springboot 配置 shiro

心已赠人 2021-09-16 15:58 377阅读 0赞

**目录**

一、引入 shiro 的包

二、自定义 realm

三、shiro 配置

四、写一个 controller 测试

五、无权限的时候直接报错的错误方式

--------------------

前提：

先准备一个 springboot+mybatis 的环境：[https://blog.csdn.net/weidong\_y/article/details/81709391][https_blog.csdn.net_weidong_y_article_details_81709391]

# 一、引入 shiro 的包 #

<dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.3.2</version>
    </dependency>

# 二、自定义 realm  #

MyShiroRealm.java

package com.yyzheng.oa.shiro;
    
    import com.yyzheng.oa.dao.User;
    import com.yyzheng.oa.service.PermissionService;
    import com.yyzheng.oa.service.RoleService;
    import com.yyzheng.oa.service.UserService;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.crypto.hash.Md5Hash;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.apache.shiro.util.ByteSource;
    import org.springframework.beans.factory.annotation.Autowired;
    
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;
    
    public class MyShiroRealm extends AuthorizingRealm {
        @Autowired
        private RoleService roleService;
        @Autowired
        private PermissionService permissionService;
        @Autowired
        private UserService userService;
    
        // 角色权限和对应权限添加
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            // 获取登录用户名
            String userName = (String)principalCollection.getPrimaryPrincipal();
            // 查询用户的角色信息
            Set<String> roles = getRolesByUsername(userName);
            // 查询角色的权限信息
            Set<String> permissions = getPermissionsByUserName(userName);
            // 设置用户的角色和权限
            SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
            simpleAuthorizationInfo.setRoles(roles);
            simpleAuthorizationInfo.setStringPermissions(permissions);
    
            return simpleAuthorizationInfo;
        }
    
        // 根据用户名字从数据库中获取当前用户的权限数据
        private Set<String> getPermissionsByUserName(String userName) {
            List<String> list = permissionService.queryPermissionNameByUserName(userName);
            if( list != null ){
                Set<String> sets = new HashSet<>(list);
                return sets;
            }else{
                return null;
            }
        }
    
        // 根据用户名字从数据库中获取当前用户的角色数据
        private Set<String> getRolesByUsername(String userName) {
            List<String> list = roleService.queryRoleNameByUsername(userName);
            if( list != null ){
                Set<String> sets = new HashSet<>(list);
                return sets;
            }else{
                return null;
            }
        }
    
        // 认证
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            // 1.从主体传过来的信息中获取用户名
            String userName = (String)authenticationToken.getPrincipal();
            // 2.通过用户名到数据库获取凭证
            String password = getPasswordByUserName(userName);
            if( password == null ){
                return  null;
            }
            SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(userName,password,"myShiroRealm");
            return simpleAuthenticationInfo;
        }
    
        // 通过用户名从数据库中获取当前用户的密码
        private String getPasswordByUserName(String userName) {
            User user = userService.queryUserByUserName(userName);
            if( user != null ){
                return user.getPassword();
            }else{
                return null;
            }
        }
    
    }

# 三、shiro 配置 #

package com.yyzheng.oa.config;
    
    import com.yyzheng.oa.exception.MyExceptionResolver;
    import com.yyzheng.oa.shiro.MyShiroRealm;
    import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
    import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.HandlerExceptionResolver;
    
    import java.util.HashMap;
    import java.util.Map;
    
    @Configuration
    public class ShiroConfiguration {
    
        // 创建自定义 realm
        @Bean
        public MyShiroRealm myShiroRealm() {
            MyShiroRealm myShiroRealm = new MyShiroRealm();
            return myShiroRealm;
        }
    
        // 创建 SecurityManager 对象
        @Bean
        public DefaultWebSecurityManager securityManager() {
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            securityManager.setRealm(myShiroRealm());
            return securityManager;
        }
    
        // Filter工厂，设置对应的过滤条件和跳转条件
        @Bean
        public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
            ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
            shiroFilterFactoryBean.setSecurityManager(securityManager);
            Map<String, String> map = new HashMap<>();
            // 登出
            map.put("/logout", "logout");
            // 对所有用户认证
            map.put("/**", "authc");
            // 对登录跳转接口进行释放
            map.put("/subLogin", "anon");
            map.put("/err", "anon");
            // 登录
            // 注意：这里配置的 /login 是指到 @RequestMapping(value="/login")中的 /login
            shiroFilterFactoryBean.setLoginUrl("/login");
            // 首页
            shiroFilterFactoryBean.setSuccessUrl("/index");
            // 错误页面，认证不通过跳转
            shiroFilterFactoryBean.setUnauthorizedUrl("/err");
            shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
            return shiroFilterFactoryBean;
        }
    
        // 加入注解的使用，不加这个，注解不生效
        @Bean
        public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
            AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
            authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
            return authorizationAttributeSourceAdvisor;
        }
        // 跟上面的注解配置搭配使用，有时候加了上面的配置后注解不生效，需要加入下面的配置
        @Bean
        @ConditionalOnMissingBean
        public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
            DefaultAdvisorAutoProxyCreator app = new DefaultAdvisorAutoProxyCreator();
            app.setProxyTargetClass(true);
            return app;
        }
    
    }

# 四、写一个 controller 测试 #

@Controller
    public class UserController {
    
        @RequestMapping(value = "/login")
        public String login(){
            return "/login";
        }
    
        @RequestMapping(value = "/err")
        public String err(){
            return "/err";
        }
    
        @RequestMapping(value = "/subLogin")
        public String subLogin(User user){
            Subject subject = SecurityUtils.getSubject();
    
            UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(),user.getPassword());
            try{
                subject.login(token);
            }catch (AuthenticationException e){
                e.printStackTrace();
                return e.getMessage();
            }
            return "success";
        }
    
        @RequiresRoles(value = "admin")
        @RequestMapping(value = "/test")
        @ResponseBody
        public String test(){
            return  "123";
        }
    }

# 五、无权限的时候直接报错的错误方式 #

自定义一个异常拦截，自定义跳转页面。

MyExceptionResolver.java 拦截下异常。

package com.yyzheng.oa.exception;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    
    import org.apache.shiro.authz.UnauthorizedException;
    import org.springframework.web.servlet.HandlerExceptionResolver;
    import org.springframework.web.servlet.ModelAndView;
    
    public class MyExceptionResolver implements HandlerExceptionResolver{
    
        public ModelAndView resolveException(HttpServletRequest request,
                                             HttpServletResponse response, Object handler, Exception ex) {
            System.out.println("==============异常开始=============");
            //如果是shiro无权操作，因为shiro 在操作auno等一部分不进行转发至无权限url
            if(ex instanceof UnauthorizedException){
                // 跳转到 templates 文件下面找 err.html 页面
                ModelAndView mv = new ModelAndView("err");
                return mv;
            }
            ex.printStackTrace();
            ModelAndView mv = new ModelAndView("err");
            mv.addObject("exception", ex.toString().replaceAll("\n", "<br/>"));
            return mv;
        }
    }

在shiro中配置一下：

// 自定义异常捕获注册
        @Bean
        public HandlerExceptionResolver solver(){
            HandlerExceptionResolver handlerExceptionResolver = new MyExceptionResolver();
            return handlerExceptionResolver;
        }

[https_blog.csdn.net_weidong_y_article_details_81709391]: https://blog.csdn.net/weidong_y/article/details/81709391