第一步:引入相關的JAR包。本文使用的是HTML模板引擎Thymeleaf,所以引入thymeleaf-extras-shiro包。
第二步:編寫shiro配置
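@Configuration
public class ShiroConfiguration {

    /**
     * Registers the application's custom realm so Shiro delegates
     * authentication and authorization lookups to it.
     *
     * @return the {@link MyShiroRealm} bean
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        return new MyShiroRealm();
    }

    /**
     * Builds the web security manager and attaches the application realm.
     *
     * <p>Note that {@code SecurityManager} here must resolve to
     * {@code org.apache.shiro.mgt.SecurityManager}, not
     * {@code java.lang.SecurityManager}; the import is outside this listing.
     *
     * <p>NOTE(review): no RememberMeManager is configured here, so the default
     * cookie-based one installed by {@code DefaultWebSecurityManager} is in
     * effect. If remember-me is used, configure an explicit, randomly generated
     * cipher key rather than relying on the library default.
     *
     * @return the configured security manager
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(myShiroRealm());
        return securityManager;
    }

    /**
     * Shiro filter factory: declares which URL patterns are public and which
     * require an authenticated session, plus the login, success and error pages.
     *
     * <p>Shiro evaluates filter chain definitions in insertion order and the
     * first matching pattern wins. The original used a {@code HashMap}, whose
     * iteration order is unspecified: the catch-all {@code "/**" -> "authc"}
     * could be consulted before the {@code "anon"} entries, blocking the login
     * verification URL and static resources (and, with other rule sets, an
     * {@code anon} rule could shadow a protected one). A
     * {@code LinkedHashMap} preserves the declared order, so the catch-all
     * must stay last.
     *
     * @param securityManager the security manager bean to attach
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // Fully qualified because the import block is not part of this listing.
        // Insertion order is significant (see Javadoc above).
        Map<String, String> map = new java.util.LinkedHashMap<>();
        // Logout
        map.put("/sysLogin/loginOut", "logout");
        // Public endpoints: the login verification action and static resources
        map.put("/sysLogin/loginVerify", "anon");
        map.put("/static/**", "anon");
        // Everything else requires an authenticated session; keep this catch-all LAST
        map.put("/**", "authc");
        // Login page
        shiroFilterFactoryBean.setLoginUrl("/sysLogin/index");
        // Landing page after a successful login
        shiroFilterFactoryBean.setSuccessUrl("/wcIndex/index");
        // Page shown when an authorization check fails
        shiroFilterFactoryBean.setUnauthorizedUrl("/sysLogin/toError");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
        return shiroFilterFactoryBean;
    }

    /**
     * Enables Shiro's annotation support ({@code @RequiresPermissions} etc.).
     * Without this advisor the annotations on controller methods have no effect.
     *
     * @param securityManager the security manager bean to attach
     * @return the advisor that applies Shiro's authorization annotations
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}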
第三步:編寫登錄認證方法(自定義Realm,同時負責查詢用戶的權限)
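public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    private SysLoginService sysLoginService;

    /**
     * Loads the permissions of the authenticated user.
     *
     * <p>Fails closed: a missing user, role row, role id, permission list or
     * permission value yields an authorization info with no permissions instead
     * of a {@code NullPointerException} (the original dereferenced each of these
     * without a check).
     *
     * <p>Only permission strings are registered; {@code addRole} is never
     * called, so role-based checks ({@code hasRole}, {@code @RequiresRoles})
     * are not supported by this realm.
     *
     * @param principalCollection principals of the current subject; the primary
     *        principal is the login name stored by {@link #doGetAuthenticationInfo}
     * @return the permissions granted to the user, possibly empty
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String loginName = (String) principalCollection.getPrimaryPrincipal();
        SysUserEntity sysUser = sysLoginService.getSysUserByLoginName(loginName);
        if (sysUser == null) {
            return info; // unknown user: no permissions
        }
        // Second argument is a role type selector; its meaning is not shown in this listing.
        Map<String, Object> role = sysLoginService.getRole(sysUser.getId(), 1);
        if (role == null || role.get("roleId") == null) {
            return info; // no role assigned: no permissions
        }
        List<String> roleIds = new ArrayList<>();
        roleIds.add(role.get("roleId").toString());
        List<Map<String, Object>> menuBtnList = sysLoginService.getMenuBtnList(roleIds);
        if (menuBtnList != null) {
            for (Map<String, Object> menuBtn : menuBtnList) {
                Object perms = menuBtn.get("perms");
                if (perms != null) {
                    info.addStringPermission(perms.toString());
                }
            }
        }
        return info;
    }

    /**
     * Looks up the account for the submitted token.
     *
     * <p>Returns {@code null} when the token carries no principal or the user
     * does not exist; with a single realm Shiro reports that as an
     * {@code UnknownAccountException}.
     *
     * <p>The stored password is handed to Shiro as-is and compared by this
     * realm's {@code CredentialsMatcher}. No matcher is configured anywhere in
     * this listing, so the default {@code SimpleCredentialsMatcher} performs a
     * plain equality comparison against the submitted credential. Passwords
     * should be stored as salted hashes and verified with a
     * {@code HashedCredentialsMatcher} configured on this realm.
     *
     * @param authenticationToken the submitted credentials
     * @return the account info, or {@code null} if the account is unknown
     * @throws AuthenticationException as declared by the superclass
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // Author's note: on POST requests authentication can run before the request
        // reaches the handler, so a token without a principal is rejected up front.
        if (authenticationToken.getPrincipal() == null) {
            return null;
        }
        String loginName = authenticationToken.getPrincipal().toString();
        SysUserEntity sysUser = sysLoginService.getSysUserByLoginName(loginName);
        if (sysUser == null) {
            return null;
        }
        // Shiro compares the token's credentials against this stored value.
        return new SimpleAuthenticationInfo(loginName, sysUser.getPassword(), getName());
    }
}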
第四步:權限驗證(分前端模塊判斷和後端模塊判斷)
前端模塊:
//引入對應包
<!-- Thymeleaf and Shiro dialect namespaces; the shiro: prefix enables the permission tags below -->
<html lang="en" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro" xmlns:th="http://www.thymeleaf.org">
<!-- Rendered only when the current subject holds the "sysUser:getPage" permission.
     This is a presentation-level check: it hides the button but does not protect
     the endpoint. The @RequiresPermissions annotation on the controller method
     is the enforcing control; keep the two permission strings in sync. -->
<shiro:hasPermission name="sysUser:getPage">
<button class="btn btn-primary" type="button" onclick="selBycondition();">查詢</button>
</shiro:hasPermission>
後端模塊判斷(主要加上RequiresPermissions註解):
/**
 * Pages through system users, optionally filtered by login name and/or name.
 *
 * <p>Access is enforced server-side by {@code @RequiresPermissions("sysUser:getPage")};
 * the matching {@code shiro:hasPermission} tag in the template only hides the button.
 *
 * @param limit     page size, passed through to the service (required)
 * @param offset    number of rows to skip, passed through to the service (required)
 * @param loginName optional login-name filter
 * @param name      optional name filter
 * @return the page payload produced by the service
 */
@RequiresPermissions("sysUser:getPage")
@ResponseBody
@RequestMapping("/getPage")
public Map<String, Object> getPage(@RequestParam(value = "limit") Integer limit,
                                   @RequestParam(value = "offset") Integer offset,
                                   @RequestParam(value = "loginName", required = false) String loginName,
                                   @RequestParam(value = "name", required = false) String name) {
    Map<String, Object> page = sysUserService.getPage(loginName, name, offset, limit);
    return page;
}
備註:
sysUser:getPage爲自定義的權限字串,對應用戶的權限操作,需要保存在數據庫中;第三步的doGetAuthorizationInfo會從數據庫讀取這些權限字串(perms字段)並加入授權信息。數據庫參考如下: