@Configuration
public class ShiroConfig {

    /**
     * The custom realm that performs authentication and authorization (see UserRealm).
     *
     * NOTE(review): no CredentialsMatcher is configured on it, so Shiro falls back to
     * SimpleCredentialsMatcher, i.e. a plain equality check against the stored password.
     * Before production use, store a salted hash and attach a HashedCredentialsMatcher here.
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }

    /** Web security manager wired to the single UserRealm bean. */
    @Bean
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    /**
     * Builds the Shiro servlet filter and its URL -> filter chain.
     *
     * Built-in filters referenced by name in the chain:
     *   anon  - reachable without authentication
     *   authc - requires an authenticated subject
     *   user  - requires a known user (remember-me is enough)
     *   perms - requires the given permission on the resource
     *   roles - requires the given role
     * Chain entries are matched in insertion order (first match wins), which is why a
     * LinkedHashMap is used.
     *
     * NOTE(review): only two paths are listed and there is no catch-all. Shiro treats every
     * unlisted URL as anonymous, so any new controller route is public by default. The
     * usual hardening is a final `"/**" -> "authc"` entry with explicit `anon` entries
     * for the login page, the login form's POST target, the unauthorized page and static
     * assets placed ABOVE it; it is not added here because the form's POST endpoint is not
     * visible in this file.
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("getDefaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
        filterFactory.setSecurityManager(defaultWebSecurityManager);

        // Permission-gated resources; an authenticated subject lacking the permission is
        // redirected to the unauthorized URL configured below.
        Map<String, String> chainDefinitions = new LinkedHashMap<>();
        chainDefinitions.put("/user/add", "perms[user:add]");
        chainDefinitions.put("/user/update", "perms[user:update]");
        filterFactory.setFilterChainDefinitionMap(chainDefinitions);

        // Where unauthenticated / unauthorized requests are sent.
        filterFactory.setLoginUrl("/toLogin");
        filterFactory.setUnauthorizedUrl("/noauth");
        return filterFactory;
    }
}
Authentication and authorization class (the custom Realm):
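public class UserRealm extends AuthorizingRealm {

    /** Session attribute under which the authenticated User is published (kept for existing callers). */
    private static final String SESSION_USER_KEY = "loginUser";

    @Autowired
    userServiceImpl userService;

    /**
     * Authorization: turns the principal's stored permission string into Shiro permissions.
     *
     * @param principalCollection principals of the subject being checked; the primary
     *                            principal is the User returned by doGetAuthenticationInfo
     * @return the permissions held by that user (empty if none are stored)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Use the principals Shiro passes in rather than SecurityUtils.getSubject(): Shiro may
        // invoke this for a subject other than the one bound to the current thread.
        Object principal = principalCollection.getPrimaryPrincipal();
        if (principal instanceof User) {
            String perms = ((User) principal).getPerms();
            // A null/blank permission string would otherwise be handed to WildcardPermission,
            // which rejects it; treat it as "no permissions".
            if (perms != null && !perms.trim().isEmpty()) {
                info.addStringPermission(perms);
            }
        }
        // The original printed the whole User here; that echoes the stored credential into
        // stdout/logs, so it is intentionally gone.
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands its stored credential to
     * Shiro, which performs the comparison via the realm's CredentialsMatcher.
     *
     * @param token the submitted UsernamePasswordToken
     * @return the account info, or null so Shiro raises UnknownAccountException
     * @throws AuthenticationException propagated from Shiro
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        String submittedName = userToken.getUsername();
        if (submittedName == null) {
            return null;
        }
        User user = userService.getUserByName(submittedName);
        // Unknown account, or a lookup that matched a different name (e.g. case-insensitive
        // collation) -> null -> UnknownAccountException.
        if (user == null || !submittedName.equals(user.getName())) {
            return null;
        }
        // NOTE(review): no CredentialsMatcher is configured, so the default
        // SimpleCredentialsMatcher compares getPwd() with the submitted password by plain
        // equality, i.e. passwords are stored in clear text. Store a salted hash and configure
        // HashedCredentialsMatcher before production use.
        // getName() (this realm's name) replaces the original "" so principals can be
        // attributed to this realm (PrincipalCollection.fromRealm).
        return new SimpleAuthenticationInfo(user, user.getPwd(), getName());
    }

    /**
     * Verifies the submitted credentials and only then publishes the User into the session.
     *
     * The original set the "loginUser" attribute inside doGetAuthenticationInfo, i.e. before
     * the password was checked: a wrong password still left the full User object (including
     * its stored credential) in the caller's session. Doing it after
     * super.assertCredentialsMatch keeps the attribute for existing readers while closing
     * that window.
     *
     * @throws AuthenticationException (IncorrectCredentialsException) when the password does not match
     */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
            throws AuthenticationException {
        super.assertCredentialsMatch(token, info);
        SecurityUtils.getSubject().getSession()
                .setAttribute(SESSION_USER_KEY, info.getPrincipals().getPrimaryPrincipal());
    }
}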