- <span style="font-family:Arial, Helvetica, sans-serif;background-color:rgb(255,255,255);">使用shiro重点在于两个类</span>
1.ShiroConfiguration
下面这个方法是设置访问时,如果想直接访问index以及后面的界面必须先登录,所以会自动跳转到login界面
- @Bean
- public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager){
- System.out.println("ShiroConfiguration.shirFilter()");
- ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
- // 必须设置 SecurityManager
- shiroFilterFactoryBean.setSecurityManager(securityManager);
- //拦截器.
- Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>();
- //配置退出 过滤器,其中的具体的退出代码Shiro已经替我们实现了
- filterChainDefinitionMap.put("/logout", "logout");
- //配置记住我或认证通过可以访问的地址
- filterChainDefinitionMap.put("/index", "user");
- filterChainDefinitionMap.put("/", "user");
- //<!-- 过滤链定义,从上向下顺序执行,一般将 /**放在最为下边 -->:这是一个坑呢,一不小心代码就不好使了;
- //<!-- authc:所有url都必须认证通过才可以访问; anon:所有url都都可以匿名访问-->
- filterChainDefinitionMap.put("/**", "authc");
- // 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
- shiroFilterFactoryBean.setLoginUrl("/login");
- // 登录成功后要跳转的链接
- shiroFilterFactoryBean.setSuccessUrl("/index");
- //未授权界面;
- shiroFilterFactoryBean.setUnauthorizedUrl("/403");
- shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
- return shiroFilterFactoryBean;
- }
这个方法是登录时我们必须做验证,登录名以及密码是否正确,所以在这我们自己定义的有MyShiroRealm,需要注入
- <span style="font-size:24px;">//将我们自定义的Realm注入到SecurityManager中。
- @Bean
- public SecurityManager securityManager(){
- DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
- //设置realm.
- securityManager.setRealm(myShiroRealm()); //做验证是通过Reaml来做的,所以在这必须通过securityManager来设置Reaml
- //注入缓存管理器
- securityManager.setCacheManager(ehCacheManager());
- return securityManager;
- }
- @Bean
- public MyShiroRealm myShiroRealm(){
- MyShiroRealm myShiroRealm = new MyShiroRealm();//这里实例化一个我们自己写的MyShiroRealm类
- myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());;
- return myShiroRealm;
- }
- @Bean
- public HashedCredentialsMatcher hashedCredentialsMatcher(){
- HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
- hashedCredentialsMatcher.setHashAlgorithmName("md5");//散列算法:这里使用MD5算法;
- hashedCredentialsMatcher.setHashIterations(2);//散列的次数,比如散列两次,相当于 md5(md5(""));
- return hashedCredentialsMatcher;
- }
- //开启shiro aop注解支持
- @Bean
- public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
- AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
- authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
- return authorizationAttributeSourceAdvisor;
- }
- //注入缓存
- @Bean
- public EhCacheManager ehCacheManager(){
- System.out.println("ShiroConfiguration.getEhCacheManager()执行");
- EhCacheManager cacheManager=new EhCacheManager();
- cacheManager.setCacheManagerConfigFile("classpath:config/ehcache-shiro.xml");
- return cacheManager;
- }</span>
2.MyShiroRealm.java
- //这个reaml是身份验证 的核心
- public class MyShiroRealm extends AuthorizingRealm {
- @Resource
- private UserInfoService userInfoService;
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- System.out.println("MyShiroRealm.doGetAuthenticationInfo()");
- // 获取用户的输入的账号.
- // token获取底层request对象来取得页面用户输入的用户名等值
- String username = (String) token.getPrincipal();
- System.out.println(token.getCredentials());
- // 通过username从数据库中查找 User对象,如果找到,没找到.
- // 实际项目中,这里可以根据实际情况做缓存,如果不做,Shiro自己也是有时间间隔机制,2分钟内不会重复执行该方法
- UserInfo userInfo = userInfoService.findByUsername(username);
- System.out.println("----->>userInfo=" + userInfo);
- if (userInfo == null) {
- return null;
- }
- // 上面只是通过查询数据库找有没有输入用户名的数据,这里是如果存在则需要比较密码是否相同
- // 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配
- SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(userInfo, // 用户名
- userInfo.getPassword(), // 密码
- // 这里用到了加密
- ByteSource.Util.bytes(userInfo.getCredentialsSalt()), // salt=username+salt
- getName() // realm name
- );
- return authenticationInfo;
- }
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- System.out.println("权限配置-->MyShiroRealm.doGetAuthorizationInfo");
- SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
- UserInfo userInfo = (UserInfo) principals.getPrimaryPrincipal();
- for (SysRole role : userInfo.getRoleList()) {
- authorizationInfo.addRole(role.getRole());//遍历用户下面的角色信息,添加角色
- for (SysPermission p : role.getPermissions()) {
- authorizationInfo.addStringPermission(p.getPermission());//遍历角色的权限信息,添加权限
- }
- }
- return authorizationInfo;
- }
- }