我們項目中用的是shiro而且允許一個用戶多個地方同時登錄。在後臺修改權限後,讓用戶登錄,發現用戶登錄後,用戶的角色還是以前的那個角色,這個問題出現了,我發現只有去看看源代碼才能知道如何解決這個問題?
經過幾天的查看,以及週末在家看源代碼,我終於在源代碼中找到了shiro對角色的管理的流程,首先我們從DelegatingSubject這個類的public void checkRole(String role)這個檢查角色方法中,找到了AuthorizingRealm這個類,從public void checkRole(PrincipalCollection principal, String role)這個方法如下:
public void checkRole(PrincipalCollection principal, String role) throws AuthorizationException {
AuthorizationInfo info = getAuthorizationInfo(principal);
checkRole(role, info);
}
從getAuthorizationInfo(principal)這個方法中,源代碼如下:
protected AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
if (principals == null) {
return null;
}
AuthorizationInfo info = null;
if (log.isTraceEnabled()) {
log.trace("Retrieving AuthorizationInfo for principals [" + principals + "]");
}
Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache();
if (cache != null) {
if (log.isTraceEnabled()) {
log.trace("Attempting to retrieve the AuthorizationInfo from cache.");
}
Object key = getAuthorizationCacheKey(principals);
info = cache.get(key);
if (log.isTraceEnabled()) {
if (info == null) {
log.trace("No AuthorizationInfo found in cache for principals [" + principals + "]");
} else {
log.trace("AuthorizationInfo found in cache for principals [" + principals + "]");
}
}
}
if (info == null) {
info = doGetAuthorizationInfo(principals);
if (info != null && cache != null) {
if (log.isTraceEnabled()) {
log.trace("Caching authorization info for principals: [" + principals + "].");
}
Object key = getAuthorizationCacheKey(principals);
cache.put(key, info);
}
}
return info;
}
從這段代碼中,我發現,只要Cache<Object, AuthorizationInfo> cache = getAvailableAuthorizationCache()獲取到的cache中找到的 info = cache.get(key)這個info,如果這個info不爲空,我們就直接取緩存中的對應的AuthorizationInfo,如果這個爲空的話,程序就調用info = doGetAuthorizationInfo(principals)去刷新權限,如果之前登錄過,再次登錄時,如果不清除緩存中的AuthorizationInfo,那麼就不會調用重寫的real的 doGetAuthorizationInfo()方法去刷新權限,所以在登錄後,一定要把緩存中的AuthorizationInfo清除,這樣就可以把權限刷新了。解決方法如下:
//先登錄
subject.login(token);
//清除緩存中的角色信息
//這個可用注入的方式注入DefaultWebSecurityManager 對象
DefaultWebSecurityManager defaultWebSecurityManager= SpringContextUtil.getBean("securityManager");
Collection<Realm> reals= defaultWebSecurityManager.getRealms();
AccountAuthorizationRealm authorizingRealm= (AccountAuthorizationRealm) reals.toArray()[0];
PrincipalCollection principalCollection= SecurityUtils.getSubject().getPrincipals();
authorizingRealm.getAuthorizationCache().remove(principalCollection);
//刪除成功
這樣就刪除了緩存中的權限信息。注意一定要在登錄前,執行一下SecurityUtils.getSubject().logout(),目的是防止ThreadContext中有多個DefaultWebSecurityManager ,就這樣解決了這個問題。