apache shiro 实战
因为公司用到了shiro,所以自己抽空写了个小例子,方便下次查阅:1.这是项目大致构架图(至于类的实际内容会在后面有贴出):
2.数据结构说明:
User:用户,包含 userName,password
Role:角色,包含roleName
Permission:权限,包含premissionName
SecurityService 是数据访问接口,实现类内容如下:
package org.pan.service.impl;
import org.pan.bean.Permission;
import org.pan.bean.Role;
import org.pan.bean.User;
import org.pan.service.SecurityService;
import java.util.HashSet;
import java.util.Set;
/**
* Created by panmingzhi on 2014/6/25.
*/
public class SecurityServiceImpl implements SecurityService {
@Override
public Set findPermissionsByRoleName(String roleName) {
HashSet result = new HashSet();
if(roleName.equals("admin")){
result.add(new Permission("carpark:*"));
}
if(roleName.equals("manager")){
result.add(new Permission("carpark:view"));
}
return result;
}
@Override
public Set findRoleByUserName(String userName) {
if(userName.equals("pan")){
HashSet roles = new HashSet();
roles.add(new Role("admin"));
return roles;
}
if(userName.equals("fang")){
HashSet roles = new HashSet();
roles.add(new Role("manager"));
return roles;
}
return new HashSet();
}
@Override
public User findUserByUserName(String username) {
if(username.equals("pan")){
return new User("pan","1234");
}
if(username.equals("fang")){
return new User("fang","1234");
}
return null;
}
}
3. shiro最终权限控制实现MyRealm.class
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.pan.bean.Permission;
import org.pan.bean.Role;
import org.pan.bean.User;
import org.pan.service.SecurityService;
import org.pan.service.impl.SecurityServiceImpl;
import java.util.Iterator;
import java.util.Set;
/**
* Created by panmingzhi on 2014/6/24.
*/
public class MyRealm extends AuthorizingRealm {
private SecurityService securityService = new SecurityServiceImpl();
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo sai = new SimpleAuthorizationInfo();
String userName = (String)principalCollection.fromRealm(getName()).iterator().next();
//查找所拥有角色
Set roleSet = securityService.findRoleByUserName(userName);
Iterator iterator = roleSet.iterator();
while(iterator.hasNext()){
Role role = iterator.next();
sai.addRole(role.getRoleName());
//查找资源操作权限
Set permissionsByRoleName = securityService.findPermissionsByRoleName(role.getRoleName());
Iterator permissionIterator = permissionsByRoleName.iterator();
while(permissionIterator.hasNext()){
sai.addStringPermission(permissionIterator.next().getPremissionName());
}
}
return sai;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
User user = securityService.findUserByUserName(token.getUsername());
if (user != null) {
return new SimpleAuthenticationInfo(user.getUserName(), user.getPassword(), getName());
} else {
return null;
}
}
}
4.功能测试ShiroTest.class
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
/**
* Created by panmingzhi on 2014/6/25.
*/
public class ShiroTest {
@BeforeClass
public static void before(){
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(new MyRealm());
SecurityUtils.setSecurityManager(defaultSecurityManager);
}
@Test
public void loginTestSuccess(){
UsernamePasswordToken upt = new UsernamePasswordToken("pan","1234");
SecurityUtils.getSubject().login(upt);
}
@Test(expected = IncorrectCredentialsException.class)
public void loginTestFaile(){
UsernamePasswordToken upt = new UsernamePasswordToken("pan","12345");
SecurityUtils.getSubject().login(upt);
}
@Test
public void premissionTest(){
//管理员用户登陆
UsernamePasswordToken upt = new UsernamePasswordToken("pan","1234");
SecurityUtils.getSubject().login(upt);
//断断是否有管理员角色
boolean admin = SecurityUtils.getSubject().hasRole("admin");
Assert.assertEquals(true,admin);
//判断是否有普通管理员角色
boolean manager = SecurityUtils.getSubject().hasRole("manager");
Assert.assertEquals(false,manager);
//premission中写道:carpark.* 代表停车场中所有权限
//判断是否有停车场修改权限
boolean permitted = SecurityUtils.getSubject().isPermitted("carpark:edit");
Assert.assertEquals(true,permitted);
//判断是否有停车场查看权限
boolean permitted2 = SecurityUtils.getSubject().isPermitted("carpark:view");
Assert.assertEquals(true,permitted2);
}
@Test
public void premissionTest2(){
//管理员用户登陆
UsernamePasswordToken upt = new UsernamePasswordToken("fang","1234");
SecurityUtils.getSubject().login(upt);
//断断是否有管理员角色
boolean admin = SecurityUtils.getSubject().hasRole("admin");
Assert.assertEquals(false,admin);
//判断是否有普通管理员角色
boolean manager = SecurityUtils.getSubject().hasRole("manager");
Assert.assertEquals(true,manager);
//判断是否有停车场修改权限
boolean permitted = SecurityUtils.getSubject().isPermitted("carpark:edit");
Assert.assertEquals(false,permitted);
//判断是否有停车场查看权限
boolean permitted2 = SecurityUtils.getSubject().isPermitted("carpark:view");
Assert.assertEquals(true,permitted2);
}
}
在实际的项目中,判断角色与权限我一般喜欢用shiro自带的注解进行完成,这样可以使权限控制与业务代码分离。
项目源码:https://github.com/panmingzhi815/shiro.git
页:
[1]