SpringBoot整合shiro——简单的demo

**

结构目录

**

前端页面代码部分
index.html

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<title>首页</title>
</head>
<body>
	<h1>首页</h1>
	<p th:text="@{msg}">
	<hr>
	<a th:href="@{/user/add}">add</a>
	<a th:href="@{/user/update}">update</a>
</body>
</html>

add.html

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<title>添加</title>
</head>
<body>
	<h1>add</h1>
</body>
</html>

update.html

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<title>Insert title here</title>
</head>
<body>
	<h1>update</h1>
</body>
</html>

login.html

<!DOCTYPE html>
<html>
<head>
	<meta charset="UTF-8">
	<title>Insert title here</title>
</head>
<body>
	<h1>登录</h1>
	<p th:text="${msg}" style="color:red"></p>
	<form th:action="@{/login}">
		<p>用户名: <input type="text" name="username"></p>
		<p>密码: <input type="text" name="password"></p>
	<p><input type="submit"></p>

</form>
</body>
</html>

第一步：导入依赖

<!-- 导入shiro整合spring的包 -->
		<dependency>
		     <groupId>org.apache.shiro</groupId>
		     <artifactId>shiro-spring</artifactId>
		     <version>1.4.1</version>
		 </dependency>

<!-- thymeleaf模板引擎 -->
		<dependency>
		    <groupId>org.springframework.boot</groupId>
		    <artifactId>spring-boot-starter-thymeleaf</artifactId>
		</dependency>
		<dependency>

第二步：编写UserRealm类，ShiroConfig配置类、ShiroController控制器

只要进行登陆操作就会执行doGetAuthenticationInfo方法

package com.lx.util;

import org.apache.shiro.authz.AuthorizationInfo;

//自定义的UserRealm   extends AuthorizingRealm
public class UserRealm extends AuthorizingRealm{

	//授权
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// TODO Auto-generated method stub
		System.out.println("执行了 => 授权");
		return null;
	}

	//认证
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		// TODO Auto-generated method stub
		System.out.println("执行了 => 认证");
		return null;
	}

}

编写配置类ShrioConfig

思路：ShiroFilterFactoryBean会拦截前端请求交给DefaultWebSecurityManager，再交给userRealm进行认证和授权处理
主要编写 userRealm、DefaultWebSecurityManager、ShiroFilterFactoryBean 三个bean对象

注意：我们可以从下往上写，逐步添加

package com.lx.config;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.lx.util.UserRealm;

@Configuration
public class ShrioConfig {

	//ShiroFilterFactoryBean （第三步:连接到前端）
	@Bean
	public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("SecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
		ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
		//设置安全管理器
		filterFactory.setSecurityManager(defaultWebSecurityManager);
		return filterFactory;		
	}
	
	//DefaultWebSecurityManager （第二步：管理realm对象）
	@Bean(name="SecurityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
    	DefaultWebSecurityManager SecurityManager = new DefaultWebSecurityManager();
    	//关联realm
    	SecurityManager.setRealm(userRealm);
		return SecurityManager;	
    }
	
	// 创建realm对象，需要自定义类 (第一步:创建realm对象)
    @Bean(name="userRealm")  //@Bean注解后便被spring托管,不加name属性，默认name值为方法名,这里就加一下吧
	public UserRealm userRealm() {
		return new UserRealm();
	}
}

在ShiroFilterFactoryBean方法内添加过滤器，设置访问权限，如果没权限则进入登陆界面

	    //添加shiro的内置过滤器
		/*
		anon:  无需认证就可以访问
		authc: 必须认证了才能访问
		user:  必须拥有 记住我 功能才能用
		perms: 拥有对某个资源的权限才能访问
		role:  拥有某个角色权限才能访问
		*/
		//拦截
		Map<String, String> filterMap = new LinkedHashMap<String, String>();
		
		//filterMap.put("/user/add", "authc");
		//filterMap.put("/user/update", "authc");
		filterMap.put("/user/*", "authc");
		
		filterFactory.setFilterChainDefinitionMap(filterMap);
		//设置登录请求
		filterFactory.setLoginUrl("/toLogin");
		//设置未授权请求页面
		filterFactory.setUnauthorizedUrl("/index");
		return filterFactory;

编写Controller进行测试

@Controller
public class ShrioController {
	
	@RequestMapping({"/", "/index"})
    public String toIndex(Model model){
        model.addAttribute("msg", "hello");
        return "index";
    }

    @RequestMapping("/user/add")
    public String add(){
        return "user/add";
    }

    @RequestMapping("/user/update")
    public String update(){
        return "user/update";
    }

    @RequestMapping("/toLogin")
    public String toLogin(){
        return "login";
    }
 }

第三步、编写登录认证

整体流程：当我们在登陆页面输入账号密码，会执行ShrioController 的login登陆操作，在使用subject.login(token)时会执行shiro里的UserRealm里的认证方法doGetAuthenticationInfo。

在ShrioController 中添加登陆认证方法

@RequestMapping("/login")
    public String login(String username,String password,Model model) {
    	//获取当前的用户
    	Subject subject = SecurityUtils.getSubject();
    	//封装用户登录数据
    	UsernamePasswordToken token = new UsernamePasswordToken(username,password);
    	try {
        	subject.login(token);//执行登录的方法，如果没有异常就说明ok了
        	return "index";
		} catch (UnknownAccountException e) {//用户名不存在
			model.addAttribute("msg","用户名错误");
			return "login";
		}catch (IncorrectCredentialsException e) {//密码不存在
			model.addAttribute("msg","密码错误");
			return "login";
			
			// TODO: handle exception
		}
    	
    }

当我们执行 subject.login登陆操作时，Shiro会执行UserRealm里的认证方法doGetAuthenticationInfo

    //认证
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		// TODO Auto-generated method stub
		System.out.println("执行了 => 认证");
		
		//用户名 密码~ 数据中取
		String name = "root";
		String password = "123456";
		
		UsernamePasswordToken userToken = (UsernamePasswordToken)token;
		
		if(!userToken.getUsername().equals(name)) {
			return null; //抛出异常 UnknowAccountException
		}
		
		//密码认证 shiro做~ SimpleAuthenticationInfo
		return new SimpleAuthenticationInfo("",password,"");
	}