예제 #1
0
 /**
  * 验证当前登录的Subject
  *
  * @see 经测试:本例中该方法的调用时机为LoginController.login()方法中执行Subject.login()时
  */
 @Override
 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
     throws AuthenticationException {
   // 获取基于用户名和密码的令牌
   // 实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
   // 两个token的引用都是一样的
   UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
   System.out.println(
       "验证当前Subject时获取到token为"
           + ReflectionToStringBuilder.toString(token, ToStringStyle.MULTI_LINE_STYLE));
   User user = userService.getByUsername(token.getUsername());
   if (user == null) {
     throw new UnknownAccountException(); // 没找到帐号
   }
   if (UserUtil.STATUS_LOCK == user.getStatus()) {
     throw new LockedAccountException(); // 帐号锁定
   }
   // 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配
   AuthenticationInfo authenticationInfo =
       new SimpleAuthenticationInfo(
           user.getAccount(), // 用户名
           user.getPassword(), // 密码
           ByteSource.Util.bytes(user.getCredentialsSalt()), // salt=username+salt
           getName() // realm name
           );
   // AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user.getAccount(),
   // user.getPassword().toCharArray(), getName());
   this.setSession(WebConstant.SESSION_CURRRENT_USER, user);
   return authenticationInfo;
 }
예제 #2
0
 /**
  * 为当前登录的Subject授予角色和权限
  *
  * @see 经测试:本例中该方法的调用时机为需授权资源被访问时
  * @see 经测试:并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache
  * @see 个人感觉若使用了Spring3.1开始提供的ConcurrentMapCache支持,则可灵活决定是否启用AuthorizationCache
  * @see 比如说这里从数据库获取权限信息时,先去访问Spring3.1提供的缓存,而不使用Shior提供的AuthorizationCache
  */
 @Override
 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
   // 获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next()
   String currentUsername = (String) super.getAvailablePrincipal(principals);
   List<String> roles = new ArrayList<String>();
   List<String> permissions = new ArrayList<String>();
   // 从数据库中获取当前登录用户的详细信息
   User user = userService.getByAccount(currentUsername);
   if (null != user) {
     List<Role> roleList = userService.getRolesByUserId(user.getUserId());
     List<Permission> permissionList = userService.getPermissionsByUserId(user.getUserId());
     // 实体类User中包含有用户角色的实体类信息
     if (null != roleList && roleList.size() > 0) {
       // 获取当前登录用户的角色
       for (Role role : roleList) {
         roles.add(role.getName());
       }
       // 实体类Role中包含有角色权限的实体类信息
       for (Permission permission : permissionList) {
         permissions.add(permission.getDescription());
       }
     }
   } else {
     throw new AuthorizationException();
   }
   // 为当前用户设置角色和权限
   SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
   simpleAuthorInfo.addRoles(roles);
   simpleAuthorInfo.addStringPermissions(permissions);
   return simpleAuthorInfo;
 }