我似乎找不到一个例子来加载[users]和[urls]从我的JPA对象。我想使用shiro.ini只用于[main]部分。
到目前为止我实现的源代码是这样的:无法在自定义Apache Shiro AuthorizingRealm中@Inject我的DAO
是否有任何例子,其中[users] (user/pass)和[urls](角色,权限)完全从数据库加载?我好像哪儿都找不到。我已经找了一个星期了
经过长时间的研究,我想出的"最佳"解决方案是:
shiro.ini
[main]
jsfFilter = com.test.security.CustomAuthorizationFilter
jsfFilter.loginUrl = /login.jsf
[urls]
/** = jsfFilter
//您可以在此过滤器中添加BalusC描述的方法来过滤Ajax请求。CustomAuthorizationFilter.java
public class CustomAuthorizationFilter extends AuthorizationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
if (!httpRequest.getRequestURI().startsWith(httpRequest.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {
Subject subject = SecurityUtils.getSubject();
AuthenticatingSecurityManager authenticatingSecurityManager = ((AuthenticatingSecurityManager) SecurityUtils.getSecurityManager());
PrincipalCollection principals = subject.getPrincipals();
JPARealm jpaRealm = (JPARealm) authenticatingSecurityManager.getRealms().iterator().next();
AuthorizationInfo authorizationInfo = jpaRealm.getAuthorizationInfo(principals);
for (String permission : authorizationInfo.getStringPermissions()) {
if (pathsMatch(permission, request)) {
return true;
}
}
} else {
return true;
}
return false;
}
}
pathsMatch(permission, request)方法将尝试验证/比较接收到的字符串权限与用户试图访问的路径。此过滤器依赖于始终具有经过身份验证的用户。如果subject.getPrincipal()为空,则需要进行更多编码。如果有人需要完整的代码,请告诉我。