Shiro core objects
- Subject: the user
- SecurityManager: manages all users
- Realm: connects to the data
Import the dependency that integrates Shiro with Spring Boot
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.8.0</version>
</dependency>
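- Write the configuration class ShiroConfig. Add the @Configuration annotation to the configuration class!!! Do not forget this
- ShiroFilterFactoryBean
- DefaultWebSecurityManager
- Create the realm object; this requires a custom class
The three points above correspond to Shiro's three main objects; configure them from the bottom up
- The custom UserRealm
- extends AuthorizingRealm
- Override two methods: 1. authorization 2. authentication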
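import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class UserRealm extends AuthorizingRealm {
    // Authorization
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了=>授权");
        return null;
    }
    // Authentication
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("执行了=>认证");
        return null;
    }
}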
3. In ShiroConfig, register the UserRealm object with Spring
// Create the UserRealm object
@Bean(name = "userRealm")
public UserRealm userRealm(){
    return new UserRealm();
}
4. Configure DefaultWebSecurityManager
// DefaultWebSecurityManager
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    // Associate the UserRealm
    securityManager.setRealm(userRealm);
    return securityManager;
}
5. Create ShiroFilterFactoryBean
// ShiroFilterFactoryBean
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager){
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    // Set the security manager
    bean.setSecurityManager(defaultWebSecurityManager);
    return bean;
}
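Implementing authorization for users
Add Shiro's built-in filters in ShiroFilterFactoryBean
- anon: accessible without authentication
- authc: accessible only after authentication
- user: accessible only with the remember-me feature
- perms: accessible only with permission for a given resource
- roles: accessible only with a given role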
// ShiroFilterFactoryBean
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager){
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    // Set the security manager
    bean.setSecurityManager(defaultWebSecurityManager);
    // How to implement authorization for users:
    // add Shiro's built-in filters in ShiroFilterFactoryBean
    Map<String,String> filterMap = new LinkedHashMap<>();
    // /user/add /update are the endpoints defined in the application
    filterMap.put("/user/add","authc");
    filterMap.put("/user/update","authc");
    bean.setFilterChainDefinitionMap(filterMap);
    System.err.println("[debug] shiro");
    return bean;
}
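Set up login interception by adding the following to the code above. (Requests that require authentication are redirected.)
bean.setLoginUrl("/toLogin");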
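User authentication, placed in UserRealm
Get the current user (SecurityUtils is a Shiro class)
Subject subject = SecurityUtils.getSubject();
Wrap the user's login data (username and password) --> Token
// Wrap the user's login data
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.login(token); // Perform the login; no exception means it succeeded
Catch the exceptions from the previous step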
try {
    // Perform the login
    subject.login(token);
    return "index";
}
catch (UnknownAccountException uae) { // Username does not exist
    model.addAttribute("msg","用户名不存在");
    return "login";
}
catch (IncorrectCredentialsException ice) { // Wrong password
    model.addAttribute("msg","密码错误");
    return "login";
}
UserRealm
// Authentication
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    System.out.println("执行了=>认证");
    // Username and password would normally come from the database. For convenience, the data is faked here
    String username = "root";
    String password = "123456";
    UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
    if(!token.getUsername().equals(username)){
        return null; // Returning null makes Shiro throw UnknownAccountException
    }
    return new SimpleAuthenticationInfo("",password,"");
}
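The realm above compares a plaintext password. As an added example (not code from the original notes), the same realm can hand Shiro a salted, iterated hash instead and let a HashedCredentialsMatcher do the comparison; it uses the Shiro 1.8.0 API from the dependency above. The class name HashedUserRealm, the salt, the iteration count and the "user:add" permission are assumptions made for illustration, and the user record is constructed sample data standing in for a database row.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedUserRealm extends AuthorizingRealm {
    static final int ITERATIONS = 100_000; // assumed work factor
    // Constructed sample record: a real table stores only user, salt and hash.
    static final String DB_USER = "root";
    static final String DB_SALT = "constructed-per-user-salt";
    static final String DB_HASH = new Sha256Hash("123456", DB_SALT, ITERATIONS).toHex();

    public HashedUserRealm() {
        // Shiro hashes the submitted password with the stored salt, then compares hex digests.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Hypothetical permission; a real realm loads it for principals.getPrimaryPrincipal().
        info.addStringPermission("user:add");
        return info;
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        if (!DB_USER.equals(username)) return null; // Shiro throws UnknownAccountException
        // A non-empty principal and realm name let authorization identify the user later.
        return new SimpleAuthenticationInfo(username, DB_HASH, ByteSource.Util.bytes(DB_SALT), getName());
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedUserRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("root", "wrong-password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
        subject.login(new UsernamePasswordToken("root", "123456"));
        System.out.println("may add users: " + subject.isPermitted("user:add"));
    }
}
```

In the Spring setup above, this class would be returned from the userRealm() bean in place of UserRealm; the main method only exercises it without a web container.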