参考资料:
https://shiro.apache.org/
https://www.w3cschool.cn/shiro
本记录中,安全认证采用用户名、密码的认证方式。
第一种:使用shiro-spring包
在pom.xml文件中添加jar依赖:
<!-- NOTE(review): this is the version pinned when the note was written; later Shiro releases include security fixes, so check https://shiro.apache.org/ for the current release before copying it. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.6.0</version>
</dependency>
自定义shiro配置:根据需要自定义配置Realm、SecurityManager、Filter
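/**
 * Shiro configuration for username/password authentication: defines the Realm, the web
 * session manager, the SecurityManager and the URL filter chain.
 */
@Configuration
public class MyShiroConfig {

    /**
     * Builds the realm that supplies the stored credentials for a login attempt.
     *
     * @return a realm that authenticates by user name and loads no roles or permissions
     */
    public Realm myRealm() {
        return new AuthorizingRealm() {

            /**
             * Authentication: looks up the account named by the token's principal.
             *
             * @param token the submitted login token
             * @return the stored account data for Shiro to verify, or {@code null} when the
             *         token has no principal or no user matches it
             */
            @Override
            protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                    throws AuthenticationException {
                Object principal = token.getPrincipal();
                if (principal == null) {
                    return null;
                }
                // The principal is the login user name.
                String userName = principal.toString();
                // Look the user up by name (in a real application, the query that reads the
                // stored user name and password).
                // userDao is not declared in this listing; presumably an injected DAO. TODO confirm
                User user = userDao.getUserByCode(userName);
                if (user == null) {
                    return null;
                }
                // NOTE(review): the value of user.getPassword() is handed to the realm's
                // credentials matcher. No matcher is configured on this realm, so the
                // submitted password is compared with the stored value as-is, which only works
                // when passwords are stored unhashed. Store salted password hashes and set a
                // matching CredentialsMatcher (e.g. HashedCredentialsMatcher) on the realm.
                return new SimpleAuthenticationInfo(userName, user.getPassword(), getName());
            }

            /**
             * Authorization: not implemented in this note.
             *
             * @return always {@code null}, i.e. no roles or permissions are loaded
             */
            @Override
            protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
                // TODO: load roles/permissions here if role- or permission-based rules are added.
                return null;
            }
        };
    }

    /**
     * Session manager for web requests.
     *
     * @return a session manager with URL session-id rewriting turned off
     */
    @Bean
    public DefaultWebSessionManager sessionManager() {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        // Do not append the jsessionid parameter to redirect URLs, so the session id
        // stays out of the address bar.
        manager.setSessionIdUrlRewritingEnabled(false);
        return manager;
    }

    /**
     * Security manager; the configuration mainly wires in the authenticating Realm.
     *
     * @return a web security manager using {@link #myRealm()} and {@link #sessionManager()}
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm());
        manager.setSessionManager(sessionManager());
        return manager;
    }

    /**
     * Filter factory: defines which URL patterns need authentication and where to redirect.
     *
     * @param securityManager the security manager the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);

        // Shiro applies the first chain whose pattern matches the request path, so the map
        // must keep insertion order. A plain HashMap gives no ordering guarantee and could
        // place the catch-all "/**" ahead of the more specific entries.
        Map<String, String> chains = new java.util.LinkedHashMap<>();
        // Static resources are served without authentication.
        chains.put("/css/**", "anon");
        chains.put("/js/**", "anon");
        chains.put("/images/**", "anon");
        // ... other resources (elided in the original note)

        // Everything else requires an authenticated user; keep this entry last.
        chains.put("/**", "authc");

        // Login page; unauthenticated requests are redirected here.
        factory.setLoginUrl("/login");
        // Home page, used as the redirect target after a successful login.
        factory.setSuccessUrl("/index");
        // Error page used when an authorization filter (roles/perms) denies access;
        // requests that are merely unauthenticated go to the login URL instead.
        factory.setUnauthorizedUrl("/error");
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }
}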
在登录的时候,使用UsernamePasswordToken进行登录认证
// Obtain the Subject for the current caller.
Subject subject = SecurityUtils.getSubject();
// Wrap the submitted user name and password in a token for the configured realm.
UsernamePasswordToken loginToken =
        new UsernamePasswordToken(user.getUserName(), user.getPassword());
// login() throws an AuthenticationException when the credentials are rejected.
subject.login(loginToken);
第二种:使用shiro-spring-boot-web-starter启动器
在pom.xml文件中添加jar依赖:
<!-- NOTE(review): this is the version pinned when the note was written; later Shiro releases include security fixes, so check https://shiro.apache.org/ for the current release before copying it. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.7.1</version>
</dependency>
和第一种方式的区别:shiro-starter会自动加载securityManager,不需要再次注入。
只需要注册Realm、Filter即可
// Realm registered as a Spring bean for the starter to use.
// The body is elided in this note; presumably it is the same realm as in the first approach.
@Bean
public Realm myRealm() {
.......
}
其他关于SecurityManager的代码就不需要了。