1. 导入所需的 shiro 依赖
<!-- Shiro core + Spring integration -->
<!-- NOTE(review): 1.4.0 is an old Shiro release line; later 1.x releases carry security fixes
     (including to path matching in the web filter), so pin a current version before reusing this. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<!-- Shiro <-> Thymeleaf integration; provides the ShiroDialect bean registered in ShiroConfig -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
2.代码演示
package com.zte.mds.web.config.security;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.HashMap;
import java.util.Map;
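public class RealmConfig extends AuthorizingRealm {

    // Demo account standing in for a database lookup (the original inlined these values
    // in doGetAuthenticationInfo). Replace with a real user store before reuse.
    private static final String DEMO_USER_NAME = "1437";
    private static final String DEMO_PASSWORD = "201437";
    // Stored in User.roles and granted as a Shiro permission string; ShiroConfig protects
    // /user/delete with perms[user:delete], which this value must match.
    private static final String DEMO_PERMISSION = "user:delete";

    /**
     * Authorization: builds the permission set for an already-authenticated subject.
     * Shiro calls this lazily on the first permission/role check (e.g. a perms[...] filter).
     *
     * @param principalCollection the principals established by {@link #doGetAuthenticationInfo};
     *                            the primary principal is the {@link User} returned there
     * @return the permissions granted to the user (empty if the principal is not a User)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Use the principal Shiro passes in rather than re-fetching the Subject; it is the
        // same User object. The instanceof check avoids a ClassCastException should another
        // realm ever contribute a different principal type.
        Object primary = principalCollection.getPrimaryPrincipal();
        if (primary instanceof User) {
            User principal = (User) primary;
            String permission = principal.getRoles();
            // Grant the permission string carried on the user ("user:delete" in the demo).
            // The original granted the user *name* instead, so the perms[user:delete]
            // filter in ShiroConfig could never match.
            if (permission != null && !permission.isEmpty()) {
                info.addStringPermission(permission);
            }
        }
        return info;
    }

    /**
     * Authentication: looks up the account for the submitted token and returns the stored
     * credential for Shiro's credentials matcher to compare against the submitted one.
     *
     * @param authenticationToken the token built by the login controller; by default Shiro only
     *                            routes tokens this realm supports() here, i.e. UsernamePasswordToken
     * @return principal + stored credential for the matching account
     * @throws UnknownAccountException if the submitted user name is not the demo account
     * @throws AuthenticationException for any other authentication failure
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        System.out.println("执行认证");
        UsernamePasswordToken userToken = (UsernamePasswordToken) authenticationToken;
        // equals() is invoked on the known value so a null submitted user name cannot NPE.
        if (!DEMO_USER_NAME.equals(userToken.getUsername())) {
            // Shiro throws UnknownAccountException itself when a realm returns null; being
            // explicit documents the intent (the original returned null with a comment
            // saying it should throw).
            throw new UnknownAccountException("unknown account: " + userToken.getUsername());
        }
        User user = new User(DEMO_USER_NAME, DEMO_PASSWORD, DEMO_PERMISSION);
        // Expose the user to views via the session under the key "index".
        // NOTE(review): User carries the plain-text password, so anything that renders or
        // logs this attribute sees it; consider storing a password-free view model instead.
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession();
        session.setAttribute("index", user);
        // Shiro compares the submitted password against this credential. With the default
        // SimpleCredentialsMatcher that is a plain-text equality check; a real deployment
        // should store a salted hash and configure a HashedCredentialsMatcher on the realm.
        // getName() tags the principal with this realm's name (the original passed "").
        return new SimpleAuthenticationInfo(user, DEMO_PASSWORD, getName());
    }
}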
package com.zte.mds.web.config.security;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
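@Configuration
public class ShiroConfig {

    /**
     * Shiro's servlet filter: applies the URL -> filter chain below to every request.
     *
     * @param defaultWebSecurityManager the security manager bean defined in this class
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("securityManagerBean") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(defaultWebSecurityManager);
        // Built-in filter names used below:
        //   anon  - no authentication required
        //   authc - must be authenticated
        //   user  - authenticated or "remember me" user
        //   perms - must hold the listed permission(s)
        //   roles - must hold the listed role(s)
        // LinkedHashMap matters: Shiro evaluates patterns in insertion order, first match wins.
        Map<String, String> filterMap = new LinkedHashMap<>();
        // Single-segment wildcard: "/home/*" covers "/home/x" but not "/home/x/y";
        // use "/home/**" if nested paths must be protected as well.
        filterMap.put("/home/*", "authc");
        // A perms[...] filter already redirects unauthenticated subjects to the login URL, so
        // separate authc entries for these paths are unnecessary. (The original added authc
        // entries and then overwrote them in place after setFilterChainDefinitionMap.)
        filterMap.put("/user/delete", "perms[user:delete]");
        filterMap.put("/user/update", "perms[user:update]");
        // NOTE(review): there is no catch-all entry such as "/**" -> "authc"; every path not
        // listed above is reachable anonymously. Add one if the app should deny by default.
        bean.setFilterChainDefinitionMap(filterMap);
        // Where unauthenticated requests to protected paths are redirected.
        // NOTE(review): UserController maps /user/login and /user/unauthorized; confirm that
        // the two URLs below are served by a page controller not shown here.
        bean.setLoginUrl("/login");
        // Where authenticated-but-unauthorized requests are redirected.
        bean.setUnauthorizedUrl("/unauthorized");
        return bean;
    }

    /**
     * Security manager wiring the realm into Shiro.
     *
     * @param realmConfig the realm bean defined below
     * @return the web security manager used by the filter
     */
    @Bean(name = "securityManagerBean")
    public DefaultWebSecurityManager defaultWebSecurityManager(
            @Qualifier("realmConfigBean") RealmConfig realmConfig) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realmConfig);
        return securityManager;
    }

    /** The realm that authenticates and authorizes users (demo data; see RealmConfig). */
    @Bean(name = "realmConfigBean")
    public RealmConfig realmConfig() {
        return new RealmConfig();
    }

    /** Thymeleaf dialect enabling the shiro: attributes in templates. */
    @Bean(name = "shiroDialectBean")
    public ShiroDialect shiroDialect() {
        return new ShiroDialect();
    }
}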
package com.zte.mds.web.config.security;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
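@Controller
@RequestMapping("/user")
public class UserController {

    /**
     * Handles a login submission by delegating to Shiro.
     *
     * NOTE(review): with @ResponseBody the returned string is written as the literal response
     * body ("index" / "login"), not resolved as a view, so the "msg" model attribute is never
     * rendered; drop @ResponseBody if these are meant to be template names.
     *
     * @param userName submitted user name
     * @param passWord submitted password
     * @param model    receives an error message on failure
     * @return "index" on success, "login" on any authentication failure
     */
    @RequestMapping("/login")
    @ResponseBody
    public String login(String userName, String passWord, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
        try {
            subject.login(token);
            return "index";
        } catch (UnknownAccountException e) {
            // NOTE(review): distinct messages for "no such user" and "wrong password" let a
            // caller enumerate valid user names; production logins should use one generic message.
            model.addAttribute("msg", "用户名不存在!");
            return "login";
        } catch (IncorrectCredentialsException e) {
            model.addAttribute("msg", "密码错误!");
            return "login";
        } catch (AuthenticationException e) {
            // Locked/disabled accounts, realm errors, etc. previously escaped as an unhandled
            // exception (HTTP 500); treat them as a failed login like the cases above.
            model.addAttribute("msg", "登录失败!");
            return "login";
        } finally {
            // Zero the password buffer once the attempt is over.
            token.clear();
        }
    }

    /** Response shown when an authenticated user lacks the required permission. */
    @RequestMapping("/unauthorized")
    @ResponseBody
    public String unauthorized() {
        return "未经授权,无法访问此页面!";
    }
}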
package com.zte.mds.web.config.security;
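public class User {

    private String userName;
    private String passWord;
    // Despite the name, in this demo the field holds a Shiro permission string
    // (e.g. "user:delete") that RealmConfig grants to the user.
    private String roles;

    /** No-arg constructor; fields are populated through the setters. */
    public User() {
    }

    /**
     * Creates a fully populated user.
     *
     * @param userName login name
     * @param passWord credential compared by the realm's credentials matcher
     * @param roles    permission string granted by the realm
     */
    public User(String userName, String passWord, String roles) {
        this.userName = userName;
        this.passWord = passWord;
        this.roles = roles;
    }

    public String getUserName() {
        return userName;
    }

    public void setUserName(String userName) {
        this.userName = userName;
    }

    public String getPassWord() {
        return passWord;
    }

    public void setPassWord(String passWord) {
        this.passWord = passWord;
    }

    public String getRoles() {
        return roles;
    }

    public void setRoles(String roles) {
        this.roles = roles;
    }

    /**
     * Debug representation. The password is masked: the original printed it verbatim, so
     * any log line or template that rendered a User leaked the credential.
     */
    @Override
    public String toString() {
        return "User{"
                + "userName='" + userName + '\''
                + ", passWord='[PROTECTED]'"
                + ", roles='" + roles + '\''
                + '}';
    }
}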
PS:用作参考