Spring Boot整合Shiro 权限

简介:文章主要目的是为了理解shiro的基本使用,在项目开发中,这里的内容大体都会用到,基础知识需要在其他网站查阅哦。

一、在pom.xml 导入依赖

<!-- NOTE(review): 1.5.1 is an old shiro-spring release. Later Shiro releases include
     security fixes, among them fixes for authentication bypasses in URL path matching.
     Check the Apache Shiro security reports and pin the current patched release
     before copying this dependency into a project. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.5.1</version>
    <scope>compile</scope>
</dependency>

二、创建shiro配置类

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


/**
 * Spring configuration that wires Apache Shiro into the web application: the
 * servlet filter factory, the web security manager, the custom realm and the
 * advisor that activates Shiro's authorization annotations.
 */
@Configuration
public class ShiroConfig {

    /**
     * Creates the Shiro filter factory and attaches the security manager to it.
     *
     * <p>Built-in filter names usable as chain values:
     * <ul>
     *   <li>{@code anon}  - reachable without authentication</li>
     *   <li>{@code authc} - only for an authenticated subject</li>
     *   <li>{@code user}  - authenticated or remembered (rememberMe) subject</li>
     *   <li>{@code perms} - subject must hold the listed permission(s)</li>
     *   <li>{@code roles} - subject must hold the listed role(s)</li>
     * </ul>
     *
     * @param securityManager the bean registered under the name "securityManager"
     * @return the configured filter factory
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager")DefaultWebSecurityManager securityManager){
        // Insertion order is kept on purpose: Shiro evaluates chain definitions
        // in map order and the first matching pattern wins.
        Map<String,String> chainDefinitions = new LinkedHashMap<>();
        // NOTE(review): both sample entries are commented out, so the map is
        // registered empty and this filter restricts no URL by path. Access control
        // then rests entirely on annotations such as @RequiresPermissions on the
        // handlers; any handler without an annotation is reachable anonymously.
        // When enabling path rules, note that "/*" matches a single path segment
        // only; use "/**" to cover nested paths, and list "anon" entries first.
        // chainDefinitions.put("/user/to_login", "anon");
        // chainDefinitions.put("/*", "authc");

        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        // Web security manager that performs authentication and authorization.
        factoryBean.setSecurityManager(securityManager);
        // Page that unauthenticated requests are redirected to.
        factoryBean.setLoginUrl("/user/to_login");
        // Page shown when an authenticated subject lacks the required permission.
        factoryBean.setUnauthorizedUrl("/noAuth");
        factoryBean.setFilterChainDefinitionMap(chainDefinitions);
        return factoryBean;
    }

    /**
     * Creates the web security manager and binds the custom realm to it.
     *
     * @param userRealm the bean registered under the name "userRealm"
     * @return the security manager backed by that realm
     */
    @Bean(name="securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm")UserRealm userRealm){
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    /**
     * Registers the application's realm as a Spring bean so that its
     * {@code @Autowired} mappers are injected.
     *
     * <p>NOTE(review): no CredentialsMatcher is set on the realm here, so Shiro's
     * default matcher applies, which compares the submitted password with the
     * stored value as-is. Configure a hashed credentials matcher on the realm
     * if passwords are stored hashed, which they should be.
     *
     * @return a new {@link UserRealm}
     */
    @Bean(name="userRealm")
    public UserRealm getRealm(){
        return new UserRealm();
    }

    /**
     * Enables Shiro's authorization annotations (for example
     * {@code @RequiresPermissions}) on Spring-managed beans.
     *
     * @param securityManager the bean registered under the name "securityManager"
     * @return the advisor bound to that security manager
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager")DefaultWebSecurityManager securityManager){
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}

三、创建自定义Realm(UserRealm)

import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

import java.util.List;

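/**
 * Custom Shiro realm backed by the application's user, role and permission mappers.
 *
 * <p>Authentication looks the account up by user name and hands the stored password
 * to Shiro for comparison. Authorization loads role names and permission strings for
 * the principal that Shiro passes in.
 *
 * <p>NOTE(review): this class sets no CredentialsMatcher, so unless one is configured
 * elsewhere Shiro's default matcher compares the submitted password with the value of
 * {@code user.getPassword()} as-is. Store passwords hashed and configure a matching
 * hashed credentials matcher.
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    UserMapper userMapper;

    @Autowired
    RoleMapper roleMapper;

    @Autowired
    PermissionMapper permissionsMapper;

    /**
     * Loads the roles and permission strings of the given principal.
     *
     * <p>The user is taken from the principal collection rather than from the HTTP
     * session: the principal is what Shiro authenticated, while a session attribute
     * may be missing (expired session, remembered subject) or may have been written
     * by other code.
     *
     * @param arg0 the principals of the subject being authorized
     * @return the roles and permissions; empty when the primary principal is not a
     *         {@code User}, so that an unknown identity is granted nothing
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        // doGetAuthenticationInfo stores the User object as the principal.
        Object principal = arg0.getPrimaryPrincipal();
        if (!(principal instanceof User)) {
            // Fail closed: no roles, no permissions.
            return info;
        }
        User user = (User) principal;

        // Role names of the user.
        List<Role> roleList = roleMapper.findRoleByUser(user.getId());
        for (Role role : roleList) {
            info.addRole(role.getName());
        }

        // Permission strings of the user; the permission's url value is used as the string.
        List<Permission> permissionsList = permissionsMapper.findUserMenu(user.getId());
        for (Permission permission : permissionsList) {
            if (StringUtils.isNotBlank(permission.getUrl())) {
                info.addStringPermission(permission.getUrl());
            }
        }
        return info;
    }


    /**
     * Looks up the account for the submitted user name.
     *
     * <p>This method only supplies the stored credentials. The password comparison
     * happens afterwards in Shiro, so nothing here may mark the user as logged in.
     *
     * @param arg0 the submitted token, expected to be a {@link UsernamePasswordToken}
     * @return the account data, or {@code null} when the user name is unknown
     *         (Shiro then raises UnknownAccountException)
     * @throws AuthenticationException if the lookup fails in a way Shiro should report
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) arg0;

        User user = userMapper.findByName(token.getUsername());
        if (user == null) {
            // Unknown user name. The login handler should show the same failure
            // message as for a wrong password so that account names are not disclosed.
            return null;
        }

        // Shiro compares the stored password with the submitted one after this returns.
        // The realm name stays "" as in the original; getName() is the conventional value.
        return new SimpleAuthenticationInfo(user, user.getPassword(), "");
    }

    /**
     * Publishes the user in the session only after the credentials have been verified.
     *
     * <p>Writing the session attribute inside {@link #doGetAuthenticationInfo} would
     * leave a user object in the session of a client that merely submitted a valid
     * user name with a wrong password; code that trusts the attribute would then
     * treat that client as logged in.
     *
     * @param token the submitted token
     * @param info  the account data returned by {@link #doGetAuthenticationInfo}
     * @throws AuthenticationException if the credentials do not match
     */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        // Throws on a mismatch, so the line below runs for successful logins only.
        super.assertCredentialsMatch(token, info);
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        SecurityUtils.getSubject().getSession().setAttribute(UserConstant.current_user, principal);
    }

}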

四、常用注解和方法,如下示例

// Read the user object from the Shiro session.
// NOTE(review): a session attribute is not proof of login by itself; it is only as
// reliable as the code that sets it. For access decisions prefer
// subject.isAuthenticated() or the principal shown in the next example.
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getSession().getAttribute(UserConstant.current_user);

// Get the currently logged-in user. The principal's type depends on what the realm
// puts into its AuthenticationInfo (a User object in the realm on this page).
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getPrincipal();

// Permission annotation: Shiro throws an authorization exception when the subject
// lacks the user:list permission. The realm on this page registers
// Permission.getUrl() values as permission strings, so "user:list" must be one of them.
@RequiresPermissions("user:list")

// Requires an authenticated subject; commonly used as a login check.
// Shiro throws an exception when the subject is not logged in.
@RequiresAuthentication

内容不是很详细,如果有可以补充的,欢迎留言补充,让更多人学习到,谢谢
