I. Brief Introduction
shiro as the basis of url permission management.
II. Authority Management
Privilege management includes: 1. User authentication 2. Authorization
User authentication:
Users access the system, the system needs to verify the legitimacy of users, after verifying the legitimacy, can access the system resources. (Of course, there are anonymous resources that can be accessed: there is no need to verify that the user is legitimate)
User Authorization:
After successful user authentication, the system will provide accessible resources according to the user's rights.
Key Objects of Verification and Authorization
Validate key objects:
subject:(subject object) can be understood as the user accessing the resource.
principal: (identity information) Each subject object has one or more identity information, such as identity card, driver's license, student's card and so on, but it has one main identity information.
Credential: (Credential information) Equivalent to account passwords, fingerprints, these are used as credential information to find your identity information.
Summary: Subjects need to provide identity information and credential information when they are authenticated.
(When landing, submit the credential information (fingerprint), will find your identity information in the database through the credential information, and if the match is successful, the landing will be successful!)
Authorization Key Objects
It can be understood as:
what (which) does how by subject
subject: User.
what: Resources.
how: For example, the operation of adding, deleting and modifying checks.
IV. Privilege Model
User - > User Role Relation Table - > Role - > Role Permission Relation Table - > Permission - > Resources
Users can find their roles through the user role relationship table, so as to find their own permissions (resources)
V. RBAC
1.RBAC(Role Based Access Control)
Role-based access control.
For example:
if(user.isRole("principal"){
crud
}
if(user.isRole("Teaching Director"){
Delete and censor
}
But one day, the authority of the teaching director has been revised, and it can also be added, deleted and revised.
if(user.isRole("Instructor") | | user.isRole("Principal"){
crud
}
We'll have to change the code.
So role-based authority management is not conducive to system expansion and maintenance.
2.RBAC (Resource-based Privilege Control)
Such as:
if(user.hasAccess("a resource"){
operation
}
In this way, if the role permissions change, we only need to operate in the database, without changing the code.
Recommended use: RBAC (resource-based)
6. Coarse and Fine Granularity of Permissions
Coarse granularity: for example, administrators can view user lists
Fine-grained: The administrator in the sales department has id 3, so he can only see the list of users in the sales department.
How to achieve coarse-grained and fine-grained rights management - ----> Important!!!!!!
Coarse granularity: implemented with spring MVC interceptor, url intercept
Fine-grained: Fine-grained can be processed at the business level
For example, an administrator with ID 3 logs in, gets his department based on his id, and then queries the user list of his department.
URL-based privilege management process
1. The privilege table in the database stores URLs and assigns them to roles.
2. After the user logs in, he has the corresponding role.
3. When a user accesses a resource, the filter filters the url. If you have access, you are not obliged to prohibit it.
7. Specific implementation process
1. After successful login
Create an ActiveUser to store login information
Store such objects in session s.
Because tomcat serializes session s on local hard disks, the Serializable interface is used
public class ActiveUser implements java.io.Serializable {
/** */
private static final long serialVersionUID = -4500748422849176791L;
/** User id (primary key) */
private String userid;
/** User account */
private String usercode;
/** User Name */
private String username;
// ##########################################
/** menu */
private List<SysPermission> menus;
/** Jurisdiction */
private List<SysPermission> permissions;
}
2. After the user enters the account and the password, he first finds the data of the account from the database and returns it as an object. (throws an exception if there is no such object)
3. Compare the password in the database with the password. (Failure throws an exception)
4. When the appeal operation is successful, the information is stored in the ActiveUser object and set in the session.
User Authentication and Authorization Interceptor
1.anonymousURL.properties configures URLs that can be accessed anonymously
2. Common url. properties configures a common url (accessible to anyone)
Configuration content is stored in the form of key-value pairs and read by reading tools
3. Read Tools
public class ResourcesUtil implements Serializable {
private static final long serialVersionUID = -7657898714983901418L;
/**
* System language environment, default is Chinese zh
*/
public static final String LANGUAGE = "zh";
/**
* System national environment, default to Chinese CN
*/
public static final String COUNTRY = "CN";
private static Locale getLocale() {
Locale locale = new Locale(LANGUAGE, COUNTRY);
return locale;
}
/**
* Get resource file values based on language, country, resource file name and key name
*
* @param language
* language
*
* @param country
* Country
*
* @param baseName
* Resource file name
*
* @param section
* key Name
*
* @return value
*/
private static String getProperties(String baseName, String section) {
String retValue = "";
try {
Locale locale = getLocale();
ResourceBundle rb = ResourceBundle.getBundle(baseName, locale);
retValue = (String) rb.getObject(section);
} catch (Exception e) {
e.printStackTrace();
// TODO Addition Processing
}
return retValue;
}
/**
* Read content from resource files by key
*
* @param fileName
* Resource file name
*
* @param key
* Indexes
*
* @return Index corresponding content
*/
public static String getValue(String fileName, String key) {
String value = getProperties(fileName,key);
return value;
}
public static List<String> gekeyList(String baseName) {
Locale locale = getLocale();
ResourceBundle rb = ResourceBundle.getBundle(baseName, locale);
List<String> reslist = new ArrayList<String>();
Set<String> keyset = rb.keySet();
for (Iterator<String> it = keyset.iterator(); it.hasNext();) {
String lkey = (String)it.next();
reslist.add(lkey);
}
return reslist;
}
/**
* Read the content from the resource file through key and format it
*
* @param fileName
* Resource file name
*
* @param key
* Indexes
*
* @param objs
* Formatting parameters
*
* @return Formatted content
*/
public static String getValue(String fileName, String key, Object[] objs) {
String pattern = getValue(fileName, key);
String value = MessageFormat.format(pattern, objs);
return value;
}
public static void main(String[] args) {
System.out.println(getValue("resources.messages", "101",new Object[]{100,200}));
//Acquiring Language Environment Based on Operating System Environment
/*Locale locale = Locale.getDefault();
System.out.println(locale.getCountry());//Output country code
System.out.println(locale.getLanguage());//Output language code s
//Load internationalized resources (messages.properties in the resources directory under classpath, messages_zh_CN.properties will be preferred in Chinese environment)
ResourceBundle rb = ResourceBundle.getBundle("resources.messages", locale);
String retValue = rb.getString("101");//101 Is the key in the messages.properties file
System.out.println(retValue);
//Information formatting, if there are {} parameters in the resource, MessageFormat formatting is needed. Object [] is the parameter passed. The number is determined by the number of {} in the resource file.
String value = MessageFormat.format(retValue, new Object[]{100,200});
System.out.println(value);
*/
}
}
Used to read configuration files.
4. Configure interceptors in spring MVC
<!--Interceptor --> <mvc:interceptors> <mvc:interceptor> <!-- User authentication interception --> <mvc:mapping path="/**" /> <bean class="frame.uitls.interceptor.LoginInterceptor"></bean> </mvc:interceptor> <mvc:interceptor> <!-- Authorized Interception --> <mvc:mapping path="/**" /> <bean class="frame.uitls.interceptor.PermissionInterceptor"></bean> </mvc:interceptor> </mvc:interceptors>
Write two interceptors as required.
5. Display permissions dynamically on front-end pages.