What is Shiro?
A Java security framework. Below is a simple implementation.
Create a Spring Boot project and import the Shiro package through Maven:
```xml
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.11.0</version>
</dependency>
```
Create a custom class `UserRealm` that extends `AuthorizingRealm` and implements its two abstract methods:
![](https://img-blog.csdnimg.cn/img_convert/439167131a330abfa9c7cc36f60b6cc0.png)
doGetAuthorizationInfo is the method used to grant authorization to the user; doGetAuthenticationInfo is used to authenticate the user.
In doGetAuthorizationInfo the user is granted roles and permissions; in doGetAuthenticationInfo the user's identity is verified:
```java
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

public class UserRealm extends AuthorizingRealm {

    // Service that looks a user up by name (assumed to be a Spring bean)
    @Autowired
    private UsersService usersService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // The principal is the Users object handed to SimpleAuthenticationInfo at login;
        // reading it from the parameter is equivalent to SecurityUtils.getSubject().getPrincipal().
        Users users = (Users) principalCollection.getPrimaryPrincipal();
        // roles
        Set<String> roles = new HashSet<>();
        if (users.getRole() != null) {
            roles.add(users.getRole());
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
        // permissions (a null permission string would make Shiro's permission resolver throw during checks)
        if (users.getPers() != null) {
            info.addStringPermission(users.getPers());
        }
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        Users users = usersService.findusername(token.getUsername());
        if (users != null) {
            // Shiro's CredentialsMatcher compares the submitted password with users.getPassword()
            return new SimpleAuthenticationInfo(users, users.getPassword(), getName());
        }
        // null tells Shiro the account is unknown (UnknownAccountException)
        return null;
    }
}
```
The most important part is the configuration class: create a package `config` and a configuration class in it.
```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    /**
     * Registers the UserRealm as a bean.
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }

    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
        // Access rules. Shiro evaluates the definitions in insertion order and the first match wins,
        // so a LinkedHashMap is required; a HashMap would make the order unpredictable.
        Map<String, String> map = new LinkedHashMap<>();
        map.put("/main", "authc");                          // any logged-in user
        map.put("/manage", "perms[manage]");                // requires the "manage" permission
        map.put("/administrator", "roles[administrator]");  // requires the "administrator" role
        shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
        // login page (authc redirects unauthenticated requests here)
        shiroFilterFactoryBean.setLoginUrl("/login");
        // page shown when a logged-in user lacks the required permission or role
        shiroFilterFactoryBean.setUnauthorizedUrl("/unauth");
        return shiroFilterFactoryBean;
    }
}
```
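Because doGetAuthenticationInfo returns users.getPassword() as the credential and the realm keeps Shiro's default SimpleCredentialsMatcher, the submitted password is compared with the stored value as plain text, so the users table would hold plaintext passwords. The following added example (not code from the original post) switches the realm to a salted, iterated SHA-256 HashedCredentialsMatcher; it assumes a new salt column on Users with a getSalt() accessor, and that passwords are hashed with the same parameters when accounts are created.

```java
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

/** Added example: salted, iterated password hashing wired into UserRealm. Not part of the original post. */
public final class PasswordHashing {
    // Registration and login must use exactly the same algorithm and iteration count.
    public static final String ALGORITHM = Sha256Hash.ALGORITHM_NAME; // "SHA-256"
    public static final int ITERATIONS = 1024;                        // value chosen for this example

    private PasswordHashing() {}

    /** Fresh random salt per user, stored next to the hash (assumed new column Users.salt). */
    public static String newSalt() {
        return new SecureRandomNumberGenerator().nextBytes().toHex();
    }

    /** Hash computed when a user is created or changes a password; store the hex result in Users.password. */
    public static String hash(String plainPassword, String salt) {
        return new SimpleHash(ALGORITHM, plainPassword, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }

    /** Matcher that re-hashes the submitted password with the stored salt and compares the digests. */
    public static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        return matcher;
    }

    // Wiring into the existing classes:
    //
    // ShiroConfig.userRealm():
    //     UserRealm realm = new UserRealm();
    //     realm.setCredentialsMatcher(PasswordHashing.matcher());   // replaces the default plain-text matcher
    //     return realm;
    //
    // UserRealm.doGetAuthenticationInfo(), in place of the three-argument SimpleAuthenticationInfo:
    //     return new SimpleAuthenticationInfo(users, users.getPassword(),   // password column now holds the hex hash
    //             ByteSource.Util.bytes(users.getSalt()), getName());      // getSalt() is the assumed new column
}
```

With the salt passed through SaltedAuthenticationInfo, HashedCredentialsMatcher hashes the submitted password with that user's salt before comparing, so the database never sees or stores the plaintext.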
Apart from the username and password needed for login, the database also has to store each user's permission and role, which is what gives different users different access. The table design is shown in the figure:
![](https://img-blog.csdnimg.cn/img_convert/d84d6be94b681dffac85efe36b6ce852.png)
If users are divided into three levels, low, medium and high: a low-level user has no access permissions at all, a medium-level user has no role, and a high-level user has every access permission. This is where the filters in the configuration class come in: they identify each user's level and then open or close the corresponding access.
Below are some of the controller endpoints:
```java
package com.example.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;

@Controller
public class UserController {

    // Maps any single-segment path to the view of the same name (/login -> login template, etc.);
    // the Shiro filter chain decides whether the request is allowed to reach it.
    @GetMapping("/{url}")
    public String redirect(@PathVariable("url") String url) {
        return url;
    }

    @PostMapping("/login")
    public String login(String username, String password, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "index";
        } catch (UnknownAccountException e) {
            // unknown user (the realm returned null)
            model.addAttribute("msg", "用户错误");
        } catch (IncorrectCredentialsException e) {
            // wrong password
            model.addAttribute("msg", "密码错误");
        } catch (AuthenticationException e) {
            // any other failure (locked account, etc.) would otherwise escape as a server error
            model.addAttribute("msg", "登录失败");
        }
        // Note: distinct "user" and "password" messages reveal which usernames exist;
        // a single generic failure message avoids that.
        return "login";
    }

    @GetMapping("/unauth")
    @ResponseBody
    public String unauth() {
        return "未授权,无法访问";
    }
}
```
Next, connect it to the frontend project, test it, and check the results.