1. EhCacheManager（EhCache 缓存管理）。也可将 Shiro session 存入 Redis 中，后面单独总结。
@Bean
public EhCacheManager getEhCacheManager() {
    // Shiro's EhCache-backed CacheManager; the cache regions are presumably declared in
    // the classpath resource named below (its content is not shown on this page).
    EhCacheManager cacheManager = new EhCacheManager();
    cacheManager.setCacheManagerConfigFile("classpath:ehcache-shiro.xml");
    return cacheManager;
}
ehcache-shiro.xml 中的配置（本文未列出）
2.配置 LifecycleBeanPostProcessor(管理shiro Bean的生命周期)
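/**
 * Registers Shiro's LifecycleBeanPostProcessor, which lets the Spring container drive the
 * lifecycle (init/destroy) of Shiro beans.
 *
 * Fixes: the original method had no @Bean annotation, so — unlike every other method in this
 * configuration — it was never registered and the post-processor was silently absent.
 * It is also declared static, as Spring recommends for BeanPostProcessor beans, so that it is
 * instantiated before the enclosing configuration class is fully initialised.
 */
@Bean
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
    return new LifecycleBeanPostProcessor();
}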
3. 配置 DefaultAdvisorAutoProxyCreator（扫描上下文，寻找所有的 Advisor，并将这些 Advisor 应用到符合其切入点定义的 Bean 上）
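/**
 * Registers the auto-proxy creator that scans the context for Advisors (including the
 * AuthorizationAttributeSourceAdvisor below) and proxies the beans their pointcuts match,
 * which is what makes @RequiresPermissions and friends take effect.
 *
 * Declared static because DefaultAdvisorAutoProxyCreator is a BeanPostProcessor; Spring
 * recommends static @Bean methods for those so the post-processor is created early and the
 * configuration class itself is not instantiated prematurely.
 */
@Bean
public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
    DefaultAdvisorAutoProxyCreator proxyCreator = new DefaultAdvisorAutoProxyCreator();
    // CGLIB class proxies rather than JDK interface proxies, so annotated methods on
    // classes that implement no interface are still intercepted.
    proxyCreator.setProxyTargetClass(true);
    return proxyCreator;
}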
4.配置SecurityManager (管理器,管理subject及其相关的登陆验证,授权等,需配置realm和缓存管理)
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(SystemAuthorizingRealm realm) {
    // Central Shiro component: owns the realm (authentication + authorization lookups)
    // and the cache manager used for cached authentication/authorization data.
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    securityManager.setRealm(realm);
    // Direct call to the sibling @Bean method; assuming this is a @Configuration class,
    // Spring returns the same EhCacheManager singleton rather than a second instance.
    // NOTE(review): cached authorization data is served until the cache is evicted, so
    // permission changes in the realm's backing store may not be visible immediately —
    // confirm the cache TTLs in ehcache-shiro.xml match the intended revocation latency.
    securityManager.setCacheManager(getEhCacheManager());
    return securityManager;
}
5. 配置 AuthorizationAttributeSourceAdvisor（开启 Shiro 的 Spring AOP 权限注解支持，即 @RequiresPermissions("权限code") 等注解）
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
    // Advisor that enforces Shiro's authorization annotations (e.g. @RequiresPermissions)
    // on proxied beans; it needs the security manager to evaluate the checks.
    AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
    advisor.setSecurityManager(securityManager);
    return advisor;
}
6.配置shiroFilter
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager, UserService userService,MaterialCategoryService materialCategoryMapper,PermissionsServcie permissionsServcie,OrgService orgService) {
    // The "shiroFilter" bean: Shiro's servlet filter together with its URL rules.
    ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
    // The security manager is mandatory for the filter to work at all.
    factory.setSecurityManager(securityManager);
    // Where unauthenticated requests to protected paths are sent; Shiro's own default
    // would be "/login.jsp" at the web root.
    factory.setLoginUrl("/login");
    // Landing page after a successful login.
    factory.setSuccessUrl("/user");
    // Page shown when the user is authenticated but lacks the required permission/role.
    factory.setUnauthorizedUrl("/403");
    // Custom filters and the URL-pattern -> filter-chain rules live in the private helper.
    loadShiroFilterChain(factory, userService, materialCategoryMapper, permissionsServcie, orgService);
    return factory;
}
7. private loadShiroFilterChain 私有过滤链定义,供6使用
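/**
 * Installs the project's custom filters and the URL-pattern -> filter-chain rules on the
 * ShiroFilterFactoryBean built in step 6.
 *
 * The rules are hard-coded in this version; the original comments and the log line talk
 * about loading them from the database, which this code does not do.
 *
 * @param shiroFilterFactoryBean the factory bean to configure
 * @param userService            passed through to CaptchaFormAuthenticationFilter
 * @param materialCategoryMapper passed through to CaptchaFormAuthenticationFilter
 * @param permissionsServcie     passed through to CaptchaFormAuthenticationFilter
 * @param orgService             passed through to CaptchaFormAuthenticationFilter
 */
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean, UserService userService, MaterialCategoryService materialCategoryMapper, PermissionsServcie permissionsServcie, OrgService orgService) {
    // Override Shiro's built-in "authc" and "logout" filters with the project's subclasses:
    //   CaptchaFormAuthenticationFilter extends FormAuthenticationFilter (form login; presumably
    //   adds a captcha check — see that class)
    //   MapLogoutFilter extends org.apache.shiro.web.filter.authc.LogoutFilter
    // Putting straight into getFilters() avoids the raw-typed local Map the original used.
    shiroFilterFactoryBean.getFilters().put("authc",
            new CaptchaFormAuthenticationFilter(userService, materialCategoryMapper, permissionsServcie, orgService));
    shiroFilterFactoryBean.getFilters().put("logout", new MapLogoutFilter());

    // Order matters: Shiro applies the FIRST pattern that matches the request path, so the
    // specific rules must come before the "/**" catch-all. LinkedHashMap preserves insertion
    // order (typed Map<String, String> instead of the original raw Map).
    // These rules would ideally live in a configuration file rather than in code.
    Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
    // authc: request must be authenticated (handled by the CaptchaFormAuthenticationFilter above).
    filterChainDefinitionMap.put("/myCode/**", "authc");
    // NOTE(review): the log message claims the rules are read from the database, but they are
    // fixed values in this method; keep the message only if a DB-backed loader is planned.
    logger.info("##################从数据库读取权限规则,加载到shiroFilter中##################");
    // authc,perms[...]: authenticated AND holds the named permission code (same codes as
    // the @RequiresPermissions annotations enabled in step 5).
    filterChainDefinitionMap.put("/user/edit/**", "authc,perms[user:edit]");
    // The login URL itself is routed through authc so the filter can process the login form
    // submission; the logout URL is handled by MapLogoutFilter.
    filterChainDefinitionMap.put("/login", "authc");
    filterChainDefinitionMap.put("/logout", "logout");
    // Default-allow: anything not matched above is anonymous ("anon" does no filtering).
    // Every newly protected path MUST be added above this line. As defence in depth, sensitive
    // handlers should also carry @RequiresPermissions so that a mistake in these URL patterns
    // does not by itself expose them.
    filterChainDefinitionMap.put("/**", "anon");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}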