3. shiro- 权限认证

#在rememberMe的基础上修改CustomizeRealm

@Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        if (ObjectUtils.isEmpty(principals)){
            throw new UnknownAccountException();
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        //从pricipals中获取登入的用户信息
        String username = principals.getPrimaryPrincipal().toString();
        User user = userService.queryUser(username);
        for (Role role : user.getRoles()) {
            //获取角色,并给用户添加角色
            info.addRole(role.getRole());
            for (Perm perm : role.getPerms()) {
                //获取角色对应的权限,并给用户添加权限
                info.addStringPermission(perm.getPerm());
            }
        }
        return info;
    }

#添加一个controller

/**
 * 在访问api时 shiro会根据@RequiresRoles和@RequiresPermission调用doGetAuthorizationInfo()
 */
@Slf4j
@RestController
//如果没有指定method,@RequestMapping会接收所有类型的请求
@RequestMapping("/user")
public class UserController {
    @Autowired
    private IUserService userService;
    @RequiresRoles("admin")
    @RequiresPermissions("user:add")
    @PostMapping
    public String save(User user) {
        userService.save(user);
        return "添加成功";
    }
    @RequiresPermissions("user:delete")
    @RequiresRoles("admin")
    @ResponseBody
    @DeleteMapping("/{id}")
    public String remove(@PathVariable("id") Integer id) {
        userService.removeById(id);
        return "删除成功";
    }
    @RequiresPermissions("user:update")
    //logical.OR表示二者中的一个即可
    @RequiresRoles(value = {"teacher","admin"},logical = Logical.OR)
    @ResponseBody
    @PutMapping
    public String update(User user) {
        userService.updateById(user);
        return "更新成功";
    }
    @RequiresPermissions("user:select")
    @ResponseBody
    @GetMapping
    public List<User> list() {
        List<User> list = userService.list();
        System.out.println(list);
        return list;
    }
    @RequiresPermissions("user:select")
    @RequiresRoles(value = {"teacher","student","admin"},logical = Logical.OR)
    @GetMapping("/{id}")
    public User get(@PathVariable("id") Integer id) {
        //这里调用的只是mybatis-plus封装的方法所以不会打印出集合的信息
        User user = userService.getById(id);
        System.out.println(user);
        return user;
    }
}

#修改yml

mvc:
    hiddenmethod:
      filter:
        enabled: true

#修改index.html

<!--templates下的只能通过controller访问-->
<a shiro:guest="" th:href="@{/login}">登入</a>

<form shiro:authenticated="" th:action="@{/user}" method="post">
    <input type="text" name="name" placeholder="用户名">
    <br>
    <input type="password" name="password" placeholder="密码">
    <br>
    <input type="submit" value="添加用户">
</form>
<hr>
<form shiro:authenticated="" th:action="@{/user/}" method="post">
    <input type="hidden" name="_method" value="delete">
    <input type="text" name="id" placeholder="id">
    <br>
    <input type="submit" value="删除用户">
</form>
<hr>
<form shiro:authenticated="" th:action="@{/user}" method="post">
    <input type="hidden" name="_method" value="PUT">
    <br>
    <input type="text" name="id" placeholder="id">
    <br>
    <input type="text" name="name" placeholder="用户名">
    <br>
    <input type="password" name="password" placeholder="密码">
    <input type="submit" value="更新用户">
</form>
<hr>
<form shiro:authenticated="" th:action="@{/user}" method="get">
    <input type="submit" value="查询所有用户">
</form>
<hr>
<form shiro:authenticated="" th:action="@{/user/}" method="get">
    <input type="text" name="id" placeholder="id">
    <br>
    <input type="submit" value="查询用户">
</form>
<a th:href="@{/logout}">注销</a>
</body>
<script>
    $("input[type=‘submit‘]").mousedown(function () {
        var parent = $(this).parent();
        var action = parent.attr("action");
        console.log(action);
        var children = parent.children("input[name=‘id‘]");
        //children是一个数组
        if (children.length == 0) {
            return;
        }
        //拼接获取到的值
        var jQuery = parent.attr("action", action + children.val());
        console.log(jQuery)
    });

#添加一个没有权限认证的异常处理器

@ControllerAdvice
public class ShiroHandler {
    @ExceptionHandler(AuthorizationException.class)
    private ModelAndView handleAuthorizationException(AuthorizationException e) {
        HashMap<String, Object> map = new HashMap<>();
        map.put("msg", "你没有权限这么做");
        //如果要自定义传属性到getAttributes()中必须通过这种方法,不能通过@RequestStatus
        map.put("javax.servlet.error.status_code", HttpStatus.FORBIDDEN.value());
        return new ModelAndView("forward:/error", map);
    }
}

相应的错误页面

<body>
<div>[[${msg}]]</div>
<a th:href="@{/index}">首页</a>
</body>