Integrating Shiro with Spring Boot for User Permission Management

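Contents

I. Introduction to Shiro
   Core roles
   Core idea
II. Integrating with Spring Boot 2
   1. Core dependencies
   2. Shiro core configuration
   3. Realm configuration
   4. Core utility class
   5. Custom permission-error message
III. Demo code
   1. Test endpoints
   2. Test flow
IV. Source code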

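I. Introduction to Shiro

Core roles

1) Subject: the authentication subject

Represents whoever is currently using the system, i.e. the user. In Shiro authentication the subject is usually identified by userName and passWord, or by some other unique user-related identifier.

2) SecurityManager: the security manager

The most central component of the Shiro architecture; it coordinates the other components to perform user authentication and authorization. In effect, the SecurityManager is the controller of the Shiro framework.

3) Realm: the realm object

Defines how data is accessed and connects Shiro to different data sources, such as relational databases, configuration files, and so on.

Core idea

Shiro does not maintain users and permissions itself. Authentication and authorization are carried out through the Subject (the user) and the injected Realm.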

II. Integrating with Spring Boot 2

1. Core dependencies

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.0</version>
</dependency>

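2. Shiro core configuration

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    /**
     * Session Manager: session management.
     * A session starts when the user logs in; until the user logs out,
     * all of the user's information is held in the session.
     * A session can live in a plain Java SE environment or in a web environment.
     */
    @Bean("sessionManager")
    public SessionManager sessionManager() {
        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
        // Session timeout in milliseconds (one hour)
        sessionManager.setGlobalSessionTimeout(60 * 60 * 1000);
        sessionManager.setSessionValidationSchedulerEnabled(true);
        // Do not append JSESSIONID to the URL when logging in through Shiro
        sessionManager.setSessionIdUrlRewritingEnabled(false);
        return sessionManager;
    }

    /**
     * SecurityManager: the security manager.
     */
    @Bean("securityManager")
    public SecurityManager securityManager(UserRealm userRealm, SessionManager sessionManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * ShiroFilter is the entry point of Shiro; it intercepts the requests
     * that need security control and processes them.
     */
    @Bean("shiroFilter")
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setSecurityManager(securityManager);
        shiroFilter.setLoginUrl("/userLogin");
        shiroFilter.setUnauthorizedUrl("/");
        // Only /userLogin is mapped here (anonymous access); the other endpoints
        // in this demo are protected by @RequiresPermissions annotations.
        Map<String, String> filterMap = new LinkedHashMap<>();
        filterMap.put("/userLogin", "anon");
        shiroFilter.setFilterChainDefinitionMap(filterMap);
        return shiroFilter;
    }

    /**
     * Manages the lifecycle of some Shiro beans.
     */
    @Bean("lifecycleBeanPostProcessor")
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    /**
     * Scans the context for all Advisors and applies them
     * to every bean that matches their pointcuts.
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
        proxyCreator.setProxyTargetClass(true);
        return proxyCreator;
    }

    /**
     * Matches every method that carries a Shiro authorization annotation.
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}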

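3. Realm configuration

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.annotation.Resource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.stereotype.Component;
// Assumption: StringUtils is Spring's; the original does not show its import.
import org.springframework.util.StringUtils;

// SysUserEntity, SysMenuEntity, SysUserMapper and SysMenuMapper are the project's own classes.
@Component
public class UserRealm extends AuthorizingRealm {

    @Resource
    private SysUserMapper sysUserMapper;

    @Resource
    private SysMenuMapper sysMenuMapper;

    /**
     * Authorization (called when a permission is checked).
     * Returns the set of permissions of the user.
     */
    @Override
    public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SysUserEntity user = (SysUserEntity) principals.getPrimaryPrincipal();
        if (user == null) {
            throw new UnknownAccountException("账号不存在");
        }
        List<String> permsList;
        // By default the user is given the highest privileges:
        // every permission in the menu table is loaded, whoever the user is.
        List<SysMenuEntity> menuList = sysMenuMapper.selectList();
        permsList = new ArrayList<>(menuList.size());
        for (SysMenuEntity menu : menuList) {
            permsList.add(menu.getPerms());
        }
        // The user's permission set
        Set<String> permsSet = new HashSet<>();
        for (String perms : permsList) {
            if (StringUtils.isEmpty(perms)) {
                continue;
            }
            permsSet.addAll(Arrays.asList(perms.trim().split(",")));
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setStringPermissions(permsSet);
        return info;
    }

    /**
     * Authentication (called at login).
     * Verifies the user's login.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authToken;
        // Look up the user
        SysUserEntity user = sysUserMapper.selectOne(token.getUsername());
        // The account does not exist
        if (user == null) {
            throw new UnknownAccountException("账号或密码不正确");
        }
        // The account is locked
        if (user.getStatus() == 0) {
            throw new LockedAccountException("账号已被锁定,请联系管理员");
        }
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                user, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), getName());
        return info;
    }

    // Always compare credentials as salted, iterated hashes (parameters from ShiroUtils).
    @Override
    public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
        HashedCredentialsMatcher shaCredentialsMatcher = new HashedCredentialsMatcher();
        shaCredentialsMatcher.setHashAlgorithmName(ShiroUtils.hashAlgorithmName);
        shaCredentialsMatcher.setHashIterations(ShiroUtils.hashIterations);
        super.setCredentialsMatcher(shaCredentialsMatcher);
    }
}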

4. Core utility class

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

public class ShiroUtils {

    /** Hash algorithm */
    public final static String hashAlgorithmName = "SHA-256";

    /** Number of hash iterations */
    public final static int hashIterations = 16;

    public static String sha256(String password, String salt) {
        return new SimpleHash(hashAlgorithmName, password, salt, hashIterations).toString();
    }

    // Produce the password hash for a test account, admin
    public static void main(String[] args) {
        // 3743a4c09a17e6f2829febd09ca54e627810001cf255ddcae9dabd288a949c4a
        System.out.println(sha256("admin", "123"));
    }

    /**
     * Get the session.
     */
    public static Session getSession() {
        return SecurityUtils.getSubject().getSession();
    }

    /**
     * Subject: the current "user".
     */
    public static Subject getSubject() {
        return SecurityUtils.getSubject();
    }

    public static SysUserEntity getUserEntity() {
        return (SysUserEntity) SecurityUtils.getSubject().getPrincipal();
    }

    public static Long getUserId() {
        return getUserEntity().getUserId();
    }

    public static void setSessionAttribute(Object key, Object value) {
        getSession().setAttribute(key, value);
    }

    public static Object getSessionAttribute(Object key) {
        return getSession().getAttribute(key);
    }

    public static boolean isLogin() {
        return SecurityUtils.getSubject().getPrincipal() != null;
    }

    public static void logout() {
        SecurityUtils.getSubject().logout();
    }
}
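How a stored credential that UserRealm can verify is produced and then checked, as an added example (not code from the original article or its repository). It uses a random per-account salt instead of the fixed "123" of the test account; the class name PasswordHashDemo, the user and realm names and the sample password are constructed.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashDemo {
    // Same parameters as ShiroUtils on this page. A higher iteration count
    // raises the cost of offline guessing if the user table leaks.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 16;

    /** Registration side: a fresh random salt per account, stored next to the hash. */
    static String newSalt() {
        // Random bytes from SecureRandom, hex-encoded so they fit a text column.
        return new SecureRandomNumberGenerator().nextBytes().toHex();
    }

    /** Same computation as ShiroUtils.sha256(password, salt); returns the hex digest. */
    static String hash(String password, String salt) {
        return new SimpleHash(ALGORITHM, password, salt, ITERATIONS).toString();
    }

    /** Login side: the comparison HashedCredentialsMatcher runs on the info UserRealm returns. */
    static boolean verify(String submitted, String storedHash, String storedSalt) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        // Built the same way as in UserRealm.doGetAuthenticationInfo.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                "demoUser", storedHash, ByteSource.Util.bytes(storedSalt), "demoRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken("demoUser", submitted), info);
    }

    public static void main(String[] args) {
        String password = "S3cret-constructed"; // constructed sample value
        String salt = newSalt();
        String stored = hash(password, salt);
        System.out.println("salt   = " + salt);
        System.out.println("stored = " + stored);
        System.out.println("correct password accepted: " + verify(password, stored, salt));
        System.out.println("wrong password accepted:   " + verify("guess", stored, salt));
        // The same password under a different salt gives a different stored value.
        System.out.println("equal under a new salt:    " + stored.equals(hash(password, newSalt())));
    }
}
```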

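5. Custom permission-error message

import org.apache.shiro.authz.AuthorizationException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class ShiroException {

    // Raised when a @RequiresPermissions check fails
    @ExceptionHandler(AuthorizationException.class)
    public String authorizationException() {
        return "抱歉您没有权限访问该内容!";
    }

    // Any other exception
    @ExceptionHandler(Exception.class)
    public String handleException(Exception e) {
        return "系统异常!";
    }
}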

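III. Demo code

1. Test endpoints

import java.util.List;

import javax.annotation.Resource;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ShiroController {

    private static final Logger LOGGER = LoggerFactory.getLogger(ShiroController.class);

    @Resource
    private SysMenuMapper sysMenuMapper;

    /**
     * Login test
     * http://localhost:7011/userLogin?userName=admin&passWord=admin
     */
    @RequestMapping("/userLogin")
    public void userLogin(@RequestParam(value = "userName") String userName,
                          @RequestParam(value = "passWord") String passWord) {
        try {
            Subject subject = ShiroUtils.getSubject();
            UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
            subject.login(token);
            LOGGER.info("登录成功");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * After every server restart, call the login endpoint above before calling this one.
     * http://localhost:7011/menu/list returns the full menu list.
     * Required permission: sys:user:shiro
     */
    @RequestMapping("/menu/list")
    @RequiresPermissions("sys:user:shiro")
    public List<SysMenuEntity> list() {
        return sysMenuMapper.selectList();
    }

    /**
     * The user does not have this permission, so access is refused.
     * Required permission: ccc:ddd:bbb
     */
    @RequestMapping("/menu/list2")
    @RequiresPermissions("ccc:ddd:bbb")
    public List<SysMenuEntity> list2() {
        return sysMenuMapper.selectList();
    }

    /**
     * Logout test; after logging out the user has no permissions at all.
     */
    @RequestMapping("/userLogOut")
    public String logout() {
        ShiroUtils.logout();
        return "success";
    }
}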

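2. Test flow

1) Log in to obtain permissions: http://localhost:7011/userLogin?userName=admin&passWord=admin
2) Access an endpoint the user has permission for: http://localhost:7011/menu/list
3) Access an endpoint the user has no permission for: http://localhost:7011/menu/list2
4) Log out: http://localhost:7011/userLogOut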
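A stricter variant of the /userLogin test endpoint, as an added example that is not part of the original article or its repository: it accepts the password only in a POST body, reports a failed login to the caller instead of swallowing the exception, and logs the cause on the server. The class name LoginController, the response strings and the printable helper are assumptions.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class LoginController { // hypothetical class, replaces the userLogin test method
    private static final Logger LOGGER = LoggerFactory.getLogger(LoginController.class);

    // POST with form fields keeps the password out of URLs, access logs and browser history.
    @PostMapping("/userLogin")
    public ResponseEntity<String> userLogin(@RequestParam("userName") String userName,
                                            @RequestParam("passWord") String passWord) {
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);
        try {
            SecurityUtils.getSubject().login(token);
            LOGGER.info("login ok user={}", printable(userName));
            return ResponseEntity.ok("success");
        } catch (AuthenticationException e) {
            // Unknown account, wrong password and locked account all get the same
            // response; which one it was goes to the server log only.
            LOGGER.warn("login failed user={} cause={}",
                    printable(userName), e.getClass().getSimpleName());
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("invalid credentials");
        } finally {
            token.clear(); // wipe the password char[] held by the token
        }
    }

    /** Replace control characters so a submitted user name cannot forge log lines. */
    private static String printable(String s) {
        return s.replaceAll("\\p{Cntrl}", "_");
    }
}
```

With this variant, step 1 of the test flow becomes a POST to /userLogin with userName and passWord as form fields.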

IV. Source code

GitHub: 知了一笑 https://github.com/cicadasmile/middle-ware-parent
