1.pom.xml引入shiro相关依赖
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
2.然后需要自定义Realm和Shiro的配置类
2.1 创建MyShiroRealm类
package com.xiaoer.manage.util;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.xiaoer.manage.pojo.Permission;
import com.xiaoer.manage.pojo.Role;
import com.xiaoer.manage.pojo.User;
import com.xiaoer.manage.server.UserServer;
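/**
 * Shiro realm backed by {@link UserServer}: resolves roles and permissions for an
 * authenticated principal and supplies the stored credentials for a login attempt.
 *
 * <p>No {@code CredentialsMatcher} is configured for this realm, so Shiro's default
 * {@code SimpleCredentialsMatcher} compares the submitted password with
 * {@code User#getPwd()} by plain equality. If passwords are stored hashed, a
 * {@code HashedCredentialsMatcher} must be set where the realm is registered (and the
 * salt passed via {@link ByteSource} in {@link #doGetAuthenticationInfo}).
 */
@Component("authorizer")
public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    private UserServer userservice;

    /**
     * Authorization: loads the user identified by the primary principal (the user id
     * stored by {@link #doGetAuthenticationInfo}) and copies its role ids and permission
     * ids into the returned {@link AuthorizationInfo}.
     *
     * @param principals principals of the current subject; the primary one is the user id
     * @return the user's roles and string permissions; empty when the user, its roles or
     *         a role's permissions cannot be resolved (access is then denied, not a 500)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        User user = userservice.findUser(String.valueOf(principals.getPrimaryPrincipal()));
        // An unknown user or a null role list grants nothing instead of throwing an NPE.
        if (user == null || user.getRoles() == null) {
            return authorizationInfo;
        }
        for (Role role : user.getRoles()) {
            authorizationInfo.addRole(role.getId());
            if (role.getPermissions() == null) {
                continue;
            }
            for (Permission p : role.getPermissions()) {
                authorizationInfo.addStringPermission(p.getId());
            }
        }
        return authorizationInfo;
    }

    /**
     * Authentication: looks up the user named by the token's principal and hands its
     * stored credentials to Shiro, which matches them against the submitted password.
     *
     * @param token login token; its principal is the user id sent by the login form
     * @return authentication info whose principal is {@code user.getId()} and whose
     *         credentials are {@code user.getPwd()}
     * @throws UnknownAccountException when the principal is null or no such user exists
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (username == null) {
            throw new UnknownAccountException();
        }
        User user = userservice.findUser(username);
        if (user == null) {
            // No message: the login controller maps this exception to its own text.
            throw new UnknownAccountException();
        }
        // The principal is the user id so doGetAuthorizationInfo can look the user up again.
        return new SimpleAuthenticationInfo(user.getId(), user.getPwd(), getName());
    }
}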
这个类继承了AuthorizingRealm,需要重写其中的两个方法。第一个方法用来授权:先获取用户信息,通过AuthorizationInfo的add()方法把用户所拥有的角色和权限信息存入AuthorizationInfo,然后在controller层的接口上加注解@RequiresPermissions(“存入的权限信息”),两者比对从而控制访问权限。第二个方法用来验证身份:先通过service层调用dao层访问数据库获取用户信息,再与前端传来的数据对比进行判断。在第二个方法中token.getPrincipal()获取的是controller层传来的第一个数据(一般第一个数据是id,所以根据id进行查询)。
2.2 创建ShiroConfig类
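/**
 * Spring configuration wiring Shiro's servlet filter chain, security manager and realm.
 *
 * <p>NOTE(review): {@link MyShiroRealm} is also registered as the component "authorizer",
 * and {@link #getUserRealm()} creates a second instance named "userRealm"; only the latter
 * is attached to the security manager here. Confirm which instance actually serves
 * authorization in this application before relying on either name.
 */
@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro servlet filter.
     *
     * <p>Chain definitions are matched in insertion order, which is why a
     * {@link LinkedHashMap} is used and why the catch-all {@code /**} entry must stay last.
     *
     * @param securitymanager the security manager created by {@link #getDefaultWebSecurityManager}
     * @return the configured filter factory bean
     */
    @Bean("shiroFilterFactoryBean")
    public ShiroFilterFactoryBean shiroFilterFactoryBean(org.apache.shiro.mgt.SecurityManager securitymanager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securitymanager);

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/static/**", "anon");  // static assets need no authentication
        filterChainDefinitionMap.put("/logout", "logout");   // Shiro's logout filter ends the session
        filterChainDefinitionMap.put("/**", "authc");        // everything else needs an authenticated subject; keep last

        shiroFilterFactoryBean.setLoginUrl("/login");        // unauthenticated requests are redirected here
        shiroFilterFactoryBean.setSuccessUrl("/index");
        shiroFilterFactoryBean.setUnauthorizedUrl("/403");   // authenticated but lacking a required permission
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * Security manager holding the single custom realm.
     *
     * <p>NOTE(review): no {@code CredentialsMatcher} is set on the realm, so Shiro's
     * default {@code SimpleCredentialsMatcher} compares the submitted password with the
     * stored {@code User#getPwd()} value by plain equality. If passwords are stored
     * hashed, configure a {@code HashedCredentialsMatcher} (algorithm and iteration count
     * matching the stored format) on {@code userRealm} before attaching it.
     *
     * @param userRealm the realm bean named "userRealm"
     * @return the web security manager
     */
    @Bean(name = "defaultWebSecurityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") MyShiroRealm userRealm) {
        DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
        defaultWebSecurityManager.setRealm(userRealm);
        return defaultWebSecurityManager;
    }

    /**
     * The realm instance attached to the security manager.
     *
     * @return a new {@link MyShiroRealm}
     */
    @Bean(name = "userRealm")
    public MyShiroRealm getUserRealm() {
        return new MyShiroRealm();
    }

    /**
     * Thymeleaf dialect exposing Shiro tags to templates.
     *
     * @return the Shiro dialect
     */
    @Bean
    public ShiroDialect shiroDialect() {
        return new ShiroDialect();
    }
}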
需要注意的是:/**一定要放在最下面,因为拦截器是从上往下按顺序拦截的。
3.展示controller层
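/**
 * Handles the login form POST.
 *
 * <p>Reads the "id" and "pass" request parameters, wraps them in a
 * {@link UsernamePasswordToken} and calls {@code Subject.login}, which drives
 * {@code MyShiroRealm.doGetAuthenticationInfo}. On success the "test" view is rendered;
 * on failure a message is stored in the model under "msg" and the login view is shown again.
 *
 * <p>NOTE(review): the two distinct messages tell a client whether the account exists
 * ("用户名不存在") or only the password was wrong ("密码错误"), which allows username
 * enumeration; a single generic message is the usual mitigation where that matters.
 *
 * @param model   view model receiving the "msg" attribute on failure
 * @param request the login request carrying the "id" and "pass" parameters
 * @return the view name: "test" on success, "login" on any authentication failure
 */
@RequestMapping(value = "/login", method = RequestMethod.POST)
public String login2(Model model, HttpServletRequest request) {
    String name = request.getParameter("id");
    String pass = request.getParameter("pass");
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken namepassToken = new UsernamePasswordToken(name, pass);
    try {
        subject.login(namepassToken);
        return "test";
    } catch (UnknownAccountException e) {
        model.addAttribute("msg", "用户名不存在");
        return "login";
    } catch (IncorrectCredentialsException e) {
        model.addAttribute("msg", "密码错误");
        return "login";
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // Any other Shiro failure (locked account, too many attempts, realm error)
        // previously escaped as an unhandled exception; show it on the form instead.
        model.addAttribute("msg", "登录失败");
        return "login";
    }
}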
/**
 * Renders the form page; reachable only by a subject holding the "001" permission.
 *
 * <p>{@code @RequiresPermissions} is evaluated when this method is invoked, which is
 * when Shiro calls {@code MyShiroRealm.doGetAuthorizationInfo} and compares the strings
 * it registered via {@code addStringPermission} with "001".
 *
 * @param model view model (not used by this handler)
 * @return the "form" view name
 */
@RequiresPermissions("001")
@RequestMapping(value = "/form", method = RequestMethod.GET)
public String index3(Model model) {
    final String viewName = "form";
    return viewName;
}
相关代码地址:https://github.com/liujun1173727203/collagesystem/tree/master/Manage