本文档展示了如何在Spring Boot应用中集成Shiro框架进行权限管理。配置了Shiro的相关依赖,并创建了自定义Realm以处理认证和授权逻辑。此外,还配置了ShiroFilterFactoryBean以定义访问控制,并在Thymeleaf模板中使用Shiro标签进行权限判断。文章还提供了一个简单的控制层示例,展示了如何使用Shiro注解进行权限检查。
所需依赖
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- Shiro集成SpringBoot核心 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
<!-- 开启切面管理(可不用) -->
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.9.6</version>
</dependency>
<!-- thymeleaf使用shiro标签 -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
配置类
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import com.entor.realm.UserRealm;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
@Configuration
public class ShiroConfig {
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(realm());
return manager;
}
@Bean
public Realm realm() {
//自定义的Realm
UserRealm userRealm = new UserRealm();
userRealm.setCacheManager(cacheManager());
return userRealm;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(securityManager);
//必须创建有序的map,用来存放请求地址和对应的拦截器,按照顺序进行拦截
LinkedHashMap<String, String> map = new LinkedHashMap<>();
//anon拦截器是不需要用户登录可以访问的,
map.put("/css/**", "anon");
map.put("/js/**", "anon");
map.put("/img/**", "anon");
map.put("/login*", "anon");
//authc拦截器需要用户登录才能访问
map.put("/**", "authc");
bean.setFilterChainDefinitionMap(map);
//默认登录的地址
bean.setLoginUrl("/login");
//默认登录成功的地址
bean.setSuccessUrl("/index");
//访问没有权限的资源,跳转的请求
bean.setUnauthorizedUrl("/unauthorizedUrl");
return bean;
}
@Bean
public CacheManager cacheManager() {
return new MemoryConstrainedCacheManager();
}
/* //开启切面代理或者在启动类使用注解开启切面管理EnableAspectJAutoProxy这时就需要切面的包
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
daap.setProxyTargetClass(true);
return daap;
}*/
/**
* 开启shrio注解支持
*/
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor() {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(securityManager());
return aasa;
}
/**
* 用于thymeleaf使用shiro标签
* @return
*/
@Bean
public ShiroDialect shiroDialect(){
return new ShiroDialect();
}
}
自定义的Realm
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.ArrayList;
import java.util.List;
/**
* 自定义通话认证授权逻辑
* ,目前是写死用户名zhangsan,密码:123456,
* 拥有角色admin,
* 权限add,update,delete
*/
public class UserRealm extends AuthorizingRealm {
/**
* 处理用户授权
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username = (String) principalCollection.getPrimaryPrincipal();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
List<String> roles = new ArrayList<>();
roles.add("admin");
List<String> permission = new ArrayList<>();
permission.add("user:add");
permission.add("user:update");
permission.add("user:delete");
//添加权限
info.addStringPermissions(permission);
//添加角色
info.addRoles(roles);
return info;
}
/**
* 处理用户认证,不发生异常代表成功
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
String username = token.getUsername();
String password = new String(token.getPassword());
if (username == null || !username.equals("zhangsan")) {
throw new UnknownAccountException("帐号不存在");
}
if (!password.equals("123456")) {
throw new IncorrectCredentialsException("密码错误");
}
return new SimpleAuthenticationInfo(username, password, getName());
}
}
控制层
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class UserController {
@RequestMapping("/login")
public String login() {
return "login";
}
@RequestMapping(value = "/loginCheck")
public String loginCheck(String username, String password) {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.login(token);
return "index";
}
@RequestMapping("/index")
public String index() {
return "index";
}
@RequestMapping("/unauthorizedUrl")
public String unauthorizedUrl() {
return "unauthorizedUrl";
}
@RequestMapping("/logOut")
public String logOut() {
Subject subject = SecurityUtils.getSubject();
//用户注销,清空会话信息
subject.logout();
return "redirect:login";
}
@RequestMapping("/add")
@ResponseBody
//检测是否拥有角色
@RequiresRoles(value = {"admin", "user"}, logical = Logical.OR)
public String add() {
return "新增用户";
}
@RequestMapping("/delete")
@ResponseBody
//检测是否拥有权限
@RequiresPermissions(value = {"user:delete"})
public String delete() {
return "删除用户";
}
@RequestMapping("/update")
@ResponseBody
@RequiresPermissions(value = {"user:update"})
public String update() {
return "修改用户";
}
@RequestMapping("/query")
@ResponseBody
@RequiresRoles(value = {"user"}, logical = Logical.OR)
public String query() {
return "查询用户";
}
}
Shiro的标签简单使用
注意在头部导入shiro标签
<!DOCTYPE html>
<html lang="en" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<head>
<meta charset="UTF-8">
<title>主页</title>
</head>
<body>
<!-- 拿到该用户的用户名 -->
登录成功欢迎:<shiro:principal/><a href="logOut">注销</a>
<div>
<!-- 检测该用户是否拥有该角色有则该标签生效否则无效 -->
<shiro:hasRole name="admin">
<a href="add">新增用户</a><br>
</shiro:hasRole>
<!-- 检测该用户是否拥有该权限有则该标签生效否则无效 -->
<shiro:hasPermission name="user:delete">
<a href="delete">删除用户</a><br>
</shiro:hasPermission>
<shiro:hasPermission name="user:update">
<a href="update">修改用户</a><br>
</shiro:hasPermission>
<shiro:hasPermission name="user:query">
<a href="query">查找用户</a><br>
</shiro:hasPermission>
</div>
</body>
</html>
扫一扫
1236
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
