shiro
shiro 核心组件
名称 | 含义 |
---|---|
usernamePassword | shiro用来封装用户登录信息,使用用户的登录信息来创建Token |
SecurityManager | shiro的核心部分,负责安全认证和授权 |
subject | shiro的一个抽象概念,包含了用户信息 |
authenticationInfo | 用户角色信息集合,认证时使用 |
authorizationInfo | 角色权限信息集合,授权时使用 |
DefaultWebSecurityManager | 安全管理器,开发者自定义的Realm需要注入到DefaultWebSecurityManager才有效 |
ShiroFilterFactoryBean | 过滤器工厂,Shiro的基本运行机制是开发者定制规则,Shiro去执行,具体的执行操作就是由ShiroFilterFactoryBean创建的一个个Filter对象来完成 |
shiro流程
Realm
/**
 * Realm backing Shiro authentication for {@code Account} users.
 * Authorization is not implemented at this stage: {@link #doGetAuthorizationInfo}
 * returns {@code null}, so no roles or permissions are granted to anyone.
 */
public class AccountRealm extends AuthorizingRealm {

    @Autowired
    private AccountService accountService;

    /**
     * Authorization lookup; not implemented yet.
     *
     * @param principalCollection principals of the subject being authorized (unused)
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Looks up the account named in the token and hands its stored credential to Shiro,
     * which compares it against the submitted password using the realm's
     * {@code CredentialsMatcher}.
     *
     * @param authenticationToken expected to be a {@link UsernamePasswordToken}
     * @return authentication info for the account, or {@code null} when no account has
     *         that username (Shiro then reports an unknown account)
     * @throws AuthenticationException declared by the superclass; not thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        // Unchecked cast: a token of any other type surfaces as a ClassCastException rather
        // than an AuthenticationException.
        UsernamePasswordToken upToken = (UsernamePasswordToken) authenticationToken;
        Account found = accountService.findByUsername(upToken.getUsername());
        // NOTE(review): getPassword() is passed to Shiro verbatim; unless a hashing
        // CredentialsMatcher is configured on this realm, the stored value is compared as-is.
        return found == null
                ? null
                : new SimpleAuthenticationInfo(found, found.getPassword(), getName());
    }
}
配置类
/**
 * Spring configuration wiring the Shiro pipeline: realm -> security manager -> servlet filter.
 * No filter chain definitions are registered in this version, so no access rule is applied
 * to any URL yet.
 */
@Configuration
public class ShiroConfig {

    /** Realm that authenticates {@code Account} users. */
    @Bean
    public AccountRealm accountRealm() {
        return new AccountRealm();
    }

    /**
     * Web security manager backed by the single {@code accountRealm}.
     *
     * @param accountRealm the realm to register
     * @return the configured security manager
     */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(
            @Qualifier("accountRealm") AccountRealm accountRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(accountRealm);
        return manager;
    }

    /**
     * Servlet filter factory bound to the security manager. Neither chain definitions nor a
     * login URL are set here, so Shiro filters nothing.
     *
     * @param defaultWebSecurityManager the security manager to attach
     * @return the configured filter factory
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
        filterFactory.setSecurityManager(defaultWebSecurityManager);
        return filterFactory;
    }
}
编写认证和授权规则
认证过滤器
类型 | 含义 |
---|---|
anon | 无需认证 |
authc | 必须认证 |
authcBasic | 需要通过HTTP Basic认证 |
user | 不一定通过认证,只要曾经shiro记录即可 |
授权过滤器
类型 | 含义 |
---|---|
perms | 必须拥有特定权限才能访问 |
roles | 必须拥有某个角色才能访问 |
port | 请求的端口必须是指定端口 |
rest | 请求必须使用RESTful风格 |
ssl | 必须是HTTPS协议 |
创建三个页面
页面 | 内容 |
---|---|
main.html | 必须登录才能访问 |
manage.html | 用户必须有manager授权才能访问 |
administrator.html | 用户必须拥有admin角色才能访问 |
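/**
 * Spring configuration wiring the Shiro pipeline and the per-URL access rules.
 */
@Configuration
public class ShiroConfig {

    /** Realm that authenticates and authorizes {@code Account} users. */
    @Bean
    public AccountRealm accountRealm() {
        return new AccountRealm();
    }

    /**
     * Web security manager backed by the single {@code accountRealm}.
     *
     * @param accountRealm the realm to register
     * @return the configured security manager
     */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(
            @Qualifier("accountRealm") AccountRealm accountRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(accountRealm);
        return manager;
    }

    /**
     * Servlet filter factory carrying the URL -> filter chain rules.
     * <p>
     * The rules are kept in insertion order: Shiro resolves chain definitions first-match-wins,
     * so a plain {@code HashMap} would make the effective rule for overlapping patterns depend on
     * hash ordering rather than on the order written here. Only the three listed paths have a
     * rule; any other path matches no definition and therefore receives no Shiro filter.
     *
     * @param defaultWebSecurityManager the security manager to attach
     * @return the configured filter factory
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
        filterFactory.setSecurityManager(defaultWebSecurityManager);

        // Fully qualified so the snippet does not rely on an import outside this listing.
        Map<String, String> chainDefinitions = new java.util.LinkedHashMap<>(8);
        chainDefinitions.put("/main", "authc");                  // any authenticated user
        // NOTE(review): the permission checked here is "manage", while the page text and the
        // Thymeleaf tag use "manager" — confirm which string Account.getPerms() holds.
        chainDefinitions.put("/manage", "perms[manage]");
        chainDefinitions.put("/administrator", "roles[admin]");  // role from AccountRealm
        filterFactory.setFilterChainDefinitionMap(chainDefinitions);
        return filterFactory;
    }
}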
授权
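/**
 * Realm backing Shiro authentication and authorization for {@code Account} users.
 * Each account carries one role string and one permission string.
 */
public class AccountRealm extends AuthorizingRealm {

    @Autowired
    private AccountService accountService;

    /**
     * Builds the roles and permissions for the principal Shiro is authorizing.
     * <p>
     * The account is taken from the supplied {@code principalCollection}, not from
     * {@code SecurityUtils.getSubject()}: the collection identifies the subject Shiro is
     * actually asking about, whereas the thread-bound subject can be a different one (for
     * example under run-as) or absent when this is invoked outside a request thread.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the account's role and permission; empty info when no {@code Account}
     *         principal is present or when the account has no role/permission set
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        Object primary = principalCollection == null ? null : principalCollection.getPrimaryPrincipal();
        if (!(primary instanceof Account)) {
            // Unknown or foreign principal: grant nothing instead of failing with a cast error.
            return new SimpleAuthorizationInfo();
        }
        Account account = (Account) primary;
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // A null role/permission would otherwise be stored in the info and can later fail
        // inside Shiro's permission resolution; a missing value simply grants nothing.
        if (account.getRole() != null) {
            info.addRole(account.getRole());
        }
        if (account.getPerms() != null) {
            info.addStringPermission(account.getPerms());
        }
        return info;
    }

    /**
     * Looks up the account named in the token and hands its stored credential to Shiro,
     * which compares it against the submitted password using the realm's
     * {@code CredentialsMatcher}.
     *
     * @param authenticationToken expected to be a {@link UsernamePasswordToken}
     * @return authentication info for the account, or {@code null} when no account has
     *         that username (Shiro then reports an unknown account)
     * @throws AuthenticationException declared by the superclass; not thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        // Unchecked cast: a token of any other type surfaces as a ClassCastException rather
        // than an AuthenticationException.
        UsernamePasswordToken upToken = (UsernamePasswordToken) authenticationToken;
        Account found = accountService.findByUsername(upToken.getUsername());
        // NOTE(review): getPassword() is passed to Shiro verbatim; unless a hashing
        // CredentialsMatcher is configured on this realm, the stored value is compared as-is.
        if (found == null) {
            return null;
        }
        return new SimpleAuthenticationInfo(found, found.getPassword(), getName());
    }
}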
整合thymeleaf
导入依赖
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
注册 ShiroDialect Bean
/**
 * Registers the Thymeleaf dialect that provides the {@code shiro:*} template attributes
 * (for example {@code shiro:hasRole} and {@code shiro:hasPermission}).
 *
 * @return a new {@link ShiroDialect} instance
 */
@Bean
public ShiroDialect shiroDialect() {
    ShiroDialect dialect = new ShiroDialect();
    return dialect;
}
类型 | 含义 |
---|---|
<div shiro:hasPermission="manager"></div> | 是否有manager授权 |
<div shiro:hasRole="admin"></div> | 是否有admin角色权限 |