Spring Boot 中使用 Shiro

本文介绍如何在 Spring Boot 项目中使用 Apache Shiro 进行认证与权限校验。主要内容包括:在 pom 文件中添加 Shiro 依赖;创建配置类 ShiroConfiguration,在其中注册自定义 Realm、SecurityManager 和过滤器工厂 Bean(ShiroFilterFactoryBean);编写自定义 Realm(MyShiroRealm),完成账号密码校验和权限加载。


首先在 pom 文件中添加 Shiro 的依赖。注意:下面示例使用的 1.2.4 是很老的版本,1.2.5 之前的 Shiro 默认 rememberMe 使用硬编码的加密密钥(CVE-2016-4437),生产环境请使用当前的 1.x 版本,并为 rememberMe 配置每个部署独立的随机密钥,或者直接关闭 rememberMe。

  <!-- Apache Shiro (authentication / authorization) with its Spring integration.
       NOTE(review): 1.2.4 is an old release. Shiro before 1.2.5 shipped a hard-coded default
       rememberMe cipher key (CVE-2016-4437); use a current 1.x release instead. -->
  <dependency>
       <groupId>org.apache.shiro</groupId>
       <artifactId>shiro-spring</artifactId>
       <version>1.2.4</version>
   </dependency>

然后在项目中添加 Shiro 的配置类 ShiroConfiguration。注意过滤器链是按定义顺序匹配、首条命中即生效的,所以必须使用 LinkedHashMap 保持顺序,并把兜底规则 `/**` 放在最后。


@Configuration
public class ShiroConfiguration {

    /**
     * The realm that authenticates users and loads their permissions (see MyShiroRealm).
     * Authorization caching is switched off, so permissions are re-read on every check.
     * NOTE(review): no CredentialsMatcher is configured on this realm, so Shiro falls back to
     * its default SimpleCredentialsMatcher (plain equality against the stored credential);
     * confirm how passwords are stored before relying on this.
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        MyShiroRealm realm = new MyShiroRealm();
        realm.setCachingEnabled(false);
        return realm;
    }

    /**
     * Web security manager wired to the single custom realm.
     * NOTE(review): no rememberMeManager is set here, so Shiro's default CookieRememberMeManager
     * applies; with shiro-spring 1.2.4 (the version this page uses) that manager ships a
     * hard-coded default cipher key (CVE-2016-4437). Upgrade Shiro and/or set a random key.
     */
    @Bean
    public DefaultWebSecurityManager defaultWebSecurityManager(MyShiroRealm myShiroRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myShiroRealm);
        return manager;
    }

    /**
     * Shiro servlet filter: unauthenticated requests are redirected to /login and successful
     * logins to /subLogin. The chain is first-match-wins, so the catch-all "/**" stays last.
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(defaultWebSecurityManager);
        factory.setLoginUrl("/login");
        factory.setSuccessUrl("/subLogin");
        // unauthorizedUrl is deliberately not set (the original left it out), so authorization
        // failures surface as exceptions instead of a redirect.
        factory.setFilterChainDefinitionMap(filterChain());
        return factory;
    }

    /** Ordered filter chain; a LinkedHashMap because Shiro evaluates entries in insertion order. */
    private static Map<String, String> filterChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/logout", "logout");
        chain.put("/static/**", "anon");
        chain.put("/loginPage", "anon");
        chain.put("/login", "anon");
        chain.put("/success", "anon");
        chain.put("/**", "authc");
        return chain;
    }
}

因为上面的配置需要一个 Realm,这里自己创建 MyShiroRealm:doGetAuthenticationInfo 负责按登录名查出用户并把存储的密码交给 Shiro 比对,doGetAuthorizationInfo 负责加载账号的权限信息。注意示例没有给 Realm 配置 CredentialsMatcher,Shiro 默认会把提交的密码与库中的值直接做相等比较,实际项目应当存储加盐哈希并配置 HashedCredentialsMatcher 之类的匹配器。

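public class MyShiroRealm extends AuthorizingRealm {

    /**
     * Logger for this realm. The original listing used an undeclared {@code logger}; a JDK
     * logger is declared here so the class is self-contained -- swap in the project's logging
     * facade if it has one.
     */
    private static final java.util.logging.Logger logger =
            java.util.logging.Logger.getLogger(MyShiroRealm.class.getName());

    @Resource
    private TbUserDao userDao;

    // NOTE(review): doGetAuthorizationInfo below calls userService.findPermNamesByUserId(...),
    // but the original listing never declares userService. Inject the service that owns that
    // query here; its type is not shown on this page.

    /**
     * Loads the permission strings of an already-authenticated user.
     * Because caching is disabled on this realm in ShiroConfiguration, Shiro calls this on
     * every permission/role check, not only at login.
     *
     * @param principalCollection principals of the current subject; the primary principal is the
     *                            ShiroUser created in doGetAuthenticationInfo
     * @return authorization info carrying the user's permission strings
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // Fix: the original read an undeclared variable "principals"; the parameter is principalCollection.
        ShiroUser shiroUser = (ShiroUser) principalCollection.getPrimaryPrincipal();

        // Permission strings assembled from the permission table.
        Set<String> permNames = userService.findPermNamesByUserId(shiroUser.getId());

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (permNames != null) {
            info.addStringPermissions(permNames);
        }

        // NOTE(review): this fires on every authorization check and dumps the whole permission
        // set at INFO level; consider a finer log level for production.
        logger.info(String.format("用户[%s]登录成功,获取权限集合:%s", shiroUser.getLoginName(), permNames));

        return info;
    }

    /**
     * Looks the user up by login name and hands the stored credential to Shiro for matching.
     *
     * @param authenticationToken the submitted UsernamePasswordToken
     * @return authentication info for the user, or null when no such user exists (Shiro turns
     *         null into an UnknownAccountException)
     * @throws AuthenticationException if the principal cannot be built from the user record
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String userName = token.getUsername();
        TbUser user = userDao.findTbUserByLoginName(userName);
        if (user == null) {
            // NOTE(review): returning null yields UnknownAccountException, while a wrong password
            // yields IncorrectCredentialsException. If the login page reports the two differently,
            // valid usernames can be enumerated -- show one generic message to the client.
            return null;
        }

        // No try/catch here on purpose: the original caught every exception, printed the stack
        // trace and then returned a half-populated principal (missing company/role data), which
        // would still authenticate the user. Letting the exception propagate fails the login.
        ShiroUser shiroUser = buildPrincipal(user);

        // NOTE(review): ShiroConfiguration sets no CredentialsMatcher on this realm, so Shiro's
        // default SimpleCredentialsMatcher compares the submitted password directly with
        // user.getPassWord(). That only works when passwords are stored in plaintext; store a
        // salted hash and configure HashedCredentialsMatcher / PasswordMatcher to match it.
        return new SimpleAuthenticationInfo(shiroUser, user.getPassWord(), user.getLoginName());
    }

    /** Copies the session-relevant fields of a TbUser into the serializable principal. */
    private static ShiroUser buildPrincipal(TbUser user) {
        ShiroUser shiroUser = new ShiroUser();
        shiroUser.setId(user.getId());
        shiroUser.setLoginName(user.getLoginName());
        shiroUser.setName(user.getName());
        shiroUser.setDataRange(user.getDataRange());
        if (user.getCompany() != null) {
            shiroUser.setCompanyId(user.getCompany().getId());
            shiroUser.setCompanyName(user.getCompany().getCompanyName());
            shiroUser.setState(user.getCompany().getState());
        } else {
            // "1" is the state given to users without a company; its meaning is not shown here -- TODO confirm.
            shiroUser.setState("1");
        }
        shiroUser.setRoleNames(joinRoleNames(user.getRoles()));
        return shiroUser;
    }

    /**
     * Joins role names with commas ("" for no roles).
     * Fix: the original built ",a,b" and called substring(1), which throws
     * StringIndexOutOfBoundsException for a user with no roles (and NPE for a null collection).
     */
    private static String joinRoleNames(Iterable<? extends TBRole> roles) {
        if (roles == null) {
            return "";
        }
        StringBuilder joined = new StringBuilder();
        for (TBRole role : roles) {
            if (joined.length() > 0) {
                joined.append(',');
            }
            joined.append(role.getName());
        }
        return joined.toString();
    }

    /**
     * Custom principal so the Subject carries more than the login name.
     * It is stored in the session, hence Serializable. Identity (equals/hashCode) is by loginName
     * only. Fields are public in the original; the getters/setters below make that unnecessary.
     */
    public static class ShiroUser implements Serializable {
        private static final long serialVersionUID = -1373760761780840081L;
        public Long id;
        public String loginName;
        public String name;
        public String dataRange;
        public Long companyId;
        public String companyName;
        public String roleNames;
        public String state;

        public String getDataRange() {
            return dataRange;
        }

        public void setDataRange(String dataRange) {
            this.dataRange = dataRange;
        }

        public String getName() {
            return name;
        }

        public String getLoginName() {
            return loginName;
        }

        public Long getId() {
            return id;
        }

        public static long getSerialversionuid() {
            return serialVersionUID;
        }

        public void setId(Long id) {
            this.id = id;
        }

        public void setLoginName(String loginName) {
            this.loginName = loginName;
        }

        public void setName(String name) {
            this.name = name;
        }

        public Long getCompanyId() {
            return companyId;
        }

        public void setCompanyId(Long companyId) {
            this.companyId = companyId;
        }

        public void setCompanyName(String companyName) {
            this.companyName = companyName;
        }

        public String getCompanyName() {
            return companyName;
        }

        /** Comma-separated role names as built by joinRoleNames. */
        public String getRoleNames() {
            return roleNames;
        }

        public void setRoleNames(String roleNames) {
            this.roleNames = roleNames;
        }

        public String getState() {
            return state;
        }

        public void setState(String state) {
            this.state = state;
        }

        /** Used as the default output of {@code <shiro:principal/>}. */
        @Override
        public String toString() {
            return loginName;
        }

        /** Hash by loginName only, consistent with equals. */
        @Override
        public int hashCode() {
            return Objects.hashCode(loginName);
        }

        /** Two principals are equal when they have the same class and loginName. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            ShiroUser other = (ShiroUser) obj;
            return Objects.equals(loginName, other.loginName);
        }

    }
}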
要在Spring Boot项目中使用Shiro实现接口授权,需要进行以下步骤: 1. 添加Shiro依赖 在pom.xml文件中添加Shiro依赖: ``` <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.5.0</version> </dependency> ``` (1.5.0 之后的多个 1.5.x 小版本修复了过滤链绕过类漏洞,如 CVE-2020-1957,请使用当前的 1.x 版本。) 2. 配置Shiro 在Spring Boot的配置文件中添加Shiro的配置,如下所示: ``` shiro: filter-chain-definitions: /** = anon /login = anon /logout = logout /api/** = authc security-manager: realm: type: org.apache.shiro.realm.jdbc.JdbcRealm authentication-query: SELECT password FROM users WHERE username = ? user-roles-query: SELECT role_name FROM user_roles WHERE username = ? permissions-query: SELECT permission FROM roles_permissions WHERE role_name = ? ``` 该配置文件中配置了Shiro的过滤链,以及Shiro的安全管理器和Realm。注意:Shiro 的过滤链按定义顺序匹配、首条命中即生效,上面把 `/** = anon` 写在最前面会让后面的 `/api/** = authc` 永远匹配不到,所有接口都变成匿名可访问;兜底规则 `/**` 必须放在最后。 3. 编写Shiro Realm 编写一个继承自JdbcRealm的Realm类,并实现doGetAuthenticationInfo()和doGetAuthorizationInfo()两个方法,如下所示(示例中 doGetAuthenticationInfo 的方法体只有注释、缺少 return,需要自行补全;另外 `new String(upToken.getPassword())` 会把密码变成不可清除的 String,比对时最好直接使用 char[]): ``` public class MyRealm extends JdbcRealm { @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { UsernamePasswordToken upToken = (UsernamePasswordToken) token; String username = upToken.getUsername(); String password = new String(upToken.getPassword()); // 根据用户名和密码查询数据库,如果查询到了用户,则返回一个封装了该用户信息的AuthenticationInfo对象 // 如果没有查询到用户,则返回null } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); String username = (String) principals.getPrimaryPrincipal(); // 根据用户名查询用户的角色和权限信息,并将其添加到authorizationInfo中 return authorizationInfo; } } ``` 4. 
配置ShiroFilterFactoryBean 在Spring Boot的配置类中配置ShiroFilterFactoryBean,如下所示: ``` @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(@Autowired MyRealm myRealm) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(new DefaultWebSecurityManager(myRealm)); Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>(); filterChainDefinitionMap.put("/login", "anon"); filterChainDefinitionMap.put("/logout", "logout"); filterChainDefinitionMap.put("/api/**", "authc"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); return shiroFilterFactoryBean; } ``` 该配置类中配置了一个ShiroFilterFactoryBean,并将其与安全管理器和过滤链绑定在一起。 5. 编写接口控制器 编写一个接口控制器,并在该控制器中添加需要授权的接口方法,如下所示: ``` @RestController public class ApiController { @GetMapping("/api/hello") public String hello() { return "Hello, world!"; } @RequiresRoles("admin") @PostMapping("/api/admin") public String admin() { return "Hello, admin!"; } } ``` 上述代码中,hello()方法不要求特定角色(但它仍落在 `/api/** = authc` 之下,需要先登录),而admin()方法需要具有admin角色才能访问。注意 `@RequiresRoles` 这类注解只有在注册了 Shiro 的 AOP 支持(LifecycleBeanPostProcessor 与 AuthorizationAttributeSourceAdvisor)后才会生效,否则注解会被忽略。 6. 测试接口授权 启动Spring Boot应用程序,并使用curl或Postman等工具测试接口授权。例如,可以使用以下命令测试admin接口: ``` curl -X POST http://localhost:8080/api/admin -H 'Authorization: Basic YWRtaW46YWRtaW4=' ``` 其中,Authorization头中的值是用户名和密码的Base64编码,上述例子中的用户名和密码都是admin(admin/admin 只适合本地演示,不要出现在任何可访问的环境中)。需要注意:上面为 `/api/**` 配置的 `authc` 是表单登录过滤器,它不会解析 `Authorization: Basic` 头,要用这种方式测试应改为 `authcBasic`;未登录的请求会被 `authc` 重定向到登录页(302),而 `@RequiresRoles` 校验失败抛出的是 AuthorizationException,除非额外配置异常处理或 unauthorizedUrl,否则并不会自动返回 401。如果授权成功,服务器将返回"Hello, admin!"。