Building a simple system with Shiro
Setting up a simple system skeleton
Shiro environment setup
Importing the dependency
Note that this is the package that integrates Shiro with Spring Boot:
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.5.3</version>
</dependency>
Three Beans
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {
    // 3. The filter factory bean: ties the servlet filter chain to the security manager
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        return bean;
    }
    // 2. The security manager: coordinates authentication and authorization through the realm
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }
    // 1. The custom realm: where user data and permissions are looked up
    @Bean
    public UserRealm userRealm(){
        return new UserRealm();
    }
}
And a custom Realm
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class UserRealm extends AuthorizingRealm {
    // Authorization: filled in later; returning null grants no permissions at all
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }
    // Authentication: filled in later; returning null means "unknown account"
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        return null;
    }
}
Interception, authentication and authorization
Interception
Customize on top of the environment just set up.
Some of this code is not needed yet; it is pasted here anyway.
import java.util.LinkedHashMap;
import java.util.Map;

@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager);
    Map<String, String> filter = new LinkedHashMap<>(); // filter chain definitions (insertion order matters)
    filter.put("/user/add", "perms[user:add]"); // intercept "/user/add": the [user:add] permission is required to enter
    filter.put("/user/update", "perms[user:update]");
    bean.setFilterChainDefinitionMap(filter); // install the filter chain
    bean.setLoginUrl("/toLogin"); // login URL: where unauthenticated requests are redirected
    // Shiro does not ship a built-in login page the way Spring Security does
    bean.setUnauthorizedUrl("/noAuth"); // page shown when the user lacks the permission
    return bean;
}
The interception is configured in filter; then run the application and test whether the interception works. If no login URL is set, a 404 error is returned.
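The two perms entries above protect only those two URLs; every URL not listed passes through the Shiro filter untouched, and the order of the entries decides which rule wins. The following is an added example (not code from the original post) of a full chain definition that closes that gap: public paths are marked anon, logout gets Shiro's built-in logout filter, and a catch-all "/**" authc rule goes last. The package name and the "/css/**" path are assumptions; this bean would replace, not sit beside, the getShiroFilterFactoryBean shown above.

```java
package com.example.shiro; // hypothetical package (assumption)

import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroFilterChainConfig {

    /**
     * Filter chain definitions. Shiro compares the request path with these
     * entries in insertion order and applies the FIRST match, so the map must
     * be a LinkedHashMap (a HashMap would randomize the order) and the
     * catch-all "/**" rule must be the last entry, otherwise it shadows the
     * more specific rules below it.
     */
    static Map<String, String> filterChainDefinitions() {
        Map<String, String> chain = new LinkedHashMap<>();
        // Public endpoints: the login page and the login form target must be
        // reachable without a session, otherwise nobody can ever log in.
        chain.put("/toLogin", "anon");
        chain.put("/login", "anon");
        chain.put("/css/**", "anon");            // static assets (assumed path)
        // Built-in logout filter: invalidates the session and redirects.
        chain.put("/logout", "logout");
        // Permission-protected endpoints, as in the configuration above.
        chain.put("/user/add", "perms[user:add]");
        chain.put("/user/update", "perms[user:update]");
        // Deny by default: everything else needs an authenticated session.
        chain.put("/**", "authc");
        return chain;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        bean.setFilterChainDefinitionMap(filterChainDefinitions());
        bean.setLoginUrl("/toLogin");       // "authc" redirects unauthenticated users here
        bean.setUnauthorizedUrl("/noAuth"); // "perms" sends authenticated users lacking the permission here
        return bean;
    }
}
```

A quick way to check the ordering is to request a URL that is not in the list (for example /user/list) while logged out: with the catch-all rule in place it must redirect to /toLogin; with the two-entry chain from the post it is served without any check.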
Authentication
Authentication is written inside the custom Realm we just created. When the user clicks login, this method is invoked.
Of course we also need a request handler for the login.
This is the controller-layer method. In the normal flow the controller calls the service layer to perform the operation.
This is essentially fixed, boilerplate code:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping("/login")
public String login(String username, String password, Model model){
    Subject subject = SecurityUtils.getSubject(); // the current user (anonymous until login succeeds)
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token); // delegates to the realm's doGetAuthenticationInfo
        return "index";
    } catch (UnknownAccountException e) { // the realm returned null: no such user
        model.addAttribute("msg", "用户名错误!");
        return "login";
    } catch (IncorrectCredentialsException e) { // the credentials matcher rejected the password
        model.addAttribute("msg", "密码错误!");
        return "login";
    }
}
Then
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

// Inside UserRealm. Spring still autowires fields on objects returned from @Bean methods.
@Autowired
private UserMapper userMapper;

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken userToken = (UsernamePasswordToken) token;
    // Database lookup; the connection goes through MyBatis
    User user = userMapper.queryUserByName(userToken.getUsername());
    if (user == null){
        return null; // Shiro raises UnknownAccountException: the username does not exist
    }
    Subject subject = SecurityUtils.getSubject();
    subject.getSession().setAttribute("loginUser", user); // put the user into the session
    // Return a simple AuthenticationInfo; Shiro compares the submitted password with user.getPassword()
    return new SimpleAuthenticationInfo(user, user.getPassword(), "");
}
Test whether authentication against the database works.
Authorization
import org.apache.shiro.authz.SimpleAuthorizationInfo;

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // The principal is the User object returned from doGetAuthenticationInfo above.
    // Reading it from principalCollection is the idiomatic form; SecurityUtils.getSubject().getPrincipal()
    // gives the same object for the currently logged-in user.
    User currentUser = (User) principalCollection.getPrimaryPrincipal(); // the currently logged-in user
    info.addStringPermission(currentUser.getPerms()); // read the permission from the database and grant it
    return info;
}
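The realm above returns user.getPassword() as the stored credential, so whatever is in that column is compared verbatim with the submitted password; the table therefore holds plaintext passwords. The following is an added example (not code from the original post) of the same realm with a HashedCredentialsMatcher, so the database stores only a salted SHA-256 hash, plus the authorization half reading the permission string from the PrincipalCollection. It serves both the authentication and the authorization sections. The User fields other than password and perms (salt, locked), the UserLookup interface standing in for the MyBatis mapper, the iteration count and the realm name are all assumptions.

```java
package com.example.shiro; // hypothetical package (assumption)

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class HashedUserRealm extends AuthorizingRealm {

    /** Assumed entity shape: the post's User has a password and a perms column; salt and locked are added here. */
    public static class User {
        public String username;
        public String passwordHash; // hex of SHA-256(password, salt, HASH_ITERATIONS)
        public String salt;         // per-user random salt, generated at registration
        public String perms;        // e.g. "user:add,user:update" (assumed comma-separated)
        public boolean locked;
    }

    /** Assumed data-access interface standing in for the post's MyBatis userMapper. */
    public interface UserLookup {
        User queryUserByName(String username);
    }

    public static final int HASH_ITERATIONS = 10_000; // assumed work factor

    private final UserLookup users;

    public HashedUserRealm(UserLookup users) {
        this.users = users;
        // The matcher re-hashes the submitted password with the salt returned in
        // the AuthenticationInfo and compares it with the stored hash.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
        setName("hashedUserRealm"); // assumed realm name
    }

    /** Registration-time hashing; must use exactly the matcher's algorithm and iteration count. */
    public static String hashPassword(String plaintext, String salt) {
        return new Sha256Hash(plaintext, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = users.queryUserByName(username);
        if (user == null) {
            return null; // Shiro turns this into UnknownAccountException, as on the page
        }
        if (user.locked) {
            throw new LockedAccountException("account is locked: " + username);
        }
        // Hand Shiro the stored hash and the salt; the plaintext is never compared directly.
        return new SimpleAuthenticationInfo(user, user.passwordHash,
                ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Use the principal Shiro is asking about rather than SecurityUtils.getSubject():
        // they differ under runAs, and the realm may be queried outside a web request.
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user.perms != null) {
            for (String perm : user.perms.split(",")) { // assumed comma-separated list
                String p = perm.trim();
                if (!p.isEmpty()) {
                    info.addStringPermission(p); // e.g. "user:add" matches perms[user:add]
                }
            }
        }
        return info;
    }
}
```

Wiring it into the ShiroConfig from the post means returning new HashedUserRealm(userMapper::queryUserByName) from the realm @Bean method (assuming the mapper's method signature matches UserLookup). The login controller needs no change: a wrong password still surfaces as IncorrectCredentialsException, and LockedAccountException is a further AuthenticationException subtype the controller may catch. Storing the user in the session, as the original realm does, is unnecessary: after login the same object is available from SecurityUtils.getSubject().getPrincipal().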
Integrating Thymeleaf
Import the integration package
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
Configuration is required; write it in the ShiroConfig class as well:
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;

// Registers the shiro:* template attributes with Thymeleaf
@Bean
public ShiroDialect getShiroDialect(){
    return new ShiroDialect();
}
Then hide the sections the user has no permission for:
<!-- the <html> tag needs xmlns:shiro="http://www.pollix.at/thymeleaf/shiro" for the attribute to be recognized -->
<!-- write the permission string here, for example user:add -->
<div shiro:hasPermission="user:add">
······
</div>
This concludes these simple Shiro learning notes.