官网有快速开始案例,需要的话直接去shiro官网取即可。
QuickStart
1、导入jar包
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
2、配置Realm类
package com.chen.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class UserRealm extends AuthorizingRealm {

    /**
     * Authorization hook. The quick-start version only traces the call and
     * returns {@code null}, so no roles or permissions are granted yet.
     *
     * @param principalCollection the principals of the subject being authorized (unused here)
     * @return {@code null} — no authorization data
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        trace("执行了授权方法=>doGetAuthorizationInfo");
        return null;
    }

    /**
     * Authentication hook. The quick-start version only traces the call and
     * returns {@code null}; a {@code null} result is what Shiro reports as an
     * unknown account.
     *
     * @param authenticationToken the submitted credentials (unused here)
     * @return {@code null} — no account data
     * @throws AuthenticationException never thrown by this stub
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        trace("执行了认证方法=>doGetAuthenticationInfo");
        return null;
    }

    // Single place for the console trace shared by both hooks.
    private static void trace(String message) {
        System.out.println(message);
    }
}
3、配置shiroConfig配置类
package com.chen.config;
import com.chen.realm.UserRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ShrioConfig {

    /**
     * Step 1: the realm bean. Shiro calls it for both authentication and
     * authorization; registering it with Spring lets the other beans inject it.
     *
     * @return a new {@link UserRealm}
     */
    @Bean
    public UserRealm getUserRealm() {
        return new UserRealm();
    }

    /**
     * Step 2: the security manager, wired to the Spring-managed realm from step 1.
     * Registered under the explicit name "securityManager" so step 3 can qualify it.
     *
     * @param userRealm the realm bean produced by {@link #getUserRealm()}
     * @return the configured web security manager
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("getUserRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    /**
     * Step 3: the Shiro filter bean, which only needs the security manager from
     * step 2. Filter chain definitions (which URLs require authc/perms) are not
     * set in this version.
     *
     * @param securityManager the bean named "securityManager"
     * @return the filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setSecurityManager(securityManager);
        return shiroFilter;
    }
}
设置权限参数
我们在ShiroFilterFactoryBean中进行设置拦截,主要配置代码
//3、ShiroFilterFactoryBean,指定securityManager对象
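@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
    filterFactoryBean.setSecurityManager(securityManager);

    // Shiro applies the FIRST chain whose path pattern matches a request, so the
    // definition map must preserve insertion order. A plain HashMap may iterate
    // "/user/*" before "/user/add", in which case the perms[...] rules below
    // would never be reached. Fully qualified so the snippet needs no extra import.
    java.util.Map<String, String> filterChain = new java.util.LinkedHashMap<>();
    // Specific paths first: the named permission is required.
    filterChain.put("/user/add", "perms[user:add]");
    filterChain.put("/user/update", "perms[user:update]");
    // Catch-all for the rest of /user/: an authenticated session is enough.
    filterChain.put("/user/*", "authc");
    // Paths not listed here are not intercepted by Shiro at all; add more
    // entries (e.g. a trailing "/**" rule) if other URLs need protection.
    filterFactoryBean.setFilterChainDefinitionMap(filterChain);

    // Shiro ships no login page; unauthenticated requests are redirected here.
    filterFactoryBean.setLoginUrl("/toLogin");
    // Authenticated but lacking the required permission: redirected here.
    filterFactoryBean.setUnauthorizedUrl("/unauth");
    return filterFactoryBean;
}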
登录验证
在登录的controller中进行判断并且验证用户名和密码,会自动调用配置类进行拦截
//登录验证
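@RequestMapping("/login")
public String login(String username, String password, Model model) {
    Subject subject = SecurityUtils.getSubject();
    // Wrap the submitted credentials; Shiro passes this token to the realm.
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        // Triggers the realm's doGetAuthenticationInfo; Shiro's credentials
        // matcher compares the submitted password and throws on mismatch.
        subject.login(token);
    } catch (UnknownAccountException e) {
        // NOTE: reporting separately whether the username or the password was
        // wrong lets a caller enumerate valid usernames; a single generic
        // message is the safer choice once this leaves the tutorial stage.
        model.addAttribute("tipMsg", "用户名错误");
        return "login";
    } catch (IncorrectCredentialsException e) {
        model.addAttribute("tipMsg", "密码错误");
        return "login";
    } catch (AuthenticationException e) {
        // Any other Shiro failure (e.g. a locked or disabled account) used to
        // escape the controller as an unhandled exception; treat it as a
        // failed login instead.
        model.addAttribute("tipMsg", "登录失败");
        return "login";
    } finally {
        // Zero the password copy held by the token once it is no longer needed.
        token.clear();
    }
    return "index";
}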
认证时,我们在Realm类中将查询到的用户信息与用户输入的值进行比较,若相同则登录成功,若不相同则抛出异常,异常会提示用户名或密码错误
//认证
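@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    System.out.println("执行了认证方法=>doGetAuthenticationInfo");
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    // Look the account up by the submitted username.
    User user = userService.getUser(token.getUsername());
    // No such account: returning null makes Shiro raise UnknownAccountException.
    if (user == null) {
        return null;
    }
    // Hand the stored credential back; Shiro's credentials matcher does the
    // comparison, not this realm.
    // NOTE(review): with the realm's default SimpleCredentialsMatcher that is a
    // plain equality check, i.e. user.getPassword() would have to be the
    // cleartext password — confirm, and configure a HashedCredentialsMatcher
    // (salted hash) before real use.
    // getName() tags the info with this realm's name instead of an empty string.
    return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
}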
在认证过后,我们会进入到授权方法,我们会判断用户是否具有相关的权限,权限这个分配在ShiroConfig中进行配置。授权操作在Realm中进行配置
//授权
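@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    System.out.println("执行了授权方法=>doGetAuthorizationInfo");
    // The principal stored at login (the User object handed to
    // SimpleAuthenticationInfo) is passed in directly; reading it from the
    // argument avoids relying on the thread-bound SecurityUtils.getSubject().
    User currentUser = (User) principalCollection.getPrimaryPrincipal();
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // Grant exactly the permission string stored on the user record.
    // NOTE(review): User.getPerms() is not shown on this page; a null value
    // would fail later inside Shiro's permission resolution, so it is skipped.
    String perms = currentUser.getPerms();
    if (perms != null) {
        info.addStringPermission(perms);
    }
    return info;
}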
如果登陆成功并授权成功后,我们即可在不同的用户权限下,进行不同页面的访问。
总结:
当前用户对象存放在Subject对象中,并且一次配置全局有效。可以直接在配置类中获取当前对象。
我们访问页面的时候,首先要进行认证,认证是验证用户名和密码是否正确、是否可以登录;认证过后,就是授权。授权是在数据库中查询此用户具有哪些权限,若没有这个权限的话,是没办法进入本页面的。