Apache Shiro is an open-source, lightweight Java security framework that provides authentication, authorization, cryptography and session management. Compared with Spring Security, Shiro is more intuitive and easier to use while still providing robust security.
1. Create the project and add the following dependencies:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-web-starter</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>2.0.0</version>
</dependency>
```
2. Basic Shiro configuration. Add the following to application.properties:

```properties
# Enable Shiro
shiro.enabled=true
# Enable Shiro web support
shiro.web.enabled=true
# Default login URL
shiro.loginUrl=/login
# URL to redirect to after a successful login
shiro.successUrl=/index
# Default redirect URL for unauthorized access
shiro.unauthorizedUrl=/unauthorized
# Whether session tracking via a URL parameter is allowed; if the site supports cookies this option can be turned off
shiro.sessionManager.sessionIdUrlRewritingEnabled=true
# Whether session tracking via cookie is allowed
shiro.sessionManager.sessionIdCookieEnabled=true
```
3. Configure Shiro

```java
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {
    @Bean
    public Realm realm() {
        TextConfigurationRealm realm = new TextConfigurationRealm();
        // Two users are configured here: sang with role user, admin with role admin
        realm.setUserDefinitions("sang=123,user\n admin=123,admin");
        // admin has read and write permissions, user has read only
        realm.setRoleDefinitions("admin=read,write\n user=read");
        return realm;
    }

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
        chainDefinition.addPathDefinition("/login", "anon");    // anonymous access
        chainDefinition.addPathDefinition("/doLogin", "anon");  // anonymous access
        chainDefinition.addPathDefinition("/logout", "logout"); // log out
        // Every other request requires authentication. Shiro evaluates path definitions
        // in order and the first match wins, so this catch-all must stay last.
        chainDefinition.addPathDefinition("/**", "authc");
        return chainDefinition;
    }

    @Bean
    public ShiroDialect shiroDialect() {
        // Enables the Shiro tags in Thymeleaf templates
        return new ShiroDialect();
    }
}
```
4. Configure the login endpoint and the page endpoints

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class UserController {
    @PostMapping("/doLogin")
    public String doLogin(String username, String password, Model model) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);
        } catch (AuthenticationException e) {
            // One generic message ("incorrect username or password") for every failure reason
            model.addAttribute("error", "用户名密码输入错误!");
            return "login";
        }
        return "redirect:/index";
    }

    // Only subjects holding the admin role may reach /admin
    @RequiresRoles("admin")
    @GetMapping("/admin")
    public String admin() {
        return "admin";
    }

    // Either role is sufficient for /user
    @RequiresRoles(value = {"admin", "user"}, logical = Logical.OR)
    @GetMapping("/user")
    public String user() {
        return "user";
    }
}
```

In doLogin, a UsernamePasswordToken is created first; then a Subject is obtained and its login method is called to perform the login. If an exception is thrown while the login is executing, the login has failed and the error message is returned to the front-end page.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // Static views that need no controller logic
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/index").setViewName("index");
        registry.addViewController("/unauthorized").setViewName("unauthorized");
    }
}
```
5. Create a global exception handler

```java
import org.apache.shiro.authz.AuthorizationException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;

@ControllerAdvice
public class ExceptionController {
    // A failed @RequiresRoles check throws AuthorizationException; render the unauthorized view instead of an error page
    @ExceptionHandler(AuthorizationException.class)
    public ModelAndView error(AuthorizationException e) {
        ModelAndView mv = new ModelAndView("unauthorized");
        mv.addObject("error", e.getMessage());
        return mv;
    }
}
```
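To see how the realm, the login in doLogin and the role checks behind the AuthorizationException handler fit together without starting the web application, here is an added example (not part of the original post) that feeds the same TextConfigurationRealm definitions into a plain DefaultSecurityManager; it assumes only shiro-core on the classpath, and the class name ShiroRealmCheck is chosen here.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.TextConfigurationRealm;
import org.apache.shiro.subject.Subject;

// Added example: exercises the ShiroConfig realm outside the web layer.
public class ShiroRealmCheck {

    static TextConfigurationRealm realm() {
        // Same user and role definitions as ShiroConfig above
        TextConfigurationRealm realm = new TextConfigurationRealm();
        realm.setUserDefinitions("sang=123,user\nadmin=123,admin");
        realm.setRoleDefinitions("admin=read,write\nuser=read");
        // Parses the definitions; in the Spring Boot app Shiro's bean post-processor does this
        realm.init();
        return realm;
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm());
        Subject sang = new Subject.Builder(securityManager).buildSubject();

        // 1. Wrong password: the same exception UserController.doLogin catches
        try {
            sang.login(new UsernamePasswordToken("sang", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("login rejected: " + e.getClass().getSimpleName());
        }

        // 2. Correct password: sang holds role "user", which grants permission "read" only
        sang.login(new UsernamePasswordToken("sang", "123"));
        System.out.println("authenticated=" + sang.isAuthenticated()
                + " user=" + sang.hasRole("user") + " admin=" + sang.hasRole("admin")
                + " read=" + sang.isPermitted("read") + " write=" + sang.isPermitted("write"));

        // 3. What @RequiresRoles("admin") on /admin does for sang: checkRole throws the
        //    AuthorizationException that ExceptionController maps to the "unauthorized" view
        try {
            sang.checkRole("admin");
        } catch (AuthorizationException e) {
            System.out.println("/admin denied: " + e.getClass().getSimpleName());
        }

        // 4. @RequiresRoles({"admin","user"}, logical = OR) on /user passes for sang
        System.out.println("/user allowed=" + (sang.hasRole("admin") || sang.hasRole("user")));
        sang.logout();
    }
}
```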
The Thymeleaf templates did not survive extraction; only their visible text remains. The index view shows "Hello," and carries entries for logging out, the admin page and the regular user page. The user view and the admin view each show only their title ("Regular user page" and "Admin page"). The unauthorized view shows "Unauthorized, illegal access".
6. Testing

Note that this result is only produced if you first log in successfully as the user sang and then visit the admin URL.

That is the basic usage of Shiro! Reposted from: http://viqwi.baihongyu.com/