package realm;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
import org.apache.commons.lang3.builder.ToStringStyle;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import utils.StrUtils;
import com.jxzg.mvc.web.entitys.user.Role;
import com.jxzg.mvc.web.entitys.user.RoleRight;
import com.jxzg.mvc.web.entitys.user.User;
import com.jxzg.mvc.web.service.user.IUserManager;
public
class MyRealm extends AuthorizingRealm {
@Autowired
private IUserManager userManager;
/**
* 为当前登录的Subject授予角色和权限
* @see 经测试:本例中该方法的调用时机为用户登录后,被调用
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// 获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next()
String currentUsername = (String) super.getAvailablePrincipal(principals);
List<String> roleList = new ArrayList<String>();
List<String> permissionList = new ArrayList<String>();
// 从数据库中获取当前登录用户的详细信息
User user = userManager.getByUsername(currentUsername);
if (null != user) {
// 实体类User中包含有用户角色的实体类信息
if (null != user.getRole()) {
// 获取当前登录用户的角色
Role role = user.getRole();
roleList.add(role.getName());
//如果是超级管理员直接赋予所有权限
if(role.getName().equals("admin")){
permissionList.add("user");
permissionList.add("school");
}
else{
// 实体类Role中包含有角色权限的实体类信息
if (null != role.getRights() && role.getRights().size() > 0) {
// 获取权限
for (RoleRight pmss : role.getRights()) {
if(pmss.isFlag()){
if (!StrUtils.isNullOrEmpty(pmss.getRight())) {
permissionList.add(pmss.getRight().getName());
}
}
}
}
}
}
} else {
throw
new AuthorizationException();
}
// 为当前用户设置角色和权限
SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
simpleAuthorInfo.addRoles(roleList);
simpleAuthorInfo.addStringPermissions(permissionList);
return simpleAuthorInfo;
}
/**
* 验证当前登录的Subject
* @see 经测试:本例中该方法的调用时机为LoginController.login()方法中执行Subject.login()时
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
// 获取基于用户名和密码的令牌
// 实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
// 两个token的引用都是一样的
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
System.out.println("验证当前Subject时获取到token为"
+ ReflectionToStringBuilder.toString(token,
ToStringStyle.MULTI_LINE_STYLE));
User user = userManager.getByUsername(token.getUsername());
if (null != user) {
AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(
user.getUserName(), user.getPass(), user.getNickName());
this.setSession("currentUser", user);
return authcInfo;
} else {
return
null;
}
}
/**
* 将一些数据放到ShiroSession中,以便于其它地方使用
* @see 比如Controller,使用时直接用HttpSession.getAttribute(key
)就可以取到
*/
private
void setSession(Object key, Object value) {
Subject currentUser = SecurityUtils.getSubject();
if (null != currentUser) {
Session session = currentUser.getSession();
if (null != session) {
session.setAttribute(key, value);
}
}
}
}