@wangzhuanyun 2020-09-27T03:40:48.000000Z 字数 4344 阅读 722

SpringBoot shiro(八)

springboot


shiro登录与权限验证:
1.完成bean,dao,service.实现对用户的登录查询
需查询出用户所有信息,包括角色及权限

2.引入依赖:

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.0</version>
</dependency>

PS:版本不低于1.4.0。1.4.0 之后的版本陆续修复了多个安全问题,实际项目中建议使用官方仍在维护的最新版本。

3.新建类,继承AuthorizingRealm,自定义权限验证和登录验证

import com.kgc.demoshiro.bean.User;
import com.kgc.demoshiro.service.UserService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
/**
 * Custom Shiro realm. Overrides the two {@link AuthorizingRealm} hooks so the
 * application supplies its own login lookup and its own authorization data.
 */
public class Myrealm extends AuthorizingRealm {
    // Injected by Spring; used to look a user up by login name.
    @Autowired
    UserService us;

    /**
     * Authorization hook.
     *
     * <p>Returning {@code null} supplies no roles and no permissions, so role and
     * permission checks answered by this realm are denied. It does not switch
     * authorization off; it only means nothing is granted. URL rules that use
     * {@code authc} are unaffected because they only test whether the subject is
     * logged in.
     *
     * @param principalCollection principals of the already authenticated subject
     * @return always {@code null} in this first version of the realm
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Authentication hook: resolves the submitted login name to a stored account.
     *
     * @param token the login token built by the caller of {@code subject.login}
     * @return the account data Shiro should verify the submitted credentials
     *         against, or {@code null} when no login name was submitted or no
     *         such user exists
     * @throws AuthenticationException declared by the overridden method; not
     *         thrown directly by this implementation
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // No login name submitted: nothing to look up.
        Object submittedPrincipal = token.getPrincipal();
        if (submittedPrincipal == null) {
            return null;
        }

        // Database lookup through the service layer built in step 1.
        User account = us.queryByName(submittedPrincipal.toString());
        if (account == null) {
            // Unknown login name. The login controller handles this case as
            // UnknownAccountException.
            return null;
        }

        // Arguments: principal (the whole User object, so the authorization hook
        // can read its roles later), stored credential, realm name. If no
        // authorization data is needed, the login name alone is enough as principal.
        //
        // NOTE(review): getPwd() is handed over as the stored credential and no
        // CredentialsMatcher is set on this realm in the code shown, so Shiro's
        // default matcher compares it directly with the submitted password. That
        // implies plaintext passwords in the database - confirm, and prefer a
        // salted, iterated hash verified through PasswordMatcher or
        // HashedCredentialsMatcher.
        //
        // NOTE(review): because the principal is the full User object, the
        // password field travels with it into the session (and into the
        // rememberMe data when rememberMe is on). Consider a principal that
        // carries only id/name, or clear the password before returning.
        return new SimpleAuthenticationInfo(account, account.getPwd(), getName());
    }
}

4.shiro的配置类:

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;
// @Configuration makes Spring load this class at startup and register its @Bean methods.
@Configuration
public class Shiro {
    /**
     * Builds the Shiro servlet filter and its URL-to-filter rules.
     *
     * @param manager the security manager the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager manager){
        // Insertion order is kept by LinkedHashMap and the first matching pattern
        // wins, so the specific "anon" entries must come before the "/**" catch-all.
        Map<String, String> chainDefinitions = new LinkedHashMap<>();
        chainDefinitions.put("/static/**", "anon"); // anon: no login required (static resources)
        chainDefinitions.put("/login", "anon");
        chainDefinitions.put("/welcome", "anon");
        // authc only requires a logged-in subject; it checks no role or permission.
        // NOTE(review): nothing in this chain restricts a URL by role/permission,
        // so every authenticated user can reach every endpoint unless the
        // handlers enforce it themselves (perms[...]/roles[...] filters or the
        // @RequiresPermissions/@RequiresRoles annotations).
        chainDefinitions.put("/**", "authc");

        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(manager);
        // Where unauthenticated requests are sent.
        factory.setLoginUrl("/");
        // Default target after a successful login.
        factory.setSuccessUrl("/index");
        factory.setFilterChainDefinitionMap(chainDefinitions);
        return factory;
    }

    /**
     * Registers the custom realm as a Spring bean so its {@code @Autowired}
     * field is populated.
     *
     * @return a new {@link Myrealm}
     */
    @Bean
    public Myrealm myrealm(){
        System.out.println("这是我的shiro realm");
        return new Myrealm();
    }

    /**
     * Creates the web security manager and plugs the custom realm into it.
     *
     * @return the security manager used by {@link #shiroFilter}
     */
    @Bean
    public SecurityManager securityManager(){
        System.out.println("这是我的shiro securityManager");
        DefaultWebSecurityManager webManager = new DefaultWebSecurityManager();
        webManager.setRealm(myrealm());
        return webManager;
    }

}

5.controller:处理登录:

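/**
 * Handles the login form POST: wraps the submitted name and password in a
 * Shiro token and asks the current subject to log in.
 *
 * @param uname submitted login name
 * @param pwd   submitted password
 * @return {@code "index"} on success, or a redirect to {@code "/"} when
 *         authentication fails for any reason
 */
@PostMapping("login")
public String a1(String uname,String pwd){
    // The third argument is rememberMe.
    // NOTE(review): it is hard-coded to true, so every successful login asks
    // Shiro to remember the user whether or not the user chose that. Consider
    // binding it to an opt-in form field.
    UsernamePasswordToken token=new UsernamePasswordToken(uname,pwd,true);
    // Subject bound to the current request.
    Subject subject= SecurityUtils.getSubject();
    try {
        // Delegates to the realm's doGetAuthenticationInfo and the credential check.
        subject.login(token);
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // Covers unknown account and wrong password (the two cases handled
        // before) and every other authentication failure, which previously
        // escaped as an unhandled exception. All failures get the same
        // response, so the reply does not reveal whether the user name exists.
        // Fully qualified because this file's import list is not shown here.
        return "redirect:/";
    }

    return "index";
}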

=====================================
权限验证:::::::

6.引入依赖:

<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>2.0.0</version>
</dependency>

7.重写realm中的权限验证的方法

/**
 * Authorization hook: reports the roles and permissions of the logged-in user.
 *
 * <p>The data is read from the {@code User} object that was stored as the
 * principal at login, not re-queried here, so role or permission changes made
 * afterwards are not reflected until the principal is rebuilt.
 *
 * @param principalCollection principals of the authenticated subject; the
 *        primary principal is expected to be the {@code User} set at login
 * @return the role names and permission strings collected from that user
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    // The principal is the User object passed to SimpleAuthenticationInfo at login.
    User currentUser = (User) principalCollection.getPrimaryPrincipal();

    SimpleAuthorizationInfo granted = new SimpleAuthorizationInfo();
    for (Role role : currentUser.getRole()) {
        granted.addRole(role.getRname());
        // Every permission of every role is added as a permission string.
        for (Perssion permission : role.getP()) {
            granted.addStringPermission(permission.getPname());
        }
    }
    return granted;
}

8.回到config:

/**
 * Registers the Thymeleaf Shiro dialect so templates can use the
 * {@code shiro:} attributes and tags.
 *
 * @return a new {@link ShiroDialect}
 */
@Bean
public ShiroDialect shiroDialect(){
    ShiroDialect dialect = new ShiroDialect();
    return dialect;
}

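9.在前台页面通过属性标签识别权限和角色(这些标签只控制页面元素是否显示,不会拦截请求;上面的过滤器链只配置了 authc,服务端仍需用 perms[...]/roles[...] 过滤器或 @RequiresPermissions/@RequiresRoles 注解校验权限):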

<div shiro:hasPermission="a">拥有a权限</div>
<div shiro:hasAnyPermissions="a,user:add,c">拥有某一个权限</div>
<div shiro:hasAllPermissions="a,b,c">拥有全部的权限</div>
<div shiro:guest>访客才能看到的信息</div>
<div shiro:hasRole="vip">拥有vip角色</div>
<div shiro:hasAllRoles="vip,a">拥有vip,a两种角色</div>
<div shiro:hasAnyRoles="vip,a">拥有vip,a任一种角色</div>
<div shiro:lacksPermission="a">没有a权限</div>
<div shiro:lacksRole="a">没有a角色</div>
<shiro:principal/>用户的全部信息(输出 principal 对象的 toString();本例中 principal 是整个 User 对象,应确保其 toString() 不包含密码)
<shiro:principal property="属性名"/>展示用户某一属性值