依赖
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
配置类
MyRealm
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
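public class MyRealm extends AuthorizingRealm {
    /**
     * Demo credential store: username -> expected password.
     * Stands in for the database lookup a real realm would perform; the single entry matches
     * the username/password that ShiroController.login submits.
     */
    private static final Map<String, String> DEMO_CREDENTIALS;
    /** Demo role store: username -> roles granted to that user. */
    private static final Map<String, Set<String>> DEMO_ROLES;

    static {
        Map<String, String> credentials = new HashMap<>();
        credentials.put("123", "password");
        DEMO_CREDENTIALS = Collections.unmodifiableMap(credentials);

        Map<String, Set<String>> roles = new HashMap<>();
        roles.put("123", Collections.singleton("tt"));
        DEMO_ROLES = Collections.unmodifiableMap(roles);
    }

    /**
     * Role lookup (authorization).
     *
     * @param principals the principals Shiro identified for the subject; the primary principal is
     *                   the username returned from {@link #doGetAuthenticationInfo}
     * @return the roles held by that user; an empty role set when the user is unknown
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("————权限认证————");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Set<String> grantedRoles = new HashSet<>();
        // Read the user from the principals Shiro passes in rather than from
        // SecurityUtils.getSubject(): a realm may be invoked on a thread with no bound Subject,
        // and the passed-in principals are the ones this lookup is actually being asked about.
        Object primary = principals == null ? null : principals.getPrimaryPrincipal();
        if (primary != null) {
            // This is where a real implementation queries the database for the user's roles.
            Set<String> roles = DEMO_ROLES.get(primary.toString());
            if (roles != null) {
                grantedRoles.addAll(roles);
            }
        }
        // Roles the user holds (checked by the "roles[...]" filter and @RequiresRoles).
        info.setRoles(grantedRoles);
        return info;
    }

    /**
     * Login verification (authentication).
     *
     * @param token the submitted username/password token
     * @return the account's STORED credential, wrapped so Shiro's CredentialsMatcher can compare
     *         it against the submitted one
     * @throws UnknownAccountException when the username is missing or not registered
     * @throws AuthenticationException propagated from Shiro for any other failure
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        Object principal = token == null ? null : token.getPrincipal();
        if (principal == null) {
            throw new UnknownAccountException("账户不存在!");
        }
        String username = principal.toString();
        // Print only the username; the submitted password must never reach stdout or logs.
        System.out.println(username);
        String storedCredential = DEMO_CREDENTIALS.get(username);
        if (storedCredential == null) {
            throw new UnknownAccountException("账户不存在!");
        }
        // Return the stored credential, not token.getCredentials(): the configured
        // CredentialsMatcher compares the two, so echoing the token's own password back
        // would make any password valid for a known username.
        return new SimpleAuthenticationInfo(username, storedCredential, getName());
    }
}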
ShiroConfig
@Configuration
public class ShiroConfig {
    /** The realm that answers authentication and role queries. */
    @Bean
    MyRealm myRealm() {
        return new MyRealm();
    }

    /** Web security manager wired to {@link #myRealm()}. */
    @Bean
    DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(myRealm());
        return securityManager;
    }

    /**
     * Builds the Shiro servlet filter and its URL -> filter-chain table (the permission rules).
     * The login URL and success URL keep Shiro's defaults; only the unauthorized page is set.
     *
     * @return the configured filter factory
     */
    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean() {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager());
        // Page shown when a logged-in user lacks the role a chain requires.
        factory.setUnauthorizedUrl("/shiro/unauthorizedurl");
        factory.setFilterChainDefinitionMap(filterChainDefinitions());
        return factory;
    }

    /**
     * URL patterns in evaluation order: Shiro applies the first matching entry, so the specific
     * paths come before the "/shiro/**" catch-all (a LinkedHashMap keeps the insertion order).
     */
    private static Map<String, String> filterChainDefinitions() {
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/shiro/test", "roles[tt]");   // requires role "tt"
        chains.put("/shiro/test2", "roles[tt2]"); // requires role "tt2"
        chains.put("/shiro/login", "anon");       // reachable without logging in
        chains.put("/shiro/**", "authc");         // everything else under /shiro needs a logged-in user
        return chains;
    }
}
Controller
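@RestController
@RequestMapping("/shiro")
public class ShiroController {
    // Fully qualified so no extra import is needed in this listing.
    private static final java.util.logging.Logger LOG =
            java.util.logging.Logger.getLogger(ShiroController.class.getName());

    /**
     * Login endpoint; mapped to "anon" in ShiroConfig, so it is reachable before logging in.
     * GET is kept only for the demo: with GET the credentials sit in the query string and end up
     * in access logs and browser history, so real clients should POST.
     *
     * @param name     username; defaults to "name" when absent
     * @param password password; defaults to "password" so the existing demo calls keep working
     * @return "登录成功" on success, "登录失败" on any authentication failure (the reason is
     *         deliberately not returned, so the response does not reveal whether the account exists)
     */
    @RequestMapping(path = "/login", method = {RequestMethod.GET, RequestMethod.POST})
    public Object login(@RequestParam(defaultValue = "name") String name,
                        @RequestParam(defaultValue = "password") String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(name, password));
            return "登录成功";
        } catch (AuthenticationException e) {
            // Record the failure type only; never log the submitted password.
            LOG.log(java.util.logging.Level.WARNING, "login failed for {0}: {1}",
                    new Object[] {name, e.getClass().getSimpleName()});
            return "登录失败";
        }
    }

    /** Requires role "tt" (see the "/shiro/test" chain in ShiroConfig). */
    @RequestMapping(path = "/test", method = {RequestMethod.GET, RequestMethod.POST})
    public Object test() {
        return "test有权限!";
    }

    /** Requires role "tt2", which the demo user does not hold, so it lands on the unauthorized page. */
    @RequestMapping(path = "/test2", method = {RequestMethod.GET, RequestMethod.POST})
    public Object test2() {
        return "test2---wu!";
    }

    /** Target of ShiroFilterFactoryBean.setUnauthorizedUrl: shown when a required role is missing. */
    @RequestMapping(path = "/unauthorizedurl", method = {RequestMethod.GET, RequestMethod.POST})
    public Object unauthorizedurl() {
        return "unauthorizedurl--无权限";
    }
}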
截图
登录接口已经开放,无权限用户也可以请求
登录成功
test请求有权限
test2无权限
shiro相关注解使用
@RequiresRoles
需要某个角色才能访问(不要把该请求设置为anon,否则无效)