Shiro配置跳过权限验证

需求

因为在开发环境,测试环境,有时候需要跳过shiro的权限验证.所以想写个简单的配置跳过shiro的权限验证.跳过权限验证的原理就是重写**@RequiresPermissions**的实现,然后在配置文件中写一个开关,最后通过Aop注入进去就大功告成.

@RequiresPermissions 处理类

在 org.apache.shiro.authz.aop.PermissionAnnotationHandler 中处理这个注解,这就是我们要覆写的类.我准备将它替换成log日志.

/**

* 检查是否有@{@link org.apache.shiro.authz.annotation。注释是

*声明，如果是，执行权限检查，看是否允许调用Subject继续

*访问。

*

* @since 0.9.0

*/

public class PermissionAnnotationHandler extends AuthorizingAnnotationHandler {

/**

*确保调用Subject具有注释指定的权限，如果没有，则抛出

* AuthorizingException表示拒绝访问。

*

*/

public void assertAuthorized(Annotation a) throws AuthorizationException {

if (!(a instanceof RequiresPermissions)) return;

RequiresPermissions rpAnnotation = (RequiresPermissions) a;

//获取注解的值

String[] perms = getAnnotationValue(a);

//获取主体

Subject subject = getSubject();

//如果只有一个需要权限

if (perms.length == 1) {

subject.checkPermission(perms[0]);

return;

}

//与的处理

if (Logical.AND.equals(rpAnnotation.logical())) {

getSubject().checkPermissions(perms);

return;

}

//或的处理

if (Logical.OR.equals(rpAnnotation.logical())) {

// Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first

boolean hasAtLeastOnePermission = false;

for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission = true;

// Cause the exception if none of the role match, note that the exception message will be a bit misleading

if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);

}

}

}

通过 AopAllianceAnnotationsAuthorizingMethodInterceptor 加入拦截处理,通过Shiro starter 的 Conguration配置到将AuthorizationAttributeSourceAdvisor注入到 Spring Bean中.AuthorizationAttributeSourceAdvisor 实现了 StaticMethodMatcherPointcutAdvisor

破解

既然找到了实现的方法,那么注入一个自己实现类就可以跳过shiro的权限了.但是为了只在测试和开发环境破解,需要使用配置来实现

1.配置跳过shiro开关

首先在spring的配置中加入 spring.profiles.active ,同时配置 xfs.shiro.skipShiro为true.破解时根据当前运行环境和skipShiro来判断是否要跳过shiro

spring:

# 环境 dev|test|prod

profiles:

active: dev

application:

name: system

xfs:

shiro:

skipShiro: true #危险配置,跳过shiro权限控制,用于开发和测试环境调试,慎用

2.重写自己的@RequiresPermissions处理方法

在日志上打log,防止严重的生产问题

package cn.lanhi.auth.starter.interceptor;

import com.alibaba.fastjson.JSON;

import lombok.extern.slf4j.Slf4j;

import org.apache.shiro.authz.AuthorizationException;

import org.apache.shiro.authz.annotation.RequiresPermissions;

import org.apache.shiro.authz.aop.PermissionAnnotationHandler;

import java.lang.annotation.Annotation;

/**

*

*

* @author : snx cn.shennaixin@gmail.net

* @date : 2020-06-16 11:39

*/

@Slf4j

public class ShiroPermissionHandler extends PermissionAnnotationHandler {

public ShiroPermissionHandler() {

super();

log.warn("使用了自定义的PermissionHandler,如果是生产环境,使用这个类将会导致权限控制模块失效");

}

/**

* 重写权限认证方法,仅仅打印log,不做拦截处理

*

* @param a 注解

* @throws AuthorizationException 一个不可能抛出的异常

*/

@Override

public void assertAuthorized(Annotation a) throws AuthorizationException {

if (!(a instanceof RequiresPermissions)) return;

//如果是数组,打印效果不好,使用json序列化

log.warn("警告!! 跳过了权限:{}", JSON.toJSONString(getAnnotationValue(a)));

}

}

3.设置注解处理器

在 AnnotationsAuthorizingMethodInterceptor 这个抽象类的实现类中,添加了对注解的拦截器

package org.apache.shiro.spring.security.interceptor;

public class AopAllianceAnnotationsAuthorizingMethodInterceptor

extends AnnotationsAuthorizingMethodInterceptor implements MethodInterceptor {

//Shiro拦截器

public AopAllianceAnnotationsAuthorizingMethodInterceptor() {

List interceptors =

new ArrayList(5);

AnnotationResolver resolver = new SpringAnnotationResolver();

interceptors.add(new RoleAnnotationMethodInterceptor(resolver));

//注入了我们要破解的权限控制拦截器,

interceptors.add(new PermissionAnnotationMethodInterceptor(resolver));

interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));

interceptors.add(new UserAnnotationMethodInterceptor(resolver));

interceptors.add(new GuestAnnotationMethodInterceptor(resolver));

setMethodInterceptors(interceptors);

}

........

}

那么破解一下,自己继承一下AopAllianceAnnotationsAuthorizingMethodInterceptor,然后获取自身属性,修改值

package cn.lanhi.auth.starter.shiro;

import com.xfs.auth.starter.interceptor.ShiroPermissionHandler;

import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;

import org.apache.shiro.authz.aop.PermissionAnnotationMethodInterceptor;

import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;

import java.util.List;

import java.util.stream.Collectors;

/**

*

shiro 权限重定义

*

* @author : snx cn.shennaixin@gmail.net

* @date : 2020-06-16 11:34

*/

public class ShiroMethodInterceptor extends AopAllianceAnnotationsAuthorizingMethodInterceptor {

public ShiroMethodInterceptor() {

super();

}

/**

* 跳过shiro RequirePremissions 注解验证

*/

public ShiroMethodInterceptor skipPremissionHandler() {

List interceptors = this.getMethodInterceptors().stream()

.filter(authorizingAnnotationMethodInterceptor ->

!(authorizingAnnotationMethodInterceptor instanceof PermissionAnnotationMethodInterceptor))

.collect(Collectors.toList());

PermissionAnnotationMethodInterceptor interceptor = new PermissionAnnotationMethodInterceptor();

//设置成自己的注解处理器!

interceptor.setHandler(new ShiroPermissionHandler());

interceptors.add(interceptor);

setMethodInterceptors(interceptors);

return this;

}

}

4.重写shiroAop

package org.apache.shiro.spring.config;

/**

* shiro AOP

* @since 1.4.0

*/

@Configuration

public class ShiroAnnotationProcessorConfiguration extends AbstractShiroAnnotationProcessorConfiguration{

@Bean

@DependsOn("lifecycleBeanPostProcessor")

protected DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {

return super.defaultAdvisorAutoProxyCreator();

}

@Bean

protected AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {

return super.authorizationAttributeSourceAdvisor(securityManager);

}

}

--------------------

--------------------

--------------------

这个 AuthorizationAttributeSourceAdvisor 提供了AOP的拦截器实现.接下来我们要覆盖他,

/**

* Create a new AuthorizationAttributeSourceAdvisor.

*/

public AuthorizationAttributeSourceAdvisor() {

setAdvice(new AopAllianceAnnotationsAuthorizingMethodInterceptor());

}

--------------------

--------------------

--------------------

5.覆盖Shiro Bean

判断了一下环境,跳过Shiro 权限验证,仅在测试和开发环境生效,且需要开启配置注意bean要设置成@primary

/**

* 跳过Shiro 权限验证,仅在测试和开发环境生效

*

* @param securityManager

* @return

*/

@Bean("authorizationAttributeSourceAdvisor")

@Primary

public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(

SecurityManager securityManager,

Environment environment,

@Value("${xfs.shiro.skipShiro:false}") boolean skipShiro) {

//获取当前运行环境

String profile = environment.getRequiredProperty("spring.profiles.active");

//创建要生成的Bean

AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();

advisor.setSecurityManager(securityManager);

//判断是否可以跳过shiro

if (skipShiro && ("dev".equals(profile) || "test".equals(profile))) {

//运行跳过shiro权限验证方法

advisor.setAdvice(new ShiroMethodInterceptor().skipPremissionHandler());

}

return advisor;

}

到此为止,就大功告成啦.