添加依赖
<!-- Apache Shiro's Spring integration module. The version is pinned to 1.9.0 here. -->
<!-- NOTE(review): before reusing this snippet, check the Apache Shiro security advisories -->
<!-- and pin a currently maintained release, since authentication frameworks receive security fixes. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.9.0</version>
</dependency>
在springMVC.xml配置文件中添加配置
<!-- Shiro integration: the web security manager, wired to the single custom realm bean "realm". -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="realm"/>
</bean>
<!-- The custom realm (com.ytr.realm.MyRealm). It is given the hashed credentials matcher below, -->
<!-- so the submitted password is hashed before it is compared with the stored value. -->
<bean id="realm" class="com.ytr.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!-- Password matcher: hashes the submitted password with the configured algorithm and iteration -->
<!-- count (plus the per-user salt supplied by the realm) and compares it with the stored hash. -->
<!-- Both values must match the way the stored passwords were generated at registration time. -->
<!-- NOTE(review): MD5 is a fast digest and 1024 iterations gives little resistance to offline -->
<!-- guessing if the user table leaks. Prefer a stronger digest with a much higher iteration count, -->
<!-- or a dedicated password hashing scheme (bcrypt / Argon2) where the Shiro version supports it. -->
<!-- Changing these values requires re-hashing or migrating the stored credentials. -->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"/>
<property name="hashIterations" value="1024"/>
</bean>
<!-- Shiro filter factory: defines the URL filtering rules. -->
<!-- Chain definitions are evaluated top to bottom and the first matching pattern wins, so specific -->
<!-- anonymous paths must stay above the catch-all rule. Here only /login is anonymous and every -->
<!-- other path (including static resources and /unauthorized.jsp) requires an authenticated user. -->
<!-- Keeping the final rule as /**=authc makes the configuration default-deny. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Where unauthenticated requests are redirected. -->
<property name="loginUrl" value="/login.jsp"/>
<!-- Where requests are redirected when a Shiro authorization filter denies access. -->
<!-- NOTE(review): this is not used for exceptions raised by Shiro annotations; those need an -->
<!-- exception handler in the web layer. Confirm against the Shiro version in use. -->
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
/login=anon
/**=authc
</value>
</property>
</bean>
部分值
修改web.xml文件,让过滤器生效
<!-- Proxy for the Shiro filter: DelegatingFilterProxy delegates to the Spring bean whose id equals -->
<!-- the filter-name, so "shiroFilter" must match the ShiroFilterFactoryBean id in the Spring config. -->
<!-- The mapping covers every request (/*); a narrower pattern would leave the unmatched paths -->
<!-- outside Shiro's filter chain entirely. -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
连接数据库
修改交互层文件
创建自定义的realm文件
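/**
 * Custom Shiro realm that looks up users and their permission strings through
 * {@code UserService}.
 *
 * <p>The realm only supplies the stored credentials and salt; the comparison with the
 * submitted password is done by the credentials matcher configured on the realm bean.
 *
 * <p>Unlike the earlier version, nothing is written to standard output: the user object,
 * the salt and the permission list are security-sensitive and must not end up in
 * console or container logs.
 */
public class MyRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;

    /**
     * Authorization callback, invoked by Shiro when a permission check is performed.
     *
     * @param principalCollection principals of the authenticated subject; the primary
     *                            principal is the {@code User} stored by
     *                            {@link #doGetAuthenticationInfo(AuthenticationToken)}
     * @return the user's string permissions, or {@code null} when the user has none
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        User user = (User) principalCollection.getPrimaryPrincipal();

        // Look up the permission strings granted to this user id.
        List<String> permissions = userService.findPerByuserid(user.getUserid());

        // Check for null BEFORE touching the list; the previous debug print dereferenced
        // it first and would throw a NullPointerException for a user without permissions.
        if (permissions == null || permissions.isEmpty()) {
            return null;
        }

        // Hand the permission strings to Shiro, which performs the actual matching.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(permissions);
        return info;
    }

    /**
     * Authentication callback, invoked by Shiro during login.
     *
     * @param authenticationToken the submitted token; its principal is the user name
     * @return the stored credentials and salt for the account, or {@code null} when no
     *         account with that user name exists
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        String username = (String) authenticationToken.getPrincipal();
        User user = userService.findByUsername(username);
        if (user == null) {
            return null;
        }

        // Per-user salt, passed to the credentials matcher together with the stored hash.
        // Never print or log the salt, the stored hash or the whole user object.
        ByteSource salt = ByteSource.Util.bytes(user.getSalt());

        // NOTE(review): the whole User object becomes the subject's principal. If it also
        // carries the password hash and salt, consider using a reduced principal so those
        // fields are not kept with the session; confirm against the User class.
        return new SimpleAuthenticationInfo(user, user.getUserpwd(), salt, this.getName());
    }
}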
定义dao层
权限管理
拦截器
我们可以自定义一个,但spring整合shiro时提供了一个拦截器注解:可以加在相应方法上。
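/**
 * Spring MVC interceptor that authorizes each request by treating the servlet path as a
 * Shiro permission string.
 *
 * <p>NOTE(review): the path is handed to Shiro as a permission string, so the stored
 * permissions must be written in exactly the same form as the servlet paths, and
 * characters that have a meaning in Shiro's permission syntax (such as {@code :},
 * {@code ,} and {@code *}) should not appear in protected paths. Confirm against the
 * permission data actually stored for users.
 */
public class Interceptor implements HandlerInterceptor {

    /**
     * Allows the request only when the current subject holds a permission matching the
     * requested servlet path; otherwise redirects to the denial page.
     *
     * @param request  current request; its servlet path is used as the permission string
     * @param response current response, used for the redirect on denial
     * @param handler  the chosen handler (unused)
     * @return {@code true} to continue processing, {@code false} after redirecting
     * @throws Exception if the redirect cannot be sent
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Subject subject = SecurityUtils.getSubject();

        // Requested path, used directly as the permission to check.
        String path = request.getServletPath();
        if (subject.isPermitted(path)) {
            return true;
        }

        // Prefix the context path so the redirect stays inside this application when it
        // is not deployed at the server root; with a root deployment the prefix is empty.
        response.sendRedirect(request.getContextPath() + "/aaa.jsp");
        return false;
    }
}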
使用拦截器注解
使用注解就不需要再进行上面的自定义拦截器了
先添加配置
<!-- Enable Shiro annotations. -->
<!-- Runs the init/destroy lifecycle callbacks of Shiro beans managed by Spring. -->
<bean id="lifecycleBeanPostProcessor"
class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- Creates AOP proxies for beans matched by advisors; declared to initialize after the lifecycle processor. -->
<!-- NOTE(review): these beans must live in the same application context as the annotated classes, -->
<!-- otherwise the annotations are silently not enforced. Verify with a negative test (a user lacking the permission). -->
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<!-- Advisor that applies Shiro's authorization annotations, using the securityManager bean for the checks. -->
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
使用注解
全局异常处理
没有权限的话会在前端报错,不合适,我们要在后台处理。
/**
 * Global exception handling for authorization failures raised in controllers.
 *
 * <p>NOTE(review): only {@code UnauthorizedException} is handled here. Other Shiro
 * authorization failures (for example a request from a subject that is not logged in)
 * are presumably left to the default error handling; confirm whether that is intended.
 */
@ControllerAdvice
public class MyException {

    /**
     * Handles a denied permission check by sending the browser to the denial page, so
     * the client sees that page rather than the raw exception.
     *
     * @param e the authorization failure thrown by Shiro
     * @return a redirect view name pointing to the "unauthorized" page
     */
    @ExceptionHandler(UnauthorizedException.class)
    public String auth(UnauthorizedException e) {
        // The stack trace goes to standard error only. In a real deployment, access
        // denials are better recorded through the application's logger for auditing.
        e.printStackTrace();

        // Redirect to the insufficient-permission page.
        final String deniedView = "redirect:/unauthorized.jsp";
        return deniedView;
    }
}