shiro基础的三大对象
Realm : 进行用户认证和授权
SecurityManager :管理所有用户
Subject : 当前登录用户
shiro和springboot的整合依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
创建自定义认证授权类,继承AuthorizingRealm
用户的认证和授权都在这个类中实现
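public class MyRealm extends AuthorizingRealm {

    // Demo-only account. In a real application these values come from a user
    // store, and the stored password must be a salted hash that Shiro checks
    // through a HashedCredentialsMatcher rather than a plaintext constant.
    private static final String DEMO_USERNAME = "root";
    private static final String DEMO_PASSWORD = "123456";

    /**
     * Authentication: resolves the submitted principal to a stored account.
     *
     * @param authenticationToken the token built at login (username + password)
     * @return the stored account info Shiro compares the submitted credentials
     *         against, or {@code null} when no such account exists (Shiro then
     *         raises UnknownAccountException)
     * @throws AuthenticationException not thrown directly by this realm
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        System.out.println("AuthorizationInfo-->进行了身份认证");

        Object principal = authenticationToken.getPrincipal();
        // A token without a principal cannot be mapped to any account.
        if (principal == null) {
            return null;
        }
        String submittedName = principal.toString();

        // BUG FIX: the original returned null when the names MATCHED. That
        // rejected the real account and let any other username authenticate
        // as DEMO_USERNAME whenever the password was right. Unknown accounts
        // must be the ones that return null.
        if (!DEMO_USERNAME.equals(submittedName)) {
            return null;
        }

        // The password itself is never compared here; Shiro's CredentialsMatcher
        // does that against the credentials returned below.
        // Args: principal kept for authorization, stored credentials, realm name.
        return new SimpleAuthenticationInfo(DEMO_USERNAME, DEMO_PASSWORD, getName());
    }

    /**
     * Authorization: builds the permission set for an authenticated subject.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the subject's permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("AuthorizationInfo-->进行了授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Demo grant: every authenticated subject gets "user:add". A real realm
        // should look the permissions up by the principal in principalCollection.
        info.addStringPermission("user:add");
        return info;
    }
}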
shiro的配置
//注册ShiroFilterFactoryBean ,需要 SecurityManager
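@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
    filter.setSecurityManager(securityManager);

    // Path rules. LinkedHashMap matters: Shiro applies the FIRST matching
    // pattern, so the specific /user/* rules must precede the /user/** one.
    Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();

    // authc: the URL requires an authenticated subject; anon: anyone may access.
    // BUG FIX: one path per key. "/,/index" was a single, never-matching
    // pattern, so neither "/" nor "/index" actually received a rule.
    filterChainDefinitionMap.put("/", "anon");
    filterChainDefinitionMap.put("/index", "anon");

    // perms[...]: requires the named permission string from doGetAuthorizationInfo.
    filterChainDefinitionMap.put("/user/add", "perms[user:add]");
    filterChainDefinitionMap.put("/user/update", "perms[user:update]");
    filterChainDefinitionMap.put("/user/**", "authc");
    // NOTE(review): URLs matching none of these entries pass through unfiltered;
    // add a trailing "/**" rule if everything else should also require login.

    // Where unauthenticated requests are redirected.
    filter.setLoginUrl("/toLogin");
    // Where authenticated-but-unauthorized requests are redirected.
    filter.setUnauthorizedUrl("/unauth");
    filter.setFilterChainDefinitionMap(filterChainDefinitionMap);
    return filter;
}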
//注册SecurityManager ,需要Realm
@Bean
public SecurityManager securityManager() {
    // The web-aware security manager; the realm bean it is given supplies
    // both authentication and authorization.
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    manager.setRealm(myRealm());
    return manager;
}
//注册Realm
@Bean
public MyRealm myRealm() {
    // Realm bean consumed by securityManager().
    return new MyRealm();
}
controller
@RequestMapping("/login")
public String login(@RequestParam("username") String username,
@RequestParam("password")String password){
System.out.println(username + ":" + password);
//获取subject对象
Subject subject = SecurityUtils.getSubject();
//封装对象
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
//执行登录操作,会交给realm验证授权
//会抛出用户名不存在等异常
try {
subject.login(token);
return "redirect:/index";
} catch (UnknownAccountException uae) {
//未知账户
return "toLogin";
} catch (IncorrectCredentialsException ice) {
//密码不正确
return "toLogin";
} catch (LockedAccountException lae) {
//账户已锁定
return "toLogin";
} catch (ExcessiveAttemptsException eae) {
//用户名或密码错误次数过多
return "toLogin";
} catch (AuthenticationException ae) {
//用户名或密码不正确
return "toLogin";
}