shiro1: there I only wanted to make clear that Shiro authentication is very simple.
Now let's talk about Shiro permissions in a project whose front end and back end are separated.
Several friends asked me to write a demo or something similar about front/back-end separation. This is a problem many junior programmers do not quite understand:
First the principle. The only thing Shiro actually relies on to separate permissions is the cookie: Shiro stores a session id in a cookie carried by the request and uses it to tell users, and therefore their permissions, apart. Once you understand that, what follows is simply to override the method with which Shiro reads the sessionId from the cookie so that it instead reads the key from the Authorization request header. That key is just the sessionId returned at login, and with it the Shiro framework can be used in a project with separated front end and back end.
First, have a look at the controller for the separated front/back end:
The first mark here is the authentication check for whether the user's login succeeded; if it did, continue. The second mark is the cookie's id. After that you have to override SessionManager. Why this must be overridden: by overriding it you not only get hold of the cookie id, you also stop Shiro from going through the default cookie, which contains nothing at all. So you must override it to obtain the id key; that way Shiro knows the permissions of the user making this request:
package com.neil.config;

import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.Serializable;

/**
 * Created by Palerock
 */
@Component
public class SessionManager extends DefaultWebSessionManager {

    private static final Logger log = LoggerFactory.getLogger(DefaultWebSessionManager.class);

    /** Name of the request header that carries the session id returned at login. */
    private String authorization = "Authorization";

    /**
     * Override the sessionId lookup so that it goes through this manager's own method.
     */
    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        return this.getReferencedSessionId(request, response);
    }

    /**
     * Obtain the sessionId from the request: cookie first, then the URI path segment,
     * then the Authorization header, and finally a request parameter.
     */
    private Serializable getReferencedSessionId(ServletRequest request, ServletResponse response) {
        String id = this.getSessionIdCookieValue(request, response);
        /* String id = request.getParameter("JSESSIONID"); */
        if (id != null) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "cookie");
        } else {
            id = this.getUriPathSegmentParamValue(request, "JSESSIONID");
            if (id == null) {
                // read the session id from the Authorization request header
                id = WebUtils.toHttp(request).getHeader(this.authorization);
                if (id == null) {
                    String name = this.getSessionIdName();
                    id = request.getParameter(name);
                    if (id == null) {
                        id = request.getParameter(name.toLowerCase());
                    }
                }
            }
            if (id != null) {
                request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, "url");
            }
        }
        if (id != null) {
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, id);
            request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        }
        return id;
    }

    private String getSessionIdCookieValue(ServletRequest request, ServletResponse response) {
        if (!this.isSessionIdCookieEnabled()) {
            log.debug("Session ID cookie is disabled - session id will not be acquired from a request cookie.");
            return null;
        } else if (!(request instanceof HttpServletRequest)) {
            log.debug("Current request is not an HttpServletRequest - cannot get session ID cookie.  Returning null.");
            return null;
        } else {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            return this.getSessionIdCookie().readValue(httpRequest, WebUtils.toHttp(response));
        }
    }

    /**
     * Read a ";paramName=value" segment out of the request URI (e.g. ";JSESSIONID=abc").
     */
    private String getUriPathSegmentParamValue(ServletRequest servletRequest, String paramName) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return null;
        } else {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            String uri = request.getRequestURI();
            if (uri == null) {
                return null;
            } else {
                int queryStartIndex = uri.indexOf('?');
                if (queryStartIndex >= 0) {
                    uri = uri.substring(0, queryStartIndex);
                }
                int index = uri.indexOf(';');
                if (index < 0) {
                    return null;
                } else {
                    String TOKEN = paramName + "=";
                    uri = uri.substring(index + 1);
                    index = uri.lastIndexOf(TOKEN);
                    if (index < 0) {
                        return null;
                    } else {
                        uri = uri.substring(index + TOKEN.length());
                        index = uri.indexOf(';');
                        if (index >= 0) {
                            uri = uri.substring(0, index);
                        }
                        return uri;
                    }
                }
            }
        }
    }

    private String getSessionIdName() {
        String name = this.getSessionIdCookie() != null ? this.getSessionIdCookie().getName() : null;
        if (name == null) {
            name = "JSESSIONID";
        }
        return name;
    }
}
Next, just inject it in ShiroConfiguration and you are done. The error shown is only a warning about an import that cannot be resolved; it does not affect running the code:
The source code resource here is not the front/back-end separated version; front and back end are together, and you just need to change it a little for separation:
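As an added example (not the author's code), here is one way to wire the SessionManager above into the ShiroConfiguration the post refers to, together with the kind of login controller the post describes, which returns the session id the client must send back in the Authorization header. Assumptions: both classes live in the same package as SessionManager, a Realm bean exists elsewhere, the login path is /login, and shiro-spring is on the classpath; the two classes are shown in one listing for brevity.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.*;
import java.util.*;
@Configuration
public class ShiroConfiguration {
    @Bean
    public SecurityManager securityManager(Realm realm, SessionManager sessionManager) {
        // Realm bean is assumed to exist elsewhere; SessionManager is the class from the post.
        sessionManager.setSessionIdCookieEnabled(false);       // no Set-Cookie: the id travels only in the header
        sessionManager.setSessionIdUrlRewritingEnabled(false); // never append ;JSESSIONID=... to URLs
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager(realm);
        manager.setSessionManager(sessionManager);
        return manager;
    }
    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon"); // hypothetical login path, open to everyone
        chain.put("/**", "authc");   // everything else needs a valid session id in Authorization
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }
}

@RestController
class LoginController { // hypothetical endpoint; in a real project this goes in its own file
    @PostMapping("/login")
    public Map<String, Object> login(@RequestParam String username, @RequestParam String password) {
        Subject subject = SecurityUtils.getSubject();
        Map<String, Object> body = new LinkedHashMap<>();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            body.put("success", true);                        // first mark: authentication succeeded
            body.put("token", subject.getSession().getId()); // second mark: id the client sends back as Authorization
        } catch (AuthenticationException e) {
            body.put("success", false);
        }
        return body;
    }
}
```

With the cookie disabled, a client that received `token` must send it as the `Authorization` header on every later request; the SessionManager above reads it from there.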
http://pan.baidu.com/s/1mh9EGWC
Requires my approval:
qq: 179061434