package org.linlinjava.litemall.admin.shiro;

import com.alibaba.druid.util.StringUtils;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.apache.shiro.web.util.WebUtils; import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;

/**
 * Web session manager that resolves the Shiro session id from the
 * {@code X-Litemall-Admin-Token} request header rather than from a cookie.
 *
 * <p>When the header is present its value is used verbatim as the session id.
 * No format check is performed here: the value is client-supplied, and it is
 * only as trustworthy as the lookup the session store performs on it later
 * (an id that does not correspond to a stored session will not authenticate).
 * When the header is absent the request falls through to the
 * {@link DefaultWebSessionManager} resolution (cookie, and URL rewriting if
 * that is enabled on the manager), so requests without the header are not
 * actually stateless despite the "Stateless request" source tag.
 */
public class AdminWebSessionManager extends DefaultWebSessionManager {

    /** Name of the request header carrying the admin session token. */
    public static final String LOGIN_TOKEN_KEY = "X-Litemall-Admin-Token";

    /** Recorded as the session-id source when the id was taken from the header. */
    private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";

    /**
     * Returns the session id for this request.
     *
     * @param request  the current request; the {@value #LOGIN_TOKEN_KEY} header is read from it
     * @param response the current response (only consulted by the superclass fallback)
     * @return the header value when it is non-empty, otherwise whatever the superclass resolves
     */
    @Override
    protected Serializable getSessionId(ServletRequest request, ServletResponse response) {
        String headerToken = WebUtils.toHttp(request).getHeader(LOGIN_TOKEN_KEY);
        if (StringUtils.isEmpty(headerToken)) {
            // No token header: defer to cookie / URL based resolution.
            return super.getSessionId(request, response);
        }
        // Mirror what DefaultWebSessionManager records for a cookie-sourced id so
        // that downstream Shiro code treats the id as a referenced, usable one.
        // "Valid" here only means "present and non-empty"; the session itself
        // must still exist in the session store for the request to be
        // authenticated.
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, headerToken);
        request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);
        return headerToken;
    }
}
package org.linlinjava.litemall.admin.shiro;

import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
import org.linlinjava.litemall.db.domain.LitemallAdmin;
import org.linlinjava.litemall.db.service.LitemallAdminService;
import org.linlinjava.litemall.db.service.LitemallPermissionService;
import org.linlinjava.litemall.db.service.LitemallRoleService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import java.util.List;
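import java.util.Set;

/**
 * Shiro realm for the admin console: authenticates admins by username and
 * password against {@link LitemallAdminService} and builds the role and
 * permission sets used for authorization.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>The whole {@link LitemallAdmin} row (including its password hash) is
 *       used as the Shiro principal, so it is held in the session store for
 *       the lifetime of the session. A narrower principal (id plus role ids)
 *       would limit what a session-store leak exposes.</li>
 *   <li>{@link SimpleAuthenticationInfo} is returned with the submitted
 *       plaintext password as its credentials; that is what lets Shiro's
 *       default {@code SimpleCredentialsMatcher} pass (it compares the token's
 *       password with itself). The real check is the bcrypt compare done in
 *       this class. Returning the stored hash instead would require a
 *       bcrypt-aware {@code CredentialsMatcher} on the realm.</li>
 *   <li>An unknown username short-circuits before the bcrypt compare, so a
 *       failed login for an unknown user returns measurably faster than a
 *       wrong password for a known user (timing-based user enumeration).
 *       Equalising that needs a dummy bcrypt compare and is not done here.</li>
 * </ul>
 */
public class AdminAuthorizingRealm extends AuthorizingRealm {

    @Autowired
    private LitemallAdminService adminService;
    @Autowired
    private LitemallRoleService roleService;
    @Autowired
    private LitemallPermissionService permissionService;

    /**
     * Builds roles and string permissions for the authenticated admin.
     *
     * @param principals the principal collection; its available principal must be a {@link LitemallAdmin}
     * @return the roles and permissions looked up from the admin's role ids
     * @throws AuthorizationException if {@code principals} is null
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
        }
        LitemallAdmin admin = (LitemallAdmin) getAvailablePrincipal(principals);
        Integer[] roleIds = admin.getRoleIds();
        // NOTE(review): a null roleIds array is passed straight through to the
        // services; whether they tolerate that is not visible from here.
        Set<String> roles = roleService.queryByIds(roleIds);
        Set<String> permissions = permissionService.queryByRoleIds(roleIds);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(roles);
        info.setStringPermissions(permissions);
        return info;
    }

    /**
     * Verifies a username/password token against the admin table.
     *
     * <p>"No such user" and "wrong password" both raise
     * {@link UnknownAccountException} with the same message so the HTTP
     * response does not reveal which usernames exist.
     *
     * @param token a {@link UsernamePasswordToken} (the realm's default supported token type)
     * @return authentication info whose principal is the matching {@link LitemallAdmin}
     * @throws AccountException        if the username or password is missing
     * @throws UnknownAccountException if the user does not exist or the password does not match
     * @throws IllegalStateException   if more than one admin row shares the username
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        if (StringUtils.isEmpty(username)) {
            throw new AccountException("用户名不能为空");
        }
        // getPassword() may be null when the token was built without a password;
        // converting it with new String(null) would throw an NPE before the
        // "password required" check ever ran. Check the char[] directly.
        char[] rawPassword = upToken.getPassword();
        if (rawPassword == null || rawPassword.length == 0) {
            throw new AccountException("密码不能为空");
        }
        String password = new String(rawPassword);

        List<LitemallAdmin> adminList = adminService.findAdmin(username);
        // A null result is treated the same as "no rows" rather than NPE-ing.
        if (adminList == null || adminList.isEmpty()) {
            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");
        }
        // Two rows with the same username would make the login ambiguous;
        // refuse rather than silently pick one.
        Assert.state(adminList.size() < 2, "同一个用户名存在两个账户");
        LitemallAdmin admin = adminList.get(0);

        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        if (!encoder.matches(password, admin.getPassword())) {
            // Same message as the unknown-user case on purpose.
            throw new UnknownAccountException("找不到用户(" + username + ")的帐号信息");
        }
        return new SimpleAuthenticationInfo(admin, password, getName());
    }
}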
package org.linlinjava.litemall.admin.config;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.linlinjava.litemall.admin.shiro.AdminAuthorizingRealm;
import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn; import java.util.LinkedHashMap;
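import java.util.Map;

/**
 * Shiro wiring for the admin API: a single {@link AdminAuthorizingRealm}, a
 * header-token session manager, and the URL filter chain.
 *
 * <p>Everything under {@code /admin/**} requires an authenticated subject
 * except the login / index / 401 / 403 endpoints registered in
 * {@link #shiroFilterFactoryBean(SecurityManager)}.
 */
@Configuration
public class ShiroConfig {

    /** The single realm used for both authentication and authorization. */
    @Bean
    public Realm realm() {
        return new AdminAuthorizingRealm();
    }

    /**
     * Defines the filter chain. Order matters: the anonymous paths must be
     * registered before the {@code /admin/**} catch-all, which is why a
     * {@link LinkedHashMap} is used.
     *
     * @param securityManager the security manager the filters delegate to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);

        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/admin/auth/login", "anon");
        chain.put("/admin/auth/401", "anon");
        chain.put("/admin/auth/index", "anon");
        chain.put("/admin/auth/403", "anon");
        chain.put("/admin/index/index", "anon");
        // Catch-all: every other admin endpoint needs an authenticated subject.
        chain.put("/admin/**", "authc");

        factory.setLoginUrl("/admin/auth/401");
        factory.setSuccessUrl("/admin/auth/index");
        factory.setUnauthorizedUrl("/admin/auth/403");
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }

    /**
     * Session manager that takes the session id from the
     * {@code X-Litemall-Admin-Token} header.
     *
     * <p>Session-id URL rewriting is switched off explicitly. The admin client
     * sends its token in a header, so there is no legitimate reason to accept
     * a {@code ;JSESSIONID=...} path parameter; accepting it only widens the
     * channels a session id can arrive through, and ids carried in URLs end
     * up in referrers, browser history and access logs. The cookie fallback
     * of {@code DefaultWebSessionManager} is left as is so that behaviour for
     * any existing caller that relies on it does not change.
     */
    @Bean
    public SessionManager sessionManager() {
        AdminWebSessionManager manager = new AdminWebSessionManager();
        manager.setSessionIdUrlRewritingEnabled(false);
        return manager;
    }

    /** Security manager bound to the realm and session manager defined above. */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm());
        securityManager.setSessionManager(sessionManager());
        return securityManager;
    }

    /** Enables {@code @RequiresRoles} / {@code @RequiresPermissions} checks on Spring beans. */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

    /**
     * Proxy creator needed for the authorization advisor to apply. Declared
     * {@code static}, as Spring recommends for post-processor beans. The
     * {@code lifecycleBeanPostProcessor} bean it depends on is not defined in
     * this class and must be provided elsewhere in the context.
     */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator;
    }
}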
package org.linlinjava.litemall.admin.config;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authz.AuthorizationException;
import org.linlinjava.litemall.core.util.ResponseUtil;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
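import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Maps Shiro authentication / authorization failures raised from controllers
 * to the response bodies produced by {@link ResponseUtil}, so admin API
 * callers get a structured "not logged in" / "not authorized" answer instead
 * of a generic error.
 *
 * <p>Runs at highest precedence so it takes priority over any broader
 * {@code @ExceptionHandler} elsewhere in the context.
 */
@ControllerAdvice
@Order(value = Ordered.HIGHEST_PRECEDENCE)
public class ShiroExceptionHandler {

    private final Log logger = LogFactory.getLog(ShiroExceptionHandler.class);

    /**
     * Handles authentication failures (not logged in, bad credentials).
     *
     * @param e the Shiro exception
     * @return the "not logged in" response body
     */
    @ExceptionHandler(AuthenticationException.class)
    @ResponseBody
    public Object unauthenticatedHandler(AuthenticationException e) {
        logger.warn(safeMessage(e), e);
        return ResponseUtil.unlogin();
    }

    /**
     * Handles authorization failures (logged in, but lacking a role or permission).
     *
     * @param e the Shiro exception
     * @return the "not authorized" response body
     */
    @ExceptionHandler(AuthorizationException.class)
    @ResponseBody
    public Object unauthorizedHandler(AuthorizationException e) {
        logger.warn(safeMessage(e), e);
        return ResponseUtil.unauthz();
    }

    /**
     * Returns the exception message with ASCII control characters (CR, LF,
     * tab, ...) replaced by {@code _}, or the exception class name when there
     * is no message.
     *
     * <p>Realm messages embed the submitted username (for example
     * {@code 找不到用户(...)的帐号信息}); logging that verbatim would let a
     * caller inject line breaks and forge extra log records (CWE-117).
     * {@code \p{Cntrl}} only matches ASCII control characters, so CJK text in
     * the messages is left intact.
     */
    private static String safeMessage(Throwable e) {
        String message = e.getMessage();
        if (message == null) {
            return e.getClass().getName();
        }
        return message.replaceAll("\\p{Cntrl}", "_");
    }
}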
