shiro整合springboot(不连接数据库)
- 所有请求资源交给shiro的filter(ShiroFilterFactoryBean )
- 访问公共资源时不需要进行认证和授权直接放行
- 访问受限资源时filter调用SecurityManager SecurityManager 调用Realm查询数据库获取资源
- 任何用户请求都可以访问公共资源,访问受限资源时认证成功后进行授权,访问受限资源要看是否有权限,有则访问无则拒绝。
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-starter</artifactId>
<version>1.7.1</version>
</dependency>
</dependencies>
applicatoin.yaml
spring:
mvc:
view:
prefix: /
suffix: .jsp
shiroconfig配置
- shiroFilterFactoryBean需要DefaultWebSecurityManager,DefaultWebSecurityManager需要Realm,Reaml需要自定义Realm
package com.jing.config;
import com.jing.shiro.realms.CustomRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager defaultWebSecurityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
Map<String,String> filterChainDefinitionMap = new HashMap<String,String>();
// 不受限制的放在拦截所有资源的上面。公共资源
filterChainDefinitionMap.put("/user/login","anon");
// 拦截所有资源 必须通过shiro认证才可以通过, authc受限资源
filterChainDefinitionMap.put("/**","authc");
// 设置拦截的路径
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
// 被拦截后跳转到指定请求(默认就是login.jsp)
shiroFilterFactoryBean.setLoginUrl("/login.jsp");
return shiroFilterFactoryBean;
}
@Bean
public DefaultWebSecurityManager defaultWebSecurityManager(Realm realm){
DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
defaultWebSecurityManager.setRealm(realm);
return defaultWebSecurityManager;
}
@Bean
public Realm realm(){
CustomRealm customRealm = new CustomRealm();
return customRealm;
}
}
-
anon 匿名访问 公共资源
-
authc shito提供的一个过滤器的简称
自定义Realm
package com.jing.shiro.realms;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class CustomRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
System.out.println("授权");
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// System.out.println("认证");
// 主身份 用户名
String principal = (String) token.getPrincipal();
if ("xiaojing".equals(principal)){
return new SimpleAuthenticationInfo(principal,"123456",this.getName());
}
return null;
}
}
返回一个随机盐的工具类
package com.jing.utils;
import java.util.Random;
public class SaltUtils {
public static String getSalt(int n){
char[] chars = "ABCDEFGHIJKLMNOPQRSTUVWSYZabcdefghijklmnopqrstuvwsyz!@#$$%^&*()0123456789-=".toCharArray();
StringBuffer stringBuffer = new StringBuffer();
for (int i = 0; i < n; i++) {
char aChar = chars[new Random().nextInt(chars.length)];
stringBuffer.append(aChar);
}
return stringBuffer.toString();
}
}
controller
package com.jing.contorller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping("/user")
public class UserController {
// 登录
@PostMapping("/login")
public String login(String username,String password){
// 获取主体信息
Subject subject = SecurityUtils.getSubject();
// 创建一个用户名密码token
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
// 登录
subject.login(token);
return "redirect:/index.jsp";
} catch (UnknownAccountException e) {
e.printStackTrace();
System.out.println("账号错误!");
} catch (IncorrectCredentialsException e){
e.printStackTrace();
System.out.println("密码错误!");
} catch (Exception e){
e.printStackTrace();
}
return "redirect:/login.jsp";
}
// 退出
@GetMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "redirect:/login.jsp";
}
}
login.jsp 公共资源 anon
<%@page contentType="text/html; UTF-8" pageEncoding="UTF-8" isELIgnored="false" %>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport"
content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<%--公共资源--%>
<h1>登录页面</h1>
<form action="${pageContext.request.contextPath}/user/login" method="post">
用户名:<input type="text" name="username"><br>
密 码:<input type="text" name="password"><br>
<input type="submit" value="登录">
</form>
</body>
</html>
index.jsp 受限资源 authc
<%@page contentType="text/html; UTF-8" pageEncoding="UTF-8" isELIgnored="false" %>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport"
content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<%--受限资源--%>
<a href="${pageContext.request.contextPath}/user/logout">退出登录</a>
<h1>后台管理页面</h1>
<ul>
<li>
<a href="#">物流管理</a>
</li>
<li>
<a href="#">商品管理</a>
</li>
<li>
<a href="#">人员管理</a>
</li>
<li>
<a href="#">货物管理</a>
</li>
</ul>
</body>
</html>
总结:
- 导入依赖
- 编写application.yaml配置文件
- 编写shiroconfig配置注入到springboot
- 自定义realm编写业务需求