1、依赖:

        <!-- NOTE(review): 1.4.0 is the Shiro version this walkthrough was written against and it is an old release.
             Before reusing these coordinates, check the Apache Shiro security advisories and pin a currently
             maintained release. Keep shiro-core, shiro-spring and shiro-web on the same version. -->
        <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency> <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency> <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency> <dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.9</version>
</dependency>

2、自定义Realm:

package com.example.demo_mg.realm;

import org.apache.commons.collections.map.HashedMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
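import org.apache.shiro.util.ByteSource;

import java.util.*;

/**
 * Demonstration realm that answers Shiro's authentication and authorization
 * lookups from in-memory maps instead of a database.
 *
 * <p>NOTE(review): the stored credential is an unsalted MD5 hash with two
 * iterations of a hard-coded sample password. That is acceptable only as a
 * walkthrough fixture. A real realm should load per-user salted hashes produced
 * by a slow password-hashing scheme. The algorithm and iteration count used here
 * must stay in step with the HashedCredentialsMatcher attached to this realm,
 * otherwise logins stop matching.
 */
public class TestRealm extends AuthorizingRealm {
    // Stand-ins for the users, user_roles and roles_permissions tables; a real
    // application would query a database or a cache instead.
    Map<String, String> users = new HashMap<>();
    Map<String, Set<String>> user_roles = new HashMap<>();
    Map<String, Set<String>> roles_permissions = new HashMap<>();
    // String salt = UUID.randomUUID().toString().replaceAll("-","");

    // Instance initializer: seeds the sample data and names the realm.
    {
        // Unsalted variant (must match what doGetAuthenticationInfo returns).
        users.put("wzs", new Md5Hash("123456", null, 2).toString());
        // Salted variant:
        // users.put("wzs", new Md5Hash("123456",salt, 2).toString());
        user_roles.put("wzs", new HashSet<>(Arrays.asList("admin", "test")));
        roles_permissions.put("admin", new HashSet<>(Arrays.asList("user:delete", "user:update")));
        super.setName("TestRealm"); // Realm name; optional.
    }

    /**
     * Builds the role and permission set for the primary principal.
     *
     * @param principalCollection principals of the subject being authorized; the
     *                            primary principal is read as the user name
     * @return authorization info holding the user's roles and the union of the
     *         permissions granted to those roles; both are empty when the user
     *         has no role entry
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // The user name is the primary principal stored at authentication time.
        String username = (String) principalCollection.getPrimaryPrincipal();

        // A user without a role entry gets an empty set rather than a
        // NullPointerException in the loop below. The copy keeps the returned
        // info from aliasing the backing "table".
        Set<String> assigned = user_roles.get(username);
        Set<String> roles = assigned == null ? new HashSet<>() : new HashSet<>(assigned);

        Set<String> permissions = new HashSet<>();
        for (String role : roles) {
            Set<String> granted = roles_permissions.get(role);
            if (granted != null) { // a role may carry no permissions at all
                permissions.addAll(granted);
            }
        }

        SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
        simpleAuthorizationInfo.setRoles(roles);
        simpleAuthorizationInfo.setStringPermissions(permissions);
        return simpleAuthorizationInfo;
    }

    /**
     * Looks up the stored credential for the user named in the token.
     *
     * @param authenticationToken token submitted by the subject; its principal is
     *                            read as the user name
     * @return the stored credential wrapped for the credentials matcher, or
     *         {@code null} when the user is unknown
     * @throws AuthenticationException declared by the overridden method; not
     *                                 thrown directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // User name supplied by the subject that is logging in.
        String username = (String) authenticationToken.getPrincipal();
        // Stored (hashed) credential for that user.
        String password = users.get(username);
        if (password != null) {
            // Unsalted variant:
            // return new SimpleAuthenticationInfo(username, password, super.getName());
            // Salted variant (enable together with the salted users.put above):
            SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(username, password, super.getName());
            // simpleAuthenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(salt));
            return simpleAuthenticationInfo;
        }
        return null;
    }
}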

3、配置:

package com.example.demo_mg.config;

import com.example.demo_mg.realm.TestRealm;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
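import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;

/**
 * Spring configuration that wires the demo realm, the security manager, the
 * Shiro web filter and the two beans used for annotation-based authorization.
 */
@Configuration
public class ShiroConfiguration {

    /**
     * Credentials matcher that hashes the submitted password before comparing it
     * with the stored value.
     *
     * <p>NOTE(review): MD5 with two iterations is cheap to brute-force. It is
     * kept because the realm in this walkthrough stores hashes produced with
     * exactly these settings. Move the realm and this matcher together to a
     * salted, slow scheme before using this outside a demo.
     *
     * @return matcher configured for MD5 with two iterations
     */
    @Bean
    public HashedCredentialsMatcher getCredentialsMatcher() {
        HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
        credentialsMatcher.setHashAlgorithmName("md5");
        credentialsMatcher.setHashIterations(2);
        return credentialsMatcher;
    }

    /**
     * Creates the demo realm and attaches the credentials matcher to it.
     *
     * @param credentialsMatcher matcher used to verify submitted passwords
     * @return the configured realm
     */
    @Bean
    public TestRealm getRealm(HashedCredentialsMatcher credentialsMatcher) {
        TestRealm testRealm = new TestRealm();
        testRealm.setCredentialsMatcher(credentialsMatcher);
        return testRealm;
    }

    /**
     * Creates the web security manager backed by the demo realm.
     *
     * @param testRealm realm that answers authentication and authorization lookups
     * @return the security manager
     */
    @Bean
    public DefaultWebSecurityManager getDefaultWebSecurityManager(TestRealm testRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(testRealm);
        return securityManager;
    }

    /**
     * Builds the Shiro filter and its URL-to-filter-chain rules.
     *
     * <p>Rules are evaluated in insertion order and the first match wins, so the
     * anonymous entries must stay ahead of the catch-all.
     *
     * @param securityManager security manager the filter delegates to
     * @return the filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // Leading slash: without it the redirect is resolved relative to the
        // path that was requested, which breaks for anything below the root.
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        shiroFilterFactoryBean.setUnauthorizedUrl("/403.html");

        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login.html", "anon");
        filterChainDefinitionMap.put("/login", "anon");
        // "/**" rather than "/*": a single star matches one path segment only,
        // which would leave nested paths such as /a/b outside every chain and
        // therefore reachable without authentication. Add explicit "anon"
        // entries above for any static assets the login page needs.
        filterChainDefinitionMap.put("/**", "authc");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * Shiro lifecycle processor; the first of the two beans needed for
     * annotation-based authorization.
     *
     * @return the lifecycle bean post-processor
     */
    @Bean
    public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    /**
     * Advisor that applies Shiro's authorization annotations; the second of the
     * two beans needed for annotation-based authorization.
     *
     * @param securityManager security manager used to evaluate the annotations
     * @return the configured advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }
}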

4、实体:

package com.example.demo_mg.entity;

/**
 * Plain mutable holder for a user name and password.
 *
 * <p>The class stores whatever the caller sets and performs no hashing or
 * validation. Avoid logging or serializing instances while the password field
 * is populated.
 */
public class User {
    private String username;
    private String password;

    /** @return the user name, or {@code null} if none has been set */
    public String getUsername() {
        return this.username;
    }

    /** @param username the user name to store */
    public void setUsername(String username) {
        this.username = username;
    }

    /** @return the password value, or {@code null} if none has been set */
    public String getPassword() {
        return this.password;
    }

    /** @param password the password value to store */
    public void setPassword(String password) {
        this.password = password;
    }
}

5、控制器:

package com.example.demo_mg.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Demo controller exposing login, logout and a few endpoints that exercise
 * Shiro's role and permission annotations.
 */
@Controller
public class LoginContrller {

    /**
     * Attempts to log the current subject in with the supplied credentials.
     *
     * <p>NOTE(review): this handler is mapped to GET, so the user name and
     * password travel as query parameters and end up in URLs, access logs and
     * browser history. A login endpoint normally accepts POST only.
     *
     * <p>NOTE(review): every exception, not just an authentication failure, is
     * turned into a return to the login view, which hides unrelated errors.
     *
     * @param username submitted user name
     * @param password submitted password
     * @return {@code "index"} when login succeeds, {@code "login"} otherwise
     */
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginUser(String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject currentUser = SecurityUtils.getSubject();

        String view;
        try {
            currentUser.login(token); // performs the login
            // A last-login timestamp could be updated here, or inside the realm.
            view = "index";
        } catch (Exception loginFailure) {
            view = "login"; // back to the login page
        }
        return view;
    }

    /**
     * Logs the current subject out.
     *
     * @return the login view name
     */
    @RequestMapping("/logout")
    public String logout() {
        SecurityUtils.getSubject().logout();
        return "login";
    }

    /** Endpoint with no authorization annotation; prints a marker line. */
    @RequestMapping("/test")
    public void test() {
        System.out.println("test");
    }

    /** Endpoint that requires the {@code admin} role; prints a marker line. */
    @RequiresRoles("admin")
    @RequestMapping("/role")
    public void role() {
        System.out.println("role");
    }

    /**
     * Endpoint that requires the {@code user:delete1} permission; prints a
     * marker line.
     *
     * <p>NOTE(review): the realm in this walkthrough grants {@code user:delete}
     * and {@code user:update}, so the sample user does not hold this permission.
     * This is presumably deliberate, to show a denied request; confirm.
     */
    @RequiresPermissions("user:delete1")
    @RequestMapping("/permission")
    public void permission() {
        System.out.println("permission");
    }
}

6、自定义过滤器,授权继承AuthorizationFilter,认证继承AuthenticationFilter,可以阅读其源码。

Shiro提供的认证过滤器包括anon,authcBasic,authc,user,logout,授权过滤器包括perms,roles,ssl,port,举例perms["user:delete","user:update"],roles["admin","user"],方括号内的角色或权限需要同时满足,否则跳到unauthorizedUrl,ssl是https过滤器。

自定义过滤器例子,角色满足一个即可:

package com.example.demo_mg.filter;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter; import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Authorization filter that lets a request through when the subject holds at
 * least one of the roles configured for the path.
 *
 * <p>NOTE(review): when the path is configured with no roles at all the filter
 * allows every request, so a rule written with an empty role list offers no
 * protection.
 */
public class RoleOrFilter extends AuthorizationFilter {

    /**
     * Decides whether the current subject may pass.
     *
     * @param servletRequest  incoming request
     * @param servletResponse outgoing response
     * @param o               the values configured in the square brackets of the
     *                        filter chain entry, cast here to {@code String[]}
     * @return {@code true} when no roles are configured or the subject has any
     *         one of them; {@code false} otherwise
     * @throws Exception declared by the overridden method
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object o) throws Exception {
        final Subject currentSubject = getSubject(servletRequest, servletResponse);
        final String[] acceptedRoles = (String[]) o;

        final boolean nothingConfigured = acceptedRoles == null || acceptedRoles.length == 0;
        if (nothingConfigured) {
            return true;
        }

        // One matching role is enough.
        boolean allowed = false;
        for (int i = 0; i < acceptedRoles.length && !allowed; i++) {
            allowed = currentSubject.hasRole(acceptedRoles[i]);
        }
        return allowed;
    }
}

拿到subject,o是配置的过滤器方括号里面的数组,return true;表示通过过滤器。注意:方括号为空(o为null或长度为0)时,该过滤器对所有请求直接放行。

配置类修改使自定义过滤器生效:

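    /**
     * Builds the Shiro filter, registers the custom {@code roleOr} filter and
     * defines the URL-to-filter-chain rules.
     *
     * <p>Rules are evaluated in insertion order and the first match wins, so the
     * specific entries must stay ahead of the catch-all.
     *
     * @param securityManager security manager the filter delegates to
     * @return the filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // Leading slash: without it the redirect is resolved relative to the
        // path that was requested, which breaks for anything below the root.
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        shiroFilterFactoryBean.setUnauthorizedUrl("/403.html");

        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login.html", "anon");
        filterChainDefinitionMap.put("/login", "anon");
        filterChainDefinitionMap.put("/filter", "roleOr[admin,user]");
        // "/**" rather than "/*": a single star matches one path segment only,
        // which would leave nested paths such as /a/b outside every chain and
        // therefore reachable without authentication.
        filterChainDefinitionMap.put("/**", "authc");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        // Custom filters, keyed by the name used in the chain definitions above.
        LinkedHashMap<String, Filter> filters = new LinkedHashMap<>();
        filters.put("roleOr", getRoleOrFilter());
        shiroFilterFactoryBean.setFilters(filters);
        return shiroFilterFactoryBean;
    }

    /**
     * Creates the custom any-of-these-roles filter.
     *
     * @return a new {@code RoleOrFilter}
     */
    @Bean
    public RoleOrFilter getRoleOrFilter() {
        return new RoleOrFilter();
    }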

测试:

    /**
     * Test endpoint for the {@code /filter} path; prints a marker line when the
     * request reaches the controller.
     */
    @RequestMapping("/filter")
    public void filter() {
        System.out.println("filter");
    }
