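@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro servlet filter that enforces the URL -> filter rules below.
     *
     * Rules are evaluated in insertion order and the FIRST matching Ant-style pattern
     * wins, which is why a LinkedHashMap is used. Built-in filter names (the filter
     * for roles is named "roles", not "role"):
     *   anon  - no authentication required
     *   authc - an authenticated subject is required
     *   user  - a known subject is required (authenticated OR remembered)
     *   perms - the subject must hold the listed permission(s)
     *   roles - the subject must hold the listed role(s)
     *
     * NOTE(review): there is no deny-by-default rule. Only /user/add and /user/update
     * are protected; every other URL is reachable without logging in. To close that,
     * append `filterMap.put("/**", "authc");` as the LAST entry, after anon entries
     * for the login page, the unauthorized page, the login form's POST target and any
     * static assets. The POST target and asset paths are not visible in this file, so
     * the catch-all is deliberately not enabled here.
     *
     * @param defaultWebSecurityManager the security manager that owns the realm
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("getDefaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(defaultWebSecurityManager);

        // Ordered map: first matching pattern wins.
        Map<String, String> filterMap = new LinkedHashMap<>();
        // Pages Shiro itself redirects to must stay reachable without a session.
        // (No behaviour change today; required once a "/**" catch-all is added.)
        filterMap.put("/toLogin", "anon");
        filterMap.put("/noauth", "anon");
        // Permission-gated pages: an unauthenticated subject is sent to the login URL,
        // an authenticated one without the permission to the unauthorized URL.
        // The patterns are exact — confirm no alternate path reaches the same handlers.
        filterMap.put("/user/add", "perms[user:add]");
        filterMap.put("/user/update", "perms[user:update]");
        bean.setFilterChainDefinitionMap(filterMap);

        bean.setLoginUrl("/toLogin");
        bean.setUnauthorizedUrl("/noauth");
        return bean;
    }

    /**
     * Security manager wired to the single application realm.
     *
     * NOTE(review): DefaultWebSecurityManager also installs a default remember-me
     * manager. If remember-me is used, confirm its cipher key is set explicitly and
     * kept out of source control rather than left at a library default.
     *
     * @param userRealm the realm that performs authentication and authorization
     * @return the security manager
     */
    @Bean
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * The custom realm (see UserRealm).
     *
     * NOTE(review): no CredentialsMatcher is configured, so the realm's default
     * comparison of the stored credential against the submitted password applies.
     * If the database stores plaintext passwords, the fix is to store hashes and set
     * a hashed credentials matcher on this realm; not applied here because the
     * stored format is not visible in this file.
     *
     * @return a new UserRealm
     */
    @Bean
    public UserRealm userRealm() {
        return new UserRealm();
    }

}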

认证和授权class:
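public class UserRealm extends AuthorizingRealm {

    @Autowired
    userServiceImpl userService;

    /**
     * Authorization: builds the permission set for the given principals.
     *
     * The principal is read from the PrincipalCollection Shiro passes in rather than
     * from SecurityUtils.getSubject(), so the realm also answers correctly for
     * remembered or run-as subjects and for callers outside a request thread.
     * The original printed the whole User object to stdout; that line is dropped
     * because the object carries the stored credential (getPwd()).
     *
     * @param principalCollection principals of the subject being authorized
     * @return the subject's string permissions (empty when the user has none)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行============》授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User currentUser = (User) principalCollection.getPrimaryPrincipal();
        // The original passed perms straight through; a null or empty value would be
        // handed to the permission resolver, so it is skipped here.
        // NOTE(review): perms is treated as ONE permission string — confirm the column
        // never holds a comma-separated list.
        String perms = currentUser == null ? null : currentUser.getPerms();
        if (perms != null && !perms.isEmpty()) {
            info.addStringPermission(perms);
        }
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands Shiro the stored
     * credential to compare against the submitted one.
     *
     * Returning null makes Shiro raise UnknownAccountException; a credential mismatch
     * (checked by the CredentialsMatcher after this method returns) raises
     * IncorrectCredentialsException.
     *
     * NOTE(review): getPwd() is handed over as-is, so whatever the database stores
     * (plaintext or a hash) must match what the realm's CredentialsMatcher expects;
     * no matcher is configured in ShiroConfig.
     *
     * @param token the submitted credentials
     * @return authentication info for the account, or null if it is unknown
     * @throws AuthenticationException per Shiro's realm contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("执行============》认证");
        // supports() on AuthenticatingRealm only routes UsernamePasswordTokens here by
        // default; the guard keeps that explicit instead of relying on a bare cast.
        if (!(token instanceof UsernamePasswordToken)) {
            return null;
        }
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        User user = userService.getUserByName(userToken.getUsername());
        if (user == null) {
            return null;
        }
        // Exact (case-sensitive) match on top of the lookup, which may be
        // case-insensitive depending on the database collation — kept from the original.
        if (!userToken.getUsername().equals(user.getName())) {
            return null;
        }
        // Realm name via getName() so the PrincipalCollection is attributable to this
        // realm (the original passed "").
        return new SimpleAuthenticationInfo(user, user.getPwd(), getName());
    }

    /**
     * Runs Shiro's credential check and, only if it passes, stores the User in the
     * session as "loginUser". The original realm stored it inside
     * doGetAuthenticationInfo, i.e. before the password was verified, so a failed
     * login still left the account object in the caller's session.
     *
     * NOTE(review): the pre-login session is reused here; confirm the session id is
     * regenerated on login in this Shiro version/deployment.
     *
     * @param token the submitted credentials
     * @param info  the info returned by doGetAuthenticationInfo
     * @throws AuthenticationException from super when the credentials do not match
     */
    @Override
    protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
        super.assertCredentialsMatch(token, info);
        Object principal = info.getPrincipals().getPrimaryPrincipal();
        SecurityUtils.getSubject().getSession().setAttribute("loginUser", principal);
    }

}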