Description
Every request to the backend server must be authenticated and authorized.
Authentication: is the current user logged in, and is the user a legitimate account in the system?
Authorization: does the current user hold the permission required to call the requested endpoint?
For a user logging in to the system, authentication comes first, then authorization.
Verify the user's identity against the submitted username and password.
Look up the Roles and Permissions the user holds and assign them to the current user.
```java
// Realm class name is illustrative; userDao and convertToDto are the project's own members (not shown in the issue).
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;

public class UserRealm extends AuthorizingRealm {

    private UserDao userDao; // injected by the application

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // Fetch the current user (stored in the session at login, see doGetAuthenticationInfo)
        UserDto user = (UserDto) SecurityUtils.getSubject().getSession().getAttribute("user");
        // Put the principals in the session: key = userId, value = principals
        SecurityUtils.getSubject().getSession()
                .setAttribute(String.valueOf(user.getId()), SecurityUtils.getSubject().getPrincipals());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Grant roles
        for (RoleDto role : user.getRoles()) {
            info.addRole(role.getName());
        }
        // Grant permissions
        for (PermissionDto permission : user.getPermissions()) {
            info.addStringPermission(permission.getName());
        }
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String userName = token.getUsername();
        User user = userDao.findUserByUsername(userName);
        if (user == null) {
            throw new UnknownAccountException();
        }
        // Convert only after the null check; converting a missing user would fail before the check ran
        UserDto userDto = convertToDto(user);
        // Login succeeded: keep the user in the session for the authorization lookup above
        Session session = SecurityUtils.getSubject().getSession();
        session.setAttribute("user", userDto);
        return new SimpleAuthenticationInfo(
                userName,           // principal
                user.getPassword(), // stored credential, compared by the realm's CredentialsMatcher
                getName()           // realm name
        );
    }
}
```
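The realm above hands Shiro the stored password as-is, so the default matcher compares the submitted password to the stored value directly. The following is an added example (not code from the issue or its project) of the same realm shape with a salted, iterated hash checked by Shiro's HashedCredentialsMatcher, so the database never holds a comparable plaintext. The in-memory userStore, the StoredUser holder, the register method and the ITERATIONS value are constructed stand-ins for the project's UserDao and User entity; the authorization lookup is keyed on the principal rather than on a session attribute.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class HashedPasswordRealm extends AuthorizingRealm {

    // Hypothetical tuning value; raise it until verification cost fits the login budget.
    private static final int ITERATIONS = 100_000;

    // Constructed stand-in for the project's User entity: hash and salt instead of a password column.
    static final class StoredUser {
        final String passwordHash, salt;
        final Set<String> roles, permissions;
        StoredUser(String passwordHash, String salt, Set<String> roles, Set<String> permissions) {
            this.passwordHash = passwordHash; this.salt = salt;
            this.roles = roles; this.permissions = permissions;
        }
    }

    // Constructed in-memory store standing in for userDao.
    private final Map<String, StoredUser> userStore = new HashMap<>();

    public HashedPasswordRealm() {
        // The matcher re-hashes the submitted password with the salt returned from doGetAuthenticationInfo.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    // What a registration or password-change path does: per-user random salt, iterated hash, then store.
    public void register(String username, String password, Set<String> roles, Set<String> permissions) {
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new Sha256Hash(password, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        userStore.put(username, new StoredUser(hash, salt, roles, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        StoredUser user = userStore.get(username);
        if (user == null) {
            throw new UnknownAccountException();
        }
        // Hand back hash + salt; Shiro's matcher does the comparison, the realm never sees the plaintext.
        return new SimpleAuthenticationInfo(username, user.passwordHash,
                ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Look the user up by principal rather than trusting a mutable session attribute.
        StoredUser user = userStore.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user != null) {
            info.setRoles(user.roles);
            info.setStringPermissions(user.permissions);
        }
        return info;
    }
}
```

Because the salt is passed as the ByteSource of the same hex string in both register and doGetAuthenticationInfo, the matcher's recomputed hash lines up with the stored one; changing the encoding in one place but not the other makes every login fail, which is the first thing to check when introducing a hashed matcher into an existing realm.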
The server must configure a Filter chain for authentication and authorization, restricting user access, redirects and so on.
Where to redirect on authentication failure and on authorization failure.
Which endpoints require which permissions and roles to be accessed.
```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.springframework.context.annotation.Bean;

@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
    shiroFilterFactoryBean.setSecurityManager(securityManager());

    // Custom filter instances; the logout filter must be registered, otherwise its redirect URL is never used
    Map<String, Filter> filters = new LinkedHashMap<String, Filter>();
    LogoutFilter logoutFilter = new LogoutFilter();
    logoutFilter.setRedirectUrl("/login");
    filters.put("logout", logoutFilter);
    shiroFilterFactoryBean.setFilters(filters);

    // Unauthenticated requests to an authc-protected path are redirected here
    shiroFilterFactoryBean.setLoginUrl("/notAuthc");

    // Path -> filter chain; entries are matched in insertion order and the first match wins
    Map<String, String> filterChainDefinitionManager = new LinkedHashMap<String, String>();
    filterChainDefinitionManager.put("/logout", "logout");
    filterChainDefinitionManager.put("/userInfo", "authc");
    filterChainDefinitionManager.put("/jobs/**", "perms[WORDCOUNT:CREATE]");
    filterChainDefinitionManager.put("/admin/**", "roles[Admin]");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager);

    shiroFilterFactoryBean.setSuccessUrl("/");
    // Authenticated users lacking the required role or permission are redirected here
    shiroFilterFactoryBean.setUnauthorizedUrl("/notAuthz");
    return shiroFilterFactoryBean;
}
```
The complete flow of a user accessing a backend endpoint
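The following added example (not code from the issue or its project) walks through that flow end to end with Shiro core alone: it builds an in-memory realm from a constructed Ini text in place of the UserDao-backed realm, logs subjects in, and evaluates the same chain definitions as the shiroFilter bean above (logout, authc, perms[...], roles[...]) the way Shiro's path-matching filter resolver would, first matching pattern wins. The accounts alice and bob, their passwords and roles, and the path /reports are constructed for the demonstration. It also shows the caveat that a path absent from the chain map passes through with no filter at all, which is why a trailing /** entry is usually added.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.AntPathMatcher;

import java.util.LinkedHashMap;
import java.util.Map;

public class AccessFlowDemo {

    // Constructed accounts standing in for the database-backed realm in the issue.
    static DefaultSecurityManager securityManager() {
        Ini ini = new Ini();
        ini.load("[users]\n"
               + "alice = alice-pw, Admin\n"
               + "bob = bob-pw, Analyst\n"
               + "[roles]\n"
               + "Admin = *\n"
               + "Analyst = WORDCOUNT:READ\n");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Same chain definitions and insertion order as the shiroFilter bean.
    static Map<String, String> chainDefinitions(boolean withCatchAll) {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/logout", "logout");
        chain.put("/userInfo", "authc");
        chain.put("/jobs/**", "perms[WORDCOUNT:CREATE]");
        chain.put("/admin/**", "roles[Admin]");
        if (withCatchAll) {
            chain.put("/**", "authc"); // must be last: the first matching pattern wins
        }
        return chain;
    }

    // Decides what the logout/authc/perms/roles filters would decide for a request path.
    static boolean allowed(Subject subject, Map<String, String> chain, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> rule : chain.entrySet()) {
            if (!matcher.matches(rule.getKey(), path)) {
                continue;
            }
            String filter = rule.getValue();
            if (filter.equals("logout")) {
                subject.logout();
                return true;
            }
            if (filter.equals("authc")) {
                return subject.isAuthenticated();
            }
            if (filter.startsWith("perms[")) {
                return subject.isPermitted(filter.substring(6, filter.length() - 1));
            }
            if (filter.startsWith("roles[")) {
                return subject.hasRole(filter.substring(6, filter.length() - 1));
            }
            throw new IllegalArgumentException("unknown filter: " + filter);
        }
        // No pattern matched: Shiro attaches no filter, so the request goes straight to the handler.
        return true;
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = securityManager();
        Map<String, String> chain = chainDefinitions(false);

        Subject bob = new Subject.Builder(sm).buildSubject();
        bob.login(new UsernamePasswordToken("bob", "bob-pw"));
        System.out.println("bob /userInfo  -> " + allowed(bob, chain, "/userInfo"));  // authenticated
        System.out.println("bob /jobs/run  -> " + allowed(bob, chain, "/jobs/run"));  // bob holds only WORDCOUNT:READ
        System.out.println("bob /admin/x   -> " + allowed(bob, chain, "/admin/x"));   // bob is not Admin

        Subject alice = new Subject.Builder(sm).buildSubject();
        alice.login(new UsernamePasswordToken("alice", "alice-pw"));
        System.out.println("alice /jobs/run -> " + allowed(alice, chain, "/jobs/run")); // Admin = * implies everything

        Subject anon = new Subject.Builder(sm).buildSubject();
        System.out.println("anon /reports            -> " + allowed(anon, chain, "/reports"));
        System.out.println("anon /reports (catch-all) -> " + allowed(anon, chainDefinitions(true), "/reports"));

        try {
            new Subject.Builder(sm).buildSubject().login(new UsernamePasswordToken("bob", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("bad password -> " + e.getClass().getSimpleName());
        }
        bob.logout();
        alice.logout();
    }
}
```

Run it with shiro-core on the classpath. The two /reports lines are the point of the exercise: with the bean's four entries an anonymous subject reaches an unmapped path untouched, and only the trailing /** = authc entry closes that gap, so keep the catch-all last and add new protected paths above it.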