shiro的过滤,授权,认证
导包
<dependencies>
    <!-- MySQL JDBC driver; no version given here, so it is presumably managed by the parent POM (not shown) -->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <scope>runtime</scope>
    </dependency>
    <!-- Lombok (generates getters/setters for the POJOs) -->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
    </dependency>
    <!-- Druid connection pool -->
    <dependency>
        <groupId>com.alibaba</groupId>
        <artifactId>druid-spring-boot-starter</artifactId>
        <version>1.1.10</version>
    </dependency>
    <!-- JDBC -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <!-- log4j dependency.
         NOTE(review): Log4j 1.x is end-of-life and no longer receives security fixes;
         prefer the logging stack that ships with Spring Boot or a maintained replacement. -->
    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.12</version>
    </dependency>
    <!-- MyBatis -->
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>2.2.2</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-thymeleaf -->
    <!-- NOTE(review): this starter pins its own version while the other Spring Boot starters
         rely on the managed one; confirm that 2.6.2 matches the Spring Boot parent in use. -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
        <version>2.6.2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <!-- Apache Shiro integration for Spring.
         NOTE(review): 1.5.2 is an old release; later Shiro releases include fixes for
         authentication-bypass issues in URL path matching. Check the Apache Shiro security
         advisories and move to a currently supported version before using this outside a demo. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.5.2</version>
    </dependency>
</dependencies>
具体内容在代码注释中已写
ShiroConfig
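package com.Google.config;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Spring configuration that wires the three Shiro pieces together:
 * the realm ({@link UserRealm}), the security manager, and the web filter.
 *
 * <p>The beans are linked through {@code @Qualifier}; unless a name is given on
 * {@code @Bean}, the bean name defaults to the factory method name.
 */
@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro web filter and its URL-to-filter chain definitions.
     *
     * <p>Built-in filters used or mentioned here:
     * <ul>
     *   <li>{@code anon}  - accessible without authentication</li>
     *   <li>{@code authc} - the subject must be authenticated</li>
     *   <li>{@code user}  - the subject must be authenticated or remembered ("remember me")</li>
     *   <li>{@code perms} - the subject must hold the given permission</li>
     *   <li>{@code roles} - the subject must hold the given role</li>
     * </ul>
     *
     * @param getDefaultWebSecurityManager the security manager bean named {@code securityManager}
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager getDefaultWebSecurityManager) {
        ShiroFilterFactoryBean shiroBean = new ShiroFilterFactoryBean();
        // Attach the security manager.
        shiroBean.setSecurityManager(getDefaultWebSecurityManager);

        // Shiro evaluates chain definitions in iteration order and the FIRST matching
        // pattern wins. A plain HashMap gives no ordering guarantee, so "/user/*" could be
        // consulted before "/user/add" and the perms check would silently be skipped.
        // LinkedHashMap keeps insertion order, which makes the ordering below effective.
        Map<String, String> filterMap = new LinkedHashMap<>();

        // Specific, permission-protected paths first. The permission string is arbitrary,
        // but it must match what the realm grants in doGetAuthorizationInfo.
        filterMap.put("/user/add", "perms[add]");
        filterMap.put("/user/update", "perms[update]");

        // General authentication rule last; placing it before the perms entries would let
        // any authenticated user reach the permission-protected pages.
        // NOTE(review): in Ant-style patterns "*" matches a single path segment only, so
        // deeper paths such as /user/a/b are not covered by this entry, and paths that match
        // no entry at all are not filtered by Shiro. Consider "/user/**" and a final
        // deny-by-default catch-all once the public pages are listed explicitly as anon.
        filterMap.put("/user/*", "authc");

        shiroBean.setFilterChainDefinitionMap(filterMap);

        // Where unauthenticated requests are redirected.
        shiroBean.setLoginUrl("/toLogin");
        // Where authenticated-but-unauthorized requests are redirected.
        shiroBean.setUnauthorizedUrl("/unauthorized");
        return shiroBean;
    }

    /**
     * Creates the web security manager and registers the realm that supplies
     * authentication and authorization data.
     *
     * @param userRealm the realm bean named {@code userRealm}
     * @return the security manager, exposed under the bean name {@code securityManager}
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(
            @Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Creates the realm object; the bean name defaults to the method name, {@code userRealm}.
     *
     * @return a new {@link UserRealm}
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }
}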
UserRealm(这个是数据层,需要我们自己配,主要执行认证和授权)
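package com.Google.config;

import com.Google.pojo.userPojo;
import com.Google.service.UserServiceImpl;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * Custom realm: the data-access side of Shiro for this application. It looks users up
 * through {@link UserServiceImpl} and supplies Shiro with authentication data (who the
 * user is) and authorization data (which permissions the user holds).
 */
public class UserRealm extends AuthorizingRealm {

    @Autowired
    UserServiceImpl userService;

    /**
     * Authorization: returns the permissions of the user identified by the given principals.
     *
     * <p>Fails closed: if there is no usable principal, or the user has no permission
     * string, an empty {@link AuthorizationInfo} is returned so every perms check is denied.
     *
     * @param principalCollection the principals of the subject being authorized
     * @return the permissions granted to that subject (possibly none)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        // Use the principals Shiro passed in rather than the thread-bound Subject, so the
        // permissions always belong to the subject that is actually being checked.
        Object primary = principalCollection == null ? null : principalCollection.getPrimaryPrincipal();
        if (!(primary instanceof userPojo)) {
            return info;
        }
        userPojo currentUser = (userPojo) primary;

        // Grant only what is stored for this user. Adding a hard-coded permission here
        // would grant it to every user. A null or blank value is skipped because a null
        // permission string would make later permission checks throw instead of deny.
        String perms = currentUser.getPerms();
        if (perms != null && !perms.trim().isEmpty()) {
            info.addStringPermission(perms);
        }
        return info;
    }

    /**
     * Authentication: looks up the account named in the login token and hands the stored
     * credentials to Shiro, which performs the comparison itself.
     *
     * @param token the submitted login token; cast to {@link UsernamePasswordToken} here
     * @return the account data for Shiro to verify, or {@code null} if the user is unknown
     *         (Shiro then reports an {@link UnknownAccountException})
     * @throws AuthenticationException if authentication cannot be performed
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("执行了认证");
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        userPojo user = userService.getUserByName(userToken.getUsername());
        if (user == null) {
            // Unknown account: returning null lets Shiro raise UnknownAccountException.
            return null;
        }

        // Shiro compares the submitted password with the credentials given here.
        // NOTE(review): no CredentialsMatcher is configured on this realm, so presumably the
        // default equality matcher is used and getPwd() holds the password unhashed - confirm.
        // Store salted password hashes and configure a hashing CredentialsMatcher instead.
        // NOTE(review): the whole userPojo, including its pwd field, becomes the principal
        // kept with the session; consider a reduced principal without the credential.
        // The realm name is getName() rather than an empty string, so the principal is
        // attributed to this realm.
        return new SimpleAuthenticationInfo(user, user.getPwd(), getName());
    }
}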