Shiro安全框架的使用

1 导入 Shiro 依赖（Maven）

<dependency>

   <groupId>org.apache.shiro</groupId>

  <artifactId>shiro-spring</artifactId>

  <!-- 1.4.2 is an old 1.x release. Later 1.x releases fixed several published
       authentication-bypass issues in Shiro's URL path matching (the filter
       chain configured below relies on that matching), so pin the current 1.x
       version and keep it updated. -->
  <version>1.4.2</version>

</dependency>

 

2 Config 包下的 Shiro 配置类（ShiroConfig）

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

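@Configuration
public class ShiroConfig {

    /**
     * Step 3: builds the Shiro servlet filter and its URL-to-filter-chain table.
     *
     * Filter names used below (Shiro's built-in filters):
     *  - anon  : no authentication required
     *  - authc : caller must be authenticated
     *  - user  : authenticated caller, or one restored via rememberMe
     *  - perms : caller must hold the named permission
     *  - roles : caller must hold the named role (the filter is "roles", not "role")
     *
     * @param securityManager the web security manager bean wired to {@link UserRealm}
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroBean = new ShiroFilterFactoryBean();
        shiroBean.setSecurityManager(securityManager);

        // Shiro builds the filter chains in the map's iteration order and the FIRST
        // pattern that matches a request wins. A plain HashMap gives no ordering
        // guarantee, so the effective policy would depend on hash layout;
        // LinkedHashMap preserves the order written here.
        Map<String, String> filterMap = new LinkedHashMap<>();

        // Most specific rules first.
        filterMap.put("/level1/*", "perms[level1:page]");
        filterMap.put("/level2/*", "perms[level2:page]");
        filterMap.put("/level3/*", "perms[level3:page]");

        // Top-level pages (/toLogin, /login, /noauth, /logout, index) stay public.
        // Ant-style "/*" matches a single path segment only, never "/level1/x".
        filterMap.put("/*", "anon");

        // Default-deny: anything not listed above requires authentication. Without
        // a catch-all, URLs that match no pattern pass through Shiro unfiltered.
        // Static assets (e.g. /css/**, /js/**) need their own "anon" entry placed
        // BEFORE this line.
        filterMap.put("/**", "authc");

        shiroBean.setFilterChainDefinitionMap(filterMap);
        // Where unauthenticated callers are redirected by authc/perms filters.
        shiroBean.setLoginUrl("/toLogin");
        // Where authenticated-but-unauthorized callers are sent by perms/roles filters.
        shiroBean.setUnauthorizedUrl("/noauth");
        return shiroBean;
    }

    /**
     * Step 2: the web security manager backed by the custom {@link UserRealm}.
     *
     * @param userRealm the realm bean created by {@link #userRealm()}
     * @return the security manager bean
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(
            @Qualifier("usrRm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // The realm is injected as a Spring bean rather than created with "new"
        // here — presumably so that Spring can autowire the realm's UserMapper.
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Step 1: the custom realm that performs authentication and authorization.
     *
     * NOTE(review): no CredentialsMatcher is configured, so Shiro's default
     * SimpleCredentialsMatcher compares the submitted password directly with the
     * credential the realm returns — i.e. the stored password is compared in
     * cleartext. Store a salted hash and set a HashedCredentialsMatcher on the
     * realm (algorithm, iteration count) before using this outside a demo.
     *
     * @return a new UserRealm instance managed by Spring
     */
    @Bean(name = "usrRm")
    public UserRealm userRealm() {
        return new UserRealm();
    }

    /** Thymeleaf dialect that exposes shiro:* tags in templates. */
    @Bean
    public ShiroDialect getShiroDialect() {
        return new ShiroDialect();
    }
}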


2.2 认证与授权的 Realm 类（UserRealm）
import com.icodingedu.mapper.UserMapper;
import com.icodingedu.pojo.UserInfo;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

public class UserRealm extends AuthorizingRealm {

//授权
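@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    System.out.println("执行了授权=》 AuthorizationInfo");
    // Read the principal Shiro handed to this realm rather than going through
    // SecurityUtils.getSubject(): the realm can be invoked outside the calling
    // thread's subject context, where the thread-bound subject is not the one
    // being authorized.
    UserInfo userInfo = (UserInfo) principalCollection.getPrimaryPrincipal();
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

    // NOTE(review): the permission comes from the UserInfo captured at login
    // (it is the session principal), not from a fresh DB read. Revoking a role
    // in the database therefore only takes effect after the user logs in again;
    // reload via userMapper here if revocation must be immediate.
    String permission = userInfo.getRolename();
    // A null or blank permission string makes Shiro's WildcardPermission throw
    // during checks instead of simply denying; grant nothing in that case.
    if (permission != null && !permission.trim().isEmpty()) {
        info.addStringPermission(permission);
    }
    return info;
}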

// Data access used by doGetAuthenticationInfo to look up a user by name.
// Autowiring works because UserRealm is created as a Spring bean in ShiroConfig.
@Autowired
UserMapper userMapper;

//认证
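@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
        throws AuthenticationException {
    System.out.println("执行了认证=》 AuthenticationInfo");

    // AuthenticatingRealm.supports() only admits UsernamePasswordToken by default,
    // so this cast holds as long as that default is not overridden.
    UsernamePasswordToken userToken = (UsernamePasswordToken) authenticationToken;

    // A missing form field yields a null username; skip the DB round-trip.
    String username = userToken.getUsername();
    if (username == null) {
        return null;
    }

    UserInfo userInfo = userMapper.queryUserForName(username);
    if (userInfo == null) {
        // Shiro turns a null result into UnknownAccountException for the caller.
        return null;
    }

    // The realm never compares passwords itself: Shiro's CredentialsMatcher
    // compares the submitted password with the credential returned here.
    // NOTE(review): with the default SimpleCredentialsMatcher that is a direct
    // comparison, i.e. the password column effectively holds cleartext. Store a
    // salted hash and configure a HashedCredentialsMatcher on the realm.
    // NOTE(review): the whole UserInfo — including its password field — becomes
    // the session principal; prefer a principal object without the credential.
    // getName() tags the principal with this realm's name instead of "".
    return new SimpleAuthenticationInfo(userInfo, userInfo.getPassword(), getName());
}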


3 登录认证（Controller 方法）
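/**
 * Handles the login form submission.
 *
 * @param username submitted user name
 * @param password submitted password
 * @param model    view model; receives "msg" on failure
 * @return "index" on success, otherwise the login view with an error message
 */
@RequestMapping("/login")
public String login(String username, String password, Model model) {
    // NOTE(review): @RequestMapping without a method also accepts GET, which puts
    // the credentials in the URL (browser history, proxy and server logs).
    // Restrict this handler to POST.
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token);
        // NOTE(review): confirm session-fixation handling — Shiro does not
        // rotate the session id on successful login by itself.
        return "index";
    } catch (UnknownAccountException | IncorrectCredentialsException e) {
        // Deliberately ONE message for "no such user" and "wrong password":
        // distinct messages let an attacker enumerate valid user names.
        model.addAttribute("msg", "用户名或密码错误!");
        return "views/login";
    } catch (Exception ex) {
        // Locked/disabled accounts, backend failures, etc. Keep the view message
        // generic; the exception itself belongs in a server-side log.
        model.addAttribute("msg", "未知登录异常!");
        return "views/login";
    }
}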

/** Target of setUnauthorizedUrl: plain-text reply for callers lacking the permission. */
@RequestMapping("/noauth")
@ResponseBody
public String noauth() {
    // NOTE(review): this answers with HTTP 200; an unauthorized reply should carry 403.
    final String message = "未授权不能访问!";
    return message;
}
/** Ends the current subject's authenticated state and returns to the index view. */
@RequestMapping("/logout")
public String logout() {
    // NOTE(review): a GET logout can be triggered cross-site (e.g. via an <img>
    // tag); consider POST-only. Also confirm the HTTP session is stopped here.
    SecurityUtils.getSubject().logout();
    return "index";
}




