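// Shiro configuration
package com.goodwe.admin.configure;

// Shiro's SecurityManager deliberately shadows java.lang.SecurityManager in this file.
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Spring configuration for Apache Shiro.
 *
 * <p>Registers the application realm, the web {@link SecurityManager} backed by it, the URL
 * filter chain that decides which paths need an authenticated subject, and the advisor that
 * makes Shiro's authorization annotations effective.
 *
 * <p>NOTE(review): {@code ShiroRealm} is not imported, so it is resolved from this package
 * ({@code com.goodwe.admin.configure}); confirm that matches the package the realm class is
 * actually declared in.
 */
@Configuration
public class ShiroConfigure {

    /**
     * Creates the realm that performs authentication and authorization.
     *
     * @return a new {@code ShiroRealm}; as a {@code @Bean} it is a singleton in the context
     */
    @Bean
    public ShiroRealm shiroRealm() {
        return new ShiroRealm();
    }

    /**
     * Creates the web security manager and wires the realm into it.
     *
     * <p>Calling {@link #shiroRealm()} from another {@code @Bean} method is safe in a
     * {@code @Configuration} class: Spring intercepts the call and returns the singleton.
     *
     * @return the configured {@link DefaultWebSecurityManager}
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(shiroRealm());
        return manager;
    }

    /**
     * Defines the URL filter chain and the login / success / unauthorized redirect targets.
     *
     * <p>Chain definitions are matched in insertion order and the first matching pattern wins,
     * so the open ({@code anon}) paths must be registered before the catch-all
     * ({@code "/**" -> authc}). A {@link LinkedHashMap} preserves that order; a plain
     * {@code HashMap} would make it undefined and could let the catch-all shadow the
     * {@code anon} entries (e.g. forcing authentication on the login page itself).
     *
     * @param securityManager the security manager the filter delegates to
     * @return the configured {@link ShiroFilterFactoryBean}
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
        filterFactory.setSecurityManager(securityManager);

        // authc: Shiro's built-in filter that lets the request through only when the current
        //        subject is authenticated and otherwise redirects to the login URL.
        // anon:  Shiro's built-in filter that allows anonymous access.
        Map<String, String> chains = new LinkedHashMap<>();
        // Static resources are open.
        chains.put("/static/**", "anon");
        chains.put("/favicon.ico", "anon");
        // The login page must be reachable without an authenticated subject.
        chains.put("/admin/login", "anon");
        // Everything else requires an authenticated subject; keep this entry last.
        chains.put("/**", "authc");

        // Where unauthenticated requests are redirected.
        filterFactory.setLoginUrl("/admin/login");
        // Where a successful login lands.
        filterFactory.setSuccessUrl("/admin/index");
        // Target for authorization failures (an authenticated subject lacking the required
        // role/permission); authentication failures go to the login URL instead.
        filterFactory.setUnauthorizedUrl("/error");
        filterFactory.setFilterChainDefinitionMap(chains);
        return filterFactory;
    }

    /**
     * Enables Shiro's authorization annotations ({@code @RequiresRoles} and friends); without
     * this advisor the annotations are silently ignored.
     *
     * @param securityManager the security manager consulted when an annotated method is invoked
     * @return the configured advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(
            SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}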
shiro-realm构建
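package com.goodwe.admin.config;

import com.goodwe.daomain.plus.entity.User;
import com.goodwe.service.Exception.ResultException;
import com.goodwe.service.IndexService;
import com.goodwe.service.StudentService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * Realm that delegates credential checking to {@link IndexService} and derives the subject's
 * roles from the {@link User} stored in the session at login.
 */
public class ShiroRealm extends AuthorizingRealm {

    /** Session attribute under which the authenticated {@link User} is kept. */
    private static final String SESSION_USER_KEY = "user";

    @Autowired
    private IndexService indexService;

    @Autowired
    private StudentService userService;

    /**
     * Authenticates a username/password token.
     *
     * <p>{@link IndexService#shiroLogin} performs the actual credential check; this method only
     * maps its outcome onto Shiro's types. The submitted password is echoed back as the
     * credentials of the returned info, so Shiro's credentials matcher compares it against
     * itself — the matcher is not a second line of defence here.
     *
     * @param authenticationToken the token submitted at login; Shiro only routes
     *     {@link UsernamePasswordToken}s to this realm (its default supported token type),
     *     which is what makes the cast below safe
     * @return authentication info whose principal is the user's id
     * @throws UnknownAccountException if the service rejects the login or returns no user
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();

        User user;
        try {
            // The service API takes a String, so the char[] has to be copied; the copy cannot be
            // wiped afterwards.
            String password = new String(token.getPassword());
            user = indexService.shiroLogin(username, password);
        } catch (ResultException e) {
            // Keep the cause for diagnostics instead of dropping it.
            // NOTE(review): passing the service message through verbatim may reveal whether the
            // account exists — confirm the service uses a uniform message for both cases.
            throw new UnknownAccountException(e.getMessage(), e);
        }
        if (user == null) {
            // A null user would otherwise surface as a NullPointerException below; treat it as
            // a failed login instead.
            throw new UnknownAccountException("Authentication failed for user: " + username);
        }

        // Make the user available to doGetAuthorizationInfo and to controllers.
        SecurityUtils.getSubject().getSession().setAttribute(SESSION_USER_KEY, user);

        // The third constructor argument is the realm name (the username used to be passed
        // here, which mislabels the principal's realm).
        return new SimpleAuthenticationInfo(user.getId(), token.getPassword(), getName());
    }

    /**
     * Builds the subject's roles from the {@link User} placed in the session during
     * authentication.
     *
     * <p>NOTE(review): this reads the thread-bound subject's session rather than
     * {@code principalCollection}; when the session is gone (expired, or a subject restored
     * without one) no roles are granted, which denies access rather than throwing.
     *
     * @param principalCollection the principals of the subject being authorized (currently
     *     unused; the principal is only the user id, which is not enough to rebuild the user here)
     * @return the session user's role, or empty info when no user or role is available
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Subject subject = SecurityUtils.getSubject();
        // getSession(false) avoids creating a session just to find out it holds no user.
        Session session = subject.getSession(false);
        if (session == null) {
            return info;
        }
        User user = (User) session.getAttribute(SESSION_USER_KEY);
        if (user == null || user.getRole() == null) {
            return info;
        }
        info.addRole(user.getRole().toString());
        return info;
    }
}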