shiro集成spring-boot项目简介

• shiro集成spring-boot项目简介
• • 1.引入依赖
  • 2.自定义类继承AuthorizingRealm
  • • 2.1 ShiroRealm 类解释
    • • 2.1.1 认证方法doGetAuthenticationInfo
      • 2.1.2 授权方法doGetAuthorizationInfo
  • 3.ShiroConfig
  • 4. 在Controller中写login请求
  • 5. 认证流程
  • 6.授权流程

 
        org.springframework.boot
        spring-boot-starter-parent
        2.3.12.RELEASE
         
    

    org.springframework.boot
    spring-boot-starter-web



    org.apache.shiro
    shiro-spring-boot-starter
    1.5.3

AuthorizingRealm类时shiro提供的父类，用于自定义认证和授权逻辑。

public class ShiroRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;
    //授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo();
        authInfo.addStringPermission("test");

        //System.out.println("执行授权+++++++++");

        return authInfo;
    }
    //认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        UserEntity user = userService.findUserByName(userToken.getUsername());
        //System.out.println("执行认证+++++++++");
        if (user!=null){
            //匹配从数据库获取的到密码与前端传递的密码时候相同
            return new SimpleAuthenticationInfo(user,user.getPwd(),this.getName());
        }
        return null;
    }
}

​ 在controller中从前端获取了用户名和密码并封装到UsernamePasswordToken对象中。

UsernamePasswordToken token = new UsernamePasswordToken(userVO.getUserName(), userVO.getPwd());

doGetAuthenticationInfo方法中的形参（AuthenticationToken token）可以取出封装后的对象，然后做以下工作：

1. 通过username查询数据库中是否有该对象如果没有则返回null并抛出UnknownAccountException异常，在controller层的login请求中处理。
2. 查到该用户后通过SimpleAuthenticationInfo()对象自动比较前端传递的密码与数据库中的密码是否相同，相同则认证通过(登录成功)，否则抛出IncorrectCredentialsException异常，在controller中的login请求处理。

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    //取出UsernamePasswordToken对象
    UsernamePasswordToken userToken = (UsernamePasswordToken) token;
    //查询数据库中的用户
    UserEntity user = userService.findUserByName(userToken.getUsername());
    if (user!=null){
            //匹配从数据库获取的到密码与前端传递的密码是否相同
            return new SimpleAuthenticationInfo(user,user.getPwd(),this.getName());
        }
    return null;
}

用于给当前登录的用户授予某些访问权限，但前提是在ShiroFilterFactoryBean中添加了一些权限限制

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo();
   
    //给所有登录后的用户授予test权限
    authInfo.addStringPermission("test");

    System.out.println("执行授权+++++++++");

    return authInfo;
}

@Configuration
public class ShiroConfig {
    //3.创建ShiroFilterFactoryBean绑定securityManager
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("getSecurityManager")DefaultWebSecurityManager securityManager){
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        //设置安全管理器
        factoryBean.setSecurityManager(securityManager);
        //添加shiro内置过滤器
        
        //拦截
        Map filterMap = new linkedHashMap<>();
        //设置权限
        System.out.println("授权前");

        filterMap.put("/user/test","perms[user:test]");

        System.out.println("授权后");
        filterMap.put("/user/login","anon");
        //filterMap.put("/user/test","authc");

        factoryBean.setFilterChainDefinitionMap(filterMap);
        factoryBean.setLoginUrl("/user/login");

        return factoryBean;
    }

    //2.创建Manage绑定Realm对象
    @Bean
    public DefaultWebSecurityManager getSecurityManager(@Qualifier("userRealm") ShiroRealm shiroRealm){
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(shiroRealm);
        return securityManager;
    }
    //1.创建Realm对象，需要自定义类继承AuthorizingRealm
    @Bean
    public ShiroRealm userRealm(){
        return new ShiroRealm();
    }
}

@PostMapping("/login")
@ApiOperation(value = "登录")
public Result login(@RequestBody UserVO userVO){
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(userVO.getUserName(), userVO.getPwd());
    String sessionId =null;
    try {
        subject.login(token);
        if(subject.getSession()!=null){
            sessionId=(String) subject.getSession().getId();
            log.info("session=====>"+sessionId);
        }
    }catch (UnknownAccountException e){
        e.printStackTrace();
        log.info("用户名错误");
        return Result.build(CodeEnum.USER_ERROR);
    }catch (IncorrectCredentialsException e){
        e.printStackTrace();
        log.info("密码错误");
        return Result.build(CodeEnum.USER_ERROR);
    }
    //认证成功，返回登录对象
    UserEntity userEntity = userService.findUserByName(userVO.getUserName());
    long roleId = authRelationService.getRoleId(userEntity.getId());
    RoleEntity roleEntity = roleService.queryRoleById(roleId);

    UserReturnVO userReturnVO = new UserReturnVO(userEntity.getId(), userEntity.getUserName(), userEntity.getPwd(),
            userEntity.getTel(),userEntity.getGender(), userEntity.getIdentityCard(),roleEntity.getTitle(),sessionId);

    return Result.ok(userReturnVO);
}

由于在ShiroConfig方法中的ShiroFilterFactoryBean getShiroFilterFactoryBean()下添加了需要授权的资源。

所以在用户登录时会执行doGetAuthorizationInfo方法，通过数据库查询其角色和权限然后与受限资源需要的权限比较，如果权限满足则放行，否则不放行。