优化命名

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/LoginExitListener.java

@@ -35,6 +35,6 @@ public class LoginExitListener implements AuthorizationListener<AuthorizationExi
 
     @Override
     public void on(AuthorizationExitEvent event) {
-        listenerAuthorizingRealm.loginOut(event.getAuthorization());
+        listenerAuthorizingRealm.loginOut(event.getAuthentication());
     }
 }

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/BoostAuthorizationAttributeSourceAdvisor.java

@@ -17,10 +17,13 @@
 
 package org.hswebframework.web.authorization.shiro.boost;
 
+import org.apache.shiro.aop.AnnotationResolver;
 import org.apache.shiro.authz.annotation.*;
 import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.aop.SpringAnnotationResolver;
 import org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor;
 import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
+import org.hswebframework.web.AopUtils;
 import org.hswebframework.web.authorization.access.DataAccessController;
 import org.hswebframework.web.authorization.access.FieldAccessController;
 import org.hswebframework.web.authorization.annotation.Authorize;
@@ -28,6 +31,7 @@ import org.hswebframework.web.authorization.annotation.RequiresDataAccess;
 import org.hswebframework.web.authorization.annotation.RequiresExpression;
 import org.hswebframework.web.authorization.annotation.RequiresFieldAccess;
 import org.springframework.aop.support.StaticMethodMatcherPointcutAdvisor;
+import org.springframework.core.Ordered;
 import org.springframework.core.annotation.AnnotationUtils;
 
 import java.lang.annotation.Annotation;
@@ -43,8 +47,11 @@ public class BoostAuthorizationAttributeSourceAdvisor extends StaticMethodMatche
     @SuppressWarnings("unchecked")
     private static final Class<? extends Annotation>[] AUTHZ_ANNOTATION_CLASSES =
             new Class[]{
-                    RequiresPermissions.class, RequiresRoles.class,
-                    RequiresUser.class, RequiresGuest.class, RequiresAuthentication.class,
+                    RequiresPermissions.class,
+                    RequiresRoles.class,
+                    RequiresUser.class,
+                    RequiresGuest.class,
+                    RequiresAuthentication.class,
                     //自定义
                     RequiresExpression.class,
                     Authorize.class,
@@ -63,14 +70,15 @@ public class BoostAuthorizationAttributeSourceAdvisor extends StaticMethodMatche
     public BoostAuthorizationAttributeSourceAdvisor(DataAccessController dataAccessController,
                                                     FieldAccessController fieldAccessController) {
         AopAllianceAnnotationsAuthorizingMethodInterceptor interceptor = new AopAllianceAnnotationsAuthorizingMethodInterceptor();
+        AnnotationResolver resolver = new SpringAnnotationResolver();
         // @RequiresExpression support
-        interceptor.getMethodInterceptors().add(new ExpressionAnnotationMethodInterceptor());
+        interceptor.getMethodInterceptors().add(new ExpressionAnnotationMethodInterceptor(resolver));
         // @RequiresDataAccess support
-        interceptor.getMethodInterceptors().add(new DataAccessAnnotationMethodInterceptor(dataAccessController));
+        interceptor.getMethodInterceptors().add(new DataAccessAnnotationMethodInterceptor(dataAccessController, resolver));
         // @RequiresFieldAccess support
-        interceptor.getMethodInterceptors().add(new FieldAccessAnnotationMethodInterceptor(fieldAccessController));
+        interceptor.getMethodInterceptors().add(new FieldAccessAnnotationMethodInterceptor(fieldAccessController, resolver));
         // @Authorize support
-        interceptor.getMethodInterceptors().add(new SimpleAuthorizeMethodInterceptor());
+        interceptor.getMethodInterceptors().add(new SimpleAuthorizeMethodInterceptor(resolver));
         setAdvice(interceptor);
     }
 
@@ -82,65 +90,8 @@ public class BoostAuthorizationAttributeSourceAdvisor extends StaticMethodMatche
         this.securityManager = securityManager;
     }
 
-    /**
-     * Returns <tt>true</tt> if the method has any Shiro annotations, false otherwise.
-     * The annotations inspected are:
-     * <ul>
-     * <li>{@link org.apache.shiro.authz.annotation.RequiresAuthentication RequiresAuthentication}</li>
-     * <li>{@link org.apache.shiro.authz.annotation.RequiresUser RequiresUser}</li>
-     * <li>{@link org.apache.shiro.authz.annotation.RequiresGuest RequiresGuest}</li>
-     * <li>{@link org.apache.shiro.authz.annotation.RequiresRoles RequiresRoles}</li>
-     * <li>{@link org.apache.shiro.authz.annotation.RequiresPermissions RequiresPermissions}</li>
-     * </ul>
-     *
-     * @param method      the method to check for a Shiro annotation
-     * @param targetClass the class potentially declaring Shiro annotations
-     * @return <tt>true</tt> if the method has a Shiro annotation, false otherwise.
-     * @see org.springframework.aop.MethodMatcher#matches(java.lang.reflect.Method, Class)
-     */
     public boolean matches(Method method, Class targetClass) {
-        Method m = method;
-        if (isAuthzAnnotationPresent(m)) {
-            return true;
-        }
-        //The 'method' parameter could be from an interface that doesn't have the annotation.
-        //Check to see if the implementation has it.
-        if (targetClass != null) {
-            try {
-                //尝试解决由于被拦截的方法使用了泛型,并且重写了方法，导致无法获取父类方法的问题
-                Class[] parameter = Arrays
-                        .stream(m.getParameterTypes())
-                        .map(type -> {
-                            if (type.isInterface()) return type;
-                            Class<?>[] interfaces = type.getInterfaces();
-                            if (interfaces.length > 0) return interfaces[0];
-                            Class superclass = type.getSuperclass();
-                            if (null != superclass && superclass != Object.class) {
-                                return superclass;
-                            }
-                            return type;
-                        })
-                        .toArray(Class[]::new);
-                m = targetClass.getMethod(m.getName(), parameter);
-                if (isAuthzAnnotationPresent(m)) {
-                    return true;
-                }
-            } catch (NoSuchMethodException ignored) {
-                //default return value is false.  If we can't find the method, then obviously
-                //there is no annotation, so just use the default return value.
-            }
-        }
-
-        return false;
-    }
-
-    private boolean isAuthzAnnotationPresent(Method method) {
-        for (Class<? extends Annotation> annClass : AUTHZ_ANNOTATION_CLASSES) {
-            Annotation a = AnnotationUtils.findAnnotation(method, annClass);
-            if (a != null) {
-                return true;
-            }
-        }
-        return false;
+        return Arrays.stream(AUTHZ_ANNOTATION_CLASSES)
+                .anyMatch(aClass -> AopUtils.findAnnotation(targetClass, method, aClass) != null);
     }
 }

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/DataAccessAnnotationMethodInterceptor.java

@@ -17,27 +17,23 @@
 
 package org.hswebframework.web.authorization.shiro.boost;
 
+import org.apache.shiro.aop.AnnotationResolver;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
-import org.hsweb.expands.script.engine.DynamicScriptEngine;
-import org.hsweb.expands.script.engine.DynamicScriptEngineFactory;
 import org.hswebframework.web.ApplicationContextHolder;
-import org.hswebframework.web.BusinessException;
-import org.hswebframework.web.authorization.Authorization;
-import org.hswebframework.web.authorization.AuthorizationHolder;
+import org.hswebframework.web.authorization.Authentication;
+import org.hswebframework.web.authorization.AuthenticationHolder;
 import org.hswebframework.web.authorization.Permission;
-import org.hswebframework.web.authorization.access.DataAccess;
+import org.hswebframework.web.authorization.access.DataAccessConfig;
 import org.hswebframework.web.authorization.access.DataAccessController;
-import org.hswebframework.web.authorization.access.ParamContext;
 import org.hswebframework.web.authorization.annotation.Logical;
 import org.hswebframework.web.authorization.annotation.RequiresDataAccess;
-import org.hswebframework.web.authorization.annotation.RequiresExpression;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 import org.hswebframwork.utils.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationContext;
 
 import java.lang.annotation.Annotation;
 import java.util.*;
@@ -48,7 +44,7 @@ import java.util.stream.Collectors;
 /**
  * 数据级权限控制实现 <br>
  * 通过在方法上注解{@link RequiresDataAccess}，标识需要进行数据级权限控制<br>
- * 控制的方式和规则由 {@link Permission#getDataAccesses()}实现<br>
+ * 控制的方式和规则由 {@link Permission#getDataAccessConfigs()}实现<br>
  *
  * @author zhouhao
  * @see DefaultDataAccessController
@@ -57,8 +53,8 @@ import java.util.stream.Collectors;
  */
 public class DataAccessAnnotationMethodInterceptor extends AuthorizingAnnotationMethodInterceptor {
 
-    public DataAccessAnnotationMethodInterceptor(DataAccessController controller) {
-        super(new DataAccessAnnotationHandler(controller));
+    public DataAccessAnnotationMethodInterceptor(DataAccessController controller,AnnotationResolver resolver) {
+        super(new DataAccessAnnotationHandler(controller),resolver);
     }
 
     private static final Logger logger = LoggerFactory.getLogger(DataAccessAnnotationMethodInterceptor.class);
@@ -82,8 +78,8 @@ public class DataAccessAnnotationMethodInterceptor extends AuthorizingAnnotation
                 return;
             }
             //无权限信息
-            Authorization authorization = AuthorizationHolder.get();
-            if (authorization == null) {
+            Authentication authentication = AuthenticationHolder.get();
+            if (authentication == null) {
                 throw new AuthorizationException("{no_authorization}");
             }
             RequiresDataAccess accessAnn = ((RequiresDataAccess) a);
@@ -107,20 +103,20 @@ public class DataAccessAnnotationMethodInterceptor extends AuthorizingAnnotation
             }
             DataAccessController finalAccessController = accessController;
 
-            ParamContext context = holder.createParamContext();
+            MethodInterceptorParamContext context = holder.createParamContext();
             String permission = accessAnn.permission();
-            Permission permissionInfo = authorization.getPermission(permission);
+            Permission permissionInfo = authentication.getPermission(permission);
             List<String> actionList = Arrays.asList(accessAnn.action());
             //取得当前登录用户持有的控制规则
-            Set<DataAccess> accesses = permissionInfo
-                    .getDataAccesses()
+            Set<DataAccessConfig> accesses = permissionInfo
+                    .getDataAccessConfigs()
                     .stream()
                     .filter(access -> actionList.contains(access.getAction()))
                     .collect(Collectors.toSet());
             //无规则,则代表不进行控制
             if (accesses.isEmpty()) return;
             //单个规则验证函数
-            Function<Predicate<DataAccess>, Boolean> function =
+            Function<Predicate<DataAccessConfig>, Boolean> function =
                     accessAnn.logical() == Logical.AND ?
                             accesses.stream()::allMatch : accesses.stream()::anyMatch;
             //调用控制器进行验证

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/DefaultDataAccessController.java

@@ -1,12 +1,12 @@
 package org.hswebframework.web.authorization.shiro.boost;
 
-import org.hswebframework.web.authorization.access.DataAccess;
+import org.hswebframework.web.authorization.access.DataAccessConfig;
 import org.hswebframework.web.authorization.access.DataAccessController;
 import org.hswebframework.web.authorization.access.DataAccessHandler;
-import org.hswebframework.web.authorization.access.ParamContext;
 import org.hswebframework.web.authorization.shiro.boost.handler.CustomDataAccessHandler;
 import org.hswebframework.web.authorization.shiro.boost.handler.OwnCreatedDataAccessHandler;
 import org.hswebframework.web.authorization.shiro.boost.handler.ScriptDataAccessHandler;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 
 import java.util.LinkedList;
 import java.util.List;
@@ -35,7 +35,7 @@ public final class DefaultDataAccessController implements DataAccessController {
     }
 
     @Override
-    public boolean doAccess(DataAccess access, ParamContext params) {
+    public boolean doAccess(DataAccessConfig access, MethodInterceptorParamContext params) {
         if (parent != null) parent.doAccess(access, params);
         return handlers.parallelStream()
                 .filter(handler -> handler.isSupport(access))

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/DefaultFieldAccessController.java

@@ -2,9 +2,9 @@ package org.hswebframework.web.authorization.shiro.boost;
 
 import org.apache.commons.beanutils.BeanUtilsBean;
 import org.hswebframework.web.authorization.Permission;
-import org.hswebframework.web.authorization.access.FieldAccess;
+import org.hswebframework.web.authorization.access.FieldAccessConfig;
 import org.hswebframework.web.authorization.access.FieldAccessController;
-import org.hswebframework.web.authorization.access.ParamContext;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 import org.hswebframework.web.commons.entity.Entity;
 import org.hswebframework.web.commons.entity.RecordCreationEntity;
 import org.hswebframework.web.commons.entity.param.QueryParamEntity;
@@ -27,7 +27,7 @@ public class DefaultFieldAccessController implements FieldAccessController {
     private Logger logger = LoggerFactory.getLogger(DefaultFieldAccessController.class);
 
     @Override
-    public boolean doAccess(String action, Set<FieldAccess> accesses, ParamContext params) {
+    public boolean doAccess(String action, Set<FieldAccessConfig> accesses, MethodInterceptorParamContext params) {
         //控制转发
         switch (action) {
             case Permission.ACTION_QUERY:
@@ -51,12 +51,12 @@ public class DefaultFieldAccessController implements FieldAccessController {
      * @see BeanUtilsBean
      * @see org.apache.commons.beanutils.PropertyUtilsBean
      */
-    protected boolean doUpdateAccess(Set<FieldAccess> accesses, ParamContext params) {
+    protected boolean doUpdateAccess(Set<FieldAccessConfig> accesses, MethodInterceptorParamContext params) {
         Object supportParam = params.getParams().values().stream()
                 .filter(param -> (param instanceof Entity) | (param instanceof Model))
                 .findAny().orElse(null);
         if (null != supportParam) {
-            for (FieldAccess access : accesses) {
+            for (FieldAccessConfig access : accesses) {
                 try {
                     //设置值为null,跳过修改
                     BeanUtilsBean.getInstance()
@@ -84,13 +84,13 @@ public class DefaultFieldAccessController implements FieldAccessController {
      * @param params   参数上下文
      * @return true
      */
-    protected boolean doQueryAccess(Set<FieldAccess> accesses, ParamContext params) {
+    protected boolean doQueryAccess(Set<FieldAccessConfig> accesses, MethodInterceptorParamContext params) {
         QueryParamEntity paramEntity = params.getParams().values().stream()
                 .filter(QueryParamEntity.class::isInstance)
                 .map(QueryParamEntity.class::cast)
                 .findAny().orElse(null);
         if (paramEntity != null) {
-            paramEntity.excludes(accesses.stream().map(FieldAccess::getField).toArray(String[]::new));
+            paramEntity.excludes(accesses.stream().map(FieldAccessConfig::getField).toArray(String[]::new));
         } else {
             logger.warn("doQueryAccess skip ,because can not found any QueryParamEntity in param!");
         }

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/ExpressionAnnotationMethodInterceptor.java

@@ -17,14 +17,16 @@
 
 package org.hswebframework.web.authorization.shiro.boost;
 
+import org.apache.shiro.aop.AnnotationResolver;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
 import org.hsweb.expands.script.engine.DynamicScriptEngine;
 import org.hsweb.expands.script.engine.DynamicScriptEngineFactory;
 import org.hswebframework.web.BusinessException;
-import org.hswebframework.web.authorization.Authorization;
+import org.hswebframework.web.authorization.Authentication;
 import org.hswebframework.web.authorization.annotation.RequiresExpression;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,6 +44,10 @@ public class ExpressionAnnotationMethodInterceptor extends AuthorizingAnnotation
         super(new ExpressionAnnotationHandler());
     }
 
+    public ExpressionAnnotationMethodInterceptor(AnnotationResolver resolver) {
+        super(new ExpressionAnnotationHandler(), resolver);
+    }
+
     private static final Logger logger = LoggerFactory.getLogger(ExpressionAnnotationMethodInterceptor.class);
 
     static class ExpressionAnnotationHandler extends AuthorizingAnnotationHandler {
@@ -71,7 +77,7 @@ public class ExpressionAnnotationMethodInterceptor extends AuthorizingAnnotation
                 }
             }
             Map<String, Object> var = new HashMap<>(holder.getArgs());
-            var.put("auth", getSubject().getSession().getAttribute(Authorization.class.getName()));
+            var.put("auth", getSubject().getSession().getAttribute(Authentication.class.getName()));
             Object success = engine.execute(holder.getId(), var).get();
             if (!(success instanceof Boolean) || !((Boolean) success)) {
                 throw new AuthorizationException();

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/FieldAccessAnnotationMethodInterceptor.java

@@ -17,17 +17,18 @@
 
 package org.hswebframework.web.authorization.shiro.boost;
 
+import org.apache.shiro.aop.AnnotationResolver;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
-import org.hswebframework.web.authorization.Authorization;
-import org.hswebframework.web.authorization.AuthorizationHolder;
+import org.hswebframework.web.authorization.Authentication;
+import org.hswebframework.web.authorization.AuthenticationHolder;
 import org.hswebframework.web.authorization.Permission;
-import org.hswebframework.web.authorization.access.FieldAccess;
+import org.hswebframework.web.authorization.access.FieldAccessConfig;
 import org.hswebframework.web.authorization.access.FieldAccessController;
-import org.hswebframework.web.authorization.access.ParamContext;
-import org.hswebframework.web.authorization.annotation.RequiresDataAccess;
 import org.hswebframework.web.authorization.annotation.RequiresFieldAccess;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -42,8 +43,8 @@ import java.util.stream.Collectors;
  */
 public class FieldAccessAnnotationMethodInterceptor extends AuthorizingAnnotationMethodInterceptor {
 
-    public FieldAccessAnnotationMethodInterceptor(FieldAccessController controller) {
-        super(new DataAccessAnnotationHandler(controller));
+    public FieldAccessAnnotationMethodInterceptor(FieldAccessController controller,AnnotationResolver resolver) {
+        super(new DataAccessAnnotationHandler(controller),resolver);
     }
 
     private static final Logger logger = LoggerFactory.getLogger(FieldAccessAnnotationMethodInterceptor.class);
@@ -65,15 +66,15 @@ public class FieldAccessAnnotationMethodInterceptor extends AuthorizingAnnotatio
                 return;
             }
             RequiresFieldAccess accessAnn = ((RequiresFieldAccess) a);
-            ParamContext context = holder.createParamContext();
-            Authorization authorization = AuthorizationHolder.get();
-            if (authorization == null) {
+            MethodInterceptorParamContext context = holder.createParamContext();
+            Authentication authentication = AuthenticationHolder.get();
+            if (authentication == null) {
                 throw new AuthorizationException("{no_authorization}");
             }
             String permission = accessAnn.permission();
-            Permission permissionInfo = authorization.getPermission(permission);
+            Permission permissionInfo = authentication.getPermission(permission);
 
-            Set<FieldAccess> accesses = permissionInfo
+            Set<FieldAccessConfig> accesses = permissionInfo
                     .getFieldAccesses()
                     .stream()
                     .filter(access -> access.getActions().contains(accessAnn.action()))

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/SimpleAuthorizeMethodInterceptor.java

@@ -19,18 +19,20 @@
 package org.hswebframework.web.authorization.shiro.boost;
 
 import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.shiro.aop.AnnotationResolver;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.UnauthenticatedException;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationHandler;
 import org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor;
 import org.hswebframework.expands.script.engine.DynamicScriptEngine;
 import org.hswebframework.expands.script.engine.DynamicScriptEngineFactory;
-import org.hswebframework.web.authorization.Authorization;
-import org.hswebframework.web.authorization.AuthorizationHolder;
+import org.hswebframework.web.authorization.Authentication;
+import org.hswebframework.web.authorization.AuthenticationHolder;
 import org.hswebframework.web.authorization.Permission;
 import org.hswebframework.web.authorization.Role;
 import org.hswebframework.web.authorization.annotation.Authorize;
 import org.hswebframework.web.authorization.annotation.Logical;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorHolder;
 import org.hswebframwork.utils.ClassUtils;
 import org.hswebframwork.utils.StringUtils;
 import org.slf4j.Logger;
@@ -48,8 +50,8 @@ import java.util.stream.Collectors;
  * @author zhouhao
  */
 public class SimpleAuthorizeMethodInterceptor extends AuthorizingAnnotationMethodInterceptor {
-    public SimpleAuthorizeMethodInterceptor() {
-        super(new AuthorizeAnnotationHandler());
+    public SimpleAuthorizeMethodInterceptor(AnnotationResolver resolver) {
+        super(new AuthorizeAnnotationHandler(), resolver);
     }
 
     private static final Logger logger = LoggerFactory.getLogger(SimpleAuthorizeMethodInterceptor.class);
@@ -78,14 +80,14 @@ public class SimpleAuthorizeMethodInterceptor extends AuthorizingAnnotationMetho
             }
             authorizeConfig.put(authorize);
 
-            Authorization authorization = AuthorizationHolder.get();
-            if (null == authorization) throw new UnauthenticatedException(authorizeConfig.message);
+            Authentication authentication = AuthenticationHolder.get();
+            if (null == authentication) throw new UnauthenticatedException(authorizeConfig.message);
             boolean access = true;
             Logical logical = authorizeConfig.logical == Logical.DEFAULT ? Logical.OR : authorizeConfig.logical;
             boolean logicalIsOr = logical == Logical.OR;
             // 控制权限
             if (!authorizeConfig.permission.isEmpty()) {
-                List<Permission> permissions = authorization.getPermissions().stream()
+                List<Permission> permissions = authentication.getPermissions().stream()
                         .filter(permission -> {
                             // 未持有任何一个权限
                             if (!authorizeConfig.permission.contains(permission.getId())) return false;
@@ -105,8 +107,8 @@ public class SimpleAuthorizeMethodInterceptor extends AuthorizingAnnotationMetho
             //控制角色
             if (!authorizeConfig.role.isEmpty()) {
                 Function<Predicate<Role>, Boolean> func = logicalIsOr
-                        ? authorization.getRoles().stream()::anyMatch
-                        : authorization.getRoles().stream()::allMatch;
+                        ? authentication.getRoles().stream()::anyMatch
+                        : authentication.getRoles().stream()::allMatch;
                 access = func.apply(role -> authorizeConfig.role.contains(role.getId()));
             }
             //控制用户
@@ -114,7 +116,7 @@ public class SimpleAuthorizeMethodInterceptor extends AuthorizingAnnotationMetho
                 Function<Predicate<String>, Boolean> func = logicalIsOr
                         ? authorizeConfig.user.stream()::anyMatch
                         : authorizeConfig.user.stream()::allMatch;
-                access = func.apply(authorization.getUser().getUsername()::equals);
+                access = func.apply(authentication.getUser().getUsername()::equals);
             }
             if (!access) {
                 throw new AuthorizationException(authorizeConfig.message);

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/handler/CustomDataAccessHandler.java

@@ -19,6 +19,7 @@
 package org.hswebframework.web.authorization.shiro.boost.handler;
 
 import org.hswebframework.web.authorization.access.*;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 
 /**
  * 当配置为自定义处理器时(实现{@link CustomDataAccess }接口),此处理器生效
@@ -29,12 +30,12 @@ import org.hswebframework.web.authorization.access.*;
 public class CustomDataAccessHandler implements DataAccessHandler {
 
     @Override
-    public boolean isSupport(DataAccess access) {
+    public boolean isSupport(DataAccessConfig access) {
         return access instanceof CustomDataAccess;
     }
 
     @Override
-    public boolean handle(DataAccess access, ParamContext context) {
+    public boolean handle(DataAccessConfig access, MethodInterceptorParamContext context) {
         CustomDataAccess custom = ((CustomDataAccess) access);
         return custom.getController().doAccess(access, context);
     }

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/handler/OwnCreatedDataAccessHandler.java

@@ -1,13 +1,13 @@
 package org.hswebframework.web.authorization.shiro.boost.handler;
 
 import org.hsweb.ezorm.core.param.Term;
-import org.hswebframework.web.authorization.AuthorizationHolder;
+import org.hswebframework.web.authorization.AuthenticationHolder;
 import org.hswebframework.web.authorization.Permission;
-import org.hswebframework.web.authorization.access.DataAccess;
+import org.hswebframework.web.authorization.access.DataAccessConfig;
 import org.hswebframework.web.authorization.access.DataAccessHandler;
-import org.hswebframework.web.authorization.access.OwnCreatedDataAccess;
-import org.hswebframework.web.authorization.access.ParamContext;
+import org.hswebframework.web.authorization.access.OwnCreatedDataAccessConfig;
 import org.hswebframework.web.authorization.annotation.RequiresDataAccess;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 import org.hswebframework.web.commons.entity.Entity;
 import org.hswebframework.web.commons.entity.RecordCreationEntity;
 import org.hswebframework.web.commons.entity.param.QueryParamEntity;
@@ -29,13 +29,13 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
     private static final Logger logger = LoggerFactory.getLogger(OwnCreatedDataAccessHandler.class);
 
     @Override
-    public boolean isSupport(DataAccess access) {
-        return access instanceof OwnCreatedDataAccess;
+    public boolean isSupport(DataAccessConfig access) {
+        return access instanceof OwnCreatedDataAccessConfig;
     }
 
     @Override
-    public boolean handle(DataAccess access, ParamContext context) {
-        OwnCreatedDataAccess own = ((OwnCreatedDataAccess) access);
+    public boolean handle(DataAccessConfig access, MethodInterceptorParamContext context) {
+        OwnCreatedDataAccessConfig own = ((OwnCreatedDataAccessConfig) access);
         Object controller = context.getTarget();
         if (controller != null) {
             switch (access.getAction()) {
@@ -57,14 +57,14 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
         return true;
     }
 
-    public boolean putCreatorId(OwnCreatedDataAccess access, ParamContext context) {
+    public boolean putCreatorId(OwnCreatedDataAccessConfig access, MethodInterceptorParamContext context) {
         RecordCreationEntity entity = context.getParams()
                 .values().stream()
                 .filter(RecordCreationEntity.class::isInstance)
                 .map(RecordCreationEntity.class::cast)
                 .findAny().orElse(null);
         if (entity != null) {
-            entity.setCreatorId(AuthorizationHolder.get().getUser().getId());
+            entity.setCreatorId(AuthenticationHolder.get().getUser().getId());
         } else {
             logger.warn("try put creatorId property,but not found any RecordCreationEntity!");
         }
@@ -72,7 +72,7 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
     }
 
     @SuppressWarnings("unchecked")
-    protected boolean doRWAccess(OwnCreatedDataAccess access, ParamContext context, Object controller) {
+    protected boolean doRWAccess(OwnCreatedDataAccessConfig access, MethodInterceptorParamContext context, Object controller) {
         //获取注解
         RequiresDataAccess dataAccess = context.getAnnotation(RequiresDataAccess.class);
         Object id = context.<String>getParameter(dataAccess.idParamName()).orElse(null);
@@ -85,7 +85,7 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
                 QueryService<RecordCreationEntity, Object> queryService =
                         ((QueryController<RecordCreationEntity, Object, Entity>) controller).getService();
                 RecordCreationEntity oldData = queryService.selectByPk(id);
-                if (oldData != null && !AuthorizationHolder.get().getUser().getId().equals(oldData.getCreatorId())) {
+                if (oldData != null && !AuthenticationHolder.get().getUser().getId().equals(oldData.getCreatorId())) {
                     return false;
                 }
             }
@@ -93,7 +93,7 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
         return true;
     }
 
-    protected boolean doQueryAccess(OwnCreatedDataAccess access, ParamContext context) {
+    protected boolean doQueryAccess(OwnCreatedDataAccessConfig access, MethodInterceptorParamContext context) {
         Entity entity = context.getParams()
                 .values().stream()
                 .filter(Entity.class::isInstance)
@@ -113,11 +113,11 @@ public class OwnCreatedDataAccessHandler implements DataAccessHandler {
             queryParamEntity.setTerms(new ArrayList<>());
             //添加一个查询条件
             queryParamEntity
-                    .where("creatorId", AuthorizationHolder.get().getUser().getId())
+                    .where("creatorId", AuthenticationHolder.get().getUser().getId())
                     //客户端提交的参数 作为嵌套参数
                     .nest().setTerms(oldParam);
         } else if (entity instanceof RecordCreationEntity) {
-            ((RecordCreationEntity) entity).setCreatorId(AuthorizationHolder.get().getUser().getId());
+            ((RecordCreationEntity) entity).setCreatorId(AuthenticationHolder.get().getUser().getId());
         } else {
             logger.warn("try validate query access,but entity not support, QueryParamEntity and RecordCreationEntity support now!");
         }

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/handler/ScriptDataAccessHandler.java

@@ -1,11 +1,11 @@
 package org.hswebframework.web.authorization.shiro.boost.handler;
 
 import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.shiro.authz.AuthorizationException;
 import org.hswebframework.expands.script.engine.DynamicScriptEngine;
 import org.hswebframework.expands.script.engine.DynamicScriptEngineFactory;
 import org.hswebframework.web.BusinessException;
 import org.hswebframework.web.authorization.access.*;
+import org.hswebframework.web.boost.aop.context.MethodInterceptorParamContext;
 import org.hswebframwork.utils.StringUtils;
 
 /**
@@ -15,13 +15,13 @@ import org.hswebframwork.utils.StringUtils;
  */
 public class ScriptDataAccessHandler implements DataAccessHandler {
     @Override
-    public boolean isSupport(DataAccess access) {
-        return access instanceof ScriptDataAccess;
+    public boolean isSupport(DataAccessConfig access) {
+        return access instanceof ScriptDataAccessConfig;
     }
 
     @Override
-    public boolean handle(DataAccess access, ParamContext context) {
-        ScriptDataAccess dataAccess = ((ScriptDataAccess) access);
+    public boolean handle(DataAccessConfig access, MethodInterceptorParamContext context) {
+        ScriptDataAccessConfig dataAccess = ((ScriptDataAccessConfig) access);
         DynamicScriptEngine engine = DynamicScriptEngineFactory.getEngine(dataAccess.getScriptLanguage());
         if (engine == null) throw new UnsupportedOperationException(dataAccess.getScriptLanguage() + " {not_support}");
         String scriptId = DigestUtils.md5Hex(dataAccess.getScript());

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/remember/DefaultRememberStorage.java

@@ -0,0 +1,55 @@
+/*
+ *  Copyright 2016 http://www.hswebframework.org
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *
+ */
+
+package org.hswebframework.web.authorization.shiro.remember;
+
+import org.apache.shiro.subject.PrincipalCollection;
+import org.hswebframework.web.id.IDGenerator;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * @author zhouhao
+ */
+public class DefaultRememberStorage implements RememberStorage {
+    private Map<String, RememberInfo> storage = new ConcurrentHashMap<>(256);
+
+    @Override
+    public RememberInfo create(PrincipalCollection collection) {
+        SimpleRememberInfo info = new SimpleRememberInfo(collection);
+        info.setCreateTime(System.currentTimeMillis());
+        info.setKey(IDGenerator.MD5.generate());
+        return info;
+    }
+
+    @Override
+    public RememberInfo get(String key) {
+        return storage.get(key);
+    }
+
+    @Override
+    public RememberInfo remove(String key) {
+        return storage.remove(key);
+    }
+
+    @Override
+    public void put(RememberInfo rememberInfo) {
+        storage.put(rememberInfo.getKey(), rememberInfo);
+    }
+}

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/remember/RememberInfo.java

@@ -0,0 +1,41 @@
+/*
+ *  Copyright 2016 http://www.hswebframework.org
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *
+ */
+
+package org.hswebframework.web.authorization.shiro.remember;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.io.Serializable;
+import java.util.Optional;
+
+/**
+ * @author zhouhao
+ */
+public interface RememberInfo extends Serializable {
+
+    String getKey();
+
+    <T> Optional<T> getProperty(String name);
+
+    <T> T setProperty(String name, T value);
+
+    PrincipalCollection getPrincipal();
+
+    Long getCreateTime();
+
+}

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/remember/RememberStorage.java

@@ -0,0 +1,38 @@
+/*
+ *  Copyright 2016 http://www.hswebframework.org
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *
+ */
+
+package org.hswebframework.web.authorization.shiro.remember;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public interface RememberStorage {
+
+    RememberInfo create(PrincipalCollection collection);
+
+    RememberInfo get(String key);
+
+    RememberInfo remove(String key);
+
+    void put(RememberInfo rememberInfo);
+
+}

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/remember/SimpleRememberInfo.java

@@ -0,0 +1,76 @@
+/*
+ *  Copyright 2016 http://www.hswebframework.org
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *
+ */
+
+package org.hswebframework.web.authorization.shiro.remember;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class SimpleRememberInfo implements RememberInfo {
+    private PrincipalCollection principal;
+    private Map<String, Object> properties = new HashMap<>();
+
+    private String key;
+
+    private Long createTime;
+
+    public SimpleRememberInfo(PrincipalCollection principal) {
+        this.principal = principal;
+    }
+
+    public void setKey(String key) {
+        this.key = key;
+    }
+
+    @Override
+    public String getKey() {
+        return key;
+    }
+
+    @Override
+    public <T> Optional<T> getProperty(String name) {
+        return Optional.ofNullable((T) properties.get(name));
+    }
+
+    @Override
+    public <T> T setProperty(String name, T value) {
+        return (T) properties.put(name, value);
+    }
+
+    @Override
+    public PrincipalCollection getPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public Long getCreateTime() {
+        return createTime;
+    }
+
+    public void setCreateTime(Long createTime) {
+        this.createTime = createTime;
+    }
+}

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/remember/SimpleRememberMeManager.java

@@ -0,0 +1,124 @@
+/*
+ *  Copyright 2016 http://www.hswebframework.org
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *
+ */
+
+package org.hswebframework.web.authorization.shiro.remember;
+
+import org.apache.shiro.authc.*;
+import org.apache.shiro.mgt.RememberMeManager;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.SubjectContext;
+import org.apache.shiro.web.servlet.Cookie;
+import org.apache.shiro.web.servlet.SimpleCookie;
+import org.apache.shiro.web.subject.WebSubject;
+import org.apache.shiro.web.subject.WebSubjectContext;
+import org.apache.shiro.web.util.WebUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * TODO 完成注释
+ *
+ * @author zhouhao
+ */
+public class SimpleRememberMeManager implements RememberMeManager {
+
+    public static final String DEFAULT_REMEMBER_ME_COOKIE_NAME = "rememberMe";
+
+    private Cookie cookie;
+
+    private RememberStorage rememberStorage = new DefaultRememberStorage();
+
+    public SimpleRememberMeManager() {
+        Cookie cookie = new SimpleCookie(DEFAULT_REMEMBER_ME_COOKIE_NAME);
+        cookie.setHttpOnly(true);
+        //One year should be long enough - most sites won't object to requiring a user to log in if they haven't visited
+        //in a year:
+        cookie.setMaxAge(Cookie.ONE_YEAR);
+        this.cookie = cookie;
+    }
+
+    public void setRememberStorage(RememberStorage rememberStorage) {
+        this.rememberStorage = rememberStorage;
+    }
+
+    public Cookie getCookie() {
+        return cookie;
+    }
+
+    public void setCookie(Cookie cookie) {
+        this.cookie = cookie;
+    }
+
+    protected String getRememberKey(SubjectContext context) {
+        if (!(context instanceof WebSubjectContext)) return null;
+        WebSubjectContext webSubjectContext = ((WebSubjectContext) context);
+        HttpServletRequest request = WebUtils.getHttpRequest(webSubjectContext);
+        HttpServletResponse response = WebUtils.getHttpResponse(webSubjectContext);
+        return getCookie().readValue(request, response);
+    }
+
+    @Override
+    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
+        String key = getRememberKey(subjectContext);
+        if (null == key) return null;
+        RememberInfo info = rememberStorage.get(key);
+        if (info == null) return null;
+        return info.getPrincipal();
+    }
+
+    @Override
+    public void forgetIdentity(SubjectContext subjectContext) {
+        String key = getRememberKey(subjectContext);
+        if (null == key) return;
+        rememberStorage.remove(key);
+    }
+
+    @Override
+    public void onSuccessfulLogin(Subject subject, AuthenticationToken token, AuthenticationInfo info) {
+        if (!(subject instanceof WebSubject)) return;
+        if (!(token instanceof RememberMeAuthenticationToken) || !((RememberMeAuthenticationToken) token).isRememberMe()) return;
+        PrincipalCollection principalCollection = info.getPrincipals();
+        HttpServletRequest request = WebUtils.getHttpRequest(subject);
+        HttpServletResponse response = WebUtils.getHttpResponse(subject);
+
+        getCookie().removeFrom(request, response);
+        RememberInfo rememberInfo = rememberStorage.create(principalCollection);
+        SimpleCookie simpleCookie = new SimpleCookie(getCookie());
+        simpleCookie.setValue(rememberInfo.getKey());
+        simpleCookie.saveTo(request, response);
+        rememberStorage.put(rememberInfo);
+    }
+
+    @Override
+    public void onFailedLogin(Subject subject, AuthenticationToken token, AuthenticationException ae) {
+        if (!(subject instanceof WebSubject)) return;
+        HttpServletRequest request = WebUtils.getHttpRequest(subject);
+        HttpServletResponse response = WebUtils.getHttpResponse(subject);
+        getCookie().removeFrom(request, response);
+    }
+
+    @Override
+    public void onLogout(Subject subject) {
+        if (!(subject instanceof WebSubject)) return;
+        HttpServletRequest request = WebUtils.getHttpRequest(subject);
+        HttpServletResponse response = WebUtils.getHttpResponse(subject);
+        getCookie().removeFrom(request, response);
+    }
+}

hsweb-authorization/hsweb-authorization-shiro/src/main/java/org/hswebframework/web/authorization/shiro/boost/MethodInterceptorHolder.java

@@ -1,35 +1,33 @@
 /*
- * Copyright 2016 http://www.hswebframework.org
+ *  Copyright 2016 http://www.hswebframework.org
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *       http://www.apache.org/licenses/LICENSE-2.0
+ *        http://www.apache.org/licenses/LICENSE-2.0
  *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
  *
+ *
  */
 
-package org.hswebframework.web.authorization.shiro.boost;
+package org.hswebframework.web.boost.aop.context;
 
-import org.apache.shiro.util.Assert;
+import org.hswebframework.web.AopUtils;
 import org.hswebframework.web.ThreadLocalUtils;
-import org.hswebframework.web.authorization.access.ParamContext;
-import org.hswebframwork.utils.ClassUtils;
 
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 
 /**
- * TODO 完成注释
- *
  * @author zhouhao
  */
 public class MethodInterceptorHolder {
@@ -59,10 +57,11 @@ public class MethodInterceptorHolder {
     }
 
     public MethodInterceptorHolder(String id, Method method, Object target, Map<String, Object> args) {
-        Assert.notNull(id);
-        Assert.notNull(method);
-        Assert.notNull(target);
-        Assert.notNull(args);
+        Objects.requireNonNull(id);
+        Objects.requireNonNull(id);
+        Objects.requireNonNull(method);
+        Objects.requireNonNull(target);
+        Objects.requireNonNull(args);
         this.id = id;
         this.method = method;
         this.target = target;
@@ -85,8 +84,8 @@ public class MethodInterceptorHolder {
         return args;
     }
 
-    public ParamContext createParamContext() {
-        return new ParamContext() {
+    public MethodInterceptorParamContext createParamContext() {
+        return new MethodInterceptorParamContext() {
             @Override
             public Object getTarget() {
                 return target;
@@ -104,11 +103,8 @@ public class MethodInterceptorHolder {
             }
 
             @Override
-            public <T extends Annotation> T getAnnotation(Class<T> type) {
-                T ann = ClassUtils.getAnnotation(method, type);
-                if (ann == null)
-                    ann = ClassUtils.getAnnotation(target.getClass(), type);
-                return ann;
+            public <T extends Annotation> T getAnnotation(Class<T> annClass) {
+                return AopUtils.findAnnotation(target.getClass(), method, annClass);
             }
 
             @Override