本文总结了在SpringBoot项目中使用Shiro进行用户认证与权限管理的经验,包括配置ShiroFilterFactoryBean、自定义Realm、登录认证流程及异常处理。通过自定义FormAuthenticationFilter实现前后端分离的JSON响应,利用Redis记录登录失败次数并锁定用户。项目源码链接已提供。
关于项目中使用shiro进行安全管理的总结
关于SpringBoot下使用shiro进行用户认证与权限管理
对于安全框架有一定了解的开发者一定对于shiro这款安全框架有一定的了解,这里我们不再对该框架进行其设计与知识的介绍,仅对于我的个人项目中所使用到的进行一个总结,并放上代码。
使用该框架的第一步,进行配置:
package com.libvirtjava.demo.vm.util.config;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
/**
* @Description Shiro配置
* @Author zhenxing.dong
* @Date 2019/12/20 16:07
*/
@Configuration
public class ShiroConfig {
/**
* 日志
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ShiroConfig.class);
/**
* 设置过滤器工厂
*
* @param securityManager 安全管理器
* @return 过滤器工厂
*/
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
LOGGER.info("ShiroConfiguration.shirFilter()");
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
//注入自定义的过滤器
Map<String, Filter> map = new LinkedHashMap<String, Filter>();
map.put("authc", getFormAuthenticationFilter());
//配置过滤路径
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
// 配置不会被拦截的链接 顺序判断
filterChainDefinitionMap.put("/static/**", "anon");
filterChainDefinitionMap.put("/vm/allControl?getLogMsg", "anon");
//配置退出过滤器,其中的具体的退出代码Shiro已经实现了
// filterChainDefinitionMap.put("/logout", "logout");
//authc:所有url都必须认证通过才可以访问; anon:所有url都都可以匿名访问
filterChainDefinitionMap.put("/**", "authc");
// 设置登录的接口
shiroFilterFactoryBean.setLoginUrl("/user/login");
//未授权界面;
//shiroFilterFactoryBean.setUnauthorizedUrl("/403");
shiroFilterFactoryBean.setFilters(map);
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
/**
* md5加密
*
* @return
*/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
//加密方式
hashedCredentialsMatcher.setHashAlgorithmName("md5");
//加密次数
hashedCredentialsMatcher.setHashIterations(2);
return hashedCredentialsMatcher;
}
/**
* 开启shiro aop注解支持.
* 使用代理方式;所以需要开启代码支持;
*
* @param securityManager 安全管理器
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
@Bean
public MyShiroRealm myShiroRealm() {
MyShiroRealm myShiroRealm = new MyShiroRealm();
// 将md5密码比对器传给realm
myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
return myShiroRealm;
}
@Bean
SecurityManager securityManager() {
SecurityManager manager = new DefaultWebSecurityManager();
((DefaultWebSecurityManager) manager).setRealm(myShiroRealm());
return manager;
}
@Bean
@ConditionalOnMissingBean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAAP = new DefaultAdvisorAutoProxyCreator();
defaultAAP.setProxyTargetClass
最低0.47元/天 解锁文章
1115
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
