1、Shiro实现授权
实现步骤:
- 在数据库的user表中添加perm字段用于权限的判断
- 修改实体类,mapper、service、controller接口同上
- 编写Shiro配置类
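package com.gjy.config;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Spring configuration that wires Apache Shiro into the web application.
 *
 * <p>The three beans depend on each other in this order: {@code userRealm} (1) is
 * attached to {@code securityManager} (2), which is attached to the
 * {@link ShiroFilterFactoryBean} (3) that enforces the URL rules.
 */
@Configuration
public class ShiroConfig {

    /**
     * Step 3: builds the Shiro web filter and its URL-to-filter-chain rules.
     *
     * @param securityManager the security manager bean named {@code securityManager}
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        // Attach the security manager.
        bean.setSecurityManager(securityManager);

        /*
         * Built-in Shiro filters used in chain definitions:
         *   anon  - accessible without authentication
         *   authc - the subject must have logged in during this session
         *   user  - the subject must be known (logged in OR remembered via remember-me)
         *   perms - the subject must hold the named permission
         *   roles - the subject must hold the named role
         */
        // Insertion order matters: Shiro applies the FIRST pattern that matches the
        // request, so the specific paths must be registered before the catch-all.
        Map<String, String> filterMap = new LinkedHashMap<>();

        // Authorization rules. "authc" is chained in front of "perms" so that a
        // subject restored only from a remember-me cookie has to log in again before
        // a permission check can succeed; "perms" alone accepts a remembered identity.
        filterMap.put("/user/add", "authc,perms[user:add]");
        filterMap.put("/user/update", "authc,perms[user:update]");
        // "/user/*" matches a single path segment only; "/user/**" also covers nested
        // paths such as /user/a/b, so nothing below /user/ is left unprotected.
        filterMap.put("/user/**", "authc");
        // NOTE(review): URLs that match no pattern are not filtered at all. Consider a
        // trailing deny-by-default rule once the public pages are listed as "anon".

        bean.setFilterChainDefinitionMap(filterMap);
        bean.setLoginUrl("/toLogin");              // where unauthenticated requests are sent
        bean.setUnauthorizedUrl("/unauthorized");  // where failed permission checks are sent
        return bean;
    }

    /**
     * Step 2: creates the web security manager and binds the realm to it.
     *
     * @param userRealm the realm bean named {@code userRealm}
     * @return the security manager backed by {@code userRealm}
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager defaultWebSecurityManager(
            @Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // Associate the realm that performs authentication and authorization lookups.
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Step 1: creates the custom realm.
     *
     * @return a new {@link UserRealm}
     */
    @Bean(name = "userRealm")
    public UserRealm userRealm() {
        return new UserRealm();
    }
}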
- 编写Realm类
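package com.gjy.config;

import com.gjy.pojo.User;
import com.gjy.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * Custom realm: looks users up through {@link UserService} for authentication and
 * grants each user the single permission string stored in its {@code perm} field.
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    UserService userService;

    /**
     * Authorization: builds the permission set for the given principals.
     *
     * @param principalCollection the principals of the subject being authorized
     * @return authorization info holding the user's permission, or an empty one when
     *         the user has no permission value
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了=》授权doGetAuthorizationInfo");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        // Read the user from the principals Shiro passed in rather than from
        // SecurityUtils.getSubject(): the thread-bound subject is not guaranteed to be
        // the identity this call is authorizing.
        User currentUser = (User) principalCollection.getPrimaryPrincipal();

        // A null or blank perm column means "no permissions"; do not hand it to Shiro.
        String perm = currentUser == null ? null : currentUser.getPerm();
        if (perm != null && !perm.trim().isEmpty()) {
            info.addStringPermission(perm);
        }
        // NOTE(review): the permission comes from the User object captured at login,
        // so a change to the perm column only takes effect after the user logs in
        // again - confirm whether that is acceptable for revocation.
        return info;
    }

    /**
     * Authentication: loads the account for the submitted user name and hands the
     * stored credential to Shiro, which performs the comparison.
     *
     * @param authenticationToken the submitted token; cast to {@link UsernamePasswordToken}
     * @return the account's authentication info, or {@code null} when no such user exists
     * @throws AuthenticationException if authentication cannot be carried out
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        System.out.println("执行了=》认证doGetAuthenticationInfo");
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;

        // Look the account up in the real database.
        User user = userService.queryUserByName(usernamePasswordToken.getUsername());
        if (user == null) {
            // Returning null makes Shiro report an unknown account. The login page
            // should show the same generic message for unknown-account and
            // wrong-password failures so account names cannot be enumerated.
            return null;
        }

        // Shiro performs the password comparison.
        // NOTE(review): no CredentialsMatcher is configured on this realm, so the
        // default SimpleCredentialsMatcher compares user.getPwd() with the submitted
        // password directly - i.e. the password column holds plaintext. Plain or
        // salted MD5 is too fast for password storage; store a salted, deliberately
        // slow hash (bcrypt/scrypt/Argon2 or an iterated hash) and set a matching
        // CredentialsMatcher on the realm.
        // NOTE(review): the whole User object, including its pwd field, becomes the
        // principal held in the session; consider a principal without credentials.
        // The realm name is passed instead of "" so the principal is attributed to
        // this realm.
        return new SimpleAuthenticationInfo(user, user.getPwd(), getName());
    }
}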
- 测试:根据用户的权限判断其能否访问