文章目录
shiro集成spring-boot项目简介
1.引入依赖
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.12.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-starter</artifactId>
<version>1.5.3</version>
</dependency>
2.自定义类继承AuthorizingRealm
AuthorizingRealm类时shiro提供的父类,用于自定义认证和授权逻辑。
public class ShiroRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo();
authInfo.addStringPermission("test");
//System.out.println("执行授权+++++++++");
return authInfo;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
UserEntity user = userService.findUserByName(userToken.getUsername());
//System.out.println("执行认证+++++++++");
if (user!=null){
//匹配从数据库获取的到密码与前端传递的密码时候相同
return new SimpleAuthenticationInfo(user,user.getPwd(),this.getName());
}
return null;
}
}
2.1 ShiroRealm 类解释
2.1.1 认证方法doGetAuthenticationInfo
在controller中从前端获取了用户名和密码并封装到UsernamePasswordToken对象中。
UsernamePasswordToken token = new UsernamePasswordToken(userVO.getUserName(), userVO.getPwd());
doGetAuthenticationInfo方法中的形参(AuthenticationToken token)可以取出封装后的对象,然后做以下工作:
- 通过username查询数据库中是否有该对象如果没有则返回null并抛出UnknownAccountException异常,在controller层的login请求中处理。
- 查到该用户后通过SimpleAuthenticationInfo()对象自动比较前端传递的密码与数据库中的密码是否相同,相同则认证通过(登录成功),否则抛出IncorrectCredentialsException异常,在controller中的login请求处理。
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//取出UsernamePasswordToken对象
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
//查询数据库中的用户
UserEntity user = userService.findUserByName(userToken.getUsername());
if (user!=null){
//匹配从数据库获取的到密码与前端传递的密码是否相同
return new SimpleAuthenticationInfo(user,user.getPwd(),this.getName());
}
return null;
}
2.1.2 授权方法doGetAuthorizationInfo
用于给当前登录的用户授予某些访问权限,但前提是在ShiroFilterFactoryBean中添加了一些权限限制
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo();
//给所有登录后的用户授予test权限
authInfo.addStringPermission("test");
System.out.println("执行授权+++++++++");
return authInfo;
}
3.ShiroConfig
@Configuration
public class ShiroConfig {
//3.创建ShiroFilterFactoryBean绑定securityManager
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("getSecurityManager")DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
factoryBean.setSecurityManager(securityManager);
//添加shiro内置过滤器
/*
anon:无需认证就可以访问
authc:必须认证了才能访问
user:必须拥有 记住我 这个功能才能访问
role:拥有某个角色权限才能访问
* */
//拦截
Map<String,String> filterMap = new LinkedHashMap<>();
//设置权限
System.out.println("授权前");
filterMap.put("/user/test","perms[user:test]");
System.out.println("授权后");
filterMap.put("/user/login","anon");
//filterMap.put("/user/test","authc");
factoryBean.setFilterChainDefinitionMap(filterMap);
factoryBean.setLoginUrl("/user/login");
return factoryBean;
}
//2.创建Manage绑定Realm对象
@Bean
public DefaultWebSecurityManager getSecurityManager(@Qualifier("userRealm") ShiroRealm shiroRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroRealm);
return securityManager;
}
//1.创建Realm对象,需要自定义类继承AuthorizingRealm
@Bean
public ShiroRealm userRealm(){
return new ShiroRealm();
}
}
4. 在Controller中写login请求
@PostMapping("/login")
@ApiOperation(value = "登录")
public Result<UserReturnVO> login(@RequestBody UserVO userVO){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(userVO.getUserName(), userVO.getPwd());
String sessionId =null;
try {
subject.login(token);
if(subject.getSession()!=null){
sessionId=(String) subject.getSession().getId();
log.info("session=====>"+sessionId);
}
}catch (UnknownAccountException e){
e.printStackTrace();
log.info("用户名错误");
return Result.build(CodeEnum.USER_ERROR);
}catch (IncorrectCredentialsException e){
e.printStackTrace();
log.info("密码错误");
return Result.build(CodeEnum.USER_ERROR);
}
//认证成功,返回登录对象
UserEntity userEntity = userService.findUserByName(userVO.getUserName());
long roleId = authRelationService.getRoleId(userEntity.getId());
RoleEntity roleEntity = roleService.queryRoleById(roleId);
UserReturnVO userReturnVO = new UserReturnVO(userEntity.getId(), userEntity.getUserName(), userEntity.getPwd(),
userEntity.getTel(),userEntity.getGender(), userEntity.getIdentityCard(),roleEntity.getTitle(),sessionId);
return Result.ok(userReturnVO);
}
5. 认证流程
6.授权流程
由于在ShiroConfig方法中的ShiroFilterFactoryBean getShiroFilterFactoryBean()下添加了需要授权的资源。
所以在用户登录时会执行doGetAuthorizationInfo方法,通过数据库查询其角色和权限然后与受限资源需要的权限比较,如果权限满足则放行,否则不放行。