理解:
(1) Subject : 主体,可以代表当前用户;
(2) SecurityManager:安全管理器,所有的安全操作需要经过此部分
(3) Realm:授权和认证功能,用来判断是否具有某种权限/角色
(4) 调用过程:代码->Subject->SecurityManager->Realm
一、创建一个springboot项目,导入依赖。(使用thymeleaf作为模板引擎,不了解的可以看我的博客)
<!--thymeleaf-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.2</version>
</dependency>
二、application.yml配置
#thymeleaf
spring:
thymeleaf:
prefix: classpath:/templates/
check-template-location: true
suffix: .html
encoding: utf-8
servlet:
content-type: text/html
mode: HTML5
cache: false
server:
port: 8081
三、编写一个shiro配置类ShiroConfig
package com.zjl.shiro;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* shiro配置类
*/
@Configuration
public class ShiroConfig {
/**
* 创建ShiroFilterFactoryBean
*/
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
final ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
//设置Shiro内置过滤器
/**
* 1. anon: 无需认证即可访问
* 2. authc: 必须认证才可以访问
* 3. user: 使用记住我功能才可以访问
* 4. perms: 该资源必须得到资源权限才可以访问
* 5. role: 该资源必须得到角色权限才可以访问
*/
//创建一个filterMap 设置页面权限
final Map<String, String> filterMap = new LinkedHashMap<>();
//拦截某路径下的所有
// filterMap.put("/certain/*","authc");
filterMap.put("/buy","authc");
filterMap.put("/sold","anon");
shiroFilterFactoryBean.setLoginUrl("/login");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
return shiroFilterFactoryBean;
}
/**
* 创建DefaultWebSecurityManager
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(MyRealm realm){
final DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
//关联realm
defaultWebSecurityManager.setRealm(realm);
return defaultWebSecurityManager;
}
/**
* 创建自定义的Realm
*/
@Bean
public MyRealm getRealm(){
final MyRealm realm = new MyRealm();
return realm;
}
}
四、编写一个MyRealm
package com.zjl.shiro;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class MyRealm extends AuthorizingRealm {
/**
* 执行授权逻辑
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行授权逻辑");
return null;
}
/**
* 执行认证逻辑
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行认证逻辑");
String username = "java";
String password = "123456";
//1、判断用户名
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
if (!token.getUsername().equals(username)){
//用户名不存在
return null; //shiro底层会抛出UnKnowAccountException
}
//2、判断密码
return new SimpleAuthenticationInfo("",password,"");
}
}
五、编写一个控制类
package com.zjl.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
@Controller
public class IndexController {
@RequestMapping("/")
public ModelAndView index(){
final ModelAndView modelAndView = new ModelAndView();
modelAndView.addObject("name","阿良");
modelAndView.setViewName("/index");
return modelAndView;
}
@RequestMapping("/toLogin")
public String tologin(){
return "/login";
}
@RequestMapping("/buy")
public String buy(){
return "/computer/buy";
}
@RequestMapping("/sold")
public String sold(){
return "/computer/sold";
}
/**
* 登录方法
* @return
*/
@RequestMapping("/login")
public String login(String userName, String passWord, Model model){
//shiro认证操作
// 1、获取Subject
final Subject subject = SecurityUtils.getSubject();
//2、封装用户账号密码
UsernamePasswordToken token = new UsernamePasswordToken(userName,passWord);
//3、执行登录方法(无异常即为登录成功)
try {
subject.login(token);
return "redirect:/";
} catch (UnknownAccountException e) {
model.addAttribute("msg","用户名不存在");
}catch (IncorrectCredentialsException e) {
model.addAttribute("msg","密码错误");
}
return "/login";
}
}
六、编写前端页面
(1)首页index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1 th:text="${name}"></h1>
<h3>---------------------------------------------------------</h3>
<a href="/buy">买电脑</a>
<a href="/sold">卖电脑</a>
</body>
</html>
(2)登录页面 login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>登录页面</h1>
<h2 style="color: red" th:text="${msg}"></h2>
<form action="/login">
用户名:<input type="text" name="userName"></br>
密码:<input type="password" name="passWord">
<input type="submit" value="登录">
</form>
</body>
</html>
(3)computer下的两个页面buy.html和sold.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>买电脑</h1>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>卖电脑</h1>
</body>
</html>
七、访问
http://localhost:8081/
结果
点击买电脑会跳转到登录页面,点击卖电脑会正常跳转,输入java,123456登录后可以正常查看