拦截器
1.结构架构图
2.Shiro拦截器
2.1.ShiroConfig
代码:
package com.auth;
import org.apache.shiro.mgt.DefaultSessionStorageEvaluator;
import org.apache.shiro.mgt.DefaultSubjectDAO;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
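@Configuration
public class ShiroConfig {

    @Autowired
    private LoginRealm loginRealm;

    /**
     * Builds the web SecurityManager backed by the custom {@link LoginRealm}.
     *
     * Shiro's own session storage is switched off, so Subject state is not
     * persisted between requests and every request has to carry its own
     * credentials (the JWT checked by {@code JWTFilter}). See
     * http://shiro.apache.org/session-management.html#SessionManagement-StatelessApplications%28Sessionless%29
     *
     * @return the configured {@link DefaultWebSecurityManager}
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

        // Stateless mode: do not store the Subject in a Shiro session.
        DefaultSessionStorageEvaluator storageEvaluator = new DefaultSessionStorageEvaluator();
        storageEvaluator.setSessionStorageEnabled(false);
        DefaultSubjectDAO subjectDAO = new DefaultSubjectDAO();
        subjectDAO.setSessionStorageEvaluator(storageEvaluator);
        securityManager.setSubjectDAO(subjectDAO);

        // Authentication/authorization is delegated to the custom realm.
        securityManager.setRealm(loginRealm);
        return securityManager;
    }

    /**
     * Registers the Shiro filter chain.
     *
     * The chain definition map MUST preserve insertion order: Shiro evaluates
     * the definitions top-down and applies the first pattern that matches the
     * request path. The original code handed Shiro a HashMap, whose iteration
     * order is unspecified, so "/**" -> anon could be evaluated before
     * "/api/**" -> jwt,authc and the API could be reached without a token.
     * A LinkedHashMap makes the order deterministic: specific rules first,
     * catch-all last.
     *
     * Note that the catch-all "/**" -> anon makes this configuration
     * allow-by-default on the Shiro side: any path not listed explicitly is
     * not blocked by Shiro. New protected prefixes must be added ABOVE the
     * catch-all.
     *
     * @param securityManager the SecurityManager bean from {@link #securityManager()}
     * @return the ShiroFilterFactoryBean that installs the filter chain
     */
    @Bean
    public ShiroFilterFactoryBean factory(SecurityManager securityManager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);

        // Custom filters, keyed by the name used in the chain definitions below.
        // Kept as a raw Map as in the original; a typed Map<String, Filter>
        // would need javax.servlet.Filter, which this file does not import.
        Map filterMap = new HashMap();
        filterMap.put("jwt", new JWTFilter());
        factoryBean.setFilters(filterMap);

        // Order matters (first match wins), hence LinkedHashMap, not HashMap.
        Map<String, String> filterRuleMap = new LinkedHashMap<>();
        // Paths that require a valid token: the JWT filter authenticates the
        // Subject, then authc verifies it is authenticated.
        filterRuleMap.put("/api/**", "jwt,authc");
        // Paths open without login (login endpoint, home page, ...). Must stay
        // last because it matches every path.
        filterRuleMap.put("/**", "anon");
        factoryBean.setFilterChainDefinitionMap(filterRuleMap);
        return factoryBean;
    }
}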
2.1.1.该类是一个config类(配置类)
2.1.2.设置我们自定义的JWT过滤器,并命名为jwt
filterMap.put("jwt", new JWTFilter());
2.1.3.必须要登录才能访问(要验证令牌,使用"jwt,authc",一般用于删除、修改、查询等界面)
filterRuleMap.put("/api/**","jwt,authc");
2.1.4.不登录就能访问(直接放行,不需要去做验证,一般用于登录,首页等界面)。注意：Shiro 按定义顺序依次匹配过滤链,第一条命中的规则生效,而 "/**" 会匹配所有路径,所以它必须放在最后;并且 filterRuleMap 应使用 LinkedHashMap 而不是 HashMap,否则遍历顺序不确定,"/**" 可能先于 "/api/**" 被匹配,导致 /api 接口不经过 JWT 验证就能访问。
filterRuleMap.put("/**", "anon");
2.2.JWTFilter
代码:
package com.auth;
import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;