shiro学习笔记
shiro的三个核心组件:Subject SecurityManager Realms
Subject主体,代表了当前的用户,这个用户不一定是具体的人,与当前应用交互的任何东西都是Subject,所有的Subject都绑定到SecurityManager,与Subject的交互都委托给SecurityManager处理,可以把Subject当做是一个门面,SecurityManager才是真正的执行者。
SecurityManager:安全管理器,即所有与安全有关的交互都会和它交互,它是shiro的核心,而且它管理着Subject,提供安全管理的各种服务。
Realm:shiro和应用安全数据之间的桥梁或连接器,也就是说,当用户执行登录或者授权的时候,shiro会在配置的Realm中查找用户及其权限信息,配置shiro时必须至少有一个Realm,可以配置多个。
一个简单的shiro应用:
①应用代码通过Subject来进行认证和授权,而Subject又委托给SecurityManager。
②我们需要给shiro的SecurityManager注入Realm,从而让SecurityManager能够得到合法的用户及其权限进行判断。
shiro的配置:
自定义Realm(实现认证和授权):
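public class OwnRealm extends AuthorizingRealm {

    // userDao and roleDao are injected elsewhere; their declarations are not part of this listing.

    /**
     * Authentication: looks up the account for the submitted username and hands its stored
     * credentials back to Shiro. The realm's CredentialsMatcher compares the submitted password
     * against those credentials, so the password is deliberately not read or compared here.
     *
     * @param authenticationToken the submitted token; this realm only supports
     *     {@code UsernamePasswordToken} (the default token class of AuthenticatingRealm)
     * @return principal (user name) and stored credentials for the matcher, tagged with this realm's name
     * @throws UnknownAccountException when no account exists for the username
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();

        QueryWrapper<User> query = new QueryWrapper<>();
        query.eq("userName", username);
        User user = userDao.selectOne(query); // MyBatis-Plus lookup
        if (user == null) {
            throw new UnknownAccountException("用户不存在");
        }
        // NOTE(review): user.getPassWord() is passed to the matcher as-is. If the stored value is a
        // hash, a matching HashedCredentialsMatcher must be configured on this realm; storing
        // plaintext passwords should be avoided.
        return new SimpleAuthenticationInfo(user.getUserName(), user.getPassWord(), getName());
    }

    /**
     * Authorization: maps the single role record of the logged-in user to Shiro roles and
     * string permissions. Roles and permissions are hard-coded per role name in this listing.
     *
     * @param principalCollection principals of the authenticated subject; the primary principal
     *     is the user name returned by {@link #doGetAuthenticationInfo}
     * @return roles and permissions for the user, or {@code null} when the user has no role record
     *     (Shiro treats {@code null} as "no roles, no permissions")
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        String userName = (String) principalCollection.getPrimaryPrincipal();
        Role role = roleDao.queryRoleByUserName(userName);
        if (role == null) {
            return null;
        }

        HashSet<String> roles = new HashSet<>();
        HashSet<String> permissions = new HashSet<>();
        String roleName = role.getRoleName();
        if ("admin".equals(roleName)) {
            roles.add("admin");
            roles.add("user");
            permissions.add("add");
        }
        if ("user".equals(roleName)) {
            roles.add("user"); // original added to the Role object instead of the roles set
            permissions.add("delete");
        }

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(roles);
        info.setStringPermissions(permissions);
        return info;
    }
}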
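@Configuration
public class ShiroConfig {

    /** The realm that supplies account and role/permission data to the SecurityManager. */
    @Bean
    public Realm realm() {
        return new OwnRealm();
    }

    /**
     * Web SecurityManager backed by the single realm above.
     *
     * @param realm the realm bean to consult for authentication and authorization
     * @return the configured SecurityManager
     */
    @Bean
    public SecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(realm);
        return manager;
    }

    /**
     * Servlet filter that enforces URL-based rules. Only paths matched by an entry of the
     * filter-chain map get a Shiro filter applied; unmatched paths pass through unfiltered,
     * so the map (not only the redirect URLs below) decides what is actually protected.
     *
     * @param securityManager the SecurityManager the filter delegates to
     * @return the filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/");                      // login page
        factory.setSuccessUrl("/success");             // after successful login
        factory.setUnauthorizedUrl("/noAuthorized");   // when a role/permission check fails

        // Shiro evaluates chain definitions in insertion order and the first match wins, so the
        // map must preserve order; a HashMap would make the effective rules nondeterministic.
        java.util.Map<String, String> chain = new java.util.LinkedHashMap<>();
        chain.put("/login", "anon");                   // no authentication required
        chain.put("/doLogin", "anon");
        chain.put("/logout", "logout");                // logout filter clears the subject
        chain.put("/admin/**", "authc,roles[admin]");  // must be logged in and hold role "admin"
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }

    /**
     * Required for annotation-based checks ({@code @RequiresRoles} etc.) together with the
     * advisor below. proxyTargetClass=true forces class-based (CGLIB) proxies so beans without
     * interfaces are proxied too.
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator; // original returned a misspelled, undeclared variable
    }

    /**
     * Advisor that applies Shiro's authorization annotations using the given SecurityManager.
     *
     * @param securityManager the SecurityManager used to evaluate the annotations
     * @return the advisor bean
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}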