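1. Introduction to Shiro
2. Understanding Subject
First, find the quickstart folder on GitHub and look at its Quickstart class.
```java
// Get the Subject that represents the current user
Subject currentUser = SecurityUtils.getSubject();
// Get the session bound to the current user
Session session = currentUser.getSession();
// Has the current user been authenticated?
currentUser.isAuthenticated();
// Get the principal (identity) of the current user
currentUser.getPrincipal();
// Does the current user have the given role?
currentUser.hasRole("schwartz");
// Does the current user hold the given permission?
currentUser.isPermitted("lightsaber:wield");
// Log out
currentUser.logout();
```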
3. Integrating Shiro with Spring Boot
Step 1: Add the dependency
```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.5.3</version>
</dependency>
```
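Step 2: Write the configuration class
The ShiroConfig class
```java
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // 3. The filter factory: wires the security manager into the servlet filter chain
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(defaultWebSecurityManager);
        return bean;
    }

    // 2. The security manager: delegates authentication and authorization to the realm
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(
            @Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    // 1. The custom realm (defined in step 3)
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }
}
```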
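Step 3: Write the Realm; the authentication method fetches the user's data from the database and compares it with the submitted credentials
The UserRealm class
```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class UserRealm extends AuthorizingRealm {

    // Authorization
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // Prints "authorization doGetAuthorizationInfo executed"
        System.out.println("执行了 授权doGetAuthorizationInfo");
        return null;
    }

    // Authentication
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Prints "authentication doGetAuthenticationInfo executed"
        System.out.println("执行了 认证doGetAuthenticationInfo");

        // Hard-coded demo values standing in for the user record read from the database
        String name = "root";
        String password = "123456";

        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        if (!userToken.getUsername().equals(name)) {
            // Returning null makes Shiro throw UnknownAccountException
            return null;
        }
        // Shiro itself compares the submitted password with the one passed here
        return new SimpleAuthenticationInfo("", password, "");
    }
}
```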
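Step 4: Use the Subject in the login endpoint
The login Controller
```java
// Handler method inside a Spring MVC @Controller class
@RequestMapping("/login")
public String login(String username, String password, Model model) {
    // Get the current user
    Subject subject = SecurityUtils.getSubject();
    // Wrap the submitted login data in a token
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);

    try {
        // Perform the login; this calls UserRealm.doGetAuthenticationInfo
        subject.login(token);
        return "index";
    } catch (UnknownAccountException e) {
        // Message text: "wrong username"
        model.addAttribute("msg", "用户名错误");
        return "login";
    } catch (IncorrectCredentialsException e) {
        // Message text: "wrong password"
        // Note: separate messages let a caller tell existing usernames from unknown ones
        model.addAttribute("msg", "密码错误");
        return "login";
    }
}
```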
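Of course, the above only completes authentication in Shiro; next we implement authorization (different identities).
In the filter method of the ShiroConfig class, the interception rules can be configured along the lines of the following code.
```java
// Requires java.util.Map and java.util.LinkedHashMap in ShiroConfig's imports
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(
        @Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    // Set the security manager
    bean.setSecurityManager(defaultWebSecurityManager);

    // Built-in filters used here:
    //   authc - the request must be authenticated
    //   perms - the user must hold the named permission
    // The first matching pattern wins, so the map must keep insertion order
    // and the more specific rule must come first.
    Map<String, String> filterMap = new LinkedHashMap<>();
    filterMap.put("/user/add", "perms[user:add]");
    // "/user/*" matches one path segment only; deeper paths need "/user/**"
    filterMap.put("/user/*", "authc");
    bean.setFilterChainDefinitionMap(filterMap);

    // Where unauthenticated requests are sent
    bean.setLoginUrl("/toLogin");
    // Where authenticated requests lacking the permission are sent
    bean.setUnauthorizedUrl("/toLogin");

    return bean;
}
```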
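In UserRealm, write the authorization method
```java
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    // Prints "authorization doGetAuthorizationInfo executed"
    System.out.println("执行了 授权doGetAuthorizationInfo");

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

    // Get the currently logged-in user object.
    // The cast only works if doGetAuthenticationInfo passed the User object as the
    // first argument (the principal) of SimpleAuthenticationInfo; with the "" used
    // in step 3 it would fail with a ClassCastException.
    Subject subject = SecurityUtils.getSubject();
    User user = (User) subject.getPrincipal();

    // Grant the permission string stored on the user record
    info.addStringPermission(user.getPerms());

    return info;
}
```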
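The two realm methods above fit together only when authentication hands the user object to Shiro as the principal. The following is an added example, not code from the original post: the class name DbUserRealm, the nested User type, the in-memory map standing in for the database, and the salt and iteration values are all assumptions made so the block is self-contained. It stores a salted hash instead of the plaintext password and lets Shiro's HashedCredentialsMatcher do the comparison.

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.*;

public class DbUserRealm extends AuthorizingRealm {
    private static final String ALG = "SHA-256";
    private static final int ITERATIONS = 1024; // assumed value for the example
    // Hypothetical user record; a real project maps this from its user table.
    public static class User {
        final String name, salt, passwordHash, perms;
        User(String name, String salt, String plain, String perms) {
            this.name = name; this.salt = salt; this.perms = perms;
            // Hash computed here only to keep the example self-contained;
            // a real table stores the hash written at registration time.
            this.passwordHash =
                new SimpleHash(ALG, plain, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        }
    }

    // Constructed sample data standing in for the database lookup.
    // The salt is a fixed sample value; use a random per-user salt in practice.
    private final Map<String, User> users = Collections.singletonMap(
        "root", new User("root", "sample-salt", "123456", "user:add"));
    public DbUserRealm() {
        // Shiro hashes the submitted password the same way before comparing.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALG);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        User user = users.get(((UsernamePasswordToken) token).getUsername());
        if (user == null) return null; // Shiro throws UnknownAccountException
        // The User object is the principal, so authorization can read it back.
        return new SimpleAuthenticationInfo(user, user.passwordHash,
                ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user.perms != null) info.addStringPermission(user.perms);
        return info;
    }
}
```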
I will add the SpringBoot+Shiro+jwt+Redis integration method later~