Shiro Authorization


Define the authorization method in the doGetAuthorizationInfo method of MyRealm:

// Authorization (inside MyRealm, which extends AuthorizingRealm)
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    System.out.println("Authorization method executed");
    // username is the principal that doGetAuthenticationInfo returned at login
    String username = (String) principals.getPrimaryPrincipal();
    // Look up the user's roles
    Set<String> roles = roleService.getRoleUsername(username);
    // Look up the user's permissions
    Set<String> permissions = permissionService.getPermissionsByUsername(username);
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // Attach the roles and permission strings to the authorization info
    info.setRoles(roles);
    info.setStringPermissions(permissions);
    return info;
}

In the RBAC model, users are usually associated with roles and roles with permissions; a user is granted permissions indirectly through this chain rather than being assigned permissions directly.

In a typical system several users may need the same operating permissions. Assigning those permissions user by user means specifying them individually, and every change to the permissions has to be repeated for each of those users. Once the concept of a role is introduced, the relevant permissions only need to be assigned to the role: for every user holding that role, a permission change is made on the role alone, which is more efficient and reduces the risk of permission gaps.

The authorization method defined in MyRealm's doGetAuthorizationInfo can then be changed to obtain the user's roles first and derive the user's permissions from them:

// Custom authorization method
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    // The principal stored at login is the User object; read it from the
    // PrincipalCollection passed in rather than from SecurityUtils.getSubject()
    User currentUser = (User) principalCollection.getPrimaryPrincipal();
    String username = currentUser.getName();
    // Look up the user's roles
    Set<String> roles = roleService.getRoleUsername(username);
    // Look up the user's permissions
    Set<String> permissions = permissionService.getPermissionsByUsername(username);
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // Attach the roles and permission strings to the authorization info
    info.setRoles(roles);
    info.setStringPermissions(permissions);
    return info;
}

Custom queries for a user's roles and permissions by username

Getting the user's roles

  • RoleMapper
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import org.apache.ibatis.annotations.Mapper;
import java.util.Set;

@Mapper
public interface RoleMapper extends BaseMapper<Role> {
    // Role names of the given user (user -> user_role -> role)
    Set<String> RolesByUsername(String username);
}
  • xml
<select id="RolesByUsername" resultType="string">
    <!-- #{username} is bound as a prepared-statement parameter, not concatenated into the SQL -->
    select role_name
    from user natural join user_role natural join role
    where username = #{username}
</select>
  • RoleServiceImpl
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.Set;

@Service
public class RoleServiceImpl extends ServiceImpl<RoleMapper, Role> implements RoleService {

    @Autowired
    private RoleMapper roleMapper;

    @Override
    public Set<String> getRoleUsername(String username) {
        // Role names of the user
        return roleMapper.RolesByUsername(username);
    }
}

Getting the user's permissions

  • PermissionMapper
import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import org.apache.ibatis.annotations.Mapper;
import java.util.Set;

@Mapper
public interface PermissionMapper extends BaseMapper<Permission> {
    // Permission strings of the given user (user -> user_role -> role -> role_permission -> permission)
    Set<String> PermissionByUsername(String username);
}
  • xml
<select id="PermissionByUsername" resultType="string">
    <!-- #{username} is bound as a prepared-statement parameter, not concatenated into the SQL -->
    select perms
    from user natural join user_role natural join role_permission natural join permission
    where username = #{username} and father_id != 0
</select>
  • PermissionServiceImpl
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.Set;

@Service
public class PermissionServiceImpl extends ServiceImpl<PermissionMapper, Permission> implements PermissionService {

    @Autowired
    private PermissionMapper permissionMapper;

    @Override
    public Set<String> getPermissionsByUsername(String username) {
        // Permission strings of the user
        return permissionMapper.PermissionByUsername(username);
    }
}
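To see how Shiro consumes the roles and permissions the realm returns, here is an added, self-contained example (not code from the post): an AuthorizingRealm whose user-role and role-permission data are constructed in-memory maps standing in for the user_role and role_permission tables, wired into a DefaultSecurityManager. It assumes shiro-core on the classpath and Java 9+; the user names, passwords and permission strings are constructed sample values.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;

public class RbacRealmDemo {
    // Constructed sample data: user -> roles and role -> permissions (the RBAC chain from the post)
    static final Map<String, Set<String>> USER_ROLES = Map.of(
            "alice", Set.of("admin"), "bob", Set.of("editor"));
    static final Map<String, Set<String>> ROLE_PERMS = Map.of(
            "admin", Set.of("user:*"),                        // wildcard: every action on "user"
            "editor", Set.of("article:read", "article:edit"));

    static class InMemoryRbacRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            // Demo only: fixed credential; a real realm loads the stored (hashed) credential
            return new SimpleAuthenticationInfo(token.getPrincipal(), "secret", getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            // Principal stored at login is the username String
            String username = (String) principals.getPrimaryPrincipal();
            Set<String> roles = USER_ROLES.getOrDefault(username, Set.of());
            Set<String> perms = new HashSet<>();
            // Permissions are derived from the roles, never assigned to the user directly
            for (String role : roles) perms.addAll(ROLE_PERMS.getOrDefault(role, Set.of()));
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
            info.setStringPermissions(perms);
            return info;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRbacRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("bob", "secret"));
        System.out.println(subject.hasRole("editor"));            // true
        System.out.println(subject.isPermitted("article:edit"));  // true, via the editor role
        System.out.println(subject.isPermitted("user:delete"));   // false: no matching permission, denied by default
        subject.logout();
    }
}
```

Shiro calls doGetAuthorizationInfo lazily on the first hasRole/isPermitted check after login, so a role or permission change in the database is only seen on the next lookup (or after clearing the realm's authorization cache when one is configured).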