package org.linlinjava.litemall.admin.shiro;

import com.alibaba.druid.util.StringUtils;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;

import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

import org.apache.shiro.web.util.WebUtils;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import java.io.Serializable;

public class AdminWebSessionManager extends DefaultWebSessionManager {

    public static final String LOGIN_TOKEN_KEY = "X-Litemall-Admin-Token";

    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

    @Override

    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {

        String id = WebUtils.toHttp(request).getHeader(LOGIN_TOKEN_KEY);

        if (!StringUtils.isEmpty(id)) {

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);

            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);

            return id;

        } else {

            return super.getSessionId(request, response);

        }

    }

}
package org.linlinjava.litemall.admin.shiro;

import org.apache.shiro.authc.*;

import org.apache.shiro.authz.AuthorizationException;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.authz.SimpleAuthorizationInfo;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.subject.PrincipalCollection;

import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;

import org.linlinjava.litemall.db.domain.LitemallAdmin;

import org.linlinjava.litemall.db.service.LitemallAdminService;

import org.linlinjava.litemall.db.service.LitemallPermissionService;

import org.linlinjava.litemall.db.service.LitemallRoleService;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.util.Assert;

import org.springframework.util.StringUtils;

import java.util.List;

import java.util.Set;

public class AdminAuthorizingRealm extends AuthorizingRealm {

    @Autowired

    private LitemallAdminService adminService;

    @Autowired

    private LitemallRoleService roleService;

    @Autowired

    private LitemallPermissionService permissionService;

    @Override

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        if (principals == null) {

            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");

        }

        LitemallAdmin admin = (LitemallAdmin) getAvailablePrincipal(principals);

        Integer[] roleIds = admin.getRoleIds();

        Set<String> roles = roleService.queryByIds(roleIds);

        Set<String> permissions = permissionService.queryByRoleIds(roleIds);

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        info.setRoles(roles);

        info.setStringPermissions(permissions);

        return info;

    }

    @Override

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        String username = upToken.getUsername();

        String password = new String(upToken.getPassword());

        if (StringUtils.isEmpty(username)) {

            throw new AccountException("用户名不能为空");

        }

        if (StringUtils.isEmpty(password)) {

            throw new AccountException("密码不能为空");

        }

        List<LitemallAdmin> adminList = adminService.findAdmin(username);

        Assert.state(adminList.size() < 2, "同一个用户名存在两个账户");

        if (adminList.size() == 0) {

            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");

        }

        LitemallAdmin admin = adminList.get(0);

        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

        if (!encoder.matches(password, admin.getPassword())) {

            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");

        }

        return new SimpleAuthenticationInfo(admin, password, getName());

    }

}
package org.linlinjava.litemall.admin.config;

import org.apache.shiro.mgt.SecurityManager;

import org.apache.shiro.realm.Realm;

import org.apache.shiro.session.mgt.SessionManager;

import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;

import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

import org.linlinjava.litemall.admin.shiro.AdminAuthorizingRealm;

import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager;

import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.context.annotation.DependsOn;

import java.util.LinkedHashMap;

import java.util.Map;

@Configuration

public class ShiroConfig {

    @Bean

    public Realm realm() {

        return new AdminAuthorizingRealm();

    }

    @Bean

    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

        shiroFilterFactoryBean.setSecurityManager(securityManager);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();

        filterChainDefinitionMap.put("/admin/auth/login", "anon");

        filterChainDefinitionMap.put("/admin/auth/401", "anon");

        filterChainDefinitionMap.put("/admin/auth/index", "anon");

        filterChainDefinitionMap.put("/admin/auth/403", "anon");

        filterChainDefinitionMap.put("/admin/index/index", "anon");

        filterChainDefinitionMap.put("/admin/**", "authc");

        shiroFilterFactoryBean.setLoginUrl("/admin/auth/401");

        shiroFilterFactoryBean.setSuccessUrl("/admin/auth/index");

        shiroFilterFactoryBean.setUnauthorizedUrl("/admin/auth/403");

        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return shiroFilterFactoryBean;

    }

    @Bean

    public SessionManager sessionManager() {

        return new AdminWebSessionManager();

    }

    @Bean

    public DefaultWebSecurityManager defaultWebSecurityManager() {

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

        securityManager.setRealm(realm());

        securityManager.setSessionManager(sessionManager());

        return securityManager;

    }

    @Bean

    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {

        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor =

                new AuthorizationAttributeSourceAdvisor();

        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);

        return authorizationAttributeSourceAdvisor;

    }

    @Bean

    @DependsOn("lifecycleBeanPostProcessor")

    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {

        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();

        creator.setProxyTargetClass(true);

        return creator;

    }

}
package org.linlinjava.litemall.admin.config;

import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authz.AuthorizationException;

import org.linlinjava.litemall.core.util.ResponseUtil;

import org.springframework.core.Ordered;

import org.springframework.core.annotation.Order;

import org.springframework.web.bind.annotation.ControllerAdvice;

import org.springframework.web.bind.annotation.ExceptionHandler;

import org.springframework.web.bind.annotation.ResponseBody;

@ControllerAdvice

@Order(value = Ordered.HIGHEST_PRECEDENCE)

public class ShiroExceptionHandler {

    private final Log logger = LogFactory.getLog(ShiroExceptionHandler.class);

    @ExceptionHandler(AuthenticationException.class)

    @ResponseBody

    public Object unauthenticatedHandler(AuthenticationException e) {

        logger.warn(e.getMessage(), e);

        return ResponseUtil.unlogin();

    }

    @ExceptionHandler(AuthorizationException.class)

    @ResponseBody

    public Object unauthorizedHandler(AuthorizationException e) {

        logger.warn(e.getMessage(), e);

        return ResponseUtil.unauthz();

    }

}

AdminWebSessionManager AdminAuthorizingRealm ShiroConfig ShiroExceptionHandler的更多相关文章

  1. ShiroConfig配置文件无法通过@Value加载yml变量的解决办法

    /** * 配置Shiro生命周期处理器 * 使用springboot整合shiro时,@value注解无法读取application.yml中的配置 *解决方法:将LifecycleBeanPost ...

  2. 解决自定义Shiro.Realm扩展类不能用注解(@Resource或@Autowire)自动装配的问题

    问题产生原因:加载Realm时其他Spring配置文件(xml)尚未加载,导致注入失败. 解决方法:编写一个设置类把注入工作提前完成. package com.xkt.shiro import org ...

  3. Spring boot 基于Spring MVC的Web应用和REST服务开发

    Spring Boot利用JavaConfig配置模式以及"约定优于配置"理念,极大简化了基于Spring MVC的Web应用和REST服务开发. Servlet: package ...

  4. 【shiro】shiro学习笔记1 - 初识shiro

    [TOC] 认证流程 st=>start: Start e=>end: End op1=>operation: 构造SecurityManager环境 op2=>operati ...

  5. 跟开涛老师学shiro -- INI配置

    之前章节我们已经接触过一些INI配置规则了,如果大家使用过如spring之类的IoC/DI容器的话,Shiro提供的INI配置也是非常类似的,即可以理解为是一个IoC/DI容器,但是区别在于它从一个根 ...

  6. 将 Shiro 作为一个许可为基础的应用程序 五:password加密/解密Spring应用

    考虑系统password的安全,眼下大多数系统都不会把password以明文的形式存放到数据库中. 一把会採取下面几种方式对password进行处理 password的存储 "编码" ...

  7. springboot(十四):springboot整合shiro-登录认证和权限管理

    这篇文章我们来学习如何使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公司都会涉及到这方面的需求.在Java领域一般有Spring Security ...

  8. springboot+shiro

    作者:纯洁的微笑 出处:http://www.ityouknow.com/ 这篇文章我们来学习如何使用Spring Boot集成Apache Shiro.安全应该是互联网公司的一道生命线,几乎任何的公 ...

  9. shiro权限控制的简单实现

    权限控制常用的有shiro.spring security,两者相比较,各有优缺点,此篇文章以shiro为例,实现系统的权限控制. 一.数据库的设计 简单的五张表,用户.角色.权限及关联表: CREA ...

随机推荐

  1. VUE常见的语法

    模版渲染{{msg}} v-html="" v-text="" v-bind:id=""  类似 attr 三元判断 {{ok?'yes': ...

  2. Mybatis实现增删改查(二)

    1. 准备 请先完成Mybatis基本配置(一)的基本内容 2. 查询多条商品信息 1)在com.mybatis.dao.PartDao中增加接口函数 public List<PartInfo& ...

  3. Mysql时间范围分区(RANGE COLUMNS方式)

    1.创建测试表 CREATE TABLE `t_test` ( `id` ), `dates` DATETIME ); ALTER TABLE t_test ADD PRIMARY KEY (id); ...

  4. js filter()用法小结

    /* filter() 对数组中的每个元素都执行一次指定的函数(callback),并且创建一个新的数组, 该数组元素是所有回调函数执行时返回值为 true 的原数组元素.它只对数组中的 非空元素执行 ...

  5. js获取指定日期n天之后的日期

    function addDays(date, days,seperator='-') { let oDate = new Date(date).valueOf(); let nDate = oDate ...

  6. UIWindow statusBar消失

    1.新建UIWindow 程序崩溃 报无根控制器错误 Xcode7环境下,新建UIWindow需添加rootViewController 2.新建UIWindow后 statusBar消失 Info. ...

  7. Physicoochemical|CG content|

    NCBI存在的问题: 数据用户的增长 软件开发受限 数据分析缺乏 有些传统束缚,仅用底层语言书写 Pangenome Open gene是随菌株数量增大而增大的gene,Closed gene是随菌株 ...

  8. 运行roscore出现unable to contact my own server无法启动小海龟的部分故障问题解决

    运行roscore后,出现下图这种情况(unable to contact my own server) 原因是找不到http://后面那些,ping不到域名或IP. 参考http://www.ros ...

  9. String,StringBuffer与StringBuilder的区别与选择

    三者的区别 String:不可变类,一旦一个对象被建立的时候,包含在这个对象中的字符串序列是不可变的,直到这个对象被销毁.StringBuffer:可变字符序列的字符串.当其对象被创建的时候,可以用a ...

  10. Dart异步编程-future

    Dart异步编程包含两部分:Future和Stream 该篇文章中介绍Future 异步编程:Futures Dart是一个单线程编程语言.如果任何代码阻塞线程执行都会导致程序卡死.异步编程防止出现阻 ...