项目中有用到Shiro框架,但是只使用了身份认证,即登录功能,未用到授权 权限验证功能,在使用的时候对loginUrl和unauthorizedUrl没有区分太清,一直以为unauthorizedUrl是被拦截后要跳转到的页面,今天特意查了一下,才清楚loginUrl是登录页面,unauthorizedUrl是没有资源权限时跳转到的页面。即:
loginUrl:没有登录的用户请求需要登录的页面时自动跳转到登录页面。
unauthorizedUrl:没有权限默认跳转的页面,登录的用户访问了没有被授权的资源自动跳转到的页面。
其他的一些配置,如下:
successUrl:登录成功默认跳转页面,不配置则跳转至”/”,可以不配置,直接通过代码进行处理。
securityManager:这个属性是必须的,配置为securityManager就好了。
filterChainDefinitions:配置过滤规则,从上到下的顺序匹配。
在SpringBoot中通过Java代码来实现Shiro的配置。
示例:
package com.config;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* Created by
* Description
*/
@Configuration
public class ShiroConfiguration {
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
//拦截器.
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
//登录界面
shiroFilterFactoryBean.setLoginUrl("/index.do");
//未授权界面
shiroFilterFactoryBean.setUnauthorizedUrl("/index");
// 配置不会被拦截的链接 顺序判断
filterChainDefinitionMap.put("/static/**", "anon");
filterChainDefinitionMap.put("/public/**", "anon");
。。。。
filterChainDefinitionMap.put("/logout", "logout");
filterChainDefinitionMap.put("/**", "authc");
// 登录成功后要跳转的链接
shiroFilterFactoryBean.setSuccessUrl("/main.do");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(myShiroRealm());
securityManager.setSessionManager(sessionManager());
return securityManager;
}
@Bean
public UserAuthenticationRealm myShiroRealm() {
//UserAuthenticationRealmo为认证和授权具体实现类
UserAuthenticationRealm myShiroRealm = new UserAuthenticationRealm();
return myShiroRealm;
}
@Bean
public SessionManager sessionManager() {
DefaultWebSessionManager manager = new DefaultWebSessionManager();
manager.setCacheManager(new MemoryConstrainedCacheManager());// 加入缓存管理器
manager.setSessionDAO(sessionDao());// 设置SessionDao
manager.setDeleteInvalidSessions(true);// 删除过期的session
manager.setGlobalSessionTimeout(sessionTimeOut);// 设置全局session超时时间
manager.setSessionValidationSchedulerEnabled(true);// 是否定时检查session、
manager.setSessionIdCookieEnabled(true);
manager.setSessionIdCookie(simpleCookie());
return manager;
}
@Bean
public CustomerSessionDao sessionDao() {
CustomerSessionDao sessionDao = new CustomerSessionDao(redisSessionRepository());
return sessionDao;
}
@Bean
public RedisSessionRepository redisSessionRepository() {
RedisSessionRepository shiroSessionRepository = new RedisSessionRepository();
return shiroSessionRepository;
}
@Bean
public SimpleCookie simpleCookie() {
SimpleCookie simpleCookie = new SimpleCookie(sessionName);
simpleCookie.setPath("/");
simpleCookie.setHttpOnly(true);
return simpleCookie;
}
}
其中UserAuthenticationRealm为认证和授权具体实现类, 需要继承AuthorizingRealm,并实现其doGetAuthenticationInfo和doGetAuthorizationInfo两个方法,doGetAuthenticationInfo为登录认证方法, doGetAuthorizationInfo为授权认证方法。
public class UserAuthenticationRealm extends AuthorizingRealm {
private Logger logger = LoggerFactory.getLogger(UserAuthenticationRealm.class);
@Resource
private IUserAuthenticationService userAuthenticationService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//具体实现, 若不使用授权管理,可以返回null
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
logger.info("用户登录验证开始");
//具体实现
return simpleAuthenticationInfo;
}