Spring Boot study notes: integrating Shiro with Spring Boot
2020-06-29 04:31
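1. Setting up the environment
Required dependency for integrating Shiro with Spring Boot:
```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.3.2</version>
</dependency>
```
Create the configuration class ShiroConfig.java
Everything below goes in ShiroConfig.java.
Note: ShiroConfig.java is annotated with @Configuration.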
- Shiro filter configuration
```java
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean shiroFilter() {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
    shiroFilterFactoryBean.setSecurityManager(securityManager());
    shiroFilterFactoryBean.setLoginUrl("/login");
    shiroFilterFactoryBean.setUnauthorizedUrl("/notRole");
    // LinkedHashMap keeps insertion order; the rules are evaluated in that order
    Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
    // authc: the URL can only be accessed after authentication; anon: the URL can be accessed anonymously
    filterChainDefinitionMap.put("/webjars/**", "anon");
    filterChainDefinitionMap.put("/login", "anon");
    filterChainDefinitionMap.put("/admin/**", "authc");
    filterChainDefinitionMap.put("/user/**", "authc");
    // Note: this line must come after all other rules, otherwise every URL is intercepted.
    // Everything not matched above requires authentication.
    filterChainDefinitionMap.put("/**", "authc");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    return shiroFilterFactoryBean;
}
```
- Create the SecurityManager
```java
@Bean
public DefaultWebSecurityManager securityManager() {
    DefaultWebSecurityManager defaultSecurityManager = new DefaultWebSecurityManager();
    // Hand the custom realm to the SecurityManager
    defaultSecurityManager.setRealm(customRealm());
    return defaultSecurityManager;
}
```
- Create the custom realm
```java
@Bean
public CustomRealm customRealm() {
    CustomRealm customRealm = new CustomRealm();
    // Credentials matcher used to verify passwords
    customRealm.setCredentialsMatcher(hashedCredentialsMatcher());
    return customRealm;
}
```
- Credentials matcher (password hashing) configuration
```java
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
    // Hashing support that ships with Shiro
    HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
    // Hash algorithm: md5
    credentialsMatcher.setHashAlgorithmName("md5");
    // Number of hash iterations; 2 means md5 is applied twice
    credentialsMatcher.setHashIterations(2);
    // Whether the stored credentials are hex-encoded
    credentialsMatcher.setStoredCredentialsHexEncoded(true);
    return credentialsMatcher;
}
```
- Use the Thymeleaf Shiro tags
```java
@Bean(name = "shiroDialect")
public ShiroDialect shiroDialect() {
    return new ShiroDialect();
}
```
- Enable Shiro annotations. Import the dependency (thymeleaf-extras-shiro, the artifact that provides the ShiroDialect class):
```xml
<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>2.0.0</version>
</dependency>
```
```java
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(SecurityManager securityManager) {
    AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
    authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
    return authorizationAttributeSourceAdvisor;
}
```
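The ordering rule in the filter configuration (the `/**` entry must be last) follows from first-match-wins evaluation over the LinkedHashMap. The class below is an added example, not code from the original post: it replays that rule with Shiro's own `AntPathMatcher` and lints a chain map for entries that can never be reached. `FilterChainOrderCheck`, `resolve` and `shadowed` are hypothetical names, and the second map is a constructed mistake.

```java
import org.apache.shiro.util.AntPathMatcher;
import java.util.*;

public class FilterChainOrderCheck {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // First pattern that matches wins, scanning in insertion order.
    static String resolve(Map<String, String> chains, String path) {
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (MATCHER.match(e.getKey(), path)) return e.getValue();
        }
        return "(none)";
    }

    // Heuristic lint: a rule is shadowed when an earlier pattern already matches it
    // (the later pattern is treated as a path), so it is never consulted.
    static List<String> shadowed(Map<String, String> chains) {
        List<String> seen = new ArrayList<>();
        List<String> result = new ArrayList<>();
        for (String pattern : chains.keySet()) {
            for (String earlier : seen) {
                if (MATCHER.match(earlier, pattern)) {
                    result.add(pattern + " (hidden by " + earlier + ")");
                    break;
                }
            }
            seen.add(pattern);
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> asOnPage = new LinkedHashMap<>(); // order used in ShiroConfig
        asOnPage.put("/webjars/**", "anon");
        asOnPage.put("/login", "anon");
        asOnPage.put("/admin/**", "authc");
        asOnPage.put("/**", "authc");

        Map<String, String> wrong = new LinkedHashMap<>(); // constructed: catch-all first
        wrong.put("/**", "authc");
        wrong.put("/webjars/**", "anon");
        wrong.put("/login", "anon");

        for (String path : new String[] {"/login", "/webjars/a.js", "/admin/users"}) {
            System.out.printf("%-14s page=%-6s wrong=%s%n",
                    path, resolve(asOnPage, path), resolve(wrong, path));
        }
        System.out.println("shadowed (page):  " + shadowed(asOnPage));
        System.out.println("shadowed (wrong): " + shadowed(wrong));
    }
}
```

The same lint also catches the opposite ordering mistake, where a broad `anon` pattern placed early hides a narrower `authc` rule and leaves it unenforced.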
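Create the custom realm
```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;

// User, Role, Function, ActiveUser and UserService are the application's own classes.
public class CustomRealm extends AuthorizingRealm {

    @Autowired
    UserService userService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        ActiveUser activeUser = (ActiveUser) principalCollection.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Set the roles
        info.addRoles(activeUser.getRoles());
        // Set the permissions
        info.addStringPermissions(activeUser.getFunctions());
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        String userName = (String) authenticationToken.getPrincipal();
        // ---- application-specific lookup starts here ----
        // Look the user up in the database by user name
        User user = userService.findUsers(userName);
        // Role list
        List<String> user_roles = new ArrayList<String>();
        // Permission list
        List<String> function_roles = new ArrayList<String>();
        ActiveUser activeUser = null;
        if (null != user) {
            List<Role> roles = user.getRoleList();
            // Collect the user's roles and the permissions of each role
            for (int i = 0; i < roles.size(); i++) {
                Role role = roles.get(i);
                user_roles.add(role.getRole_name());
                List<Function> functions = role.getFunctionList();
                for (int j = 0; j < functions.size(); j++) {
                    Function function = functions.get(j);
                    function_roles.add(function.getPermission());
                }
            }
            activeUser = new ActiveUser(user, user_roles, function_roles);
            // ---- application-specific lookup ends here ----
            // The stored hash and salt are compared by the HashedCredentialsMatcher
            ByteSource salt = ByteSource.Util.bytes(user.getSalt());
            return new SimpleAuthenticationInfo(activeUser, user.getPassword(), salt, getName());
        } else {
            // Message text: "incorrect user name"
            throw new AccountException("用户名不正确");
        }
    }
}
```
For the background to this section, refer to the "Shiro getting started" notes.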
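The realm hands the stored hash and salt to the HashedCredentialsMatcher, so the code that creates an account must hash with exactly the same algorithm, salt handling and iteration count. The class below is an added example, not code from the original post: it produces a stored value that the md5/2 matcher accepts, shows the mismatch when the settings disagree, and runs the same flow with SHA-256 and a higher iteration count, since two rounds of md5 are cheap to brute-force offline. `PasswordHashDemo`, the `alice` account, the sample password, the 100,000 iteration count and a String-typed salt are assumptions.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {

    // Registration side: produce the hex value to store in the password column.
    static String hash(String algorithm, String password, String salt, int iterations) {
        // ByteSource.Util.bytes(String) mirrors what CustomRealm does with user.getSalt()
        return new SimpleHash(algorithm, password, ByteSource.Util.bytes(salt), iterations).toHex();
    }

    // Login side: the comparison the realm's credentials matcher performs.
    static boolean verify(String algorithm, int iterations, String typed, String storedHex, String salt) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(algorithm);
        matcher.setHashIterations(iterations);
        matcher.setStoredCredentialsHexEncoded(true);
        UsernamePasswordToken token = new UsernamePasswordToken("alice", typed);
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                "alice", storedHex, ByteSource.Util.bytes(salt), "demoRealm");
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        // Per-user random salt, stored next to the hash
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String password = "correct horse battery"; // constructed sample value

        // Settings from the page: md5, two iterations
        String md5Stored = hash("md5", password, salt, 2);
        System.out.println("md5 x2, matching settings:  " + verify("md5", 2, password, md5Stored, salt));
        System.out.println("md5 x2, matcher set to x1:  " + verify("md5", 1, password, md5Stored, salt));
        System.out.println("md5 x2, wrong password:     " + verify("md5", 2, "guess", md5Stored, salt));

        // Assumed stronger setting: SHA-256 with many iterations, same code path
        String shaStored = hash("SHA-256", password, salt, 100_000);
        System.out.println("SHA-256 x100000:            " + verify("SHA-256", 100_000, password, shaStored, salt));
    }
}
```

Changing the algorithm or iteration count in ShiroConfig invalidates every hash stored under the old settings, so existing accounts need to be re-hashed at their next successful login or have their passwords reset.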
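Common Shiro tags in Thymeleaf
- Import the Shiro tag namespace
```html
<html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
```
- Checks whether the current user is a "guest", i.e. a user who is not authenticated (and not remembered either)
```html
<p shiro:guest="">Please <a href="login.html">login</a></p>
```
- A user who is authenticated or remembered
```html
<p shiro:user="">
    Welcome back John! Not John? Click <a href="login.html">here</a> to login.
</p>
```
- A user who has authenticated. Remembered users are not included, which is the difference from the user tag
```html
<p shiro:authenticated="">
    Hello, <span shiro:principal=""></span>, how are you today?
</p>
<a shiro:authenticated="" href="updateAccount.html">Update your contact information</a>
```
- Outputs the current user's information, usually the login account
```html
<p>Hello, <shiro:principal/>, how are you today?</p>
```
- A user who has not authenticated; the counterpart of the authenticated tag. Unlike the guest tag, this one includes remembered users
```html
<p shiro:notAuthenticated="">
    Please <a href="login.html">login</a> in order to update your credit card information.
</p>
```
- Checks whether the current user has the given role
```html
<a shiro:hasRole="admin" href="admin.html">Administer the system</a>
```
The a tag is displayed only when the user has this role.
- The opposite of hasRole: the check passes when the user does not have the role
```html
<p shiro:lacksRole="developer"><!-- does not have the role -->
    Sorry, you are not allowed to developer the system.
</p>
```
- Checks whether the current user has all of the following roles
```html
<p shiro:hasAllRoles="developer, admin"><!-- roles combined with AND -->
    You are a developer and a admin.
</p>
```
- Checks whether the current user has any one of the following roles
```html
<p shiro:hasAnyRoles="admin, vip, developer"><!-- roles combined with OR -->
    You are a admin, vip, or developer.
</p>
```
- Checks whether the current user has the specified permission
```html
<a shiro:hasPermission="userInfo:add" href="createUser.html">添加用户</a>
```
- The opposite of hasPermission: the check passes when the current user does not have the specified permission
```html
<p shiro:lacksPermission="userInfo:del"><!-- does not have the permission -->
    Sorry, you are not allowed to delete user accounts.
</p>
```
- Checks whether the current user has all of the following permissions
```html
<p shiro:hasAllPermissions="userInfo:view, userInfo:add"><!-- permissions combined with AND -->
    You can see or add users.
</p>
```
- Checks whether the current user has any one of the following permissions
```html
<p shiro:hasAnyPermissions="userInfo:view, userInfo:del"><!-- permissions combined with OR -->
    You can see or delete users.
</p>
```
This section is based on "Common Shiro tags in Thymeleaf".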
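Usage
```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class UserController {

    // With GET the credentials travel in the query string, which ends up in
    // access logs and browser history; a POST form keeps them out of the URL.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@RequestParam("username") String username,
                        @RequestParam("password") String password) {
        // Get the current subject from SecurityUtils
        Subject subject = SecurityUtils.getSubject();
        // Prepare the token before submitting it for authentication
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        // Perform the login
        try {
            subject.login(token);
        } catch (AuthenticationException ae) {
            return "error";
        } // several catch blocks can be used to distinguish the failure cases
        if (subject.isAuthenticated()) {
            return "redirect:/index";
        } else {
            token.clear();
            return "error";
        }
    }
}
```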