package realm;
?
import java.util.ArrayList;
import java.util.List;
?
import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
import org.apache.commons.lang3.builder.ToStringStyle;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
?
import utils.StrUtils;
?
import com.jxzg.mvc.web.entitys.user.Role;
import com.jxzg.mvc.web.entitys.user.RoleRight;
import com.jxzg.mvc.web.entitys.user.User;
import com.jxzg.mvc.web.service.user.IUserManager;
?
public
class MyRealm extends AuthorizingRealm {
?
???@Autowired
???private IUserManager userManager;
?
???/**
????* 为当前登录的Subject授予角色和权限
????* @see 经测试:本例中该方法的调用时机为用户登录后,被调用
????*/
???@Override
???protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
??????// 获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next()
??????String currentUsername = (String) super.getAvailablePrincipal(principals);
??????List<String> roleList = new ArrayList<String>();
??????List<String> permissionList = new ArrayList<String>();
??????// 从数据库中获取当前登录用户的详细信息
??????User user = userManager.getByUsername(currentUsername);
??????if (null != user) {
?????????// 实体类User中包含有用户角色的实体类信息
?????????if (null != user.getRole()) {
????????????// 获取当前登录用户的角色
????????????Role role = user.getRole();
????????????roleList.add(role.getName());
????????????//如果是超级管理员直接赋予所有权限
????????????if(role.getName().equals("admin")){
???????????????permissionList.add("user");
???????????????permissionList.add("school");
????????????}
?
????????????else{
???????????????// 实体类Role中包含有角色权限的实体类信息
???????????????if (null != role.getRights() && role.getRights().size() > 0) {
??????????????????// 获取权限
??????????????????for (RoleRight pmss : role.getRights()) {
?????????????????????if(pmss.isFlag()){
????????????????????????if (!StrUtils.isNullOrEmpty(pmss.getRight())) {
???????????????????????????permissionList.add(pmss.getRight().getName());
????????????????????????}
?????????????????????}
??????????????????}
???????????????}
????????????}
?????????}
??????} else {
?????????throw
new AuthorizationException();
??????}
??????// 为当前用户设置角色和权限
??????SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
??????simpleAuthorInfo.addRoles(roleList);
??????simpleAuthorInfo.addStringPermissions(permissionList);
??????return simpleAuthorInfo;
???}
?
???/**
????* 验证当前登录的Subject
????* @see 经测试:本例中该方法的调用时机为LoginController.login()方法中执行Subject.login()时
????*/
???@Override
???protected AuthenticationInfo doGetAuthenticationInfo(
?????????AuthenticationToken authcToken) throws AuthenticationException {
??????// 获取基于用户名和密码的令牌
??????// 实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
??????// 两个token的引用都是一样的
??????UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
??????System.out.println("验证当前Subject时获取到token为"
????????????+ ReflectionToStringBuilder.toString(token,
??????????????????ToStringStyle.MULTI_LINE_STYLE));
??????User user = userManager.getByUsername(token.getUsername());
??????if (null != user) {
?????????AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(
???????????????user.getUserName(), user.getPass(), user.getNickName());
?????????this.setSession("currentUser", user);
?????????return authcInfo;
??????} else {
?????????return
null;
??????}
???}
?
???/**
????* 将一些数据放到ShiroSession中,以便于其它地方使用
????* @see 比如Controller,使用时直接用HttpSession.getAttribute(key)就可以取到
????*/
???private
void setSession(Object key, Object value) {
??????Subject currentUser = SecurityUtils.getSubject();
??????if (null != currentUser) {
?????????Session session = currentUser.getSession();
?????????if (null != session) {
????????????session.setAttribute(key, value);
?????????}
??????}
???}
?
}