shiro简单使用
1、导入依赖
<!-- Apache Shiro starter for Spring Boot web applications. -->
<!-- NOTE(review): the version is pinned to 1.9.1. Before reusing this snippet, check the
     Apache Shiro security reports for fixes released after that version and pin a
     currently maintained release. TODO confirm against the project's own upgrade policy. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-web-starter</artifactId>
    <version>1.9.1</version>
</dependency>
2、建立配置类
ShiroConfig:
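package cn.laoyao.config;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Spring configuration that wires Apache Shiro into the web application:
 * the realm, the security manager that uses it, and the filter factory that
 * maps URL patterns to Shiro's built-in filters.
 */
@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro filter factory and registers the URL-to-filter rules.
     *
     * <p>Built-in filter names used in the chain definitions:
     * <ul>
     *   <li>{@code anon}  - no authentication required</li>
     *   <li>{@code authc} - the subject must be authenticated in this session</li>
     *   <li>{@code user}  - the subject must be known, i.e. authenticated or
     *       recognised through remember-me</li>
     *   <li>{@code perms} - the subject must hold the listed permission(s)</li>
     *   <li>{@code roles} - the subject must hold the listed role(s)</li>
     * </ul>
     *
     * @param defaultWebSecurityManager the security manager the filters delegate to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(@Autowired DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // Attach the security manager.
        shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);

        // Insertion order matters: Shiro applies the first pattern that matches a request,
        // which is why a LinkedHashMap is used and the more specific rule is added first.
        Map<String, String> filterMap = new LinkedHashMap<>();

        // Permission rule: must come before the broader authc rule below, otherwise the
        // authc rule would match first and the permission check would never run.
        filterMap.put("/user/add", "perms[user:add]");

        // Authentication rule for everything under /user/.
        // "/user/**" is used instead of "/user/*": a single "*" only matches one path
        // segment, so a nested path such as /user/a/b would otherwise match no rule.
        filterMap.put("/user/**", "authc");

        // NOTE(review): requests that match no entry are not checked by Shiro at all
        // (default-open). As more endpoints are added, prefer listing the public paths
        // as "anon" and ending the map with a catch-all "/**" -> "authc" entry.
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);

        // Unauthenticated requests to protected paths are redirected here.
        shiroFilterFactoryBean.setLoginUrl("/toLogin");
        // Authenticated requests that fail a permission check are redirected here.
        shiroFilterFactoryBean.setUnauthorizedUrl("/noAut");
        return shiroFilterFactoryBean;
    }

    /**
     * Creates the web security manager and associates it with the application's realm.
     *
     * @param userRealm the realm that performs authentication and authorization lookups
     * @return the configured security manager
     */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(@Autowired UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // Associate the realm.
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Creates the custom realm.
     *
     * @return a new {@link UserRealm}
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }
}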
UserRealm:
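package cn.laoyao.config;

import cn.laoyao.pojo.User;
import cn.laoyao.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

import javax.annotation.Resource;

/**
 * Custom Shiro realm that looks users up through {@link UserService} and supplies
 * their credentials and permissions to Shiro.
 */
public class UserRealm extends AuthorizingRealm {

    @Resource
    UserService userService;

    /**
     * Authorization: returns the permissions of the principal being checked.
     *
     * <p>The principal is read from the {@code principalCollection} argument rather than
     * from the thread-bound subject, so the result always describes the identity Shiro
     * asked about. It is the {@link User} object that
     * {@link #doGetAuthenticationInfo(AuthenticationToken)} stored as the principal.
     *
     * @param principalCollection the identity whose permissions are requested
     * @return the authorization info; it carries no permissions when the principal is
     *         not a {@link User} or has no permission string
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("shouquan");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        Object principal = principalCollection.getPrimaryPrincipal();
        if (principal instanceof User) {
            String perms = ((User) principal).getPerms();
            // Skip a missing or blank value instead of registering it as a permission:
            // the user then simply holds no permission and the check is denied.
            if (perms != null && !perms.trim().isEmpty()) {
                info.addStringPermission(perms);
            }
        }
        return info;
    }

    /**
     * Authentication: looks the user up by the submitted username and hands the stored
     * credentials to Shiro, which compares them with the submitted password.
     *
     * <p>NOTE(review): no credentials matcher is configured in the code shown, so the
     * realm's default comparison applies and {@code user.getPwd()} has to equal the
     * submitted password directly, which implies plaintext storage. Store a salted,
     * adaptive password hash and configure a matching {@code CredentialsMatcher} on the
     * realm (for example Shiro's {@code PasswordMatcher}) before using this beyond a demo.
     *
     * <p>NOTE(review): the whole {@link User}, including its password field, becomes the
     * principal and therefore lives in the session. Consider a principal that carries
     * only the identifier and the data needed for authorization.
     *
     * @param authenticationToken the submitted token; expected to be a
     *                            {@link UsernamePasswordToken}
     * @return the account data for credential matching, or {@code null} when no such
     *         user exists
     * @throws AuthenticationException if authentication cannot be performed
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("renzheng");
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

        // Look the user up.
        User user = userService.queryUserByName(token.getUsername());
        if (user == null) {
            // Returning null makes Shiro raise UnknownAccountException.
            return null;
        }

        // Shiro performs the password comparison. The realm name is recorded with the
        // principal, so pass this realm's actual name instead of an empty string.
        return new SimpleAuthenticationInfo(user, user.getPwd(), getName());
    }
}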
controller:
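package cn.laoyao.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Page controller for the demo: the public index and login pages, the two
 * protected /user pages, the login action and the "unauthorized" response.
 */
@Controller
public class MyController {

    /** Serves the index view for "/" and "/index". */
    @RequestMapping({"/", "/index"})
    public String method() {
        return "index";
    }

    /** Serves the "user/add" view. */
    @RequestMapping("/user/add")
    public String add() {
        return "user/add";
    }

    /** Serves the "user/update" view. */
    @RequestMapping("/user/update")
    public String update() {
        return "user/update";
    }

    /** Serves the login form. */
    @RequestMapping("/toLogin")
    public String toLogin() {
        return "login";
    }

    /**
     * Logs the current subject in with the submitted username and password.
     *
     * <p>Every authentication failure produces the same message. Reporting
     * "unknown user" and "wrong password" separately lets a caller find out which
     * usernames exist, and catching only those two exception types lets any other
     * {@link AuthenticationException} escape as a server error.
     *
     * <p>NOTE(review): this mapping accepts every HTTP method. If the login form can
     * submit with GET, the credentials travel in the query string and can end up in
     * access logs and browser history; restrict the mapping to POST once the form is
     * confirmed to post.
     *
     * @param username the submitted username
     * @param password the submitted password
     * @param model    receives the {@code msg} attribute when login fails
     * @return the "index" view on success, the "login" view on failure
     */
    @RequestMapping("/login")
    public String login(String username, String password, Model model) {
        // Current subject.
        Subject subject = SecurityUtils.getSubject();
        // Wrap the submitted credentials.
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "index";
        } catch (AuthenticationException e) {
            // Covers UnknownAccountException, IncorrectCredentialsException and every
            // other authentication failure with one generic message.
            model.addAttribute("msg", "用户名或密码错误");
            return "login";
        } finally {
            // Clear the token's copy of the password once the attempt is over.
            token.clear();
        }
    }

    /** Response body for requests that were redirected after a failed permission check. */
    @RequestMapping("/noAut")
    @ResponseBody
    public String unAuthorised() {
        return "未授权";
    }
}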