Spring Boot+Shiro 权限管理 配置:
1.添加pom包依赖
Spring Boot 使用maven进行项目管理,直接在pom包添加Shiro的依赖即可。
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
2.Shiro配置类-ShiroConfig
/**
* shiro配置
*/
@Configuration
public class ShiroConfig {
//shiro拦截器
@Bean(name="shiroFilter")
public ShiroFilterFactoryBean shiroFilter(@Qualifier("securityManager") SecurityManager manager) {
System.err.println("--------------shiroFilter已经加载----------------");
ShiroFilterFactoryBean bean=new ShiroFilterFactoryBean();
//配置登录的url和登录成功的url
bean.setLoginUrl("/login.html"); //登录页面
bean.setSuccessUrl("/index.html"); //登录成功页面
//配置SecurityManager
bean.setSecurityManager(manager);
//配置访问权限
LinkedHashMap<String, String> filterChainDefinitionMap=new LinkedHashMap<>();
filterChainDefinitionMap.put("/loginUser","anon"); //"anon"表示任意请求都可以访问
filterChainDefinitionMap.put("/**", "authc"); //"authc"表示认证过的请求才能访问
bean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return bean;
}
//声明SecurityManager
//配置核心安全事务管理器
@Bean(name="securityManager")
public SecurityManager securityManager(@Qualifier("authRealm") AuthRealm authRealm) {
DefaultWebSecurityManager manager=new DefaultWebSecurityManager();
manager.setRealm(authRealm);
return manager;
}
//身份认证
//配置自定义的权限登录器
@Bean(name="authRealm")
public AuthRealm authRealm(@Qualifier("credentialsMatcher") CredentialsMatcher matcher) {
AuthRealm authRealm=new AuthRealm();
authRealm.setCredentialsMatcher(matcher);
return authRealm;
}
//配置自定义的密码比较器
@Bean(name="credentialsMatcher")
public CredentialsMatcher credentialsMatcher() {
return new CredentialsMatcher();
}
//保证实现了shiro内部lifecycle函数的bean执行
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor(){
return new LifecycleBeanPostProcessor();
}
//开启shiro,首先创建代理
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator creator=new DefaultAdvisorAutoProxyCreator();
creator.setProxyTargetClass(true);
return creator;
}
//加载securityManager
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") SecurityManager manager) {
AuthorizationAttributeSourceAdvisor advisor=new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(manager);
return advisor;
}
}
- shiro拦截器的url可以是静态页面、静态资源和请求接口路径;
- 登录和登录成功的url要配置在访问权限的前面;
- 拦截器配置的url从项目名后开始计算:http://localhost:8080/ShipInspec/login.html,其中”ShipInspec”为项目名。
存在问题:登录成功不能自动跳转,也就是说 bean.setSuccessUrl(“/index.html”); 的配置没有生效,暂时使用前端跳转。
3.Shiro认证授权类-AuthRealm(继承AuthorizingRealm)
/**
* 认证授权
*/
public class AuthRealm extends AuthorizingRealm {
@Autowired
private UserMapper userMapper;
//认证、登录
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.err.println("--------doGetAuthenticationInfo--------");
UsernamePasswordToken utoken=(UsernamePasswordToken) token;//获取用户输入的token
String username = utoken.getUsername();
ScsUser user = userMapper.findByUsername(username);
return new SimpleAuthenticationInfo(user, user.getPassword(),this.getClass().getName());//放入shiro.调用CredentialsMatcher检验密码
}
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principal){
System.err.println("--------doGetAuthorizationInfo--------");
ScsUser user=(ScsUser) principal.fromRealm(this.getClass().getName()).iterator().next();//获取session中的用户
//先获取用户的角色,在根据角色获取权限并放在List中
List<String> per=new ArrayList<>();
String role = userMapper.findRole(user.getUserid()).getRole();
List<ScsPermission> permissions = userMapper.findPermission(role);
if(permissions.size()>0) {
for(ScsPermission permission : permissions) {
per.add(permission.getPermissionname());
}
}
SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
info.addStringPermissions(per);//将权限放入shiro中.
return info;
}
}
(1)登录和认证
@RequestMapping("/loginUser")
@ResponseBody
public Mess loginUser(String username, String password) {
//记录帐号密码,将password转成char[]类型,用于登录
UsernamePasswordToken usernamePasswordToken=new UsernamePasswordToken(username,password);
//创建主体subject
Subject subject = SecurityUtils.getSubject();
try {
subject.login(usernamePasswordToken); //完成登录;
//设置session过期时间
SecurityUtils.getSubject().getSession().setTimeout(-1000);
return Mess.info(0, "登录成功!");
} catch (Exception e) {
return Mess.info(0, "用户名密码错误!");//返回登录页面
}
}
subject.login(usernamePasswordToken)流程:
- 调用clearRunAsIdentitiesInternal()方法来清除之前连接的session;
- 使用安全管理器SecurityManager,调用Realm中登录方法doGetAuthenticationInfo()进行登录操作;
- 登录成功后,将用户信息用principals存放在主体subject中;
- 新建session,保存用户的会话信息。
(由于shiro会自动创建session,用户退出登录操作subject.logout()只能清除市容自动保存的session,如果在登录的时候自己创建session,则会在会话中保持两个session,退出登录也会失败!)
(2)授权
在spring boot中可以通过标签来为接口设置权限,在用户调用该接口的时候,shiro先判断角色是否是认证过的用户,再调用下面的doGetAuthorizationInfo()方法来进行授权操作,通过自己设置的方法来获取用户的权限表里的所有权限,在放到shiro中进行比较,如果用户拥有该权限,才能调用该接口,否则抛出未授权异常。
4.Shiro密码验证类-CredentialsMatcher(继承SimpleCredentialsMatcher)
public class CredentialsMatcher extends SimpleCredentialsMatcher {
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws NullPointerException{
UsernamePasswordToken utoken=(UsernamePasswordToken) token;
String inPassword = new String(utoken.getPassword());
//获得数据库中的密码 new String(utoken.getPassword());
String dbPassword=(String) info.getCredentials();
//进行密码的比对
return this.equals(inPassword, dbPassword);
}
}