因为在开发环境,测试环境,有时候需要跳过shiro的权限验证.所以想写个简单的配置跳过shiro的权限验证.
跳过权限验证的原理就是重写**@RequiresPermissions**的实现,然后在配置文件中写一个开关,最后通过Aop注入进去就大功告成.
在 org.apache.shiro.authz.aop.PermissionAnnotationHandler 中处理这个注解,这就是我们要
覆写的类.我准备将它替换成log日志.
public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {
public void assertAuthorized(Annotation a) throws AuthorizationException {
if (!(a instanceof RequiresPermissions)) return;
RequiresPermissions rpAnnotation = (RequiresPermissions) a;
//获取注解的值
String[] perms = getAnnotationValue(a);
//获取主体
Subject subject = getSubject();
//如果只有一个需要权限
if (perms.length == 1) {
subject.checkPermission(perms[0]);
return;
}
//与的处理
if (Logical.AND.equals(rpAnnotation.logical())) {
getSubject().checkPermissions(perms);
return;
}
//或的处理
if (Logical.OR.equals(rpAnnotation.logical())) {
// Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
boolean hasAtLeastonePermission = false;
for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastonePermission = true;
// Cause the exception if none of the role match, note that the exception message will be a bit misleading
if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);
}
}
}
通过 AopAllianceAnnotationsAuthorizingMethodInterceptor 加入拦截处理,通过Shiro starter 的 Conguration配置到将AuthorizationAttributeSourceAdvisor注入到 Spring Bean中.AuthorizationAttributeSourceAdvisor 实现了 StaticMethodMatcherPointcutAdvisor
破解既然找到了实现的方法,那么注入一个自己实现类就可以跳过shiro的权限了.
但是为了只在测试和开发环境破解,需要使用配置来实现
首先在spring的配置中加入 spring.profiles.active ,同时配置 xfs.shiro.skipShiro为true.
破解时根据当前运行环境和skipShiro来判断是否要跳过shiro
spring:
# 环境 dev|test|prod
profiles:
active: dev
application:
name: system
xfs:
shiro:
skipShiro: true #危险配置,跳过shiro权限控制,用于开发和测试环境调试,慎用
2.重写自己的@RequiresPermissions处理方法
在日志上打log,防止严重的生产问题
package cn.lanhi.auth.starter.interceptor;
import com.alibaba.fastjson.JSON;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.aop.PermissionAnnotationHandler;
import java.lang.annotation.Annotation;
@Slf4j
public class ShiroPermissionHandler extends PermissionAnnotationHandler {
public ShiroPermissionHandler() {
super();
log.warn("使用了自定义的PermissionHandler,如果是生产环境,使用这个类将会导致权限控制模块失效");
}
@Override
public void assertAuthorized(Annotation a) throws AuthorizationException {
if (!(a instanceof RequiresPermissions)) return;
//如果是数组,打印效果不好,使用json序列化
log.warn("警告!! 跳过了权限:{}", JSON.toJSonString(getAnnotationValue(a)));
}
}
3.设置注解处理器
在 AnnotationsAuthorizingMethodInterceptor 这个抽象类的实现类中,添加了对注解的拦截器
package org.apache.shiro.spring.security.interceptor;
public class AopAllianceAnnotationsAuthorizingMethodInterceptor
extends AnnotationsAuthorizingMethodInterceptor implements MethodInterceptor {
//Shiro拦截器
public AopAllianceAnnotationsAuthorizingMethodInterceptor() {
List interceptors =
new ArrayList(5);
AnnotationResolver resolver = new SpringAnnotationResolver();
interceptors.add(new RoleAnnotationMethodInterceptor(resolver));
//注入了我们要破解的权限控制拦截器,
interceptors.add(new PermissionAnnotationMethodInterceptor(resolver));
interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));
interceptors.add(new UserAnnotationMethodInterceptor(resolver));
interceptors.add(new GuestAnnotationMethodInterceptor(resolver));
setMethodInterceptors(interceptors);
}
........
}
那么破解一下,自己继承一下AopAllianceAnnotationsAuthorizingMethodInterceptor,然后获取自身属性,修改值
package cn.lanhi.auth.starter.shiro;
import com.xfs.auth.starter.interceptor.ShiroPermissionHandler;
import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
import org.apache.shiro.authz.aop.PermissionAnnotationMethodInterceptor;
import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;
import java.util.List;
import java.util.stream.Collectors;
public class ShiroMethodInterceptor extends AopAllianceAnnotationsAuthorizingMethodInterceptor {
public ShiroMethodInterceptor() {
super();
}
public ShiroMethodInterceptor skipPremissionHandler() {
List interceptors = this.getMethodInterceptors().stream()
.filter(authorizingAnnotationMethodInterceptor ->
!(authorizingAnnotationMethodInterceptor instanceof PermissionAnnotationMethodInterceptor))
.collect(Collectors.toList());
PermissionAnnotationMethodInterceptor interceptor = new PermissionAnnotationMethodInterceptor();
//设置成自己的注解处理器!
interceptor.setHandler(new ShiroPermissionHandler());
interceptors.add(interceptor);
setMethodInterceptors(interceptors);
return this;
}
}
4.重写shiroAop
package org.apache.shiro.spring.config;
@Configuration
public class ShiroAnnotationProcessorConfiguration extends AbstractShiroAnnotationProcessorConfiguration{
@Bean
@DependsOn("lifecycleBeanPostProcessor")
protected DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
return super.defaultAdvisorAutoProxyCreator();
}
@Bean
protected AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
return super.authorizationAttributeSourceAdvisor(securityManager);
}
}
--------------------
--------------------
--------------------
这个 AuthorizationAttributeSourceAdvisor 提供了AOP的拦截器实现.接下来我们要覆盖他,
public AuthorizationAttributeSourceAdvisor() {
setAdvice(new AopAllianceAnnotationsAuthorizingMethodInterceptor());
}
--------------------
--------------------
--------------------
5.覆盖Shiro Bean
判断了一下环境,跳过Shiro 权限验证,仅在测试和开发环境生效,且需要开启配置
注意bean要设置成@primary
@Bean("authorizationAttributeSourceAdvisor")
@Primary
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
SecurityManager securityManager,
Environment environment,
@Value("${xfs.shiro.skipShiro:false}") boolean skipShiro) {
//获取当前运行环境
String profile = environment.getRequiredProperty("spring.profiles.active");
//创建要生成的Bean
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
//判断是否可以跳过shiro
if (skipShiro && ("dev".equals(profile) || "test".equals(profile))) {
//运行跳过shiro权限验证方法
advisor.setAdvice(new ShiroMethodInterceptor().skipPremissionHandler());
}
return advisor;
}
到此为止,就大功告成啦.
转载请注明出处!!!
