引言
本文继续沿用上几篇博客的基础,在此之上整合Shiro,实现权限管理,具体环境搭建,请参考我之前的博客,在这里不做赘述。
(1)SpringBoot入门,快速搭建简单Web应用环境
(2)SpringBoot入门,整合Mybatis并使用Mybatis-Generator自动生成所需代码
(3)Spring Boot入门,整合Pagehelper分页插件
(4)SpringBoot入门,整合Redis实现缓存
1.引入Shrio依赖
pom文件下添加shiro依赖
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>2.配置shiro
在工程目录下新建一个config包用来存放Shrio配置类,新建一个ShiroConfig.java和CustomRealm.java两个类,具体代码如下:
package com.example.config.shiro;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager){
ShiroFilterFactoryBean shiroBean = new ShiroFilterFactoryBean();
//必须设置SecurityManager
shiroBean.setSecurityManager(securityManager);
//设置登录界面的url
shiroBean.setLoginUrl("/backend/");
//设置登录成功后跳转的url
shiroBean.setSuccessUrl("/backend/home");
//设置无权限时跳转的url
shiroBean.setUnauthorizedUrl("/backend/");
//拦截器
Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
//可以直接访问的连接,不拦截
filterChainDefinitionMap.put("/backend/","anon");
filterChainDefinitionMap.put("/backend/login","anon");
filterChainDefinitionMap.put("/css/**","anon");
filterChainDefinitionMap.put("/js/**","anon");
filterChainDefinitionMap.put("/img/**","anon");
filterChainDefinitionMap.put("/frontend/**","anon");
//退出过滤器,shiro帮我们实现
filterChainDefinitionMap.put("/logout","logout");
//其余接口一律拦截,需要认证
filterChainDefinitionMap.put("/backend/**","authc");
shiroBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroBean;
}
@Bean
public SecurityManager securityManager(CustomRealm customRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(customRealm);
return securityManager;
}
@Bean
public CustomRealm customRealm(){
CustomRealm customRealm = new CustomRealm();
return customRealm;
}
}注意:上面的拦截地址需要自己根据实际情况手动配置,我这里只是根据我的项目进行的简单配置,权限设置的顺序应从上到下,由小到大。
shiro常用认证参数如下,具体其他参数,请查阅官方文档。
anno | 不需要认证就可直接访问 |
authc | 认证后才可访问 |
roles | 拥有某角色后才可以使用 |
logout | shiro帮我们实现的退出 |
package com.example.config.shiro;
import com.example.bean.Manager;
import com.example.bean.User;
import com.example.dao.ManagerMapper;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
public class CustomRealm extends AuthorizingRealm {
@Autowired
private ManagerMapper managerMapper;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
String username = token.getUsername();
Manager manager = managerMapper.findManagerByName(username);
if(manager == null){
throw new AuthenticationException("用户名不存在!");
}
AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(token.getPrincipal(),manager.getPassword(),this.getName());
super.clearCachedAuthenticationInfo(authcInfo.getPrincipals());
SecurityUtils.getSubject().getSession().setAttribute("manager",manager);
return authcInfo ;
}
}这里我们自定义处理登陆认证。ManagerMapper使我们自定义的一张登陆表,属性如下,创建完后使用mybatis-generator逆向工程生成就可以了。
manager表属性
id | int |
username | varchar |
password | varchar |
3.测试
新建LoginController类,并处理登陆/退出请求
package com.example.controller;
import com.example.bean.Manager;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Controller
@RequestMapping("/backend")
public class LoginController {
@PostMapping("/login")
public String login(Model model, Manager manager, HttpServletResponse response){
if (manager==null){
return "backend/index";
}
String username = manager.getUsername();
String password = manager.getPassword();
UsernamePasswordToken token = new UsernamePasswordToken(username,password,false);
Subject subject = SecurityUtils.getSubject();
try {
subject.login(token);
} catch(IncorrectCredentialsException e){
model.addAttribute("errPassword", "密码错误!");
return "backend/index";
} catch (AuthenticationException e){
model.addAttribute("errAccount",e.getMessage());
return "backend/index";
}
try {
response.sendRedirect("/backend/home");
return null;
} catch (IOException e) {
return "backend/main/index";
}
}
@GetMapping("/logout")
public String logout(HttpServletResponse response){
try {
SecurityUtils.getSubject().logout();
}catch (Exception e){
System.out.println(e.getMessage());
}
try {
response.sendRedirect("/backend/home");
return null;
} catch (IOException e) {
return "backend/index";
}
}
}前端页面这里就不上代码了自行解决。之后我们就可以进行试验,如果输入的网页地址是登陆界面,不需要认证,那么我们就可以直接访问,而输入其他地址时,因需要认证操作,所以无法访问被拒接,跳转到我们预先设置好的登陆界面。登陆成功后跳转到home界面,由于在CustomRealm 中认证成功后我们将登陆信息放在了session中,因此我们可以在home界面中获取到登陆用户的信息。最后在home界面内添加退出的连接,调用controller中的logout方法,实现退出后跳转到登陆界面。
至此,springboot整合shiro就完成了,可能说的比较简短,但是核心的代码我基本已经给全,剩下少量操作需要你自己完成。如果有什么问题,可以跟我联系。欢迎大家批评指正,一起学习,一起进步。
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
