1、繼承AuthorizingRealm 實現 認證(doGetAuthenticationInfo) 和 授權(doGetAuthorizationInfo)
2、shiro 配置UserRealm、DefaultWebSecurityManager、ShiroFilterFactoryBean
3、ShiroFilterFactoryBean方法裏配置認證和授權
登錄
// Wrap the submitted username/password in a Shiro token and hand it to the
// current Subject; the configured realm decides whether the login succeeds.
Subject subject = SecurityUtils.getSubject();
subject.login(new UsernamePasswordToken(user.getUser(), user.getPassword()));
退出登錄
// Invalidate the current Subject's session and authentication state.
SecurityUtils.getSubject().logout();
1、添加Shiro依賴
<!-- Shiro + Spring integration.
     NOTE(review): 1.4.1 is an older Shiro release line; check the project's
     published security advisories before pinning this version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
2、創建ShiroConfig
@Configuration
public class ShiroConfig {

    /**
     * Builds the Shiro servlet filter together with its URL-to-filter-chain table.
     * The table is consulted in insertion order (hence the LinkedHashMap), so the
     * per-endpoint permission rules must come before the catch-all "/user/*" authc
     * rule, otherwise they would never be reached.
     * Built-in filter names used or available here: anon (no login needed),
     * authc (login required), user (remember-me accepted), perms (a named
     * permission is required), role (a named role is required).
     *
     * @param defaultWebSecurityManager the security manager bean named "manager"
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("manager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean filterFactory = new ShiroFilterFactoryBean();
        filterFactory.setSecurityManager(defaultWebSecurityManager);

        LinkedHashMap<String, String> chains = new LinkedHashMap<>();
        // 1. authorization: each endpoint needs one specific string permission
        chains.put("/user/selectAll", "perms[user:user]");
        chains.put("/user/selectOne", "perms[user:add]");
        // 2. authentication: anything else under /user needs a logged-in subject
        chains.put("/user/*", "authc");
        filterFactory.setFilterChainDefinitionMap(chains);

        // Redirect targets for unauthenticated and unauthorized requests respectively.
        filterFactory.setLoginUrl("/user");
        filterFactory.setUnauthorizedUrl("/selectPerms");
        return filterFactory;
    }

    /**
     * Security manager wired to the single application realm.
     *
     * @param userRealm the realm bean named "userRealm"
     * @return the web security manager
     */
    @Bean("manager")
    public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * The realm that performs authentication and authorization.
     * NOTE(review): no CredentialsMatcher is set on the realm here, so Shiro's default
     * matcher is used — confirm this agrees with how passwords are stored; a hashing
     * matcher is required if they are not kept in clear text.
     *
     * @return a new realm instance
     */
    @Bean("userRealm")
    public UserRealm userRealm() {
        return new UserRealm();
    }
}
3、Realm授權、認證
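public class UserRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;

    /**
     * Authorization: builds the permission set of an already-authenticated user.
     *
     * @param principalCollection principals produced by {@link #doGetAuthenticationInfo};
     *        its primary principal is the {@link User} returned there
     * @return info holding the user's single string permission ({@code User#getPerms()}),
     *         or an empty info object when the principal is missing or has no permission
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("授權++++++++++++++++++++++++++++++");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Use the principals Shiro passed in rather than SecurityUtils.getSubject():
        // that is the contract of this hook, and it does not depend on a thread-bound
        // Subject being present.
        Object principal = principalCollection.getPrimaryPrincipal();
        if (!(principal instanceof User)) {
            return info;
        }
        String perms = ((User) principal).getPerms();
        // A null or empty permission string would break permission resolution later;
        // an empty info object simply grants nothing.
        if (perms != null && !perms.isEmpty()) {
            info.addStringPermission(perms);
        }
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands its stored credential
     * to Shiro. The password is not compared here; the realm's CredentialsMatcher does
     * that against the token.
     *
     * @param authenticationToken the {@link UsernamePasswordToken} created at login
     * @return info whose principal is the {@link User} and whose credential is the stored
     *         password, or {@code null} when the username is absent or unknown (Shiro
     *         treats a null result as an unknown account)
     * @throws AuthenticationException declared by the Shiro hook; not raised directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        System.out.println("認證++++++++++++++++++++++++++++++");
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();
        if (username == null) {
            return null;
        }
        User user = userService.selectUser(username);
        if (user == null) {
            return null;
        }
        // principal: the User, later reachable via SecurityUtils.getSubject().getPrincipal();
        // credentials: the stored password, verified by the matcher, never by this code;
        // realm name: this realm's own name so the principal collection is attributed to it.
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}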
4、LoginController
@RestController
public class LoginController {

    /**
     * Ends the current Subject's session.
     *
     * @return a fixed confirmation message
     */
    @GetMapping("/loginOut")
    public String loginOut() {
        SecurityUtils.getSubject().logout();
        return "退出登錄";
    }

    /**
     * Authenticates the posted user against the configured realm.
     * Every failure maps to the same reply, so the response does not disclose whether
     * the account exists or only the password was wrong.
     *
     * @param user request body carrying the username ({@code getUser()}) and password
     * @return a fixed success or failure message
     */
    @PostMapping("/login")
    public String login(@RequestBody User user) {
        UsernamePasswordToken credentials = new UsernamePasswordToken(user.getUser(), user.getPassword());
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(credentials);
        } catch (Exception e) {
            // The cause is deliberately not echoed to the client.
            return "登錄失敗";
        }
        return "登錄成功";
    }

    /** Target of ShiroConfig's login URL: reached when authentication is missing. */
    @GetMapping("/user")
    public String selectUser() {
        return "認證攔截";
    }

    /** Target of ShiroConfig's unauthorized URL: reached when a permission is missing. */
    @GetMapping("/selectPerms")
    public String selectPerms() {
        return "你沒有該權限";
    }
}
5、測試接口
@RestController
@RequestMapping("/user")
public class UserController {

    @Autowired
    private UserService userService;

    /**
     * Lists all users. Protected by the {@code perms[user:user]} chain entry in ShiroConfig.
     *
     * @return every user known to the service
     */
    @GetMapping("/selectAll")
    public List<User> selectAll() {
        return userService.selectAll();
    }

    /**
     * Protected by the {@code perms[user:add]} chain entry in ShiroConfig.
     * NOTE(review): returns the same full list as selectAll — presumably only to
     * exercise a second permission string; confirm before relying on it.
     *
     * @return every user known to the service
     */
    @GetMapping("/selectOne")
    public List<User> selectOne() {
        return userService.selectAll();
    }
}