[Shiro] - 基于URL配置动态权限

package com.how2java.service.impl; import java.util.ArrayList;import java.util.HashSet;import java.util.List;import java.util.Set; import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service; import com.how2java.mapper.PermissionMapper;import com.how2java.mapper.RolePermissionMapper;import com.how2java.pojo.Permission;import com.how2java.pojo.PermissionExample;import com.how2java.pojo.Role;import com.how2java.pojo.RolePermission;import com.how2java.pojo.RolePermissionExample;import com.how2java.service.PermissionService;import com.how2java.service.RoleService;import com.how2java.service.UserService; @Servicepublic class PermissionServiceImpl implements PermissionService { ????@Autowired ???PermissionMapper permissionMapper; ???@Autowired ???UserService userService; ???@Autowired ???RoleService roleService; ???@Autowired ???RolePermissionMapper rolePermissionMapper; ????@Override ???public Set<String> listPermissions(String userName) { ???????Set<String> result = new HashSet<>(); ???????List<Role> roles = roleService.listRoles(userName); ????????List<RolePermission> rolePermissions = new ArrayList<>(); ????????for (Role role : roles) { ???????????RolePermissionExample example = new RolePermissionExample(); ???????????example.createCriteria().andRidEqualTo(role.getId()); ???????????List<RolePermission> rps = rolePermissionMapper.selectByExample(example); ???????????rolePermissions.addAll(rps); ???????} ????????for (RolePermission rolePermission : rolePermissions) { ???????????Permission p = permissionMapper.selectByPrimaryKey(rolePermission.getPid()); ???????????result.add(p.getName()); ???????} ????????return result; ???} ????@Override ???public void add(Permission u) { ???????permissionMapper.insert(u); ???} ????@Override ???public void delete(Long id) { ???????permissionMapper.deleteByPrimaryKey(id); ???} ????@Override ???public void update(Permission u) { ???????permissionMapper.updateByPrimaryKeySelective(u); ???} ????@Override ???public Permission get(Long id) { ???????return permissionMapper.selectByPrimaryKey(id); ???} ????@Override ???public List<Permission> list() { ???????PermissionExample example = new PermissionExample(); ???????example.setOrderByClause("id desc"); ???????return permissionMapper.selectByExample(example); ????} ????@Override ???public List<Permission> list(Role role) { ???????List<Permission> result = new ArrayList<>(); ???????RolePermissionExample example = new RolePermissionExample(); ???????example.createCriteria().andRidEqualTo(role.getId()); ???????List<RolePermission> rps = rolePermissionMapper.selectByExample(example); ???????for (RolePermission rolePermission : rps) { ???????????result.add(permissionMapper.selectByPrimaryKey(rolePermission.getPid())); ???????} ????????return result; ???} ????@Override ???public boolean needInterceptor(String requestURI) { ???????List<Permission> ps = list(); ???????for (Permission p : ps) { ???????????if (p.getUrl().equals(requestURI)) ???????????????return true; ???????} ???????return false; ???} ????@Override ???public Set<String> listPermissionURLs(String userName) { ???????Set<String> result = new HashSet<>(); ???????List<Role> roles = roleService.listRoles(userName); ????????List<RolePermission> rolePermissions = new ArrayList<>(); ????????for (Role role : roles) { ???????????RolePermissionExample example = new RolePermissionExample(); ???????????example.createCriteria().andRidEqualTo(role.getId()); ???????????List<RolePermission> rps = rolePermissionMapper.selectByExample(example); ???????????rolePermissions.addAll(rps); ???????} ????????for (RolePermission rolePermission : rolePermissions) { ???????????Permission p = permissionMapper.selectByPrimaryKey(rolePermission.getPid()); ???????????result.add(p.getUrl()); ???????} ????????return result; ???} }

package com.how2java.filter; import java.util.Set; import javax.servlet.ServletRequest;import javax.servlet.ServletResponse; import org.apache.shiro.SecurityUtils;import org.apache.shiro.authz.UnauthorizedException;import org.apache.shiro.subject.Subject;import org.apache.shiro.web.filter.PathMatchingFilter;import org.apache.shiro.web.util.WebUtils;import org.springframework.beans.factory.annotation.Autowired; import com.how2java.service.PermissionService; public class URLPathMatchingFilter extends PathMatchingFilter { ???@Autowired ???PermissionService permissionService; ????@Override ???protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) ???????????throws Exception { ???????String requestURI = getPathWithinApplication(request); ????????System.out.println("requestURI:" + requestURI); ????????Subject subject = SecurityUtils.getSubject(); ???????// 如果没有登录，就跳转到登录页面 ???????if (!subject.isAuthenticated()) { ???????????WebUtils.issueRedirect(request, response, "/login"); ???????????return false; ???????} ????????// 看看这个路径权限里有没有维护，如果没有维护，一律放行(也可以改为一律不放行) ???????boolean needInterceptor = permissionService.needInterceptor(requestURI); ???????if (!needInterceptor) { ???????????return true; ???????} else { ???????????boolean hasPermission = false; ???????????String userName = subject.getPrincipal().toString(); ???????????Set<String> permissionUrls = permissionService.listPermissionURLs(userName); ???????????for (String url : permissionUrls) { ???????????????// 这就表示当前用户有这个权限 ???????????????if (url.equals(requestURI)) { ???????????????????hasPermission = true; ???????????????????break; ???????????????} ???????????} ????????????if (hasPermission) ???????????????return true; ???????????else { ???????????????UnauthorizedException ex = new UnauthorizedException("当前用户没有访问路径 " + requestURI + " 的权限"); ????????????????subject.getSession().setAttribute("ex", ex); ????????????????WebUtils.issueRedirect(request, response, "/unauthorized"); ???????????????return false; ???????????} ????????} ????}}

requestURI:/requestURI:/listProductrequestURI:/deleteProductrequestURI:/deleteOrderrequestURI:/deleteOrderrequestURI:/deleteOrderrequestURI:/unauthorizedrequestURI:/deleteProductrequestURI:/listProduct