Integrating Shiro with Spring Boot
Shiro's authentication, authorization and config code is mostly fixed boilerplate.
Common Shiro methods
// Controller layer
// Get the current user
Subject subject = SecurityUtils.getSubject();
// Wrap the user's login data in a token
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
// Log in with the token
try {
    // Login succeeded: return the home page
    subject.login(token);
    return "index";
// Login failed: return the login page
} catch (UnknownAccountException uae) {
    model.addAttribute("msg", "用户名不正确"); // "Incorrect username"
    return "login";
} catch (IncorrectCredentialsException ice) {
    model.addAttribute("msg", "密码错误"); // "Wrong password"
    return "login";
} catch (LockedAccountException lae) {
    model.addAttribute("msg", "账号被锁定"); // "Account is locked"
    return "login";
}
----------------------------------------------------------
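// Authentication and authorization in the Realm
// Authentication
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    // Username and password are hard-coded here; they can also be loaded through MyBatis
    String username = "antigen";
    String password = "1234";
    // Extract the token
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    // Username check
    if (!token.getUsername().equals(username)) {
        return null; // returning null causes UnknownAccountException in the controller layer
    }
    // Password check: Shiro compares the token's password against the credentials passed here.
    // The first argument is the principal that subject.getPrincipal() returns later;
    // this demo passes "", so pass the user object instead when doGetAuthorizationInfo needs it.
    return new SimpleAuthenticationInfo("", password, "");
}
// Authorization
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    // Get the current user object; it must be passed along from the authentication method
    Subject subject = SecurityUtils.getSubject();
    Manager currentUser = (Manager) subject.getPrincipal();
    // Set the current user's permissions, usually read from a table,
    // since the administrator table normally has a permissions column
    info.addStringPermission(currentUser.getPerms());
    return info;
}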
Add the shiro-spring dependency
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.5.0</version>
</dependency>
Configure shiro.ini
This is the example from the official website.
[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz
# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
# license plate 'eagle5' (instance specific id)
goodguy = winnebago:drive:eagle5
Configure log4j (optional)
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
# General Apache libraries
log4j.logger.org.apache=WARN
# Spring
log4j.logger.org.springframework=WARN
# Default Shiro logging
log4j.logger.org.apache.shiro=INFO
# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN
The three methods in ShiroConfig
Shiro's three core objects: ShiroFilterFactoryBean, DefaultWebSecurityManager, Realm
1. Create the Realm object
Extend AuthorizingRealm
public class UserRealm extends AuthorizingRealm
and override AuthorizingRealm's two methods
// Authorization
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    return null; // skeleton only; the body is filled in as shown earlier
}
// Authentication
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    return null; // skeleton only; the body is filled in as shown earlier
}
Registering the bean
Register it in ShiroConfig
@Bean
public UserRealm userRealm() {
    return new UserRealm();
}
2. DefaultWebSecurityManager
DefaultWebSecurityManager is used to bind the Realm object
// @Qualifier("name of the method that returns the Realm object")
@Bean
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
    DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
    // Associate the Realm
    defaultWebSecurityManager.setRealm(userRealm);
    return defaultWebSecurityManager;
}
3. ShiroFilterFactoryBean
**ShiroFilterFactoryBean** is used to bind the DefaultWebSecurityManager object
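The binding described in step 3, written out as an added example (it is not code from the original post). The class name, URL paths and permission strings are assumptions chosen for illustration; the qualifier is the name of the getDefaultWebSecurityManager method from step 2.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroFilterExampleConfig { // hypothetical class name

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(
            @Qualifier("getDefaultWebSecurityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        // Bind the DefaultWebSecurityManager, which in turn holds the Realm
        bean.setSecurityManager(securityManager);

        // Use a LinkedHashMap: chains are matched in insertion order and the
        // first matching pattern wins, so specific paths go before "/**".
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/toLogin", "anon");                  // login page (assumed path)
        chains.put("/login", "anon");                    // login handler (assumed path)
        // perms[...] is checked against the permissions the Realm adds
        // in doGetAuthorizationInfo via addStringPermission
        chains.put("/user/add", "authc, perms[user:add]");
        chains.put("/user/update", "authc, perms[user:update]");
        chains.put("/logout", "logout");
        // Default deny for anonymous users: everything else needs a login
        chains.put("/**", "authc");
        bean.setFilterChainDefinitionMap(chains);

        // Where unauthenticated requests are redirected
        bean.setLoginUrl("/toLogin");
        // Where authenticated users lacking a permission are redirected
        bean.setUnauthorizedUrl("/noauth");
        return bean;
    }
}
```

Ending the map with a catch-all `/**` entry set to `authc` means a newly added controller path is protected by default instead of being reachable anonymously until someone remembers to list it.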

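This article explains in detail how to integrate Shiro into a Spring Boot project for permission management, covering Shiro's common methods, configuration, Realm creation, filter setup, user authentication and authorization, and integration with MyBatis. It also covers integrating the Thymeleaf template engine with Shiro, showing how to display page content dynamically according to the user's permissions.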



