导入依赖

• shiro整合spring

  <dependency>
     <groupId>org.apache.shiro</groupId>
     <artifactId>shiro-spring-boot-web-starter</artifactId>
     <version>1.7.1</version>
  </dependency>
  

Config

• shiro配置类

  @Bean
  public UserRealm userRealm(){
      return new UserRealm();
  }

  @Bean(name = "defaultWebSecurityManager")
  public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm")UserRealm userRealm){
      DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
      securityManager.setRealm(userRealm);
      return securityManager;
  }

  @Bean
  public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager){
      ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
      bean.setSecurityManager(defaultWebSecurityManager);
      //添加内置过滤器
      /**
       * anon  无需认证就可以访问
       * authc  认证才能访问
       * user  有 记住我 功能才能访问
       * perms 有资源权限才能访问
       * role  有角色权限才能访问
       */
      Map<String, String> filterMap = new LinkedHashMap<>();

      //设置访问权限
      //认证权限
      //filterMap.put("/user/*","authc");支持通配符
      filterMap.put("/user/add","authc");
      filterMap.put("/user/delete","authc");

      //只有 user:add 权限才能访问 add 页面
      filterMap.put("/user/add","perms[user:add]");

      //设置登录请求
      bean.setLoginUrl("/toLogin");
      //未授权进入此提醒页面
      bean.setUnauthorizedUrl("/unauthorized");

      bean.setFilterChainDefinitionMap(filterMap);
      return bean;
  }

• Realm类

public class UserRealm extends AuthorizingRealm {
//    授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行授权");
        //设置当前用户权限
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermission("user:add");

        /**
         * 得到当前用户
         * Subject subject = SecurityUtils.getSubject();
         * 拿到 认证 方法中得到的 user 对象
         * User user = (User)subject.getPrincipal();
         * user 对象中有自己的 权限
         * info.addStringPermission(user.getPerms())
         */
        return info;
    }

    //认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("执行认证");
        //用户名、密码，数据库中取得
        //查询数据库返回 user 对象
        String name = "root";
        String pwd = "123123";
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        if (!token.getUsername().equals(name)){
            return null;//抛异常 UnknownAccountException
        }

        //AuthenticationInfo 是接口，返回该接口的实现类
        //shiro做密码认证
        return new SimpleAuthenticationInfo("",pwd,"");
//        return new SimpleAuthenticationInfo(user,pwd,"");
    }
}

Controller

• 获取登录信息，通过 UsernamePasswordToken(username, password) 传递参数。
• subject.login() 进行登录认证。

备注

• 添加权限和角色