9.9 shiro请求授权的实现
- 在上节demo的基础上进行拓展,现在ShiroConfiguration配置类的ShiroFilterFactoryBean方法中设置请求的用户主体的访问权限,并且配置未授权时返回页面信息
- 本demo的静态资源可以访问SpringBoot整合shiro项目静态资源下载
filterChainDefinitionMap.put(“/user/addUser”,“perms[user:add]”);
shiroFilterFactoryBean.setUnauthorizedUrl(“/user/unauthorized”);
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager")DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
/*添shiro的内置过滤器,类型
anon:无需认证就可以访河
authc: 必须认证了才能让河
user: 必颈拥有记住我功能才能用
perms: 拥有对某个资源的权限才能访问:
role: 拥有某个角色权限才能访河
*/
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
/*也可以用通配符
* filterChainDefinitionMap.put("/user/*","authc");*/
//拦截简单请求
filterChainDefinitionMap.put("/user/addUser","authc");
filterChainDefinitionMap.put("/user/updUser","authc");
//设置请求的用户主体的访问权限,然后在realm给用户授予访问权限
filterChainDefinitionMap.put("/user/addUser","perms[user:add]");
filterChainDefinitionMap.put("/user/updUser","perms[user:upd]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
//无认证权限时,设置登陆请求
shiroFilterFactoryBean.setLoginUrl("/user/toLogin");
//未授权时返回页面信息
shiroFilterFactoryBean.setUnauthorizedUrl("/user/unauthorized");
return shiroFilterFactoryBean;
}
- 当然得对未授权时返回页面信息,在MyController设置页面信息
@RequestMapping("/unauthorized")
@ResponseBody
public String unauthorized(){
return "未授权无法访问此页面!";
}
- 然后在自定义的realm给用户授予访问授权,这个权限从数据库中来,所以需要改造数据库,增加一个perm的权限字段,设置权限信息。这样用户访问某个请求时有这个权限就可以访问,没有权限就返回无权限信息
//访问页面属于授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了授权doGetAuthorizationInfo方法!");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//硬编码,给所有登录用户授予"user:add"权限
//info.addStringPermission("user:add");
//拿到当前用户
Subject subject = SecurityUtils.getSubject();
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值
User currentUser= (User)subject.getPrincipal();
//设置用户访问授权
info.addStringPermission(currentUser.getPerm());
return info;
}
- 但在授权过程中有个问题是用户信息从哪来,肯定得是从自定义realm中的认证信息中来,用户登录时会进行认证,所以哪能拿到用户信息,这块传值方式有2种,下面是用的第一种方式进行传值
传值方式
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值
//用户登录属于认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了认证doGetAuthenticationInfo方法!");
//连接真实数据库
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
Map<String,String> map = new HashMap(15);
/*(String)userToken.getPrincipal() == userToken.getUsername()*/
map.put("name",userToken.getUsername());
User user = userMapper.getUser(map);
if (user==null) {
return null; //抛出UnknownAccountException异常
}
/*可以加密:
MD5加密:e10adc3949ba59abbe56e057f20f883e
MD5盐值加密(密码混合账户): e10adc3949ba59abbe56e057f20f883eusername*/
//密码认证,shiro做,加密了,默认是简单验证new SimpleCredentialsMatcher()明文验证
return new SimpleAuthenticationInfo(user,user.getPassword(),"");
//传值方式
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值
}
- 退出登陆操作时使用 subject.logout();来清空全局subject数据
//登陆退出
@RequestMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "login";
}
- 完整的MyController 控制器
package com.example.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author CNCLUKZK
* @create 2022/8/5-19:22
*/
@Controller
@RequestMapping("/user")
public class MyController {
@RequestMapping({"/","/toIndex"})
public String toIndex(Model model){
model.addAttribute("msg","首页,shiro!");
return "index";
}
@RequestMapping("/addUser")
public String toAdd(Model model){
model.addAttribute("msg","add,shiro!");
return "addUser";
}
@RequestMapping("/updUser")
public String toUpd(Model model){
model.addAttribute("msg","upd,shiro!");
return "updUser";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
@RequestMapping("/login")
public String login(String username,String password,Model model){
Subject subject = SecurityUtils.getSubject();
//全局token
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
token.setRememberMe(true);
subject.login(token);
Session session = subject.getSession();
session.setAttribute("user",token.getPrincipal());
return "index";
} catch (UnknownAccountException uae) {
model.addAttribute("msg",token.getPrincipal()+" is not correct");
return "login";
} catch (IncorrectCredentialsException ice) {
model.addAttribute("msg","Password for account " + token.getPrincipal() + " was incorrect!");
return "login";
} catch (LockedAccountException lae) {
model.addAttribute("msg","The account for username " + token.getPrincipal() + " is locked. " +
"Please contact your administrator to unlock it.");
return "login";
}
}
@RequestMapping("/unauthorized")
@ResponseBody
public String unauthorized(){
return "未授权无法访问此页面!";
}
//登陆退出
@RequestMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "login";
}
}
- 完整的ShiroConfiguration配置类
package com.example.config;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authc.credential.Md5CredentialsMatcher;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
import org.apache.shiro.crypto.hash.Md2Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfiguration {
//第三步:ShiroFilterFactoryBean
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager")DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
/*添shiro的内置过滤器,类型
anon:无需认证就可以访河
authc: 必须认证了才能让河
user: 必颈拥有记住我功能才能用
perms: 拥有对某个资源的权限才能访问:
role: 拥有某个角色权限才能访河
*/
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
/*也可以用通配符
* filterChainDefinitionMap.put("/user/*","authc");*/
//拦截简单请求
filterChainDefinitionMap.put("/user/addUser","authc");
filterChainDefinitionMap.put("/user/updUser","authc");
//设置请求的用户主体的访问权限,然后在realm给用户授予访问权限
filterChainDefinitionMap.put("/user/addUser","perms[user:add]");
filterChainDefinitionMap.put("/user/updUser","perms[user:upd]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
//无认证权限时,设置登陆请求
shiroFilterFactoryBean.setLoginUrl("/user/toLogin");
//未授权时返回页面信息
shiroFilterFactoryBean.setUnauthorizedUrl("/user/unauthorized");
return shiroFilterFactoryBean;
}
//第二步:DefaultWebSecurityManager
@Bean(name = "defaultWebSecurityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm")UserRealm userRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
//关联UserRealm
securityManager.setRealm(userRealm);
return securityManager;
}
//第一步:创建Realm对象,需要自定义类
@Bean
public UserRealm userRealm(){
UserRealm userRealm = new UserRealm();
userRealm.setCredentialsMatcher(new Md5CredentialsMatcher());
return userRealm;
}
//ShiroDialect thymeleaf-extras-shiro包下的Shiro方言,导入整合包后还需要进行注册
@Bean
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}
}
- 完整的自定义UserRealm认证授权配置
package com.example.config;
import com.example.mapper.UserMapper;
import com.example.pojo.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import javax.jws.soap.SOAPBinding;
import java.util.HashMap;
import java.util.Map;
//自定义UserRealm extends AuthorizingRealm
public class UserRealm extends AuthorizingRealm {
@Autowired
UserMapper userMapper;
//访问页面属于授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了授权doGetAuthorizationInfo方法!");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//硬编码,给所有登录用户授予"user:add"权限
//info.addStringPermission("user:add");
//拿到当前用户
Subject subject = SecurityUtils.getSubject();
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值
User currentUser= (User)subject.getPrincipal();
//设置用户访问授权
info.addStringPermission(currentUser.getPerm());
return info;
}
//用户登录属于认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了认证doGetAuthenticationInfo方法!");
//连接真实数据库
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
Map<String,String> map = new HashMap(15);
/*(String)userToken.getPrincipal() == userToken.getUsername()*/
map.put("name",userToken.getUsername());
User user = userMapper.getUser(map);
if (user==null) {
return null; //抛出UnknownAccountException异常
}
/*可以加密:
MD5加密:e10adc3949ba59abbe56e057f20f883e
MD5盐值加密(密码混合账户): e10adc3949ba59abbe56e057f20f883eusername*/
//密码认证,shiro做,加密了,默认是简单验证new SimpleCredentialsMatcher()明文验证
return new SimpleAuthenticationInfo(user,user.getPassword(),"");
//传值方式
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值
}
}
-
好了,可以进行测试了,用上面数据库中的用户进行登录访问,发现只能访问相应权限的请求。
-
访问http://127.0.0.1:8080/user/toLogin,用admin/123456登陆显示user:add权限的页面链接
- 用Tom/123456登陆显示user:upd权限的页面链接
下一篇:SpringBoot-34-shiro整合thymeleaf
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。
文章由极客之音整理,本文链接:https://www.bmabk.com/index.php/post/123838.html
