjava.litemall.admin.config;

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authz.AuthorizationException;

import org.linlinjava.litemall.core.util.ResponseUtil;

import org.springframework.core.Ordered;

import org.springframework.core.annotation.Order;

import org.springframework.web.bind.annotation.ControllerAdvice;

import org.springframework.web.bind.annotation.ExceptionHandler;

import org.springframework.web.bind.annotation.ResponseBody;

@ControllerAdvice

@Order(value = Ordered.HIGHEST_PRECEDENCE)

public class ShiroExceptionHandler {

    private final Log logger = LogFactory.getLog(ShiroExceptionHandler.class);

    @ExceptionHandler(AuthenticationException.class)

    @ResponseBody

    public Object unauthenticatedHandler(AuthenticationException e) {

        logger.warn(e.getMessage(), e);

        return ResponseUtil.unlogin();

    }

    @ExceptionHandler(AuthorizationException.class)

    @ResponseBody

    public Object unauthorizedHandler(AuthorizationException e) {

        logger.warn(e.getMessage(), e);

        return ResponseUtil.unauthz();

    }

}

AdminWebSessionManager AdminAuthorizingRealm ShiroConfig ShiroExceptionHandler的更多相关文章

  1. ShiroConfig配置文件无法通过@Value加载yml变量的解决办法

    /** * 配置Shiro生命周期处理器 * 使用springboot整合shiro时,@value注解无法读取application.yml中的配置 *解决方法:将LifecycleBeanPost ...

  2. 解决自定义Shiro.Realm扩展类不能用注解(@Resource或@Autowire)自动装配的问题

    问题产生原因:加载Realm时其他Spring配置文件(xml)尚未加载,导致注入失败. 解决方法:编写一个设置类把注入工作提前完成. package com.xkt.shiro import org ...

  3. Spring boot 基于Spring MVC的Web应用和REST服务开发

    Spring Boot利用JavaConfig配置模式以及"约定优于配置"理念,极大简化了基于Spring MVC的Web应用和REST服务开发. Servlet: package ...

  4. 【shiro】shiro学习笔记1 - 初识shiro

    [TOC] 认证流程 st=>start: Start e=>end: End op1=>operation: 构造SecurityManager环境 op2=>operati ...

  5. 跟开涛老师学shiro -- INI配置

    之前章节我们已经接触过一些INI配置规则了,如果大家使用过如spring之类的IoC/DI容器的话,Shiro提供的INI配置也是非常类似的,即可以理解为是一个IoC/DI容器,但是区别在于它从一个根 ...

  6. 将 Shiro 作为一个许可为基础的应用程序 五:password加密/解密Spring应用

    考虑系统password的安全,眼下大多数系统都不会把password以明文的形式存放到数据库中. 一把会採取下面几种方式对password进行处理 password的存储 "编码" ...

  7. springboot(十四):springboot整合shiro-登录认证和权限管理

    这篇文章我们来学习如何使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公司都会涉及到这方面的需求.在Java领域一般有Spring Security ...

  8. springboot+shiro

    作者:纯洁的微笑 出处:http://www.ityouknow.com/ 这篇文章我们来学习如何使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公 ...

  9. shiro权限控制的简单实现

    权限控制常用的有shiro.spring security,两者相比较,各有优缺点,此篇文章以shiro为例,实现系统的权限控制. 一.数据库的设计 简单的五张表,用户.角色.权限及关联表: CREA ...

随机推荐

  1. part7 vuex实现数据共享

    vuex 是数据框架(一个插件)(单项数据的改变流程,组件改数据必须先调Action用dispatch方法) 大型项目vue只能承担视图层的主要内容 大量数据传递的时候,往往需要一个数据框架辅助 例子 ...

  2. go 的参数传递

    再go语言中没有引用传递,所有都是按照值拷贝的方式传递的. 数组:实际就是堆栈上的一段连续内存,和c类似.(可以更加反编译代码推断 go tool compile -S main.go > ma ...

  3. JS-语句四

    For 循环: for 循环是创建循环时常会用到的工具. 下面是 for 循环的语法: ; 语句 ; 语句 ) { 被执行的代码 } 其中语句1是初始值:语句2是.条件判断:语句3是状态改变:被执行的 ...

  4. Python说文解字_Python之多任务_05

    问:在Py3.5之前yield表现非常好,在Py3.5之后为了将予以变得更加明确,就引入了async和await关键词用于定义原生的协议. 答:async和await原生协程: async def d ...

  5. 翻译——3_Gaussian Process Regression

    使用不同的机器学习方法进行预测 续上篇2_Linear Regression and Support Vector Regression 高斯过程回归 %matplotlib inline impor ...

  6. HALCON形状匹配讲解

    HALCON形状匹配讲解 https://blog.csdn.net/linnyn/article/details/50663328 https://blog.csdn.net/u014608071/ ...

  7. Linux-线程同步之互斥锁

    1.互斥锁又叫互斥量(mutex) 2.相关函数:pthread_mutex_init  pthread_mutex_destroy   pthread_mutex_lock pthread_mute ...

  8. [CF百场计划]#2 Codeforces Round #618 (Div. 2)

    A. Non-zero Description: Guy-Manuel and Thomas have an array \(a\) of \(n\) integers [\(a_1, a_2, \d ...

  9. zookeeper以及集群的搭建

    今天我来写一写zookeeper集群的搭建流程 1.zookeeper的搭建不难,难的是对他的理解以及良好的使用.单机版的zookeeper只需要解压后直接命令 启动即可 解压zookeeper,ta ...

  10. 04 Spring:01.Spring框架简介&&02.程序间耦合&&03.Spring的 IOC 和 DI&&08.面向切面编程 AOP&&10.Spring中事务控制

    spring共四天 第一天:spring框架的概述以及spring中基于XML的IOC配置 第二天:spring中基于注解的IOC和ioc的案例 第三天:spring中的aop和基于XML以及注解的A ...