Shiro是一个轻量级的用户角色与权限管理框架(按请求路径管理访问权限),功能简单,配置简单。
导入依赖
<!-- Shiro integration with Spring -->
<!-- NOTE(review): 1.5.3 is an old release, and later Shiro releases carry security fixes.
     Before copying this snippet, check the Apache Shiro security reports and pin a
     currently maintained version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.5.3</version>
</dependency>
创建Realm
public class MyRealm extends AuthorizingRealm {
//授权,只有成功通过doGetAuthenticationInfo方法的认证后才会执行
/**
 * Supplies the roles and permission strings that Shiro consults for authorization checks.
 *
 * NOTE(review): this excerpt is incomplete. {@code info}, {@code roles} and {@code perms} are
 * not declared in the visible lines, and {@code principalCollection} is never read here.
 * Presumably {@code info} is a SimpleAuthorizationInfo and the roles/permissions are loaded
 * for the authenticated user; confirm against the full source. Whatever fills them should
 * key the lookup on the principal in {@code principalCollection}, so that a subject only ever
 * receives its own grants.
 *
 * @param principalCollection principals of the subject being authorized (unused in the visible lines)
 * @return the {@code info} object after the roles and permission strings were added to it
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// Register the subject's roles (used by role checks such as roles[...]).
info.addRoles(roles);
// Register the subject's permission strings (used by permission checks such as perms[...]).
info.addStringPermissions(perms);
return info;
}
//认证:根据用户名从数据库获取用户密码
//这里认证的是:token中的用户名在数据库中对应的密码,与接收到的密码是否一致
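/**
 * Looks up the stored credential for the user name carried by the login token and returns it
 * to Shiro, which then compares it with the submitted credential through the realm's
 * CredentialsMatcher.
 *
 * @param token the submitted login token; its principal is cast to the user name
 * @return the account's authentication info, or {@code null} when the mapper returns no
 *         password for that user name
 * @throws AuthenticationException declared by the overridden method; this body does not
 *         throw it explicitly
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    String userName = (String) token.getPrincipal();

    // NOTE(review): the value returned below is what the CredentialsMatcher compares with the
    // submitted password. No matcher is configured in the visible code, and Shiro's default
    // SimpleCredentialsMatcher is a plain equality check, so this only works when the database
    // holds the password in clear text. Store a salted password hash instead and configure a
    // HashedCredentialsMatcher or PasswordMatcher on the realm.
    String password = mapper.getPasswordByUserName(userName);
    if (password == null) {
        // No stored credential for this user name: returning null tells Shiro there is no account.
        return null;
    }

    // Fixed two typos from the original listing that prevented compilation:
    // "SimpleAuthentictionInfo" -> SimpleAuthenticationInfo, "pasword" -> password.
    return new SimpleAuthenticationInfo(userName, password, getName());
}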
配置Shiro
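/**
 * Spring configuration that wires the Shiro web filter, the security manager and the realm.
 */
@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro filter and its URL-pattern to filter-chain rules.
     *
     * @param manager the security manager bean the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean filterFactoryBean(@Qualifier("manager") DefaultWebSecurityManager manager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(manager);

        // Shiro walks the chain definitions in iteration order and applies the FIRST pattern
        // that matches. A HashMap gives no ordering guarantee, so the catch-all "/**" could be
        // consulted before a more specific rule. Use an insertion-ordered map and register
        // rules from most specific to least specific. (Fully qualified so that no new import
        // is required.)
        Map<String, String> chains = new java.util.LinkedHashMap<>();

        // The login endpoint must stay reachable without a session.
        chains.put("/avatar/user/login", "anon");

        // The original called put() twice with this key, so "perms[insert]" silently replaced
        // "roles[admin]". One chain with both filters requires the role AND the permission.
        // NOTE(review): assumes both checks were intended; confirm.
        chains.put("/avatar/user/add", "roles[admin], perms[insert]");

        // Catch-all goes last: everything not matched above requires an authenticated subject.
        chains.put("/**", "authc");
        factoryBean.setFilterChainDefinitionMap(chains);

        factoryBean.setLoginUrl("/avatar/user/login");
        // Default page to redirect to after a successful login.
        // NOTE(review): this is the login URL itself; presumably a landing page was meant.
        factoryBean.setSuccessUrl("/avatar/user/login");
        // Page shown when the subject lacks the required role or permission.
        // NOTE(review): "defult" looks like a misspelling of "default"; verify the route exists.
        factoryBean.setUnauthorizedUrl("/avatar/defult");
        return factoryBean;
    }

    /**
     * Creates the web security manager backed by the application's realm.
     *
     * @param myRealm the realm that performs authentication and authorization lookups
     * @return the security manager with {@code myRealm} installed
     */
    @Bean
    public DefaultWebSecurityManager manager(@Qualifier("myRealm") MyRealm myRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myRealm);
        return manager;
    }

    /**
     * Exposes the custom realm as a Spring bean.
     *
     * NOTE(review): no CredentialsMatcher is set here, so the realm keeps Shiro's default
     * equality comparison of stored and submitted credentials. Configure a hashing matcher
     * once passwords are stored as salted hashes.
     *
     * @return a new {@code MyRealm} instance
     */
    @Bean
    public MyRealm myRealm() {
        return new MyRealm();
    }
}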