<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.9.0</version>
</dependency>
配置文件
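public class MyRealm extends AuthorizingRealm{
    @Autowired
    private UserService userService;

    /**
     * Looks up the account for the submitted principal and hands Shiro the stored
     * (already hashed) credentials so the configured CredentialsMatcher can compare them.
     *
     * @param authenticationToken the login token; its principal is used as the user name
     * @return the account info for the matcher, or {@code null} when no such user exists
     *         (Shiro then treats the login as an unknown account instead of a bad password)
     */
    @Override
    public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken){
        String name = authenticationToken.getPrincipal().toString();
        User user = userService.getUserInfoByName(name);
        if(user==null){
            return null;
        }
        // The salt must be exactly the bytes that were appended when the stored hash was
        // produced. A single constant salt shared by every account, as here, gives up most of
        // the benefit of salting; a per-user random salt stored next to the hash is the usual fix.
        ByteSource salt = ByteSource.Util.bytes("salt值");
        // The fourth argument is the realm name, not the principal: use this realm's own name.
        return new SimpleAuthenticationInfo(authenticationToken.getPrincipal(), user.getPwd(), salt, getName());
    }
}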
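@Configuration
public class ShiroConfig {
    @Autowired
    private MyRealm myRealm;

    /**
     * Builds the SecurityManager: configures how a submitted password is hashed and compared
     * with the stored hash, then registers the realm.
     *
     * @return the web security manager wired to {@code myRealm}
     */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(){
        DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
        // The matcher hashes the submitted password with these settings and compares the
        // result with the stored hash, so algorithm and iteration count must be the ones
        // used when the stored hashes were created.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        // NOTE(review): MD5 with 3 iterations is cheap to brute-force offline; it is kept only
        // because the stored hashes in this example were made that way. A new deployment should
        // store passwords with a slow, salted scheme and set the matching algorithm name here.
        matcher.setHashAlgorithmName("md5");
        matcher.setHashIterations(3);
        myRealm.setCredentialsMatcher(matcher);
        dwsm.setRealm(myRealm);
        return dwsm;
    }

    /**
     * Declares which URL patterns Shiro's built-in filters apply to.
     * Patterns are consulted in the order they were added and the first match wins; adding
     * the same pattern twice replaces its earlier filter. Specific paths therefore have to be
     * listed before the catch-all pattern.
     *
     * @return the filter chain definition
     */
    @Bean
    public DefaultShiroFilterChainDefinition shiroFilterChainDefinition(){
        DefaultShiroFilterChainDefinition definition = new DefaultShiroFilterChainDefinition();
        // "anon": reachable without authentication.
        definition.addPathDefinition("/myController/userLogin","anon");
        definition.addPathDefinition("/login","anon");
        // "logout": must precede the catch-all, otherwise "/**" matches first and logout never runs.
        definition.addPathDefinition("/logout","logout");
        // "user": a known user, including one identified only by a rememberMe cookie.
        // Use "authc" instead where a real login (not just rememberMe) must be required.
        definition.addPathDefinition("/**","user");
        return definition;
    }
}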
addPathDefinition() 方法的第二个参数是拦截器链中的一个过滤器(Filter),它将应用于与指定路径匹配的所有请求。
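/**
 * Attempts to log the current subject in with the given credentials.
 *
 * @param name the user name
 * @param passwd the plain-text password
 * @param rememberMe whether Shiro should issue a rememberMe cookie on success
 * @return a fixed success or failure message; the failure message is deliberately generic so
 *         a caller cannot tell an unknown user from a wrong password
 */
public String login(String name,String passwd,boolean rememberMe){
    Subject subject = SecurityUtils.getSubject();
    AuthenticationToken token = new UsernamePasswordToken(name,passwd,rememberMe);
    try{
        subject.login(token);
        return "登陆成功";
    }catch(AuthenticationException e){
        // The reason for the failure goes to stderr only, never into the response body.
        e.printStackTrace();
        return "登陆失败";
    }
}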
实现:
在ShiroConfig类配置SecurityManager时,
// Excerpt from the body of defaultWebSecurityManager(): dwsm and myRealm2 are declared
// outside this fragment.
ModularRealmAuthenticator modularRealmAuthenticator = new ModularRealmAuthenticator();
// AllSuccessfulStrategy: every configured realm must accept the token for the login to
// succeed, so an account has to be known to both realms (Shiro's default strategy only
// needs one realm to succeed).
modularRealmAuthenticator.setAuthenticationStrategy(new AllSuccessfulStrategy());
dwsm.setAuthenticator(modularRealmAuthenticator);
// Register both realms; setRealms replaces whatever was set earlier via setRealm.
List<Realm> list = new ArrayList<>();
list.add(myRealm);
list.add(myRealm2);
dwsm.setRealms(list);
return dwsm;
配置类ShiroConfig中配置
// Add inside defaultWebSecurityManager(): installs the cookie-based rememberMe manager
// (dwsm is the DefaultWebSecurityManager built in that method).
dwsm.setRememberMeManager(rememberMeManager());
//cookie 属性设置
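/**
 * Defines the rememberMe cookie.
 *
 * @return a cookie named {@code rememberMe}, scoped to the whole site, valid for 30 days and
 *         hidden from client-side script
 */
public SimpleCookie rememberMeCookie(){
    SimpleCookie cookie = new SimpleCookie("rememberMe");
    // Site-wide path; setDomain(...) is only needed to share the cookie across sub-domains.
    cookie.setPath("/");
    // HttpOnly keeps the cookie out of reach of document.cookie.
    cookie.setHttpOnly(true);
    // NOTE(review): nothing here sets the Secure flag, so the cookie is also sent over plain
    // HTTP; set it once the site is served over HTTPS.
    cookie.setMaxAge(30*24*60*60);
    return cookie;
}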
//创建Shiro的cookie管理对象
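/**
 * Builds the manager that serialises the subject's identity into the rememberMe cookie.
 *
 * The cipher key is what protects that cookie: anyone holding the key can produce a valid
 * rememberMe cookie. It belongs in protected configuration rather than in source, and it
 * must be a valid AES key of 16, 24 or 32 bytes.
 *
 * @return the configured rememberMe manager
 * @throws IllegalStateException if the key length is not 16, 24 or 32 bytes, so that the
 *         misconfiguration shows up at startup instead of at the first rememberMe login
 */
public CookieRememberMeManager rememberMeManager(){
    CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
    cookieRememberMeManager.setCookie(rememberMeCookie());
    // Explicit charset: plain getBytes() depends on the platform encoding, so the key would
    // differ from machine to machine.
    // NOTE(review): this literal is only a stand-in and is much longer than 16 bytes in UTF-8;
    // replace it with a key loaded from protected configuration.
    byte[] cipherKey = "RememberMe的16位的Key的Cookie数据加密密钥".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    int keyLength = cipherKey.length;
    if (keyLength != 16 && keyLength != 24 && keyLength != 32) {
        // Message reports the length only, never the key material.
        throw new IllegalStateException("rememberMe cipher key must be 16, 24 or 32 bytes, got " + keyLength);
    }
    cookieRememberMeManager.setCipherKey(cipherKey);
    return cookieRememberMeManager;
}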
在配置类ShiroConfig中的过滤器配置方法shiroFilterChainDefinition()中添加配置
// Logout filter: ends the subject's session and clears its rememberMe state. Add it before
// the "/**" entry, because a catch-all listed earlier would match "/logout" first.
definition.addPathDefinition("/logout","logout");
获取当前登录用户的角色、权限信息,返回给shiro用来进行授权认证
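public class MyRealm extends AuthorizingRealm{
    @Autowired
    private UserService userService;

    /**
     * Loads the roles and permissions of the user being authorized so Shiro can answer
     * hasRole/isPermitted checks and enforce its authorization annotations.
     *
     * @param principalCollection the principals of the subject being authorized
     * @return the subject's roles and string permissions
     */
    @Override
    public SimpleAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection){
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // The primary principal is the identity stored at login (the user name).
        String principal = principalCollection.getPrimaryPrincipal().toString();
        List<String> roles = userService.getUserRoleInfo(principal);
        // Permissions are derived from the roles, not looked up per user.
        List<String> permissions = userService.getUserPermissionInfo(roles);
        info.addRoles(roles);
        info.addStringPermissions(permissions);
        return info;
    }
}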
注解可以添加在类、方法、字段上,一般在Controller方法上
@SpringBootApplication
@EnableAspectJAutoProxy
@EnableWebMvc
public class Application {

    /** Boots the Spring application. */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    /**
     * Enables Shiro's authorization annotations (typically placed on controller methods) by
     * registering the advisor that checks them against the given security manager.
     *
     * @param securityManager the security manager the advisor consults
     * @return the configured advisor bean
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
        final AuthorizationAttributeSourceAdvisor shiroAdvisor = new AuthorizationAttributeSourceAdvisor();
        shiroAdvisor.setSecurityManager(securityManager);
        return shiroAdvisor;
    }
}
/**
 * Turns Shiro authorization failures into fixed response bodies so that no detail about the
 * missing role or permission reaches the client.
 * NOTE(review): nothing here sets a response status, so these replies carry the default
 * status rather than a 403; clients must inspect the body to detect the failure.
 */
@ControllerAdvice
public class PermissionsException{

    /**
     * Handles a failed role/permission check.
     *
     * @param ex the rejected check
     * @return the fixed response body
     */
    @ExceptionHandler(UnauthorizedException.class)
    @ResponseBody
    public String unauthorizedException(Exception ex){
        return "无权限";
    }

    /**
     * Handles any other Shiro authorization failure.
     *
     * @param ex the authorization failure
     * @return the fixed response body
     */
    @ExceptionHandler(AuthorizationException.class)
    @ResponseBody
    public String authorizationException(Exception ex){
        return "权限认证失败";
    }
}