Shiro
1. Basic configuration
- Import the Shiro dependency
- Configure the ini file
- The ini file lives in the resources directory
- Test data (plaintext credentials, fine for a local demo only):
```ini
[users]
xiaochen=123
```
- Create the security manager
```java
DefaultSecurityManager securityManager = new DefaultSecurityManager();
```
- Give the security manager a realm (IniRealm reads the [users] section above)
```java
securityManager.setRealm(new IniRealm("classpath:shiro.ini"));
```
- Hand the security manager to the global SecurityUtils helper
```java
SecurityUtils.setSecurityManager(securityManager);
```
- Get the current Subject
```java
Subject subject = SecurityUtils.getSubject();
```
- Build a token from the submitted username and password
```java
UsernamePasswordToken token = new UsernamePasswordToken("xiaochen", "123");
```
- Authenticate. Shiro reports failures as exceptions; the two most common are handled by name, and every other AuthenticationException subclass (locked account, too many attempts, ...) is caught by the last clause instead of propagating.
```java
try {
    subject.login(token);
} catch (UnknownAccountException e) {
    System.out.println("unknown username");
} catch (IncorrectCredentialsException e) {
    System.out.println("wrong password");
} catch (AuthenticationException e) {
    System.out.println("login failed: " + e.getClass().getSimpleName());
}
```
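The steps above assembled into one runnable class, as an added example that is not from the original notes. It builds the ini content in memory with Shiro's Ini class instead of reading classpath:shiro.ini, so it runs stand-alone, and it goes beyond the notes' [users]-only file by adding a [roles] section so the role and permission checks that follow a successful login can be shown as well. The extra account guest and the role/permission names are constructed for this example.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class IniAuthDemo {

    // Constructed in memory instead of loading classpath:shiro.ini (assumption for the demo).
    // Shiro's ini format:  [users] name = password, role, role...   [roles] role = perm, perm
    static Ini buildIni() {
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("xiaochen", "123, admin");          // password 123, role admin
        users.put("guest", "guest");                  // constructed account with no roles
        Ini.Section roles = ini.addSection("roles");
        roles.put("admin", "user:read, user:create"); // wildcard permissions granted to the role
        return ini;
    }

    // Same login flow as the notes, with a catch-all so no AuthenticationException escapes.
    static String login(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "OK";
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "wrong password";
        } catch (AuthenticationException e) {          // locked, expired, too many attempts, ...
            return "login failed: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // IniRealm uses a plaintext SimpleCredentialsMatcher by default, which is why the
        // [users] section can hold "123" directly. Acceptable for a demo, not for production.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(buildIni()));
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();

        System.out.println(login(subject, "xiaochen", "wrong"));  // IncorrectCredentialsException path
        System.out.println(login(subject, "nobody", "123"));      // UnknownAccountException path
        System.out.println(login(subject, "xiaochen", "123"));    // successful login

        // Authorization checks resolved through the [roles] section
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("has role admin: " + subject.hasRole("admin"));
        System.out.println("user:read permitted: " + subject.isPermitted("user:read"));
        System.out.println("user:delete permitted: " + subject.isPermitted("user:delete")); // not granted to admin

        subject.logout();
        System.out.println("authenticated after logout: " + subject.isAuthenticated());
    }
}
```

Only shiro-core (and an SLF4J binding if you want Shiro's log output) is needed on the classpath. Swapping `new IniRealm(buildIni())` for `new IniRealm("classpath:shiro.ini")` gives exactly the setup the notes describe.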
2. Custom realm
- A custom realm extends AuthorizingRealm and overrides two methods:
- doGetAuthorizationInfo: authorization (roles and permissions)
- doGetAuthenticationInfo: authentication (identity and credentials)
- Authentication:
```java
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken userToken = (UsernamePasswordToken) token;
    String username = userToken.getUsername();
    Customer customer = mapper.selectByUsername(username);
    // Returning null makes Shiro throw UnknownAccountException
    if (customer == null) {
        return null;
    }
    // principal, stored credentials, realm name
    return new SimpleAuthenticationInfo(customer, customer.getPassword(), getName());
}
```
- Only the username is read from the token here. The realm never compares the password itself: after this method returns, the realm's CredentialsMatcher compares the submitted password against the stored credentials, and throws IncorrectCredentialsException on mismatch.
- SimpleAuthenticationInfo takes three arguments: the principal (the account), the stored credentials (the password) and the realm name. Pass getName() for the realm name rather than an empty string, so the principal is attributed to the right realm when several are configured.
3. Shiro in a Spring web application
- Subject: Shiro's abstraction of the current user; it carries the user's identity, session and authentication state
- Realm: the module the developer writes; all of the project's authentication and authorization logic lives in the Realm
- ShiroFilterFactoryBean: the filter factory. Shiro's basic model is that the developer declares the rules and Shiro enforces them; enforcement is done by the individual Filter objects that ShiroFilterFactoryBean creates from the filter chain definitions
- DefaultWebSecurityManager: the security manager. A custom Realm only takes effect once it is injected into the DefaultWebSecurityManager
- Configure the Realm class
- The Realm class extends AuthorizingRealm
- Authorization (AuthorizationInfo: the user's roles and permissions, used when authorizing)
```java
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // Take the principal from the collection passed in rather than from SecurityUtils.getSubject():
    // it is whatever doGetAuthenticationInfo returned as principal, here a Customer
    Customer user = (Customer) principalCollection.getPrimaryPrincipal();
    info.addStringPermission(user.getPerms());
    return info;
}
```
- Authentication (AuthenticationInfo: the account's principal and stored credentials, used when authenticating)
```java
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken userToken = (UsernamePasswordToken) token;
    String username = userToken.getUsername();
    Customer customer = mapper.selectByUsername(username);
    // Returning null makes Shiro throw UnknownAccountException
    if (customer == null) {
        return null;
    }
    // The principal must be the Customer object, because doGetAuthorizationInfo casts it back to Customer;
    // passing the username String here would make that cast fail with ClassCastException
    return new SimpleAuthenticationInfo(customer, customer.getPassword(), this.getName());
}
```
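The custom realm from sections 2 and 3 as one complete, runnable class, an added example rather than the notes' own code. The Customer entity and mapper.selectByUsername() are stood in for by a nested class and an in-memory map (both assumptions), and instead of comparing the plaintext password the notes store, the stored value is a salted hash that Shiro's PasswordMatcher verifies, which shows where the credential check actually happens. The demo account and permission string are constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class HashedUserRealm extends AuthorizingRealm {

    /** Stand-in for the notes' Customer entity (assumed fields: username, stored hash, perms). */
    static class Customer {
        final String username; final String passwordHash; final String perms;
        Customer(String u, String h, String p) { username = u; passwordHash = h; perms = p; }
    }

    // Stand-in for mapper.selectByUsername(): an in-memory table instead of a database (assumption).
    private final Map<String, Customer> table = new HashMap<>();
    private final DefaultPasswordService passwordService = new DefaultPasswordService();

    HashedUserRealm() {
        // Credentials are compared by the CredentialsMatcher, never inside doGetAuthenticationInfo.
        // PasswordMatcher re-hashes the submitted password with the algorithm, iteration count and
        // salt recorded in the stored string and compares the result.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    /** What a registration flow would persist: the salted hash, never the plaintext. */
    void register(String username, String plaintextPassword, String perms) {
        table.put(username, new Customer(username, passwordService.encryptPassword(plaintextPassword), perms));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Customer customer = table.get(username);
        if (customer == null) {
            return null;                        // Shiro turns null into UnknownAccountException
        }
        // principal = Customer, credentials = stored hash, realm name = this realm
        return new SimpleAuthenticationInfo(customer, customer.passwordHash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Use the principals handed in, not SecurityUtils.getSubject(): this method may be called
        // for a subject other than the current thread's, and its result may be cached.
        Customer customer = (Customer) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (customer.perms != null) {
            info.addStringPermission(customer.perms);
        }
        return info;
    }

    public static void main(String[] args) {
        HashedUserRealm realm = new HashedUserRealm();
        realm.register("xiaochen", "123", "user:read");   // constructed demo account

        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();

        try {
            subject.login(new UsernamePasswordToken("xiaochen", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }

        subject.login(new UsernamePasswordToken("xiaochen", "123"));
        Customer me = (Customer) subject.getPrincipal();
        System.out.println("logged in as " + me.username
                + ", user:read permitted: " + subject.isPermitted("user:read")
                + ", user:delete permitted: " + subject.isPermitted("user:delete"));
        subject.logout();
    }
}
```

In the notes' version the same realm is declared as a @Bean and handed to DefaultWebSecurityManager; the only change needed there is to set the PasswordMatcher in the realm's constructor or in the @Bean method, and to store passwordService.encryptPassword(...) output in the customer table when accounts are created.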
- Configure the config class (annotated with @Configuration)
- The config class declares three beans:
- UserRealm (registered in the IoC container by userRealm())
```java
@Bean
public UserRealm userRealm() {
    return new UserRealm();
}
```
- DefaultWebSecurityManager (the userRealm bean is injected into it)
```java
@Bean
public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    securityManager.setRealm(userRealm);
    return securityManager;
}
```
- @Qualifier("userRealm"): selects the bean by name; a @Bean method's bean name defaults to the method name
- ShiroFilterFactoryBean
```java
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
    ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
    factoryBean.setSecurityManager(defaultWebSecurityManager);
    return factoryBean;
}
```
- Authentication and authorization rules
- Authentication filters:

| Name | Effect |
| --- | --- |
| anon | no authentication required |
| authc | the subject must be authenticated; otherwise the request is redirected to the configured login URL (requests to the login URL itself are let through so the form can be shown and submitted) |
| user | the subject must be authenticated or remembered via rememberMe |
| authcBasic | the request must carry valid HTTP Basic credentials |

- Authorization filters:

| Name | Effect |
| --- | --- |
| perms[p] | the subject must hold permission p |
| roles[r] | the subject must hold role r (the filter is named roles, not role) |
| port[n] | the request must arrive on port n |
| rest[r] | maps the HTTP method to a permission on resource r: GET requires r:read, POST r:create, PUT r:update, DELETE r:delete |
| ssl | the request must use HTTPS |

- Where the rules go: the filter chain definition map on ShiroFilterFactoryBean
```java
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
    ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
    factoryBean.setSecurityManager(defaultWebSecurityManager);
    // Permission rules ------------------------------------------------------
    // Chain definitions are matched in declaration order (first match wins), so the map
    // must preserve insertion order: use a LinkedHashMap, not a HashMap
    Map<String, String> map = new LinkedHashMap<>();
    // "/*" matches a single path segment only; use "/**" to also cover nested paths
    map.put("/*", "authc");
    factoryBean.setFilterChainDefinitionMap(map);
    // -----------------------------------------------------------------------
    return factoryBean;
}
```
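The three beans and the filter rules above brought together in one @Configuration class, as an added example that is not the notes' code. UserRealm is the realm class from the notes; the URL paths and the login/unauthorized URLs are assumptions chosen to show how declaration order and the anon, authc, roles and perms filters combine.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    public UserRealm userRealm() {
        return new UserRealm();   // the notes' AuthorizingRealm subclass
    }

    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);

        // Where authc sends unauthenticated requests, and where roles/perms send authenticated
        // subjects that lack the role or permission. Both paths are assumptions for this example.
        factoryBean.setLoginUrl("/login");
        factoryBean.setUnauthorizedUrl("/unauthorized");

        // First match wins, so order matters: with a HashMap the "/**" rule could be evaluated
        // before "/login" and lock everyone out of the login page.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");                          // login form and its POST target
        chain.put("/logout", "logout");                       // built-in filter: logs out and redirects
        chain.put("/static/**", "anon");
        chain.put("/api/public/**", "anon");
        chain.put("/admin/**", "authc, roles[admin]");        // authenticated AND holds role admin
        chain.put("/user/add", "authc, perms[user:add]");     // authenticated AND holds permission user:add
        chain.put("/user/update", "authc, perms[user:update]");
        chain.put("/**", "authc");                            // everything else: must be authenticated
        factoryBean.setFilterChainDefinitionMap(chain);
        return factoryBean;
    }
}
```

Several filters on one path are comma-separated and evaluated left to right, so `authc, perms[user:add]` first redirects anonymous users to /login and only then checks the permission for authenticated ones. The permission strings must match what the realm's doGetAuthorizationInfo puts into SimpleAuthorizationInfo.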
- Login check
- Location: controller/service
```java
public String login(Map<String, String> map) {
    String username = map.get("username");
    String password = map.get("password");
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    Subject subject = SecurityUtils.getSubject();
    try {
        subject.login(token);
    } catch (UnknownAccountException e) {
        return "{\"status\":\"user does not exist\"}";
    } catch (IncorrectCredentialsException e) {
        return "{\"status\":\"wrong password\"}";
    } catch (AuthenticationException e) {
        // locked account, too many attempts, ...: report a failure instead of surfacing a 500
        return "{\"status\":\"login failed\"}";
    }
    return "{\"status\":\"OK\"}";
}
```
- Telling the caller whether the username or the password was wrong lets an attacker enumerate valid accounts. Outside a demo, return the same generic message for both cases and keep the distinction in server-side logs only.
- Logout
- In the logout method:
```java
Subject subject = SecurityUtils.getSubject();
subject.logout();
```