Springboot整合Shiro笔记

SpringBoot相关文章 

• SpringBoot整合Shiro笔记
• SpringBoot日志使用
• SpringBoot快速建立单元测试(IDEA版本)
• SpringBoot统一异常处理与统一响应结果集(使用笔记)
• SpringBoot+Layui开发
• SpringBoot自动配置原理解读
• SpringBoot基础入门与配置

目录

 

1.导入依赖

2.自定义Realm

3.编写Shiro配置类

 4.编写登录Controller

---

1.导入依赖

此处需要建立一个SpringBoot工程，勾选web、thymeleaf(可选)，以下除了shiro与Springboot的相关依赖必须外，其他可有选择地导入

        <!-- thymeleaf 模板引擎 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-java8time</artifactId>
        </dependency>

        <!-- Web应用支持 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        
        <!-- shiro启动器  -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring-boot-web-starter</artifactId>
            <version>1.5.3</version>
        </dependency>
        <dependency>
            <groupId>com.github.theborakompanioni</groupId>
            <artifactId>thymeleaf-extras-shiro</artifactId>
            <version>2.0.0</version>
        </dependency>

2.自定义Realm

@Component("authorizer")
public class CustomRealm extends AuthorizingRealm {

    private static final Logger log= LoggerFactory.getLogger(CustomRealm.class);

    @Autowired
    private EntranceService entranceService;

    /**
     * 授权
     * @param principals
     * @return
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("————权限认证————");
        String username = (String) SecurityUtils.getSubject().getPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        //获得该用户角色
        String role = userMapper.getRole(username);
        Set<String> set = new HashSet<>();
        //需要将 role 封装到 Set 作为 info.setRoles() 的参数
        set.add(role);
        //设置该用户拥有的角色
        info.setRoles(set);
        return info;
    }

    /**
     * 认证
     * @param token
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        log.info("MyShiroRealm.doGetAuthenticationInfo()");

        String username = (String)token.getPrincipal();

        UserDO user = entranceService.getUserByUserName(username);
        if (user==null) {
            return null;
        }
        return new SimpleAuthenticationInfo(username, user.getPassword(), getName());
    }
}

3.编写Shiro配置类

一般如果你用配置类配置了，就不需要再在application.yml或者application.properties文件中配置了，需要注意的是，做登录认证时，记得开放提交登录的url

@Configuration
public class ShiroConfiguration {

    private static final Logger log= LoggerFactory.getLogger(ShiroConfiguration.class);

    /**
     * 注入过滤器工厂
     * 在此处可以配置的认证路径
     * @param securityManager
     * @return
     */
    @Bean(name="shiroFilterFactoryBean")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {

        log.info("ShiroConfiguration.shirFilter()");

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        //拦截器.
        Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>();
        //配置退出 过滤器,其中的具体的退出代码Shiro已经替我们实现了
        filterChainDefinitionMap.put("/logout", "logout");
        // 配置不会被拦截的链接 顺序判断
        filterChainDefinitionMap.put("/static/**", "anon");
        filterChainDefinitionMap.put("/login.do","anon");
        //<!-- 过滤链定义，从上向下顺序执行，一般将/\*\*放在最为下边 -->:这是一个坑呢，一不小心代码就不好使了;
        //<!-- authc:所有url都必须认证通过才可以访问; anon:所有url都都可以匿名访问-->
        filterChainDefinitionMap.put("/**", "authc");
        // 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
        shiroFilterFactoryBean.setLoginUrl("/");
        // 登录成功后要跳转的链接
        shiroFilterFactoryBean.setSuccessUrl("/index");

        //未授权界面;
        shiroFilterFactoryBean.setUnauthorizedUrl("/error");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * 注入自定义Realm
     * @return
     */
    @Bean(name = "customRealm")
    CustomRealm customRealm() {
        return new CustomRealm();
    }

    /**
     * 注入安全管理器
     * @param customRealm
     * @return
     */
    @Bean(name = "securityManager")
    SessionsSecurityManager securityManager(@Qualifier("customRealm") CustomRealm customRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(customRealm);
        return manager;
    }

    /**
     * shiro整合thymeleaf
     * @return
     */
    @Bean(name = "shiroDialect")
    public ShiroDialect shiroDialect() {
        return new ShiroDialect();
    }
}

 4.编写登录Controller

@PostMapping("/login.do")
    public String login(String username, String password, Model model) {
        log.info("登录了");
        if (StringUtils.isBlank(username) || StringUtils.isBlank(password)) {
            model.addAttribute("errMsg", "账号或密码不能为空");
            return "login";
        }
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            subject.getSession(true).setAttribute("user",username);
            return "redirect:index";
        } catch (UnknownAccountException | CredentialsException e) {
            log.error("账号或密码错误！："+e.getMessage());
            model.addAttribute("errMsg", "账号或密码错误！");
        }catch (Exception e){
            model.addAttribute("errMsg", "登陆失败！请稍后重试");
            log.error("登陆失败！"+e.getCause());
        }
        return "login";
    }