shiro安全框架用户传递更多信息的方法(用实体)

shiro安全框架用户传递更多信息的方法(用实体)

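只要在认证方法(doGetAuthenticationInfo)中把业务对象(bo)作为 principal 传入,之后从安全框架取到的 principal 就是这个 bo;传入的是 String,取到的就是 String。注意:principal 默认会随 Subject 一起保存到会话中,因此作为 principal 的实体不宜携带密码等敏感字段。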

/*

 * Licensed to the Apache Software Foundation (ASF) under one

 * or more contributor license agreements.  See the NOTICE file

 * distributed with this work for additional information

 * regarding copyright ownership.  The ASF licenses this file

 * to you under the Apache License, Version 2.0 (the

 * "License"); you may not use this file except in compliance

 * with the License.  You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing,

 * software distributed under the License is distributed on an

 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

 * KIND, either express or implied.  See the License for the

 * specific language governing permissions and limitations

 * under the License.

 */

package com.common.shrio;

import java.io.Serializable;

import java.util.ArrayList;

import java.util.List;

import org.acegisecurity.userdetails.UserDetails;

import org.acegisecurity.userdetails.UserDetailsService;

import org.acegisecurity.userdetails.UsernameNotFoundException;

import org.apache.commons.lang.StringUtils;

import org.apache.shiro.SecurityUtils;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authc.AuthenticationInfo;

import org.apache.shiro.authc.AuthenticationToken;

import org.apache.shiro.authc.SimpleAuthenticationInfo;

import org.apache.shiro.authc.UsernamePasswordToken;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.authz.SimpleAuthorizationInfo;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.session.Session;

import org.apache.shiro.subject.PrincipalCollection;

import org.apache.shiro.subject.Subject;

import org.apache.shiro.util.ByteSource;

import org.springframework.beans.factory.annotation.Autowired;

/**

   http://shiro.apache.org/java-authentication-guide.html

 * 

 * Subject: a security-specific 'view' of an application user. It can be a human being, a third-party process,
 * a server connecting to your application, or even a cron job. Basically, it is anything or
 * anyone communicating with your application.
 *
 * Principals: a subject's identifying attributes. First name, last name, social security number, username.
 *
 * Credentials: secret data that are used to verify identities. Passwords, biometric data, x509 certificates.
 *
 * Realms: security-specific DAO (data access object), a software component that talks to a back-end data source.
 * If you have usernames and passwords in LDAP, then you would have an LDAP Realm that would communicate
 * with LDAP. The idea is that you would use a realm per back-end data source and Shiro would know how
 * to coordinate these realms together to do what you have to do.

 * 

 * @author fq1798

 *

 */

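public class ShiroDbRealm extends AuthorizingRealm {

    /** Session attribute name under which the loaded user entity is stored. */
    private static final String CURRENT_USER_KEY = "currentUser";

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Builds the roles and permissions reported for a principal issued by this realm.
     *
     * <p>SECURITY: the role and permission values below are fixed sample data. Every
     * principal that reaches this method is granted the {@code admin} role and the same
     * two permissions, whoever the user is. Replace them with a per-user lookup before
     * relying on {@code <shiro:hasRole>} / {@code <shiro:hasPermission>} or any other
     * authorization check.
     *
     * @param principals the principals of the subject being authorized
     * @return the authorization data, or {@code null} when this realm holds no
     *         {@link UserDetails} principal for the subject (no roles or permissions
     *         are then contributed by this realm)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Original author's note: with caching enabled this is loaded only once.
        System.out.println(" 由于加入了缓存, 此处只会load一次:doGetAuthorizationInfo.................");

        // A subject authenticated by a different realm has no principal under this
        // realm's name; calling iterator().next() on the empty collection would throw.
        if (principals == null || principals.fromRealm(getName()).isEmpty()) {
            return null;
        }

        // The principal is the object doGetAuthenticationInfo handed to
        // SimpleAuthenticationInfo: the UserDetails entity, not a user name string.
        Object principal = principals.fromRealm(getName()).iterator().next();
        if (!(principal instanceof UserDetails)) {
            // Fail closed instead of raising ClassCastException on a foreign principal type.
            return null;
        }

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        // Role names are the values matched by the name attribute of <shiro:hasRole>.
        // SECURITY: hard-coded; see the method Javadoc.
        List<String> roleList = new ArrayList<String>();
        roleList.add("admin");
        info.addRoles(roleList);

        // Permission strings are the values matched by the name attribute of
        // <shiro:hasPermission>.
        List<String> permissionList = new ArrayList<String>();
        permissionList.add("/flex/rbac/getSkillMenuAndSkillsForShow.action");
        permissionList.add("/flex/uifrm/index.jsp");
        info.addStringPermissions(permissionList);

        return info;
    }

    /**
     * Looks up the stored account for the submitted user name and returns it for
     * credential matching. AuthenticationInfo represents a Subject's (aka user's) stored
     * account information relevant to the authentication/log-in process only.
     *
     * <p>The {@link UserDetails} entity itself is passed as the principal, so
     * {@code SecurityUtils.getSubject().getPrincipal()} later returns that entity; had a
     * String been passed, a String would come back.
     *
     * <p>SECURITY notes for maintainers:
     * <ul>
     *   <li>This method runs before Shiro compares the submitted password with the stored
     *       one. The {@code currentUser} session attribute is therefore written for any
     *       existing user name, even when the password turns out to be wrong. Do not treat
     *       that attribute as proof of login; use {@code Subject.isAuthenticated()} and
     *       {@code Subject.getPrincipal()} instead, or move the write to the code that
     *       runs after {@code Subject.login()} succeeds.</li>
     *   <li>The principal and the session attribute are the full entity, which exposes
     *       {@code getPassword()}. Whatever is used as a principal is kept with the
     *       session, so an entity without the credential is the safer choice.</li>
     *   <li>How the stored password is compared depends on the CredentialsMatcher
     *       configured for this realm, which is not visible in this class; confirm that
     *       it matches the way passwords are hashed in the user store.</li>
     *   <li>Returning {@code null} makes Shiro report an unknown account, which differs
     *       from the wrong-password failure; the login page should show one message for
     *       both so that user names cannot be probed.</li>
     * </ul>
     *
     * @param token the submitted authentication token
     * @return the stored account information, or {@code null} when the token is not a
     *         {@link UsernamePasswordToken} or no such user exists
     * @throws AuthenticationException if the account information cannot be assembled
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // Only user name / password tokens are handled; anything else is "no account here".
        if (!(token instanceof UsernamePasswordToken)) {
            return null;
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;

        UserDetails userDetails;
        try {
            userDetails = this.userDetailsService.loadUserByUsername(upToken.getUsername());
        } catch (UsernameNotFoundException notFound) {
            // Per the original author, a null return surfaces as UnknownAccountException
            // in LoginController.
            return null;
        }
        if (userDetails == null) {
            return null;
        }

        try {
            AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(
                    userDetails, userDetails.getPassword(), getName());
            // SECURITY: written before the password has been verified; see the Javadoc.
            this.setSession(CURRENT_USER_KEY, userDetails);
            return authcInfo;
        } catch (RuntimeException e) {
            // Keep the failure inside the authentication exception hierarchy with its
            // cause attached, instead of printing a stack trace and reporting the
            // account as unknown.
            throw new AuthenticationException("Unable to build authentication info", e);
        }
    }

    /**
     * Stores a value in the current subject's session.
     *
     * <p>Note that {@code Subject.getSession()} creates a session when none exists, so
     * calling this during a login attempt allocates a session for a request that has not
     * been authenticated yet.
     *
     * @param key the session attribute key
     * @param value the value to store
     */
    private void setSession(Object key, Object value) {
        Subject currentUser = SecurityUtils.getSubject();
        if (currentUser == null) {
            return;
        }
        Session session = currentUser.getSession();
        if (session != null) {
            session.setAttribute(key, value);
        }
    }

    /**
     * Custom principal object that lets the Subject carry more than the login name.
     *
     * <p>It is not referenced by the realm methods of this class, which use the
     * {@link UserDetails} entity as the principal. It holds no credential, which makes it
     * the safer kind of object to keep as a principal.
     */
    public static class ShiroUser implements Serializable {

        private static final long serialVersionUID = -1373760761780840081L;

        // Login (account) name; also the string form of this principal.
        public String loginName;

        // Display name of the user.
        public String name;

        /**
         * @param loginName the login (account) name
         * @param name the display name
         */
        public ShiroUser(String loginName, String name) {
            this.loginName = loginName;
            this.name = name;
        }

        /**
         * @return the display name
         */
        public String getName() {
            return name;
        }

        /**
         * Returns the login name; this is what {@code <shiro:principal/>} renders by default.
         */
        @Override
        public String toString() {
            return loginName;
        }
    }
}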


转载自yuhuiblog6338999322098842.iteye.com/blog/2383996