Shiro总结

在pom.xml文件中介入响应的shiro依赖

<!--shiro与spring的整合依赖-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>

配置ShiroConfig类

package com.xa.wx_program.shiro;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.Query;

import java.util.LinkedHashMap;
import java.util.Map;

/**
* shiro的配置类
*/
@Configuration
public class ShiroConfig {
/**
* 创建ShiroFilterFactoryBean
*/
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);

//添加一个shiro内置过滤器
/**
* shiro内置过滤器,可以实现权限相关的拦截器
*  常用的过滤器:
*          anon: 无需认证(登录)可以访问
*          authc:必须认证才可以访问
*          user:如果使用rememberMe的功能可以直接访问
*          perms:该资源必须得到资源权限才可以访问
*          role:该资源必须得到角色权限才可以访问
*/

Map<String,String> filterMap = new LinkedHashMap<String,String>();
/*filterMap.put("/add","authc");
filterMap.put("/update","authc");*/

filterMap.put("/checkLogin","anon");

//授权过滤器
//注意:当前授权拦截后,shiro会自动跳转到未授权页面
filterMap.put("/add","perms[user:add]");
filterMap.put("/update","perms[user:update]");
filterMap.put("/*","authc");
//修改调整的登录页面
shiroFilterFactoryBean.setLoginUrl("/login");
//设置未授权提示页面
shiroFilterFactoryBean.setUnauthorizedUrl("/noAuth");

shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);

return shiroFilterFactoryBean;
}

/**
* 创建DefaultWebSecurityManager
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
//关联realm
defaultWebSecurityManager.setRealm(userRealm);
return defaultWebSecurityManager;
}

/**
* 创建Realm
*/
@Bean(name = "userRealm")
public UserRealm getRealm(){
return new UserRealm();
}
}

里面需要注意的有:
1.@Bean注解必须有,要把组件放入spring容器中
2.在进行shiroFilterFactory.setFilterChainDefinitionMap(filterMap)的方式时传入的map进行url的拦截与放行,anon必须放在authc之前(前提是authc的url具有覆盖anon的url)
3.@Configuration注解必须要有

配置UserRealm

package com.xa.wx_program.shiro;

import com.xa.wx_program.pojo.User;
import com.xa.wx_program.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

/**
* 自定义Realm
*/
public class UserRealm extends AuthorizingRealm {

@Autowired
private UserService userService;

/**
*
1b024
执行授权逻辑
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行授权逻辑");

//给资源进行授权
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

//添加资源的授权字符串
//info.addStringPermission("user:add");

//到数据库查询当前登录用户的授权字符串
//获得当前登录用户
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getPrincipal();

User dbUser = userService.findById(user.getId());

info.addStringPermission(dbUser.getPerms());

return info;
}

/**
* 执行认证逻辑
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行认证逻辑");

UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;

User user  = userService.checkLogin(usernamePasswordToken.getUsername());
if(user == null){
//用户不存在
return null;//shiro会返回UnknowAccountException
}
//判断密码
//使用SimpleAuthentication的构造方法,三个参数分别为principal   credentials   realmName   将从数据库中得到的密码赋给credentials
// ,该对象将自动进行判断密码是否与该从数据库中获得的密码相同
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(user,user.getPassword(),"");

//返回的AuthenticationInfo   ,但是该AuthenticationInfo是接口,所以需要返回实现该接口的对象即SimpleAuthenticationInfo
return simpleAuthenticationInfo;
}
}

在realm中编写储存认证和授权代码
注意:
1.SimplaAuthenticationInfo()方法中三个变量分别为Object principal, Object credentials, String realmName
其中principal可以通过上面的
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getPrincipal();来获得 realmName

@RequestMapping("/checkLogin")
public String login(@RequestParam("username")String username, @RequestParam("password")String password, Model model){

/**
* 使用shiro编写认证操作
*/
//1.获取subject
Subject subject = SecurityUtils.getSubject();

//2.封装用户数据
UsernamePasswordToken token = new UsernamePasswordToken(username,password);

//3.执行登录方法
try {
subject.login(token);
//登录成功
return "/main";
}catch (UnknownAccountException e){
//登录失败:代表用户名不存在
model.addAttribute("msg","用户名不存在");
return "/login";
}catch (IncorrectCredentialsException e){
//登录失败:密码错误
model.addAttribute("msg","密码错误");
return "/login";
}
}

springmvc接收数据进行登录验证

thymeleaf对shiro的扩展坐标

加入thymeleaf整合shiro标签的依赖

<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>

在ShiroConfig中加入一个组件

/**
* 配置ShiroDialect,用户thymeleaf和shiro标签配合使用
*/
@Bean
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}

页面中的标签语法

<div shiro:hasPermission="user:add">
进入用户添加功能: <a th:href="@{/add}">用户添加</a>
</div>
<div shiro:haspermission="user:update">
进入用户更新功能: <a th:href="@{/update}">用户更新</a>
</div>

可以在标签中加入shiro:haspermission=""来进行判断是否有权限
如果没有权限就不显示标签中的内容
反之则显示