第一步:引入相关的JAR包。本文使用的是html模板引擎,所以引入thymeleaf-extras-shiro包
第二步:编写shiro配置
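/**
 * Spring configuration for Apache Shiro: registers the custom realm, the web
 * security manager, the servlet filter chain and the AOP advisor that makes the
 * Shiro permission annotations (e.g. {@code @RequiresPermissions}) effective.
 */
@Configuration
public class ShiroConfiguration {

    /**
     * Registers the application's own realm so Shiro authenticates and
     * authorizes against it.
     *
     * @return the realm bean
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        return new MyShiroRealm();
    }

    /**
     * Security manager wired to the custom realm; both the filter chain and the
     * annotation advisor delegate to it.
     *
     * @return the web security manager
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        // Calling the @Bean method on a @Configuration class goes through the
        // Spring proxy, so the realm bean is shared instead of instantiated twice.
        manager.setRealm(myShiroRealm());
        return manager;
    }

    /**
     * Builds the Shiro servlet filter: which URL patterns are public, which
     * require an authenticated subject, and where the browser is sent on login,
     * on success and on an authorization failure.
     *
     * @param securityManager the security manager the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);

        // Shiro's path-matching resolver walks the chain definitions in iteration
        // order and applies the first pattern that matches. A HashMap does not
        // preserve insertion order, so the catch-all "/**" -> authc entry could be
        // evaluated before the "anon" entries and block the login handler and the
        // static resources. An insertion-ordered map keeps the specific rules
        // ahead of the catch-all. (Fully qualified so the snippet does not depend
        // on an import that is not shown here.)
        Map<String, String> chains = new java.util.LinkedHashMap<>();
        // logout
        chains.put("/sysLogin/loginOut", "logout");
        // reachable without a session: the login form handler and static resources
        chains.put("/sysLogin/loginVerify", "anon");
        chains.put("/static/**", "anon");
        // everything else requires authentication; this entry must stay last
        chains.put("/**", "authc");

        // login page
        factory.setLoginUrl("/sysLogin/index");
        // landing page after a successful login
        factory.setSuccessUrl("/wcIndex/index");
        // page shown when an authenticated user lacks the required permission
        factory.setUnauthorizedUrl("/sysLogin/toError");
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }

    /**
     * Enables Shiro's annotation-driven authorization; without this advisor the
     * {@code @RequiresPermissions} annotations on controller methods are ignored.
     *
     * @param securityManager the security manager used to evaluate the annotations
     * @return the advisor bean
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}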
第三步:编写登录认证方法
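/**
 * Shiro realm backed by {@code SysLoginService}: resolves the login name to the
 * stored user for authentication, and derives the subject's permission strings
 * from the menu/button list attached to the user's role for authorization.
 */
public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    private SysLoginService sysLoginService;

    /**
     * Loads the permission strings of an already authenticated subject. Shiro
     * calls this when a permission or role check is performed.
     *
     * @param principalCollection principals established at login; the primary
     *        principal is the login name returned from
     *        {@link #doGetAuthenticationInfo}
     * @return the subject's authorization info; empty (no permissions) when the
     *         user, its role or the permission list cannot be resolved, so that
     *         checks fail closed instead of throwing
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        String loginName = (String) principalCollection.getPrimaryPrincipal();
        SysUserEntity sysUser = sysLoginService.getSysUserByLoginName(loginName);
        // The user may have been removed after the session was created; grant
        // nothing rather than fail with a NullPointerException on getId().
        if (sysUser == null) {
            return info;
        }

        // second argument selects the role lookup on the service side — TODO confirm its meaning
        Map<String, Object> role = sysLoginService.getRole(sysUser.getId(), 1);
        if (role == null || role.get("roleId") == null) {
            return info;
        }

        List<String> roleIds = new ArrayList<>();
        roleIds.add(role.get("roleId").toString());
        List<Map<String, Object>> menuBtnList = sysLoginService.getMenuBtnList(roleIds);
        if (menuBtnList == null) {
            return info;
        }
        for (Map<String, Object> menuBtn : menuBtnList) {
            Object perms = menuBtn.get("perms");
            // a row without a permission string grants nothing; skip it
            if (perms != null) {
                info.addStringPermission(perms.toString());
            }
        }
        return info;
    }

    /**
     * Resolves the submitted token to the stored account so Shiro can verify
     * the credentials.
     *
     * <p>NOTE(review): no {@code CredentialsMatcher} is set on this realm, so
     * Shiro's default matcher compares the submitted password directly with
     * {@code sysUser.getPassword()}. Confirm how passwords are stored; if they
     * are hashed, a hashed credentials matcher has to be configured on the realm
     * for the comparison to be meaningful.
     *
     * @param authenticationToken the token built from the login request
     * @return account info for the login name, or {@code null} when the token
     *         carries no principal or no such user exists (Shiro treats a null
     *         result as an unknown account)
     * @throws AuthenticationException per the Shiro realm contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // A POST can reach the realm before any credentials were submitted;
        // there is nothing to authenticate in that case.
        Object principal = authenticationToken.getPrincipal();
        if (principal == null) {
            return null;
        }

        String loginName = principal.toString();
        SysUserEntity sysUser = sysLoginService.getSysUserByLoginName(loginName);
        if (sysUser == null) {
            return null;
        }
        // Shiro compares the token's credentials against the stored password
        // using the realm's credentials matcher.
        return new SimpleAuthenticationInfo(loginName, sysUser.getPassword(), getName());
    }
}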
第四步:权限验证(分前端模块判断和后端模块判断)
前端模块:
//引入对应包
<!-- Declare the Shiro dialect namespace alongside Thymeleaf's own. -->
<html lang="en" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro" xmlns:th="http://www.thymeleaf.org">
<!-- Renders the button only for subjects holding "sysUser:getPage". This is a
     presentation convenience: hiding the button does not protect the endpoint;
     the @RequiresPermissions check on the controller method is the enforcement point. -->
<shiro:hasPermission name="sysUser:getPage">
<button class="btn btn-primary" type="button" onclick="selBycondition();">查询</button>
</shiro:hasPermission>
后端模块判断(主要是加上@RequiresPermissions注解):
/**
 * Returns one page of system users, optionally filtered by login name and/or
 * display name. Access requires the {@code sysUser:getPage} permission, which
 * is enforced here by Shiro's annotation advisor regardless of what the page
 * shows or hides.
 *
 * <p>NOTE(review): {@code @RequestMapping} without a {@code method} attribute
 * accepts every HTTP verb — confirm whether the caller needs more than GET.
 *
 * @param limit     page size (required)
 * @param offset    number of rows to skip (required)
 * @param loginName optional login-name filter
 * @param name      optional display-name filter
 * @return the page payload produced by the service
 */
@RequiresPermissions("sysUser:getPage")
@ResponseBody
@RequestMapping("/getPage")
public Map<String,Object> getPage(@RequestParam(value = "limit") Integer limit, @RequestParam(value = "offset") Integer offset,
        @RequestParam(value = "loginName", required = false) String loginName,
        @RequestParam(value = "name", required = false) String name){
    // The service receives the filters first and the paging window last.
    Map<String, Object> page = sysUserService.getPage(loginName, name, offset, limit);
    return page;
}
备注:
sysUser:getPage为自定义参数,对应用户权限操作,需要保存在数据库中,在第三步的时候将这些参数传入,数据库参考如下: