- 我们仅仅通过配置文件指定授权是非常的不灵活的
- 在实际的应用中我们是将用户的信息和合权限信息保存到数据库中,我们是从数据库中获得用户的信息 ,使用 JDBCRealm 进行授权 。
- 使用 JDBCRealm 操作的时候也不是很灵活。所以我们一般使用自定义 Realm 实现授权。
代码实现:
package com.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class TestB {
public static void main(String[] args) {
/*Realm*/
//[1]解析shiro.ini文件
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-jdbc2.ini");
//[2]通过SecurityManager工厂获得SecurityManager实例
SecurityManager securityManager = factory.getInstance();
//[3]把SecurityManager对象设置到运行环境中
SecurityUtils.setSecurityManager(securityManager);
//[4]通过SecurityUtils获得主体subject
Subject subject = SecurityUtils.getSubject();
//[5]书写自己输入的账号和密码---相当于用户自己输入的账号和密码
//我们拿着自己书写用户名密码去和shiro.ini 文件中的账号密码比较
UsernamePasswordToken token = new UsernamePasswordToken("DQCGM", "123");
try {
//[6]进行身份的验证
subject.login(token);
//[7]通过方法判断是否登录成功
if (subject.isAuthenticated()) {
System.out.println("登录成功");
//授权的校验
System.out.println("是否存在该菜单:" + subject.isPermitted("updateUser2123"));
}
} catch (IncorrectCredentialsException e) {
System.out.println("登录失败");
} catch (UnknownAccountException e) {
System.out.println("用户名不正确");
}
}
}
package com.shiro;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.List;
public class UserRealm extends AuthorizingRealm {
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//System.out.println(authenticationToken.getPrincipal());
try {
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/shiro", "root", "Root");
PreparedStatement prepareStatement = conn.prepareStatement("select pwd from admin where uname =? ");
prepareStatement.setObject(1, authenticationToken.getPrincipal());
ResultSet rs = prepareStatement.executeQuery();
while (rs.next()) {
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(authenticationToken.getPrincipal(), rs.getString("pwd"), "userRealm");
return info;
}
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = principalCollection.getPrimaryPrincipal().toString();
//获得username 然后去数据库查询这个用户对应的角色,在根据角色查询出指定角色下对应的菜单,
//返回给指定角色下的所有菜单--List集合
System.out.println("username=" + username);
//模拟数据库查的菜单
List<String> list = new ArrayList<>();
list.add("updateUser");
list.add("addUser");
list.add("deleteUser");
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
for (String l : list) {
simpleAuthorizationInfo.addStringPermission(l);
}
return simpleAuthorizationInfo;
}
}
[main]
#设置securityManager中realm
userRealm=com.shiro.UserRealm
securityManager.realms=$userRealm
运行结果:
