本文介绍如何在SpringBoot项目中配置Shiro进行权限管理,包括自定义Realm、实现记住我功能、配置Shiro方言支持Thymeleaf模板、设置权限链以及在Thymeleaf中使用Shiro方言实现页面权限控制。
springBoot中shiro配置类
/**
* 作者: Lipf
* 项目名: fresh
* 时间: 2019/11/25 16:23
* 描述:
*/
@Configuration
public class ShiroConfiguration {
/**
* thymeleaf模板支持shiro方言的配置
* @return
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
@Bean
public DefaultWebSecurityManager createSecurityManager() throws NoSuchAlgorithmException {
DefaultWebSecurityManager securityManager= new DefaultWebSecurityManager();
securityManager.setRealm(createRealm());
securityManager.setRememberMeManager(cookieRememberMeManager());
return securityManager;
}
@Bean // 记住我cookie
public SimpleCookie simpleCookie(){
SimpleCookie cookie = new SimpleCookie("rememberMe");
cookie.setMaxAge(60*60*24*7);
return cookie;
}
@Bean //记住我管理器
public CookieRememberMeManager cookieRememberMeManager(){
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCookie(simpleCookie());
return cookieRememberMeManager;
}
@Bean
public MyRealm createRealm(){
MyRealm myRealm = new MyRealm();
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashIterations(Constant.SALT_COUNT);
//密码加密处理
hashedCredentialsMatcher.setHashAlgorithmName("SHA-256");
hashedCredentialsMatcher.setStoredCredentialsHexEncoded(false);
myRealm.setCredentialsMatcher(hashedCredentialsMatcher);
return myRealm;
}
/**
* 控制注解权限管理一定生效
* @return
*/
@Bean
public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
/**
* setUsePrefix(false)用于解决一个奇怪的bug。在引入spring aop的情况下。
* 在@Controller注解的类的方法中加入@RequiresRole注解,会导致该方法无法映射请求,导致返回404。
* 加入这项配置能解决这个bug
*/
creator.setUsePrefix(true);
return creator;
}
/**
* 权限链
*/
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition(){
DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
chain.addPathDefinition("/view/login","anon");
chain.addPathDefinition("/view/403","anon");
chain.addPathDefinition("/css/**","anon");
chain.addPathDefinition("/images/**","anon");
chain.addPathDefinition("/styles/**","anon");
chain.addPathDefinition("/js/**","anon");
chain.addPathDefinition("/user/captcha/verify","anon");
chain.addPathDefinition("/user/logout","logout");
chain.addPathDefinition("/back/show","roles[管理]");
chain.addPathDefinition("/back/add","roles[老板]");
return chain;
}
}
自定义MyRealm
@Component
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
User user = (User) principals.getPrimaryPrincipal();
//set集合不可重复,可以直接去重
Set<String> roles = userService.selectRolesByUsername(user.getUName());
//通过角色查询权限
Set<String> permissions = userService.selectPermissionsByRoles(roles);
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setRoles(roles);
authorizationInfo.setStringPermissions(permissions);
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String uName = (String) token.getPrincipal();
User user = userService.selectByUName(uName);
if (user==null){
return null;
}
if(user.getUState()==1){
throw new LockedAccountException("账户锁定,无法登录");
}
ByteSource salt = ByteSource.Util.bytes(user.getUSalt());
SimpleAuthenticationInfo simpleAuthenticationInfo =
new SimpleAuthenticationInfo(user,user.getUPassword(),salt,"myrealm");
return simpleAuthenticationInfo;
}
}
thymeleaf中使用shiro方言
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<head>
<meta charset="UTF-8" />
<title>Insert title here</title>
</head>
<body>
<h3>index</h3>
<!-- 验证当前用户是否为“访客”,即未认证(包含未记住)的用户。 -->
<p shiro:guest="">Please <a href="login.html">login</a></p>
<!-- 认证通过或已记住的用户。 -->
<p shiro:user="">
Welcome back John! Not John? Click <a href="login.html">here</a> to login.
</p>
<!-- 已认证通过的用户。不包含已记住的用户,这是与user标签的区别所在。 -->
<p shiro:authenticated="">
Hello, <span shiro:principal=""></span>, how are you today?
</p>
<a shiro:authenticated="" href="updateAccount.html">Update your contact information</a>
<!-- 输出当前用户信息,通常为登录帐号信息。 -->
<p>Hello, <shiro:principal/>, how are you today?</p>
<!-- 未认证通过用户,与authenticated标签相对应。与guest标签的区别是,该标签包含已记住用户。 -->
<p shiro:notAuthenticated="">
Please <a href="login.html">login</a> in order to update your credit card information.
</p>
<!-- 验证当前用户是否属于该角色。 -->
<a shiro:hasRole="admin" href="admin.html">Administer the system</a><!-- 拥有该角色 -->
<!-- 与hasRole标签逻辑相反,当用户不属于该角色时验证通过。 -->
<p shiro:lacksRole="developer"><!-- 没有该角色 -->
Sorry, you are not allowed to developer the system.
</p>
<!-- 验证当前用户是否属于以下所有角色。 -->
<p shiro:hasAllRoles="developer, 2"><!-- 角色与判断 -->
You are a developer and a admin.
</p>
<!-- 验证当前用户是否属于以下任意一个角色。 -->
<p shiro:hasAnyRoles="admin, vip, developer,1"><!-- 角色或判断 -->
You are a admin, vip, or developer.
</p>
<!--验证当前用户是否拥有指定权限。 -->
<a shiro:hasPermission="userInfo:add" href="createUser.html">添加用户</a><!-- 拥有权限 -->
<!-- 与hasPermission标签逻辑相反,当前用户没有制定权限时,验证通过。 -->
<p shiro:lacksPermission="userInfo:del"><!-- 没有权限 -->
Sorry, you are not allowed to delete user accounts.
</p>
<!-- 验证当前用户是否拥有以下所有角色。 -->
<p shiro:hasAllPermissions="userInfo:view, userInfo:add"><!-- 权限与判断 -->
You can see or add users.
</p>
<!-- 验证当前用户是否拥有以下任意一个权限。 -->
<p shiro:hasAnyPermissions="userInfo:view, userInfo:del"><!-- 权限或判断 -->
You can see or delete users.
</p>
<a shiro:hasPermission="pp" href="createUser.html">Create a new User</a>
</body>
</html>
扫一扫
546
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
