1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.shiro.samples.sprhib.security;
20  
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.Sha256CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.samples.sprhib.dao.UserDAO;
import org.apache.shiro.samples.sprhib.model.Role;
import org.apache.shiro.samples.sprhib.model.User;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

import java.util.Collection;
32  
33  /**
34   * The Spring/Hibernate sample application's one and only configured Apache Shiro Realm.
35   *
36   * <p>Because a Realm is really just a security-specific DAO, we could have just made Hibernate calls directly
37   * in the implementation and named it a 'HibernateRealm' or something similar.</p>
38   *
39   * <p>But we've decided to make the calls to the database using a UserDAO, since a DAO would be used in other areas
40   * of a 'real' application in addition to here. We felt it better to use that same DAO to show code re-use.</p>
41   */
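@Component
public class SampleRealm extends AuthorizingRealm {

    /** Data access used for both lookups: by username when authenticating, by id when authorizing. */
    protected UserDAO userDAO = null;

    /**
     * Builds the realm with its fixed name and its credentials matcher.
     *
     * <p>NOTE(review): the matcher is constructed here with no salt source and no iteration count,
     * so the submitted password is compared as a plain SHA-256 digest against
     * {@code User#getPassword()}. That is acceptable for a sample, but a real deployment should use
     * a salted, iterated hash (Shiro's {@code HashedCredentialsMatcher} with a per-user salt and a
     * high iteration count) or a dedicated password KDF (bcrypt/scrypt/argon2). Switching the
     * matcher also means re-hashing every stored credential, so it is deliberately left unchanged
     * in this sample rather than silently swapped.</p>
     */
    public SampleRealm() {
        // This name must match the name used in the User class's getPrincipals() method; it is the
        // key doGetAuthorizationInfo() passes to PrincipalCollection#fromRealm() below.
        setName("SampleRealm");
        setCredentialsMatcher(new Sha256CredentialsMatcher());
    }

    /**
     * Injects the DAO this realm queries.
     *
     * @param userDAO the user data access object (Spring-autowired)
     */
    @Autowired
    public void setUserDAO(UserDAO userDAO) {
        this.userDAO = userDAO;
    }

    /**
     * Looks up the account for a username/password login attempt.
     *
     * <p>The stored (hashed) password is returned to the framework for the configured credentials
     * matcher to compare; no comparison happens in this method.</p>
     *
     * <p>NOTE(review): whether "no such user" and "wrong password" are distinguishable to the
     * client depends on how the web layer maps the resulting exceptions; keep the user-facing
     * message generic to avoid account enumeration.</p>
     *
     * @param authcToken the submitted token; this realm only understands {@link UsernamePasswordToken}
     * @return the user's id as principal plus the stored password hash, or {@code null} when the
     *         username is missing or no such user exists (treated by the framework as an unknown account)
     * @throws AuthenticationException if the token is not a {@link UsernamePasswordToken}
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
        // Defensive: the framework normally filters by supports(), but a blind cast would surface
        // as a ClassCastException instead of a meaningful authentication failure.
        if (!(authcToken instanceof UsernamePasswordToken)) {
            throw new UnsupportedTokenException("SampleRealm only supports UsernamePasswordToken, got "
                    + (authcToken == null ? "null" : authcToken.getClass().getName()));
        }
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String username = token.getUsername();
        if (username == null || username.isEmpty()) {
            return null; // nothing to look up; reported as an unknown account
        }
        User user = userDAO.findUser(username);
        if (user == null) {
            return null;
        }
        return new SimpleAuthenticationInfo(user.getId(), user.getPassword(), getName());
    }

    /**
     * Resolves the roles and string permissions for an authenticated subject.
     *
     * <p>Only the principal this realm itself issued (the {@code Long} user id from
     * {@link #doGetAuthenticationInfo}) is used; a principal from another realm, or of another
     * type, yields no authorization info rather than a runtime exception.</p>
     *
     * @param principals the subject's principals, possibly spanning several realms
     * @return roles and permissions of the user, or {@code null} if no usable principal or no such user
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Collection<?> ours = (principals == null) ? null : principals.fromRealm(getName());
        if (ours == null || ours.isEmpty()) {
            return null; // nothing issued by this realm -> grant nothing (fail closed)
        }
        Object principal = ours.iterator().next();
        if (!(principal instanceof Long)) {
            return null; // not an id we issued; deny rather than throw ClassCastException
        }
        User user = userDAO.getUser((Long) principal);
        if (user == null) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (Role role : user.getRoles()) {
            info.addRole(role.getName());
            info.addStringPermissions(role.getPermissions());
        }
        return info;
    }

}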