依赖
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.4.1</version>
</dependency>
在 Spring Boot 中集成 Shiro 相对简单，只需要两个类：一个是 ShiroConfig 配置类，一个是 UserRealm 类。注意：上面引入的 1.4.1 是较旧的版本，引入前请先查阅 Apache Shiro 官方安全公告，选用仍在维护、已修复已知问题的版本。
shiroConfig
package com.example.springmybatisshiro.common.config;
import com.example.springmybatisshiro.modules.sys.shiro.UserRealm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
/**
 * Shiro wiring for the web layer: the URL filter chain, the security manager, the realm,
 * and the two AOP beans that make {@code @RequiresPermissions} / {@code @RequiresRoles} work.
 *
 * @author Mark sunlightcs@gmail.com
 */
@Configuration
public class ShiroConfig {

    /**
     * Builds the servlet filter that fronts every request.
     * <p>
     * Chain entries are evaluated top-down and the first match wins, so the insertion
     * order of the {@link LinkedHashMap} matters: the permissive {@code anon} prefixes
     * must precede the catch-all {@code /**} → {@code authc} rule.
     *
     * @param defaultWebSecurityManager the security manager the filter delegates to
     * @return the configured {@link ShiroFilterFactoryBean}
     */
    @Bean("shiroFilterFactoryBean")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setSecurityManager(defaultWebSecurityManager);
        // Where an unauthenticated request to an authc-protected URL is redirected.
        shiroFilter.setLoginUrl("/app/index");
        // Where a failed filter-chain perms[]/roles[] check is redirected.
        // NOTE(review): this only covers filter-chain checks; a failed annotation check
        // throws an AuthorizationException out of the controller proxy instead.
        shiroFilter.setUnauthorizedUrl("/app/perms");

        LinkedHashMap<String, String> chain = new LinkedHashMap<>();
        // anon = no session required, authc = authenticated subject required.
        chain.put("/app/login", "anon");
        chain.put("/app/index", "anon");
        chain.put("/app/**", "anon"); // already covers the two entries above
        // NOTE(review): everything under /file/manage/** is reachable without logging in.
        // Confirm that is intended — any upload/delete endpoint under this prefix would be
        // exposed to anonymous callers.
        chain.put("/file/manage/**", "anon");
        // Permission checks may be declared here instead of via annotations, e.g.:
        // chain.put("/sys/user/getAll", "perms[sys:user:getAll]");
        chain.put("/**", "authc"); // default-deny for everything not listed above
        shiroFilter.setFilterChainDefinitionMap(chain);
        return shiroFilter;
    }

    /**
     * Security manager bound to the single {@link UserRealm}.
     * <p>
     * NOTE(review): no {@code CredentialsMatcher} is configured on the realm, so Shiro's
     * default plain-equality matcher is used when comparing the submitted password with the
     * stored credentials. Confirm how the password column is populated; a hashed column
     * needs a matching {@code CredentialsMatcher} set on the realm.
     *
     * @param userRealm the realm performing authentication and authorization
     * @return the web security manager
     */
    @Bean("securityManager")
    public DefaultWebSecurityManager securityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    /**
     * The realm bean. Its {@code @Autowired} fields are injected by Spring after this
     * factory method returns.
     *
     * @return a new {@link UserRealm}
     */
    @Bean("userRealm")
    public UserRealm userRealm() {
        return new UserRealm();
    }

    /**
     * Enables Shiro's method-level annotations ({@code @RequiresRoles},
     * {@code @RequiresPermissions}). Spring AOP scans for annotated beans and wraps them in
     * proxies that run the authorization check before the method body; this bean together
     * with {@link #authorizationAttributeSourceAdvisor} provides that behaviour.
     *
     * @return the auto-proxy creator
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
        // Class-based (CGLIB) proxies, so beans without an interface can be advised too.
        proxyCreator.setProxyTargetClass(true);
        return proxyCreator;
    }

    /**
     * Advisor that matches Shiro-annotated methods and checks them against the security
     * manager.
     *
     * @param defaultWebSecurityManager the security manager to consult
     * @return the advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager defaultWebSecurityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(defaultWebSecurityManager);
        return advisor;
    }
}
UserRealm
package com.example.springmybatisshiro.modules.sys.shiro;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.example.springmybatisshiro.modules.sys.entity.Permission; // NOTE(review): package inferred from User — adjust if Permission lives elsewhere
import com.example.springmybatisshiro.modules.sys.entity.User;
import com.example.springmybatisshiro.modules.sys.mapper.PermissionMapper; // NOTE(review): package inferred from UserMapper — adjust if needed
import com.example.springmybatisshiro.modules.sys.mapper.UserMapper;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
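/**
 * Realm backing authentication (user name → stored credentials) and authorization
 * (user id → permission strings) against the MyBatis-Plus mappers.
 * <p>
 * Shiro always authenticates first; authorization data is only loaded later, on the
 * first permission or role check for the logged-in subject.
 *
 * @author Mark sunlightcs@gmail.com
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    private UserMapper userMapper;

    // Was referenced by doGetAuthorizationInfo without ever being declared; injected like userMapper.
    @Autowired
    private PermissionMapper permissionMapper;

    /**
     * Authorization: loads the permissions of the subject being authorized.
     * <p>
     * The {@link User} is taken from the supplied principals rather than from
     * {@code SecurityUtils.getSubject()}: the latter is the thread-bound subject, which is
     * not guaranteed to be the one Shiro is asking about. Only permission rows with a
     * non-null, non-empty {@code url} are turned into Shiro string permissions.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the subject's string permissions; empty when there is no user or no rows
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = (User) principalCollection.getPrimaryPrincipal();
        if (user == null) {
            return info; // nothing to grant
        }
        // Column values are bound as JDBC parameters by MyBatis-Plus, not concatenated.
        List<Permission> permissions = permissionMapper.selectList(
                new QueryWrapper<Permission>()
                        .eq("user_id", user.getUserId())
                        .isNotNull("url")
                        .ne("url", ""));
        Set<String> perms = new HashSet<>();
        for (Permission permission : permissions) {
            perms.add(permission.getUrl());
        }
        info.setStringPermissions(perms);
        return info;
    }

    /**
     * Authentication: looks the account up by user name and hands its stored credentials
     * to Shiro, which performs the comparison through the realm's {@code CredentialsMatcher}.
     * <p>
     * NOTE(review): no matcher is configured on this realm, so the default
     * {@code SimpleCredentialsMatcher} checks the submitted password for plain equality
     * against {@code user.getPassword()}. That only works if the column holds the plaintext
     * password. Store a salted hash (bcrypt/argon2, or at least a salted SHA-256 via Shiro's
     * {@code HashedCredentialsMatcher}) and configure the matching {@code CredentialsMatcher}
     * on this realm — confirm how the password column is populated.
     * <p>
     * Assumes {@code user_name} is unique; {@code selectOne} fails if several rows match.
     *
     * @param authenticationToken the {@link UsernamePasswordToken} submitted at login
     * @return the account's principal ({@link User}) and its stored credentials
     * @throws UnknownAccountException when the user name is empty or no account has it; the
     *         message is deliberately identical to the wrong-password message so callers cannot
     *         tell the two cases apart
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();
        if (username == null || username.isEmpty()) {
            // An empty name can never match a row; skip the round-trip to the database.
            throw new UnknownAccountException("账号或密码不正确");
        }
        // Column values are bound as JDBC parameters by MyBatis-Plus, not concatenated.
        User user = userMapper.selectOne(new QueryWrapper<User>().eq("user_name", username));
        if (user == null) {
            throw new UnknownAccountException("账号或密码不正确");
        }
        // getName() tags the principal with this realm instead of an empty realm name.
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}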
controller类:
package com.example.springmybatisshiro.modules.sys.controller;
import com.example.springmybatisshiro.common.utils.R;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
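@RequestMapping("/app")
@RestController
public class LoginController {

    /** Same text for "no such account" and "wrong password" so responses do not reveal which user names exist. */
    private static final String BAD_CREDENTIALS = "账号或密码不正确";

    /**
     * Logs the caller in.
     * <p>
     * Changed from {@code @GetMapping} to {@code @PostMapping}: a GET login puts the password
     * in the query string, where it is recorded in browser history, proxy and access logs and
     * leaked through the Referer header. Credentials belong in the request body (over TLS).
     * <p>
     * NOTE(review): there is no throttling or lockout here; {@code LockedAccountException} is
     * handled but nothing visible on this page ever raises it.
     *
     * @param username submitted user name
     * @param password submitted password
     * @return {@code R.ok()} with {@code data=success} on success, otherwise {@code R.error}
     *         with a generic message
     */
    @PostMapping("/login")
    public R login(String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            Subject subject = SecurityUtils.getSubject(); // current (possibly anonymous) subject
            subject.login(token); // delegates to UserRealm through the security manager
            return R.ok().put("data", "success");
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Do not echo e.getMessage(): keep the two failure modes indistinguishable.
            return R.error(BAD_CREDENTIALS);
        } catch (LockedAccountException e) {
            return R.error("账号已被锁定,请联系管理员");
        } catch (AuthenticationException e) {
            return R.error("账户验证失败");
        } finally {
            token.clear(); // zero the password chars as soon as the attempt is over
        }
    }

    /**
     * Target of {@code setLoginUrl}: where an unauthenticated request to an authc-protected
     * URL is redirected.
     * <p>
     * NOTE(review): the body is built with {@code R.ok()} — if that maps to HTTP 200, API
     * clients receive a success status for an authentication failure; consider a 401.
     *
     * @return a body telling the client it is not authenticated
     */
    @GetMapping("/index")
    public R index() {
        return R.ok().put("data", "认证失败!");
    }

    /**
     * Target of {@code setUnauthorizedUrl}: where a failed filter-chain perms[]/roles[] check
     * is redirected.
     *
     * @return a body telling the client it lacks permission
     */
    @GetMapping("/perms")
    public R perms() {
        return R.ok().put("data", "权限不足!");
    }
}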
进行登录测试
这是登录成功
登录失败
再创建一个控制器，用注解方式做授权校验：
package com.example.springmybatisshiro.modules.sys.controller;
import com.example.springmybatisshiro.common.utils.R;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
/**
 * <p>
 * Front controller for {@code /sys/user}; both endpoints are guarded by method-level Shiro
 * permission checks.
 * </p>
 * <p>
 * The annotations are enforced by the AOP advisor configured in ShiroConfig, independently of
 * the URL filter chain, so the check still runs even if {@code /sys/**} were mapped to anon.
 * NOTE(review): a failed annotation check surfaces as an {@code AuthorizationException} thrown
 * from the proxy — it is not redirected to the unauthorizedUrl used by the filter chain — so
 * unless an exception handler not shown on this page catches it, the client gets a server error.
 * </p>
 *
 * @author jobob
 * @since 2019-10-28
 */
@RestController
@RequestMapping("/sys/user")
public class UserController {

    /**
     * Requires the {@code sys:user} string permission. Equivalent to declaring a
     * {@code perms[...]} entry for this URL in ShiroConfig's filter chain.
     *
     * @return a fixed payload
     */
    @RequiresPermissions("sys:user")
    @GetMapping("/getAll")
    public R getAll() {
        return R.ok().put("data", "adasad");
    }

    /**
     * Requires the {@code sys:use} string permission.
     * <p>
     * NOTE(review): {@code "sys:use"} differs from {@code "sys:user"} above by one character;
     * confirm it is intentional and not a typo — it is only granted to users whose permission
     * rows contain exactly that string.
     *
     * @return a fixed payload
     */
    @RequiresPermissions("sys:use")
    @GetMapping("/getList")
    public R getlist() {
        return R.ok().put("data", "getlist");
    }
}
进行测试
登录后，权限校验通过，成功访问接口。
未登录时，请求被 /** 的 authc 规则拦截，重定向到 loginUrl 配置的 /app/index。
上面两个类是按最简方式配置好的完整版本；建议先只配置认证、测试通过后再加上授权部分。