第一步:导入依赖
<!-- Apache Shiro integration for Spring. -->
<!-- NOTE(review): 1.4.2 is an old Shiro release. Later releases contain security fixes, including fixes to how request paths are matched against filter-chain rules. Check the Apache Shiro security reports and pin a currently maintained version before using this in a real project. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.2</version>
</dependency>
<!-- Shiro dialect for Thymeleaf, so templates can use the shiro: tags (namespace declared with xmlns:shiro). -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
2.编写权限控制类(除了第一个bean需要按项目修改,其余bean都是固定写法)
package com.kw.drug.config;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
 * Spring configuration that wires Apache Shiro into the web application:
 * realm, security manager, URL filter chain and the Thymeleaf dialect.
 */
@Configuration
public class ShiroFilterConfiguration {

    /**
     * Step 1: the custom realm that looks users up.
     *
     * <p>No CredentialsMatcher is set here, so the realm's default matcher is used.
     * NOTE(review): Shiro's default matcher compares the submitted password with the
     * stored value directly, which implies unhashed passwords in the database. Confirm,
     * and prefer a salted password hash with a matching matcher
     * (e.g. HashedCredentialsMatcher or PasswordMatcher).
     *
     * @return a new {@link UserRealm}
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }

    /**
     * Step 2: the security manager, backed by the realm above.
     *
     * @param userRealm the realm bean named {@code userRealm}
     * @return the security manager registered under the bean name {@code securityManager}
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    /**
     * Step 3: the Shiro filter that decides which URLs need an authenticated subject.
     *
     * @param defaultWebSecurityManager the bean named {@code securityManager}
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(defaultWebSecurityManager);
        // Unauthenticated requests to protected URLs are redirected here.
        factoryBean.setLoginUrl("/login");
        // Default landing page after a successful login.
        factoryBean.setSuccessUrl("/index");
        factoryBean.setFilterChainDefinitionMap(filterChainRules());
        return factoryBean;
    }

    /**
     * Registers the Shiro dialect so Thymeleaf templates can use the shiro: tags.
     *
     * @return a new {@link ShiroDialect}
     */
    @Bean
    public ShiroDialect getShiroDialect() {
        return new ShiroDialect();
    }

    /**
     * Builds the URL-pattern to filter-name rules.
     *
     * <p>Built-in filter names used or relevant here:
     * <ul>
     *   <li>{@code anon}: no authentication required</li>
     *   <li>{@code authc}: the subject must be authenticated</li>
     *   <li>{@code user}: the subject must be authenticated or remembered (remember-me)</li>
     *   <li>{@code perms}: the subject must hold the named permission</li>
     * </ul>
     *
     * <p>Insertion order is preserved by the LinkedHashMap and matters: the first
     * matching pattern decides, so the public entries must stay ahead of the
     * catch-all {@code /**} rule, and any new public path must be added above it.
     */
    private static Map<String, String> filterChainRules() {
        Map<String, String> rules = new LinkedHashMap<>();
        rules.put("/static/**", "anon");
        rules.put("/login", "anon");
        rules.put("/toLogin", "anon");
        // Everything not listed above requires a logged-in subject (deny by default).
        rules.put("/**", "authc");
        return rules;
    }
}
3.编写权限认证类
package com.kw.drug.config;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.kw.drug.entity.User;
import com.kw.drug.mapper.UserMapper;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
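/**
 * Shiro realm that authenticates users by looking them up through {@link UserMapper}.
 *
 * <p>Authorization is not implemented: this realm never grants roles or permissions.
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    private UserMapper userMapper;

    /**
     * Supplies roles and permissions for a subject.
     *
     * @param principalCollection the principals of the subject being authorized
     * @return always {@code null}; no roles or permissions are granted by this realm
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Looks up the account named in the login token and returns the credentials Shiro
     * should compare the submitted password against.
     *
     * <p>This method only fetches the account; it must not record anything that marks
     * the caller as logged in, because the password has not been checked yet at this
     * point. The session write happens in {@link #assertCredentialsMatch}.
     *
     * @param authenticationToken the submitted login token, expected to be a
     *        {@link UsernamePasswordToken}
     * @return the account and its stored password, or {@code null} when no user has
     *         that username (Shiro's authenticator reports that as an unknown account)
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

        // The username is passed as a bound value of the query wrapper, not concatenated.
        QueryWrapper<User> wrapper = new QueryWrapper<>();
        wrapper.eq("username", token.getUsername());
        User user = userMapper.selectOne(wrapper);
        if (user == null) {
            return null;
        }

        // Shiro performs the password comparison with the realm's CredentialsMatcher.
        // NOTE(review): no matcher is configured in this class, and Shiro's default
        // compares the submitted password with the stored value directly, which implies
        // unhashed passwords in the database. Confirm, and prefer a salted password
        // hash with a matching CredentialsMatcher.
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }

    /**
     * Verifies the submitted credentials and, only once they have matched, publishes
     * the account under the session attribute {@code "user"}.
     *
     * <p>Writing the attribute before this check would leave a user record in the
     * session of a caller who supplied a valid username with a wrong password.
     *
     * <p>NOTE(review): the stored object is the full {@code User} entity, including its
     * password field; consider storing a reduced view without the credential.
     *
     * @param token the submitted login token
     * @param info the account information returned by {@link #doGetAuthenticationInfo}
     * @throws AuthenticationException if the credentials do not match
     */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
            throws AuthenticationException {
        super.assertCredentialsMatch(token, info);
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        SecurityUtils.getSubject().getSession().setAttribute("user", principal);
    }
}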
4.编写controller
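/**
 * Handles the login form post and reports whether authentication succeeded.
 *
 * <p>An unknown username and a wrong password produce the same response body, so the
 * reply does not reveal whether an account exists.
 *
 * <p>NOTE(review): only these two failure types are handled; any other
 * AuthenticationException raised by {@code subject.login} propagates to the caller.
 * NOTE(review): verify whether the session id is rotated on successful login; if it
 * is not, consider rotating it to limit session fixation.
 *
 * @param username the submitted username
 * @param password the submitted password
 * @param session the HTTP session (not used by this method)
 * @return the result map from {@code ResultMapUtil.getHashMapLogin}: code "1" on
 *         success, code "2" on a failed login
 */
@PostMapping("/toLogin")
@ResponseBody
public Map judge(@RequestParam String username, @RequestParam String password, HttpSession session) {
    // The subject bound to the current request.
    Subject subject = SecurityUtils.getSubject();
    // Wrap the submitted login data for Shiro.
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        // Returning without an exception means the login succeeded.
        subject.login(token);
        return ResultMapUtil.getHashMapLogin("登录成功", "1");
    } catch (UnknownAccountException | IncorrectCredentialsException e) {
        // One shared message for both cases; the two strings previously differed.
        return ResultMapUtil.getHashMapLogin("用户名或者密码错误", "2");
    }
}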
这样就实现了登录拦截!!!