目录
前提:
先准备一个 springboot+mybatis 的环境:https://blog.csdn.net/weidong_y/article/details/81709391
一、引入 shiro 的包
<!-- shiro 配置 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>二、自定义 realm
MyShiroRealm.java
package com.yyzheng.oa.shiro;
import com.yyzheng.oa.dao.User;
import com.yyzheng.oa.service.PermissionService;
import com.yyzheng.oa.service.RoleService;
import com.yyzheng.oa.service.UserService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
public class MyShiroRealm extends AuthorizingRealm {
@Autowired
private RoleService roleService;
@Autowired
private PermissionService permissionService;
@Autowired
private UserService userService;
// 角色权限和对应权限添加
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// 获取登录用户名
String userName = (String)principalCollection.getPrimaryPrincipal();
// 查询用户的角色信息
Set<String> roles = getRolesByUsername(userName);
// 查询角色的权限信息
Set<String> permissions = getPermissionsByUserName(userName);
// 设置用户的角色和权限
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setRoles(roles);
simpleAuthorizationInfo.setStringPermissions(permissions);
return simpleAuthorizationInfo;
}
// 根据用户名字从数据库中获取当前用户的权限数据
private Set<String> getPermissionsByUserName(String userName) {
List<String> list = permissionService.queryPermissionNameByUserName(userName);
if( list != null ){
Set<String> sets = new HashSet<>(list);
return sets;
}else{
return null;
}
}
// 根据用户名字从数据库中获取当前用户的角色数据
private Set<String> getRolesByUsername(String userName) {
List<String> list = roleService.queryRoleNameByUsername(userName);
if( list != null ){
Set<String> sets = new HashSet<>(list);
return sets;
}else{
return null;
}
}
// 认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// 1.从主体传过来的信息中获取用户名
String userName = (String)authenticationToken.getPrincipal();
// 2.通过用户名到数据库获取凭证
String password = getPasswordByUserName(userName);
if( password == null ){
return null;
}
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(userName,password,"myShiroRealm");
return simpleAuthenticationInfo;
}
// 通过用户名从数据库中获取当前用户的密码
private String getPasswordByUserName(String userName) {
User user = userService.queryUserByUserName(userName);
if( user != null ){
return user.getPassword();
}else{
return null;
}
}
}
三、shiro 配置
package com.yyzheng.oa.config;
import com.yyzheng.oa.exception.MyExceptionResolver;
import com.yyzheng.oa.shiro.MyShiroRealm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerExceptionResolver;
import java.util.HashMap;
import java.util.Map;
@Configuration
public class ShiroConfiguration {
// 创建自定义 realm
@Bean
public MyShiroRealm myShiroRealm() {
MyShiroRealm myShiroRealm = new MyShiroRealm();
return myShiroRealm;
}
// 创建 SecurityManager 对象
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(myShiroRealm());
return securityManager;
}
// Filter工厂,设置对应的过滤条件和跳转条件
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
Map<String, String> map = new HashMap<>();
// 登出
map.put("/logout", "logout");
// 对所有用户认证
map.put("/**", "authc");
// 对登录跳转接口进行释放
map.put("/subLogin", "anon");
map.put("/err", "anon");
// 登录
// 注意:这里配置的 /login 是指到 @RequestMapping(value="/login")中的 /login
shiroFilterFactoryBean.setLoginUrl("/login");
// 首页
shiroFilterFactoryBean.setSuccessUrl("/index");
// 错误页面,认证不通过跳转
shiroFilterFactoryBean.setUnauthorizedUrl("/err");
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
// 加入注解的使用,不加这个,注解不生效
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
// 跟上面的注解配置搭配使用,有时候加了上面的配置后注解不生效,需要加入下面的配置
@Bean
@ConditionalOnMissingBean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator app = new DefaultAdvisorAutoProxyCreator();
app.setProxyTargetClass(true);
return app;
}
}
四、写一个 controller 测试
@Controller
public class UserController {
@RequestMapping(value = "/login")
public String login(){
return "/login";
}
@RequestMapping(value = "/err")
public String err(){
return "/err";
}
@RequestMapping(value = "/subLogin")
public String subLogin(User user){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(),user.getPassword());
try{
subject.login(token);
}catch (AuthenticationException e){
e.printStackTrace();
return e.getMessage();
}
return "success";
}
@RequiresRoles(value = "admin")
@RequestMapping(value = "/test")
@ResponseBody
public String test(){
return "123";
}
}五、无权限的时候直接报错的错误方式
自定义一个异常拦截,自定义跳转页面。
MyExceptionResolver.java 拦截下异常。
package com.yyzheng.oa.exception;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
public class MyExceptionResolver implements HandlerExceptionResolver{
public ModelAndView resolveException(HttpServletRequest request,
HttpServletResponse response, Object handler, Exception ex) {
System.out.println("==============异常开始=============");
//如果是shiro无权操作,因为shiro 在操作auno等一部分不进行转发至无权限url
if(ex instanceof UnauthorizedException){
// 跳转到 templates 文件下面找 err.html 页面
ModelAndView mv = new ModelAndView("err");
return mv;
}
ex.printStackTrace();
ModelAndView mv = new ModelAndView("err");
mv.addObject("exception", ex.toString().replaceAll("\n", "<br/>"));
return mv;
}
}
在shiro中配置一下:
// 自定义异常捕获注册
@Bean
public HandlerExceptionResolver solver(){
HandlerExceptionResolver handlerExceptionResolver = new MyExceptionResolver();
return handlerExceptionResolver;
}