1:配置pom.xml
1 <!--导入shiro包--> 2 <dependency> 3 <groupId>org.apache.shiro</groupId> 4 <artifactId>shiro-all</artifactId> 5 <version>1.4.0</version> 6 </dependency> 7 <!--导入shiro-spring--> 8 <dependency> 9 <groupId>org.apache.shiro</groupId> 10 <artifactId>shiro-spring</artifactId> 11 <version>1.4.0</version> 12 </dependency>
2:web.xml中的配置
1 <!-- shiro的过滤器(帮我们拦截请求)-》什么事情都不做 2 Delegating:授(权); 把(工作、权力等)委托(给下级); 选派(某人做某事) 3 Proxy:代理 -> 需要通过名称(shiroFilter)去找真正的过滤器 4 --> 5 <filter> 6 <filter-name>shiroFilter</filter-name> 7 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 8 <init-param> 9 <param-name>targetFilterLifecycle</param-name> 10 <param-value>true</param-value> 11 </init-param> 12 </filter> 13 <filter-mapping> 14 <filter-name>shiroFilter</filter-name> 15 <url-pattern>/*</url-pattern> 16 </filter-mapping>
3:配置applictionContest-shiro.xml
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation=" 5 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> 6 <!-- 7 Shiro的核心对象(权限管理器) 8 DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); 9 securityManager.setRealm(jpaRealm) 10 --> 11 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> 12 <property name="realm" ref="jpaRealm"/> 13 </bean> 14 <!-- 15 JpaRealm jpaRealm = new JpaRealm(); 16 配置咱们的自定义realm 17 --> 18 <bean id="jpaRealm" class="com.logo.aisell.web.shiro.JpaRealm"> 19 <!--Realm的名称--> 20 <property name="name" value="jpaRealm"/> 21 <property name="credentialsMatcher"> 22 <!-- 配置哈希密码匹配器 --> 23 <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> 24 <!--加密方式:MD5--> 25 <property name="hashAlgorithmName" value="MD5"/> 26 <!--迭代次数--> 27 <property name="hashIterations" value="10" /> 28 </bean> 29 </property> 30 </bean> 31 <!-- 这三个配置好,可以支持注解权限 --> 32 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> 33 <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" 34 depends-on="lifecycleBeanPostProcessor"/> 35 <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> 36 <property name="securityManager" ref="securityManager"/> 37 </bean> 38 <!-- 39 shiro真正的过滤器(功能就是它完成的) 40 这个bean的名称必需和web.xml里的的代理过滤器名字相同 41 --> 42 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 43 <!--必需要用到权限管理器--> 44 <property name="securityManager" ref="securityManager"/> 45 <!--如果你没有登录,你会进入这个页面--> 46 <property name="loginUrl" value="/login"/> 47 <!--登录成功后,进入的页面(一般没什么用)--> 48 <property name="successUrl" value="/main"/> 49 <!--如果你没有权限,你会进入这个页面--> 50 <property name="unauthorizedUrl" value="/s/unauthorized.jsp"/> 51 <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap" /> 52 <property name="filters"> 53 <map> 54 <entry key="aiSellPerms" value-ref="aiSellPermissionsAuthorizationFilter"></entry> 55 </map> 56 </property> 57 </bean> 58 59 <!--拿到shiroFilterMapFactory里面的createMap方法的值 --> 60 <bean id="filterChainDefinitionMap" factory-bean="shiroFilterMapFactory" factory-method="creatMap" /> 61 <bean id="shiroFilterMapFactory" class="com.logo.aisell.web.shiro.ShiroFilterMapFactory"/> 62 <!--配置我们的自定义权限过滤器--> 63 <bean id="aiSellPermissionsAuthorizationFilter" 64 class="com.logo.aisell.web.shiro.AiSellPremissiAuthorizationFilter"> 65 </bean> 66 </beans>
4:配置applictionContext.xml
<import resource="classpath:applicationContext-shiro.xml" />
5:准备自定义Realm 用于做身份认证和权限
1 public class JpaRealm extends AuthorizingRealm { 2 @Autowired 3 private IEmployeeService employeeService; 4 @Autowired 5 private IPermissionService permissionService; 6 7 @Override//授权 8 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 9 //拿到授权对象 10 SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); 11 //从数据库中获取权限并放且放到授权对象中 12 Set<String> permission = permissionService.findByLoginUser(); 13 authorizationInfo.setStringPermissions(permission); 14 return authorizationInfo; 15 } 16 @Override//身份认证 17 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 18 //拿到令牌(UsernamePasswordToken) 19 UsernamePasswordToken taken = (UsernamePasswordToken) authenticationToken; 20 //拿到用户名,判断这个用户是否存在 21 String username = taken.getUsername(); 22 //根据用户名从数据库中拿到用户对象 23 Employee employee = employeeService.findByUsername(username); 24 //如果没有拿到密码(没有通过用户名拿到相应的用户->用户不存在) 25 if(employee==null){ 26 return null; 27 } 28 //拿到咱们的盐值对象(ByteSource) 29 ByteSource source = ByteSource.Util.bytes("itsource"); 30 SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(username, employee.getPassword(), source, "JpaRealm"); 31 return authenticationInfo; 32 } 33 }
applictionContest-shiro.xml中的配置
<bean id="jpaRealm" class="com.logo.aisell.web.shiro.JpaRealm"> <!--Realm的名称--> <property name="name" value="jpaRealm"/> <property name="credentialsMatcher"> <!-- 配置哈希密码匹配器 --> <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <!--加密方式:MD5--> <property name="hashAlgorithmName" value="MD5"/> <!--迭代次数--> <property name="hashIterations" value="10" /> </bean> </property> </bean>
6:自定义过滤器用于过滤请求 修改过滤路径后需要重新启动服务器
public class ShiroFilterMapFactory { @Autowired private IPermissionService permissionService; public Map<String,String> creatMap(){ LinkedHashMap<String, String> map = new LinkedHashMap<>(); //anon:需要放行的路径 map.put("/login","anon"); map.put("/easyui/**","anon"); map.put("/images/**","anon"); map.put("/js/**","anon"); map.put("/s/**","anon"); map.put("*.js","anon"); //permissions:权限拦截 动态的从数据库中获取 map.put("*.css","anon"); List<Permission> permissions = permissionService.findAll(); permissions.forEach(p -> { map.put(p.getUrl(),"aiSellPerms["+p.getSn()+"]"); }); //authc:拦截 map.put("/**","authc"); return map; } }
applictionContext.shiro.xml中的配置
<property name="filters">
<map>
<entry key="aiSellPerms" value-ref="aiSellPermissionsAuthorizationFilter"></entry>
</map>
</property>
7:重写请求过滤器 shiro自带的请求过滤器会过滤掉AJax请求 重写过滤器 对AJax请求放行
1 public class AiSellPremissiAuthorizationFilter extends PermissionsAuthorizationFilter { 2 3 protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException { 4 Subject subject = this.getSubject(request, response); 5 //装换request response 6 7 if (subject.getPrincipal() == null) { 8 //没有登录的操作 9 this.saveRequestAndRedirectToLogin(request, response); 10 } else { 11 //登录成功后没有权限的操作 12 //1.转成http的请求与响应操作 13 HttpServletRequest httpRequest =(HttpServletRequest)request; 14 HttpServletResponse httpResponse=(HttpServletResponse)response; 15 ////2.根据请求确定是什么请求 16 String xRequestedWith = httpRequest.getHeader("X-Requested-With"); 17 if(xRequestedWith != null &&"XMLHttpRequest".equals(xRequestedWith)){ 18 //3.在这里就代表是ajax请求 19 //表示ajax请求 {"success":false,"message":"没有权限"} 20 httpResponse.setContentType("text/json; charset=UTF-8"); 21 httpResponse.getWriter().print("{\"success\":false,\"msg\":\"没有权限\"}"); 22 }else { 23 //普通请求的返回方式 24 String unauthorizedUrl = this.getUnauthorizedUrl(); 25 if (StringUtils.hasText(unauthorizedUrl)) { 26 WebUtils.issueRedirect(request, response, unauthorizedUrl); 27 } else { 28 WebUtils.toHttp(response).sendError(401); 29 } 30 } 31 32 } 33 34 return false; 35 } 36 }
applictionContext.shiro.xml中的配置
<!--配置我们的自定义权限过滤器-->
<bean id="aiSellPermissionsAuthorizationFilter"
class="com.logo.aisell.web.shiro.AiSellPremissiAuthorizationFilter">
</bean>
