springboot整合shiro 框架
java1234
共 11653字,需浏览 24分钟
·
2020-09-06 15:33
点击上方蓝色字体,选择“标星公众号”
优质文章,第一时间送达
写这篇文章主要是记录我的学习过程,刚开始在网上找资料的时候,网上的资料很乱。所以自己整合了一个比较简单的shiro的使用方法,shiro是什么、怎么用就不用我在这里详细的讲解了。
1.添加依赖
<dependency><groupId>org.apache.shirogroupId><artifactId>shiro-springartifactId><version>1.4.0version>dependency><dependency><groupId>org.apache.shirogroupId><artifactId>shiro-coreartifactId><version>1.4.0version>dependency>
2.配置文件
shiroconfig
package com.xl.shiro;import org.apache.shiro.mgt.SecurityManager;import org.apache.shiro.session.mgt.SessionManager;import org.apache.shiro.spring.LifecycleBeanPostProcessor;import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import java.util.LinkedHashMap;import java.util.Map;/*** Shiro 配置文件*/public class ShiroConfig {/*** Session Manager:会话管理* 即用户登录后就是一次会话,在没有退出之前,它的所有信息都在会话中;* 会话可以是普通JavaSE环境的,也可以是如Web环境的;*/("sessionManager")public SessionManager sessionManager(){DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();//设置session过期时间sessionManager.setGlobalSessionTimeout(60 * 60 * 1000);sessionManager.setSessionValidationSchedulerEnabled(true);// 去掉shiro登录时url里的JSESSIONIDsessionManager.setSessionIdUrlRewritingEnabled(false);return sessionManager;}/*** SecurityManager:安全管理器*/("securityManager")public SecurityManager securityManager(UserRealm userRealm, SessionManager sessionManager) {DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();//securityManager.setSessionManager(sessionManager);securityManager.setRealm(userRealm);return securityManager;}/*** ShiroFilter是整个Shiro的入口点,用于拦截需要安全控制的请求进行处理*/("shiroFilter")public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();shiroFilter.setSecurityManager(securityManager);shiroFilter.setLoginUrl("/userLogin");shiroFilter.setUnauthorizedUrl("/");Map<String, String> filterMap = new LinkedHashMap<>();//authc:所有url都必须认证通过才可以访问; anon:所有url都都可以匿名访问,先配置anon再配置authc,当你变为authc的时候,登入将会跳转/userLoginfilterMap.put("/userLogin", "anon");shiroFilter.setFilterChainDefinitionMap(filterMap);return shiroFilter;}/*** 管理Shiro中一些bean的生命周期*/("lifecycleBeanPostProcessor")public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {return new LifecycleBeanPostProcessor();}/*** 扫描上下文,寻找所有的Advistor(通知器)* 将这些Advisor应用到所有符合切入点的Bean中。*/public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();proxyCreator.setProxyTargetClass(true);return proxyCreator;}/*** 匹配所有加了 Shiro 认证注解的方法*/public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();advisor.setSecurityManager(securityManager);return advisor;}}
这个配置文件是我们进行权限和登入认证的时候需要用到的
package com.xl.shiro;import org.apache.shiro.authc.*;import org.apache.shiro.authc.credential.CredentialsMatcher;import org.apache.shiro.authc.credential.HashedCredentialsMatcher;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.util.ByteSource;import org.springframework.stereotype.Component;import org.springframework.util.StringUtils;import javax.annotation.Resource;import java.util.*;/*** Shiro 认证实体*/public class UserRealm extends AuthorizingRealm {private SysUserMapper sysUserMapper ;private SysMenuMapper sysMenuMapper ;/*** 授权(验证权限时调用)* 获取用户权限集合*/public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {Object user = principals.getPrimaryPrincipal();if(user == null) {throw new UnknownAccountException("账号不存在");}List<String> permsList;//默认用户拥有最高权限User user1 =new User();user1.setUserid(1);user1.setUserid1(2);user1.setUserid2(3);user1.setUserid3("123");ListpermsList = new ArrayList<>(menuList.size());for(Map menu : menuList){permsList.add(menu.get("perms").toString());}//用户权限列表Set<String> permsSet = new HashSet<>();for(String perms : permsList){if(StringUtils.isEmpty(perms)){continue;}permsSet.addAll(Arrays.asList(perms.trim().split(",")));}SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();info.setStringPermissions(permsSet);return info;}/*** 认证(登录时调用)* 验证用户登录*/protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken) throws AuthenticationException {UsernamePasswordToken token = (UsernamePasswordToken)authToken;//查询用户信息Map user = sysUserMapper.selectOne(token.getUsername());//账号不存在if(user == null) {throw new UnknownAccountException("账号或密码不正确");}//账号锁定/* if(user.getStatus() == 0){throw new LockedAccountException("账号已被锁定,请联系管理员");}*/SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.get("password"),getName());// SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user,user.get("password"),getName());return info;}/*重写这个方法是因为登入验证的时候,从数据库取出的密码是加密过的,shiro进行密码验证的时候会将明文密码加密后与数据库的密码进行对比。*/public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {HashedCredentialsMatcher shaCredentialsMatcher = new HashedCredentialsMatcher();shaCredentialsMatcher.setHashAlgorithmName(ShiroUtils.hashAlgorithmName);// shaCredentialsMatcher.setHashIterations(ShiroUtils.hashIterations);//这里就是自己设置如何去加密的多少次super.setCredentialsMatcher(shaCredentialsMatcher);}}
3.添加shiro工具类
package com.xl.shiro;import org.apache.shiro.SecurityUtils;import org.apache.shiro.crypto.hash.SimpleHash;import org.apache.shiro.session.Session;import org.apache.shiro.subject.Subject;/*** Shiro工具类*/public class ShiroUtils {/** 加密算法 */public final static String hashAlgorithmName = "SHA-256";/** 循环次数 */public final static int hashIterations = 16;public static String sha256(String password, String salt) {return new SimpleHash(hashAlgorithmName, password, salt, hashIterations).toString();}// 获取一个测试账号 adminpublic static void main(String[] args) {// 3743a4c09a17e6f2829febd09ca54e627810001cf255ddcae9dabd288a949c4a// System.out.println(sha256("qqq","123")) ;System.out.println(new SimpleHash(hashAlgorithmName, "admin").toString()) ;}/*** 获取会话*/public static Session getSession() {return SecurityUtils.getSubject().getSession();}/*** Subject:主体,代表了当前“用户”*/public static Subject getSubject() {return SecurityUtils.getSubject();}/* public static SysUserEntity getUserEntity() {return (SysUserEntity)SecurityUtils.getSubject().getPrincipal();}public static Long getUserId() {return getUserEntity().getUserId();}*/public static void setSessionAttribute(Object key, Object value) {getSession().setAttribute(key, value);}public static Object getSessionAttribute(Object key) {return getSession().getAttribute(key);}public static boolean isLogin() {return SecurityUtils.getSubject().getPrincipal() != null;}public static void logout() {SecurityUtils.getSubject().logout();}}
4.重写抛出异常类
package com.xl.shiro;import org.apache.shiro.authz.AuthorizationException;import org.springframework.web.bind.annotation.ExceptionHandler;import org.springframework.web.bind.annotation.RestControllerAdvice;@RestControllerAdvicepublic class ShiroException {@ExceptionHandler(AuthorizationException.class)public String authorizationException (){return "抱歉您没有权限访问该内容!";}@ExceptionHandler(Exception.class)public String handleException(Exception e){return "系统异常!";}}
5.控制层
package com.xl.shiro;import lombok.extern.slf4j.Slf4j;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.authz.annotation.RequiresPermissions;import org.apache.shiro.subject.Subject;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Value;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestParam;import org.springframework.web.bind.annotation.RestController;import javax.annotation.Resource;import java.util.List;/*** Shrio 测试方法控制层*/public class ShiroController {private Integer time;private static Logger LOGGER = LoggerFactory.getLogger(ShiroController.class) ;private SysMenuMapper sysMenuMapper ;/*** 登录测试* http://localhost:7011/userLogin?userName=admin&passWord=admin*/public void userLogin (String userName,String passWord){try{Subject subject = ShiroUtils.getSubject();// String ps=ShiroUtils.sha256(passWord,"123");log.info(time.toString());UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord);subject.login(token);LOGGER.info("登录成功");}catch (Exception e) {e.printStackTrace();}}/*** 服务器每次重启请求该接口之前必须先请求上面登录接口* http://localhost:7011/menu/list 获取所有菜单列表* 权限要求:sys:user:shiro*/public List list(){User user =new User();user.setUserid(1);user.setUserid1(2);user.setUserid2(3);user.setUserid3("123");return sysMenuMapper.selectList(user) ;}/*** 用户没有该权限,无法访问* 权限要求:ccc:ddd:bbb*/public List list2(){User user =new User();user.setUserid(1);user.setUserid1(2);user.setUserid2(3);user.setUserid3("123");return sysMenuMapper.selectList(user) ;}/*** 退出测试*/public String logout (){ShiroUtils.logout();return "success" ;}}
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Heyyouare/article/details/108384771
感谢点赞支持下哈 
评论