Spring Boot中集成 Shiro
Shiro的概念
-
Shiro是一个强大且易用的Java安全框架,主要用来更便捷的认证、授权、加密、会话管理等等。可为任何应用提供安全保障。
-
Sinro有三大核心组件:Subject,SecurityManager和Realm。
- Subject:认证主体,Subject可以是一个人,也可以是第三方服务、守护进程账户、时钟守护任务或者其他当前和软件交互的任何事件。
- 就是需要认证的东西,最常见的就是⽤户名密码了,⽐如⽤户在登录的时候,Shiro 需要去进⾏⾝份认证,就需要 Subject 认证主体。
- 主要包含两个信息:Principals 和 Credentails。
- Principals:身份。可以是用户名、邮件,手机号等等,用来标识一个登录主体身份。
- Credentails:凭证。常见的有密码,数字证书等等。
- SecurityManager:安全管理员,管理所有Subject,SecurityManager是shiro框架的核心,配合内部安全组件共同组成安全伞。
- 在项⽬中⼀般都会配置SecurityManager,开发⼈员⼤部分精⼒主要是在 Subject 认证主体上⾯。我们在与 Subject 进⾏交互的时候,实际上是SecurityManager 在背后做⼀些安全操作。
- Realm:Realms 是⼀个域,它是连接 Shiro 和具体应⽤的桥梁。用于进行权限信息的校验,我们自己实现的部分。Realm本质上是一个特定的安全DAO:它封装与数据源连接的细节,得到Shiro 所需的相关的数据。在配置 Shiro 的时候,你必须指定至少一个Realm 来实现认证(authentication)和/或授权(authorization)。
- 当需要与安全数据交互的时候,⽐如⽤户账户、访问控制等,Shiro 就会从⼀个或多个 Realms 中去查找。
- Subject:认证主体,Subject可以是一个人,也可以是第三方服务、守护进程账户、时钟守护任务或者其他当前和软件交互的任何事件。
-
我们需要实现Realms的Authentication 和 Authorization。其中 Authentication 是用来验证用户身份,Authorization 是授权访问控制,用于对用户进行的操作授权,证明该用户是否允许进行当前操作,如访问某个链接,某个资源文件等。
Shiro 身份认证
- 第一步:首先调用Subject.login(token)进行登录,会自动委托给SecurityManager,调用之前必须通过 SecurityUtils.setSecurityManager()设置。
- 第二步:SecurityManager 负责真正的身份验证逻辑,它会委托给Authenticator进行身份认证;
- 第三步:Authenticator 才是真正的身份验证者,Shiro API 中核心的身份认证入口点,此处可以自定义插入自己的实现;
- 第四步:Authenticator 可能会委托给相应的 AuthenticationStrategy 进行多 Realm 身份验证,默认 ModularRealmAuthenticator 会调用 AuthenticationStrategy 进行多 Realm 身份验证;
- 第五步:Authenticator 会把相应的 token 传入 Realm,从 Realm 获取身份验证信息,如果没有返回 / 抛出异常表示身份验证失败了。此处可以配置多个 Realm,将按照相应的顺序及策略进行访问。
public class AuthenticationTest {
SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();
@Before // 在方法开始前添加一个用户,让它具备admin和user两个角色
public void addUser() {
simpleAccountRealm.addAccount("wmyskxz", "123456", "admin", "user");
}
@Test
public void testAuthentication() {
// 1.构建SecurityManager环境
DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
defaultSecurityManager.setRealm(simpleAccountRealm);
// 2.主体提交认证请求
SecurityUtils.setSecurityManager(defaultSecurityManager); // 设置SecurityManager环境
Subject subject = SecurityUtils.getSubject(); // 获取当前主体
UsernamePasswordToken token = new UsernamePasswordToken("wmyskxz", "123456");
subject.login(token); // 登录
// subject.isAuthenticated()方法返回一个boolean值,用于判断用户是否认证成功
System.out.println("isAuthenticated:" + subject.isAuthenticated()); // 输出true
// 判断subject是否具有admin和user两个角色权限,如没有则会报错
subject.checkRoles("admin","user");
// subject.checkRole("xxx"); // 报错
}
}
Shiro 权限认证
- 权限认证,也就是访问控制,即在应⽤中控制谁能访问哪些资源。在权限认证中,最核⼼的三个要素是:权限,⾓⾊和⽤户。
- 权限(permission):即操作资源的权利,⽐如访问某个页⾯,以及对某个模块的数据的添加,修改,删除,查看的权利;
- ⾓⾊(role):指的是⽤户担任的的⾓⾊,⼀个⾓⾊可以有多个权限;
- ⽤户(user):在 Shiro 中,代表访问系统的⽤户,即上⾯提到的 Subject 认证主体。
- ⼀个⽤户可以有多个⾓⾊,⽽不同的⾓⾊可以有不同的权限,也可由有相同的权限。⽐如说现在有三个⾓⾊,1是普通⾓⾊,2也是普通⾓
⾊,3是管理员,⾓⾊1只能查看信息,⾓⾊2只能添加信息,管理员都可以,⽽且还可以删除信息,类似于这样。
Spring Boot 集成 Shiro 实战
- 依赖导入:
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.13.0</version>
</dependency>
配置 Sinro
- 创建配置类
@Configuration
public class ShiroConfig {
@Bean
public MyRealm userRealm() {
return new MyRealm();
}
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(userRealm());
return securityManager;
}
/**
* 路径过滤规则
* @return
*/
@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/login");
shiroFilterFactoryBean.setSuccessUrl("/");
Map<String, String> map = new LinkedHashMap<>();
// 有先后顺序
map.put("/login", "anon"); // 允许匿名访问
map.put("/**", "authc"); // 进行身份认证后才能访问
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
/**
* 开启Shiro注解模式,可以在Controller中的方法上添加注解
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") DefaultSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}
- application.yml 文件中配置MyBatis 以及
spring:
application:
name: liu
datasource:
driver-class-name: com.mysql.jdbc.Driver
url: jdbc:mysql://127.0.0.1:3306/laboratory?charset=utf8
username: root
password: root
mybatis:
# 指定别名设置的包为所有entity
type-aliases-package: com.example.springboot_learn.entity
configuration:
map-underscore-to-camel-case: true # 驼峰命名规范
mapper-locations: # mapper映射⽂件位置
- classpath:mapper/*.xml
数据库表数据初始化
- 这⾥主要涉及到五张表:⽤户表、⾓⾊表、权限表、用户-角色、角色权限表,这种权限结构是非常常用的。
-- 用户表
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS `t_user`;
CREATE TABLE `t_user` (
`id` bigint(20) NOT NULL AUTO_INCREMENT,
`password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`account` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO `t_user` VALUES (1, 'root', '超级用户', 'root');
INSERT INTO `t_user` VALUES (2, 'user', '普通用户', 'user');
INSERT INTO `t_user` VALUES (3, 'vip', 'VIP用户', 'vip');
SET FOREIGN_KEY_CHECKS = 1;
-- 角色表
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for t_role
-- ----------------------------
DROP TABLE IF EXISTS `t_role`;
CREATE TABLE `t_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`role` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`desc` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of t_role
-- ----------------------------
INSERT INTO `t_role` VALUES (1, 'admin', '超级管理员');
INSERT INTO `t_role` VALUES (2, 'user', '普通用户');
INSERT INTO `t_role` VALUES (3, 'vip_user', 'VIP用户');
SET FOREIGN_KEY_CHECKS = 1;
-- 权限表
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for t_permission
-- ----------------------------
DROP TABLE IF EXISTS `t_permission`;
CREATE TABLE `t_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`permission` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '权限名称',
`desc` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '权限描述',
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 5 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of t_permission
-- ----------------------------
INSERT INTO `t_permission` VALUES (1, 'add', '增加');
INSERT INTO `t_permission` VALUES (2, 'update', '更新');
INSERT INTO `t_permission` VALUES (3, 'select', '查看');
INSERT INTO `t_permission` VALUES (4, 'delete', '删除');
SET FOREIGN_KEY_CHECKS = 1;
-- 用户-角色表
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for user_role
-- ----------------------------
DROP TABLE IF EXISTS `user_role`;
CREATE TABLE `user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) NULL DEFAULT NULL,
`role_id` int(11) NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Fixed;
-- ----------------------------
-- Records of user_role
-- ----------------------------
INSERT INTO `user_role` VALUES (1, 1, 1);
INSERT INTO `user_role` VALUES (2, 2, 2);
INSERT INTO `user_role` VALUES (3, 3, 3);
SET FOREIGN_KEY_CHECKS = 1;
-- 角色-权限
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for role_permission
-- ----------------------------
DROP TABLE IF EXISTS `role_permission`;
CREATE TABLE `role_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`role_id` int(11) NULL DEFAULT NULL,
`permission_id` int(255) NULL DEFAULT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 9 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Fixed;
-- ----------------------------
-- Records of role_permission
-- ----------------------------
INSERT INTO `role_permission` VALUES (1, 1, 1);
INSERT INTO `role_permission` VALUES (2, 1, 2);
INSERT INTO `role_permission` VALUES (3, 1, 3);
INSERT INTO `role_permission` VALUES (4, 1, 4);
INSERT INTO `role_permission` VALUES (5, 2, 3);
INSERT INTO `role_permission` VALUES (6, 3, 3);
INSERT INTO `role_permission` VALUES (7, 3, 2);
INSERT INTO `role_permission` VALUES (8, 2, 1);
SET FOREIGN_KEY_CHECKS = 1;
- 其中,t_user,t_role 和 t_permission,分别存储⽤户信息,⾓⾊信息和权限信息
- 在表中创建相应的测试数据
初始化实体结构
- 两个实体类,因为用不到权限实体所以没有建立
- UserForSinro.java
@Data
@ToString
public class UserForSinro {
private static final long serialVersionUID = -6056125703075132981L;
private Integer id;
private String account;
private String password;
private String username;
}
- Role.java
@Data
@ToString
public class Role implements Serializable {
private static final long serialVersionUID = -1767327914553823741L;
private Integer id;
private String role;
private String desc;
}
- 创建DAO层的类
- PerimissionMapper.java
@Mapper
@Repository
public interface PermissionMapper {
List<String> findByRoleId(@Param("roleIds") List<Integer> roleIds);
}
- RoleMapper.java
@Mapper
@Repository
public interface RoleMapper {
List<Role> findRoleByUserId(@Param("userId") Integer userId);
}
- UserForSinroMapper.java
@Mapper
@Repository
public interface UserForSinroMapper extends BaseMapper<UserForSinro> {
UserForSinro findByAccount(@Param("account") String account);
}
- 创建DAO层类对应的xml文件
- PermissionMapper.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.springboot_learn.mapper.PermissionMapper">
<sql id="base_column_list">
id, permission, desc
</sql>
<select id="findByRoleId" parameterType="List" resultType="String">
select permission
from t_permission, role_permission rp
where rp.permission_id = t_permission.id and rp.role_id in
<foreach collection="roleIds" item="id" open="(" close=")" separator=",">
#{id}
</foreach>
</select>
</mapper>
- RoleMapper.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.springboot_learn.mapper.RoleMapper">
<sql id="base_column_list">
id, user_id, role_id
</sql>
<select id="findRoleByUserId" parameterType="Integer" resultType="com.example.springboot_learn.entity.Role">
select t_role.*
from t_role, t_user, user_role ur
where t_role.id = ur.role_id and ur.user_id = t_user.id and t_user.id = #{userId}
</select>
</mapper>
- UserForSinroMapper.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.springboot_learn.mapper.UserForSinroMapper">
<sql id="base_column_list">
id, account, password, username
</sql>
<select id="findByAccount" parameterType="Map" resultType="com.example.springboot_learn.entity.UserForSinro">
select
<include refid="base_column_list"/>
from t_user
where account = #{account}
</select>
</mapper>
- 创建Service层的类
- PermissionServiceImpl.java
@Service
public class PermissionServiceImpl implements PermissionService {
@Autowired
private PermissionMapper permissionMapper;
@Override
public List<String> findByRoleId(List<Integer> roleIds) {
return permissionMapper.findByRoleId(roleIds);
}
}
- RoleServiceImpl.java
@Service
public class RoleServiceImpl implements RoleService {
@Autowired
private RoleMapper roleMapper;
@Override
public List<Role> findRoleByUserId(Integer id) {
return roleMapper.findRoleByUserId(id);
}
}
- UserForSinroServiceImpl.java
@Service
public class UserForSinroServiceImpl implements UserForSinroService {
@Resource
private UserForSinroMapper userForSinroMapper;
@Override
public UserForSinro findByAccount(String account) {
return userForSinroMapper.findByAccount(account);
}
}
- 对应的业务接口自行补全。
- 创建对应存储提示信息的枚举
- ServerResponseEnum.enum
@AllArgsConstructor
@Getter
public enum ServerResponseEnum {
SUCCESS(0, "成功"),
ERROR(10, "失败"),
ACCOUNT_NOT_EXIST(11, "账号不存在"),
DUPLICATE_ACCOUNT(12, "账号重复"),
ACCOUNT_IS_DISABLED(13, "账号被禁用"),
INCORRECT_CREDENTIALS(14, "账号或密码错误"),
NOT_LOGIN_IN(15, "账号未登录"),
UNAUTHORIZED(16, "没有权限")
;
Integer code;
String message;
}
- 自定义响应实体
@Getter
@Setter
@NoArgsConstructor
public class ServerResponseVO<T> implements Serializable {
private static final long serialVersionUID = -1005863670741860901L;
// 响应码
private Integer code;
// 描述信息
private String message;
// 响应内容
private T data;
private ServerResponseVO(ServerResponseEnum responseCode) {
this.code = responseCode.getCode();
this.message = responseCode.getMessage();
}
private ServerResponseVO(ServerResponseEnum responseCode, T data) {
this.code = responseCode.getCode();
this.message = responseCode.getMessage();
this.data = data;
}
private ServerResponseVO(Integer code, String message) {
this.code = code;
this.message = message;
}
/**
* 返回成功信息
* @param data 信息内容
* @param <T>
* @return
*/
public static<T> ServerResponseVO success(T data) {
return new ServerResponseVO<>(ServerResponseEnum.SUCCESS, data);
}
/**
* 返回成功信息
* @return
*/
public static ServerResponseVO success() {
return new ServerResponseVO(ServerResponseEnum.SUCCESS);
}
/**
* 返回错误信息
* @param responseCode 响应码
* @return
*/
public static ServerResponseVO error(ServerResponseEnum responseCode) {
return new ServerResponseVO(responseCode);
}
}
- 自定义Json信息封装
@Setter
@Getter
public class JsonResult<T> {
private T data;
private String code;
private String message;
public JsonResult() {
this.code = StatusCode.SUCCESS.getCode();
this.message = "操作成功!";
}
public JsonResult(String code, String message) {
this.code = code;
this.message = message;
}
public JsonResult(T data){
this.data = data;
this.code = StatusCode.SUCCESS.getCode();
this.message = "操作成功!";
}
public JsonResult(T data, String code, String message){
this.data = data;
this.code = code;
this.message = message;
}
}
- 自定义异常处理
@ResponseBody
@ControllerAdvice
public class GlobalExceptionHandler {
private final static Logger logger = LoggerFactory.getLogger(GlobalExceptionHandler.class);
/**
* 拦截业务异常,返回业务异常信息
* @param ex
* @return
*/
@ExceptionHandler(BusinessErrorException.class)
@ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR)
public JsonResult handleBusinessError(BusinessErrorException ex) {
String code = ex.getCode();
String message = ex.getMessage();
return new JsonResult(code, message);
}
@ExceptionHandler(UnauthorizedException.class)
@ResponseStatus(HttpStatus.UNAUTHORIZED)
public ServerResponseVO UnAuthorizedExceptionHandler(UnauthorizedException e) {
return ServerResponseVO.error(ServerResponseEnum.UNAUTHORIZED);
}
}
自定义 Realm 处理权限
- 有了数据库表和数据之后,我们开始⾃定义 realm,⾃定义 realm 需要继承 AuthorizingRealm 类,因为该类封装了很多⽅法,它也是⼀
步步继承⾃ Realm 类的,继承了 AuthorizingRealm 类后,需要重写两个⽅法:- doGetAuthenticationInfo() ⽅法:⽤来验证当前登录的⽤户,获取认证信息
- doGetAuthorizationInfo() ⽅法:⽤来为当前登陆成功的⽤户授予权限和⾓⾊
public class MyRealm extends AuthorizingRealm {
@Resource
private UserForSinroService userService;
@Resource
private RoleService roleService;
@Resource
private PermissionService permissionService;
// 用户授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
UserForSinro user = (UserForSinro) principalCollection.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
List<Role> roleList = roleService.findRoleByUserId(user.getId());
Set<String> roleSet = new HashSet<>();
List<Integer> roleIds = new ArrayList<>();
for (Role role : roleList) {
roleSet.add(role.getRole());
roleIds.add(role.getId());
}
// 放入角色信息
authorizationInfo.setRoles(roleSet);
// 放入权限信息
List<String> permissionList = permissionService.findByRoleId(roleIds);
authorizationInfo.setStringPermissions(new HashSet<>(permissionList));
return authorizationInfo;
}
// 用户认证
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authToken;
UserForSinro user = userService.findByAccount(token.getUsername());
if (user == null) {
return null;
}
return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
}
}
测试
- 创建Controller进行测试
@RestController
@RequestMapping("")
public class TestSinroController {
@PostMapping("/login")
public ServerResponseVO login(@RequestParam(value = "account") String account,
@RequestParam(value = "password") String password) {
Subject userSubject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(account, password);
System.out.println("token:"+token);
try {
// 登录验证
userSubject.login(token);
return ServerResponseVO.success();
} catch (UnknownAccountException e) {
return ServerResponseVO.error(ServerResponseEnum.ACCOUNT_NOT_EXIST);
} catch (DisabledAccountException e) {
return ServerResponseVO.error(ServerResponseEnum.ACCOUNT_IS_DISABLED);
} catch (IncorrectCredentialsException e) {
return ServerResponseVO.error(ServerResponseEnum.INCORRECT_CREDENTIALS);
} catch (Throwable e) {
e.printStackTrace();
return ServerResponseVO.error(ServerResponseEnum.ERROR);
}
}
@GetMapping("/login")
public ServerResponseVO login() {
return ServerResponseVO.error(ServerResponseEnum.NOT_LOGIN_IN);
}
@GetMapping("/auth")
public JsonResult<String> auth() {
return new JsonResult<>("已成功登录");
}
@GetMapping("/role")
@RequiresRoles("vip")
public JsonResult<String> role() {
return new JsonResult<>("测试Vip角色");
}
@GetMapping("/permission")
@RequiresPermissions(value = {"add", "update"}, logical = Logical.AND)
public JsonResult<String> permission() {
return new JsonResult<>("测试Add和Update权限");
}
}
-- 访问:http://localhost:8001/login?account=user&password=user
- 结果:
{
"code": 0,
"message": "成功",
"data": null
}
-- 访问:http://localhost:8001/auth
- 结果:
{
"data": "已成功登录",
"code": "0",
"message": "操作成功!"
}
-- 访问:http://localhost:8001/role
- 结果:
{
"code": 16,
"message": "没有权限",
"data": null
}
-- 访问:http://localhost:8001/permission
- 结果:
{
"code": 16,
"message": "没有权限",
"data": null
}
-- 如果换成登录root,则访问http://localhost:8001/permission
- 结果:
{
"data": "测试Add和Update权限",
"code": "0",
"message": "操作成功!"
}
- 说明权限生效了。
- 这个例子只定义了一个Realm,可以定义多个Realm进行多层验证。
- 在Sinro配置类中还可以进行权限范围的控制,一起一些自定义的功能
- 可以参考下面新的例子:
@Configuration
public class ShiroConfig {
private static final Logger logger = LoggerFactory.getLogger(ShiroConfig.class);
/**
* 注⼊Shiro过滤器
* @param securityManager 安全管理器
* @return ShiroFilterFactoryBean
*/
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
// 定义shiroFactoryBean
ShiroFilterFactoryBean shiroFilterFactoryBean=new ShiroFilterFactoryBean();
// 设置⾃定义的securityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 设置默认登录的url,⾝份认证失败会访问该url
shiroFilterFactoryBean.setLoginUrl("/login");
// 设置成功之后要跳转的链接
shiroFilterFactoryBean.setSuccessUrl("/success");
// 设置未授权界⾯,权限认证失败会访问该url
shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");
// LinkedHashMap是有序的,进⾏顺序拦截器配置
Map<String,String> filterChainMap = new LinkedHashMap<>();
// 配置可以匿名访问的地址,可以根据实际情况⾃⼰添加,放⾏⼀些静态资源等,anon表⽰放⾏
filterChainMap.put("/css/**", "anon");
filterChainMap.put("/imgs/**", "anon");
filterChainMap.put("/js/**", "anon");
filterChainMap.put("/swagger-*/**", "anon");
filterChainMap.put("/swagger-ui.html/**", "anon");
// 登录url 放⾏
filterChainMap.put("/login", "anon");
// “/user/admin” 开头的需要⾝份认证,authc表⽰要⾝份认证
filterChainMap.put("/user/admin*", "authc");
// “/user/student” 开头的需要⾓⾊认证,是“admin”才允许
filterChainMap.put("/user/student*/**", "roles[admin]");
// “/user/teacher” 开头的需要权限认证,是“user:create”才允许
filterChainMap.put("/user/teacher*/**", "perms[\"user:create\"]");
// 配置logout过滤器
filterChainMap.put("/logout", "logout");
// 设置shiroFilterFactoryBean的FilterChainDefinitionMap
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainMap);
logger.info("====shiroFilterFactoryBean注册完成====");
return shiroFilterFactoryBean;
}
}
- 从上面的例子看出,配置一个Sinro需要配置这些东西
- 默认登录的 url:⾝份认证失败会访问该 url
- 认证成功之后要跳转的 url
- 权限认证失败会访问该 url
- 需要拦截或者放⾏的 url:这些都放在⼀个 map 中
- 在 map 中针对不同的url,有不同的权限要求,总结了已下权限:
Filter | 说明 |
---|---|
anon | 开放权限,可以理解为匿名⽤户或游客,可以直接访问的 |
authc | 需要⾝份认证的 |
logout | 注销,执⾏后会直接跳转到 shiroFilterFactoryBean.setLoginUrl(); 设置的 url,即登录页⾯ |
roles[admin] | 参数可写多个,表⽰是某个或某些⾓⾊才能通过,多个参数时写 roles[“admin,user”],当有多个参数时必须每个参数都通过才算通过 |
perms[user] | 参数可写多个,表⽰需要某个或某些权限才能通过,多个参数时写 perms[“user, admin”],当有多个参数时必须每个参数都通过才算通过 |