1、导入依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.0</version>
</dependency>
2、创建配置文件
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
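@Configuration
public class ShiroConfig {

    /**
     * Step 3 of the wiring (realm -> security manager -> filter): builds the Shiro servlet
     * filter that enforces the URL filter chain below.
     *
     * @param defaultWebSecurityManager the security manager bean produced by
     *        {@link #getDefaultWebSercurityManger(UserRealm)}, selected by qualifier
     * @return the configured {@link ShiroFilterFactoryBean}
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("getDefaultWebSercurityManger") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(defaultWebSecurityManager);

        /*
         * Built-in filter names used in the chain definitions:
         *   authc: must be authenticated to access
         *   user:  must be authenticated or "remembered" to access
         *   perms: must hold the named permission(s)
         *   roles: must hold the named role(s)
         *
         * Shiro walks the chain definitions in insertion order and applies the FIRST
         * pattern that matches, so the LinkedHashMap and the order of the puts are part
         * of the policy: the specific "/zy/a" rule has to be registered before the
         * "/zy/*" catch-all, otherwise it would never be reached.
         */
        Map<String, String> filterMap = new LinkedHashMap<>();
        // Users without the "usera" permission cannot reach /zy/a.
        filterMap.put("/zy/a", "perms[usera]");
        // Every other request under /zy/ requires an authenticated subject.
        filterMap.put("/zy/*", "authc");
        bean.setFilterChainDefinitionMap(filterMap);

        // Unauthenticated requests are redirected here.
        bean.setLoginUrl("/tologin");
        // Authenticated but unauthorized requests are redirected here.
        bean.setUnauthorizedUrl("/notAble");
        return bean;
    }

    /**
     * Step 2: creates the security manager and attaches the application realm.
     * The method name (with its spelling) is referenced by the {@code @Qualifier} above,
     * so it must stay as-is unless both are changed together.
     *
     * NOTE(review): no CredentialsMatcher is set on the realm, so Shiro's default
     * SimpleCredentialsMatcher compares the submitted password with the stored credential
     * verbatim; if UserService stores hashed passwords, a HashedCredentialsMatcher has to be
     * configured here — confirm how passwords are stored.
     *
     * @param userRealm the realm bean created by {@link #userRealm()}
     * @return the security manager wired to that realm
     */
    @Bean
    public DefaultWebSecurityManager getDefaultWebSercurityManger(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Step 1: creates the realm. Its {@code @Autowired} fields are populated by Spring
     * after this factory method returns.
     *
     * @return a new {@link UserRealm}
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }
}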
import com.zyf.mbg.model.User;
import com.zyf.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
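public class UserRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;

    /**
     * Authorization: builds the permission set for the given principals.
     * Shiro calls this lazily (e.g. for the {@code perms[...]} filter) after authentication succeeded.
     *
     * @param principalCollection the principals Shiro is asking about; the primary principal is the
     *        {@code User} object stored by {@link #doGetAuthenticationInfo(AuthenticationToken)}
     * @return the user's string permissions (possibly none)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了授权---");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Answer for the principals Shiro passed in rather than the thread-bound subject: they are the
        // same for the current request, but the parameter is the contract of this callback.
        // The cast assumes this realm is the only one contributing principals — confirm if more realms are added.
        User currentUser = (User) principalCollection.getPrimaryPrincipal();
        // A null/blank permission string would later fail when Shiro resolves it into a WildcardPermission,
        // so a user without permissions simply gets an empty set.
        String perms = currentUser.getPerms();
        if (perms != null && !perms.trim().isEmpty()) {
            info.addStringPermission(perms);
        }
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands its stored credential to Shiro,
     * which performs the password comparison with the realm's CredentialsMatcher.
     *
     * @param token the submitted credentials; by default only {@link UsernamePasswordToken} is routed here
     * @return the account info, or {@code null} when the username is unknown (Shiro then raises
     *         {@link UnknownAccountException}, which the login controller handles)
     * @throws AuthenticationException never thrown directly here; declared by the Shiro contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("执行了认证-----");
        // AuthenticatingRealm#supports only routes UsernamePasswordToken here by default, so the cast
        // holds unless that default is overridden.
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        User user = userService.getUserByName(usernamePasswordToken.getUsername());
        if (user == null) {
            return null;
        }
        // principal = the User object, credentials = the stored password, realm name = this realm.
        // NOTE(review): with the default SimpleCredentialsMatcher the submitted password is compared
        // with user.getPassword() verbatim; if that value is a hash, a HashedCredentialsMatcher must be
        // configured on this realm — confirm how UserService stores passwords.
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}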
Controller层
@RequestMapping("/zy/a")
public String a() {
    // View for /zy/a; reachable only through the "perms[usera]" chain defined in ShiroConfig.
    final String view = "/zyf/a.html";
    return view;
}
@RequestMapping("/zy/b")
public String b() {
    // View for /zy/b; requires an authenticated subject via the "/zy/*" -> authc chain.
    // NOTE(review): unlike /zy/a this view name carries no ".html" suffix — confirm which form the resolver expects.
    final String view = "/zyf/b";
    return view;
}
@RequestMapping("/tologin")
public String tologin() {
    // Login page; ShiroConfig redirects unauthenticated requests here (setLoginUrl).
    final String view = "/login.html";
    return view;
}
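@RequestMapping("/login")
public String login(String username, String password, Model model) {
    // The current (not yet authenticated) subject for this request.
    Subject subject = SecurityUtils.getSubject();
    // Wrap the submitted form values; UserRealm#doGetAuthenticationInfo receives this token.
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token);
        return "index";
    } catch (UnknownAccountException e) {
        // Raised by Shiro when the realm returns null for the username.
        // NOTE(review): distinct messages for "unknown user" and "wrong password" reveal which usernames
        // exist; a single generic failure message is preferable outside a tutorial.
        model.addAttribute("msg", "用户名错误");
        return "login";
    } catch (IncorrectCredentialsException e) {
        model.addAttribute("msg", "密码错误");
        return "login";
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // Any other failure (locked account, excessive attempts, ...) previously escaped as an
        // unhandled exception; report it on the login page instead. Fully qualified because the
        // controller's import block is not visible here.
        model.addAttribute("msg", "登录失败");
        return "login";
    }
}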
@RequestMapping("/notAble")
@ResponseBody
public String notABLE() {
    // Plain-text body for /notAble; ShiroConfig sends authenticated-but-unauthorized requests here (setUnauthorizedUrl).
    final String message = "未授权状态";
    return message;
}
@RequestMapping("/logout")
@ResponseBody
public String logout() {
    // Ends the current subject's session and returns a plain-text confirmation.
    final Subject subject = SecurityUtils.getSubject();
    subject.logout();
    final String message = "注销成功";
    return message;
}
}