小编给大家分享一下SpringBoot2如何整合shiro框架实现用户权限管理,相信大部分人都还不怎么了解,因此分享这篇文章给大家参考一下,希望大家阅读完这篇文章后大有收获,下面让我们一起去了解一下吧!一、Shiro简介1、基础概念Apac
小编给大家分享一下SpringBoot2如何整合shiro框架实现用户权限管理,相信大部分人都还不怎么了解,因此分享这篇文章给大家参考一下,希望大家阅读完这篇文章后大有收获,下面让我们一起去了解一下吧!
Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。作为一款安全框架Shiro的设计相当巧妙。Shiro的应用不依赖任何容器,它不仅可以在JavaEE下使用,还可以应用在JavaSE环境中。
1)Subject:认证主体
代表当前系统的使用者,就是用户,在Shiro的认证中,认证主体通常就是userName和passWord,或者其他用户相关的唯一标识。
2)SecurityManager:安全管理器
Shiro架构中最核心的组件,通过它可以协调其他组件完成用户认证和授权。实际上,SecurityManager就是Shiro框架的控制器。
3)Realm:域对象
定义了访问数据的方式,用来连接不同的数据源,如:关系数据库,配置文件等等。
Shiro自己不维护用户和权限,通过Subject用户主体和Realm域对象的注入,完成用户的认证和授权。
<dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.4.0</version></dependency><dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.4.0</version></dependency>
@Configurationpublic class ShiroConfig { @Bean("sessionManager") public SessionManager sessionManager(){ DefaultWEBSessionManager sessionManager = new DefaultWebSessionManager(); //设置session过期时间 sessionManager.setGlobalSessionTimeout(60 * 60 * 1000); sessionManager.setSessionValidationSchedulerEnabled(true); // 去掉shiro登录时url里的jsESSIONID sessionManager.setSessionIdUrlRewritingEnabled(false); return sessionManager; } @Bean("securityManager") public SecurityManager securityManager(UserRealm userRealm, SessionManager sessionManager) { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setSessionManager(sessionManager); securityManager.setRealm(userRealm); return securityManager; } @Bean("shiroFilter") public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean(); shiroFilter.setSecurityManager(securityManager); shiroFilter.setLoginUrl("/userLogin"); shiroFilter.setUnauthorizedUrl("/"); Map<String, String> filterMap = new LinkedHashMap<>(); filterMap.put("/userLogin", "anon"); shiroFilter.setFilterChainDefinitionMap(filterMap); return shiroFilter; } @Bean("lifecycleBeanPostProcessor") public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator(); proxyCreator.setProxyTargetClass(true); return proxyCreator; } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor(); advisor.setSecurityManager(securityManager); return advisor; }}
@Componentpublic class UserRealm extends AuthorizingRealm { @Resource private SysUserMapper sysUserMapper ; @Resource private SysMenuMapper sysMenuMapper ; @Override public AuthorizationInfo doGetAuthorizationInfo (PrincipalCollection principals) { SysUserEntity user = (SysUserEntity)principals.getPrimaryPrincipal(); if(user == null) { throw new UnknownAccountException("账号不存在"); } List<String> permsList; //默认用户拥有最高权限 List<SysMenuEntity> menuList = sysMenuMapper.selectList(); permsList = new ArrayList<>(menuList.size()); for(SysMenuEntity menu : menuList){ permsList.add(menu.getPerms()); } //用户权限列表 Set<String> permsSet = new HashSet<>(); for(String perms : permsList){ if(StringUtils.isEmpty(perms)){ continue; } permsSet.addAll(Arrays.asList(perms.trim().split(","))); } SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); info.setStringPermissions(permsSet); return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken)authToken; //查询用户信息 SysUserEntity user = sysUserMapper.selectOne(token.getUsername()); //账号不存在 if(user == null) { throw new UnknownAccountException("账号或密码不正确"); } //账号锁定 if(user.getStatus() == 0){ throw new LockedAccountException("账号已被锁定,请联系管理员"); } SimpleAuthenticationInfo info = new SimpleAuthenticationInfo (user, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), getName()); return info; } @Override public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) { HashedCredentialsMatcher shaCredentialsMatcher = new HashedCredentialsMatcher(); shaCredentialsMatcher.setHashAlGorithmName(ShiroUtils.hashAlgorithmName); shaCredentialsMatcher.setHashIterations(ShiroUtils.hashIterations); super.setCredentialsMatcher(shaCredentialsMatcher); }}
public class ShiroUtils { public final static String hashAlgorithmName = "SHA-256"; public final static int hashIterations = 16; public static String sha256(String password, String salt) { return new SimpleHash(hashAlgorithmName, password, salt, hashIterations).toString(); } // 获取一个测试账号 admin public static void main(String[] args) { // 3743a4c09a17e6f2829febd09ca54e627810001cf255ddcae9dabd288a949c4a System.out.println(sha256("admin","123")) ; } public static Session getSession() { return SecurityUtils.getSubject().getSession(); } public static Subject getSubject() { return SecurityUtils.getSubject(); } public static SysUserEntity getUserEntity() { return (SysUserEntity)SecurityUtils.getSubject().getPrincipal(); } public static Long getUserId() { return getUserEntity().getUserId(); } public static void setSessionAttribute(Object key, Object value) { getSession().setAttribute(key, value); } public static Object getSessionAttribute(Object key) { return getSession().getAttribute(key); } public static boolean isLogin() { return SecurityUtils.getSubject().getPrincipal() != null; } public static void logout() { SecurityUtils.getSubject().logout(); }}
@RestControllerAdvicepublic class ShiroException { @ExceptionHandler(AuthorizationException.class) public String authorizationException (){ return "抱歉您没有权限访问该内容!"; } @ExceptionHandler(Exception.class) public String handleException(Exception e){ return "系统异常!"; }}
@RestControllerpublic class ShiroController { private static Logger LOGGER = LoggerFactory.getLogger(ShiroController.class) ; @Resource private SysMenuMapper sysMenuMapper ; @RequestMapping("/userLogin") public void userLogin ( @RequestParam(value = "userName") String userName, @RequestParam(value = "passWord") String passWord){ try{ Subject subject = ShiroUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(userName, passWord); subject.login(token); LOGGER.info("登录成功"); }catch (Exception e) { e.printStackTrace(); } } @RequestMapping("/menu/list") @RequiresPermissions("sys:user:shiro") public List list(){ return sysMenuMapper.selectList() ; } @RequestMapping("/menu/list2") @RequiresPermissions("ccc:DDD:bbb") public List list2(){ return sysMenuMapper.selectList() ; } @RequestMapping("/userLogOut") public String logout (){ ShiroUtils.logout(); return "success" ; }}
1)、登录后取得权限Http://localhost:7011/userLogin?userName=admin&passWord=admin2)、访问有权限接口http://localhost:7011/menu/list3)、访问无权限接口http://localhost:7011/menu/list24)、退出登录http://localhost:7011/userLogOut
以上是“SpringBoot2如何整合Shiro框架实现用户权限管理”这篇文章的所有内容,感谢各位的阅读!相信大家都有了一定的了解,希望分享的内容对大家有所帮助,如果还想学习更多知识,欢迎关注编程网精选频道!
--结束END--
本文标题: SpringBoot2如何整合Shiro框架实现用户权限管理
本文链接: https://www.lsjlt.com/news/229994.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
下载Word文档到电脑,方便收藏和打印~
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
2024-04-29
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
0