Spring boot 加入shiro支持

2019-11-21 来源: 默闻120 发布在  https://www.cnblogs.com/mowen120/p/11908061.html

在项目添加依赖

       <!-- shiro spring. -->
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-spring</artifactId>
		<version>1.4.0</version>
	</dependency>
	<!-- shiro core -->
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-core</artifactId>
		<version>1.4.0</version>
	</dependency>

配置文件目录下新建spring文件夹,在文件夹内新建spring-shiro.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<!-- ref对应我们写的realm myRealm -->
		<property name="realm" ref="AuthRealm" />
		<!-- 使用下面配置的缓存管理器 -->
		<!-- <property name="cacheManager" ref="shiroEncacheManager" /> -->
	</bean>

	<!-- 安全认证过滤器 -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<!-- 调用我们配置的权限管理器 -->
		<property name="securityManager" ref="securityManager" />
		<!-- 配置我们的登录请求地址 -->
		<property name="loginUrl" value="/toLogin" />
		<!-- 配置我们在登录页登录成功后的跳转地址,如果你访问的是非/login地址,则跳到您访问的地址 -->
		<property name="successUrl" value="/" />
		<!-- 如果您请求的资源不再您的权限范围,则跳转到/403请求地址 -->
		<property name="unauthorizedUrl" value="/html/403.html" />
		<property name="filterChainDefinitions">
			<value>
			<!-- anon是允许通过  authc相反 -->
				/statics/**=anon
				/login=anon
				/** = authc
			</value>
		</property>
	</bean>

	<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

	<!-- AOP式方法级权限检查 -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
		<property name="proxyTargetClass" value="true" />
	</bean>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
		<property name="securityManager" ref="securityManager" />
	</bean>

</beans>

在主入口加载spring-shiro.xml

@ImportResource({ "classpath:spring/spring-shiro.xml" })

在登录Controller内更改成

		//构造登录参数
		UsernamePasswordToken token = new UsernamePasswordToken(name, pwd);
		try {
			//交给Realm类处理
			SecurityUtils.getSubject().login(token);
		} catch (UnknownAccountException uae) {
			map.put("msg", "未知用户");
			return "login";
		} catch (IncorrectCredentialsException ice) {
			map.put("msg", "密码错误");
			return "login";
		} catch (AuthenticationException ae) {
			// unexpected condition? error?
			map.put("msg", "服务器繁忙");
			return "login";
		}

		return "redirect:/toIndex";

看5行就知道登录交给了Realm类处理了,所以我们要有Realm类

在可以被主入口扫描到的地方新建AuthRealm类并且继承AuthorizingRealm,重写doGetAuthenticationInfo(登录逻辑),重写doGetAuthorizationInfo(授权逻辑)

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class AuthRealm extends AuthorizingRealm {

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		// TODO Auto-generated method stub
		return null;
	}

	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// TODO Auto-generated method stub
		return null;
	}

}

登录验证在doGetAuthenticationInfo方法写入

		// 获取Token
		UsernamePasswordToken token2 = (UsernamePasswordToken) token;
		//获取用户名
		String userName = token2.getUsername();
		//获取密码
		String pwd = new String(token2.getPassword());
		//下面我使用的是MyBatis-puls3.0
		//查询条件对象
		QueryWrapper<User> queryWrapper = new QueryWrapper();
		//查询该用户
		queryWrapper.eq("name", userName).or().eq("phone", userName);
		//查询
		User user = iUserService.getOne(queryWrapper);
		//查回的对象为空
		if (CommonUtil.isBlank(user)) {
			//抛出未知的账户异常
			throw new UnknownAccountException();
		}
		//查回的对象密码和输入密码不相等
		if (!CommonUtil.isEquals(user.getPwd(), pwd)) {
			//抛出凭证不正确异常
			throw new IncorrectCredentialsException();
		}
		//上面都通过了就说明该用户存在并且密码相等
		// 验证成功了
		SecurityUtils.getSubject().getSession().setAttribute(Constant.SESSION_USER_KEY, user);
		// 返回shiro用户信息
		// token传过来的密码,一定要跟验证信息传进去的密码一致,加密的密码一定要加密后传过来

		return new SimpleAuthenticationInfo(user, user.getPwd(), getName());

如果要设置权限,就在对应的Controllerf方法加上

@RequiresPermissions("/system/user/list")

再doGetAuthorizationInfo方法内写

//创建简单的授权信息对象
SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo();
//授予权限
simpleAuthorizationInfo.addStringPermission("/system/user/list");return simpleAuthorizationInfo;

当所有Controller都加了@RequiresPermissions注解后,如果访问到没有授权的Controller会报错。

相关文章