springboot整合shrio配置

springboot整合shiro框架

1. 导入依赖

<!-- 导入shiro框架-->
<dependency>
     <groupId>org.apache.shiro</groupId>
     <artifactId>shiro-spring-boot-web-starter</artifactId>
     <version>1.4.0-RC2</version>
</dependency>

2. shiro的启动配置

2.1 创建一个配置类，进行配置

package com.example;

import com.example.realm.DemoRealm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

@Configuration
public class ShiroConfiguration {

    /**
     * shiro过滤器
     *
     * @return
     */
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        //哪些请求可以匿名访问
        chain.addPathDefinition("/plugins/**", "anon");
        chain.addPathDefinition("/demo/hello", "anon");
        chain.addPathDefinition("/login/login","anon");
        //除了以上的请求外，其它请求都需要登录
        chain.addPathDefinition("/**", "authc");
        return chain;
    }

    @Bean
    public DemoRealm demoRealm(){
        return new DemoRealm();
    }
    @Bean
    public DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(demoRealm());
        return securityManager;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }
    /**
     * setUsePrefix(false)用于解决一个奇怪的bug。在引入spring aop的情况下。
     * 在@Controller注解的类的方法中加入@RequiresRole等shiro注解，会导致该方法无法映射请求，
     * 导致返回404。加入这项配置能解决这个bug
     */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator(){
        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator=new DefaultAdvisorAutoProxyCreator();
        defaultAdvisorAutoProxyCreator.setUsePrefix(true);
        return defaultAdvisorAutoProxyCreator;
    }
}

2.2 创建认证实现类

package com.example.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class DemoRealm extends AuthorizingRealm {


    //告诉shiro如何根据获取到的用户信息中的密码和盐值来校验密码
    {
        //设置用于匹配密码的CredentialsMatcher
        HashedCredentialsMatcher hashMatcher = new HashedCredentialsMatcher();
        hashMatcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
        hashMatcher.setStoredCredentialsHexEncoded(false);
        hashMatcher.setHashIterations(56);
        this.setCredentialsMatcher(hashMatcher);
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("=============进入授权方法========");
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("==========进入认证==========");
        return null;
    }
}

2.3 配置application.yml

shiro:
  web:
    enabled: true
  loginUrl: /login.html

• 关于yml中对shiro的配置，还有下面这些参数可以配置

shiro.enabled                                        true      启用Shiro的Spring模块
shiro.web.enabled                                    true      启用Shiro的Spring Web模块
shiro.annotations.enabled                            true      为Shiro的注释启用Spring支持
shiro.sessionManager.deleteInvalidSessions           true      从会话存储中删除无效会话
shiro.sessionManager.sessionIdCookieEnabled          true      启用会话ID到cookie，用于会话跟踪
shiro.sessionManager.sessionIdUrlRewritingEnabled    true      启用会话URL重写支持
shiro.userNativeSessionManager                       false     如果启用，Shiro将管理HTTP会话而不是容器
shiro.sessionManager.cookie.name                  JSESSIONID   会话cookie名称
shiro.sessionManager.cookie.maxAge                     -1      会话cookie最大年龄
shiro.sessionManager.cookie.domain                    空值      会话cookie域
shiro.sessionManager.cookie.path                      空值      会话cookie路径
shiro.sessionManager.cookie.secure                  false      会话cookie安全标志
shiro.rememberMeManager.cookie.name            rememberMe      RememberMe cookie名称
shiro.rememberMeManager.cookie.maxAge                一年       RememberMe cookie最大年龄
shiro.rememberMeManager.cookie.domain                空值       RememberMe cookie域名
shiro.rememberMeManager.cookie.path                  空值       RememberMe cookie路径
shiro.rememberMeManager.cookie.secure               false      RememberMe cookie安全标志
shiro.loginUrl                                 /login.jsp      未经身份验证的用户重定向到登录页面时使用的登录URL
shiro.successUrl                                       /      用户登录后的默认登录页面（如果在当前会话中找不到替代）
shiro.unauthorizedUrl                                空值      页面将用户重定向到未授权的位置（403页）