shiro+springboot:ShiroConfiguration,shiro配置
1.EhCacheManager EhCache缓存管理**********也可将shiro session存入redis中(后面dan)单独总结*****
@Bean
public EhCacheManager getEhCacheManager() {
EhCacheManager em = new EhCacheManager();
em.setCacheManagerConfigFile("classpath:ehcache-shiro.xml");
return em;
}ehcache-shiro.xml中的配置
2.配置 LifecycleBeanPostProcessor(管理shiro Bean的生命周期)
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
3.配置 DefaultAdvisorAutoProxyCreator(用来扫描上下文,寻找所有的Advistor,将这些Advistor应用到符合其定义的切入点的Bean中)
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
daap.setProxyTargetClass(true);
return daap;
}4.配置SecurityManager (管理器,管理subject及其相关的登陆验证,授权等,需配置realm和缓存管理)
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(SystemAuthorizingRealm realm) {
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
dwsm.setRealm(realm);
//
dwsm.setCacheManager(getEhCacheManager());
return dwsm;
}5.配置 AuthorizationAttributeSourceAdvisor(开启shiro spring aop 权限注解支持,即:@RequiresPermissions("权限code")
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(securityManager);
return aasa;
}6.配置shiroFilter
@Bean(name = "shiroFilter")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager securityManager, UserService userService,MaterialCategoryService materialCategoryMapper,PermissionsServcie permissionsServcie,OrgService orgService) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 必须设置 SecurityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
shiroFilterFactoryBean.setLoginUrl("/login");
// 登录成功后要跳转的连接
shiroFilterFactoryBean.setSuccessUrl("/user");
shiroFilterFactoryBean.setUnauthorizedUrl("/403");
//设置过滤链的私有方法
loadShiroFilterChain(shiroFilterFactoryBean, userService,materialCategoryMapper,permissionsServcie,orgService);
return shiroFilterFactoryBean;
}7. private loadShiroFilterChain 私有过滤链定义,供6使用
/**
* 加载shiroFilter权限控制规则(从数据库读取然后配置)
*/
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean, UserService userService, MaterialCategoryService materialCategoryMapper, PermissionsServcie permissionsServcie, OrgService orgService) {
//拦截规则,
//CaptchaFormAuthenticationFilter extends FormAuthenticationFilter(shiro认证)
//MapLogoutFilter extends org.apache.shiro.web.filter.authc.LogoutFilter(shiro Logout)
Map filters = shiroFilterFactoryBean.getFilters();
filters.put("authc", new CaptchaFormAuthenticationFilter(userService,materialCategoryMapper, permissionsServcie,orgService));
filters.put("logout", new MapLogoutFilter());
/////////////////////// 下面这些规则配置最好配置到配置文件中 ///////////////////////
Map filterChainDefinitionMap = new LinkedHashMap<>();
// authc:该过滤器下的页面必须验证后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter
filterChainDefinitionMap.put("/myCode/**", "authc");// 这里为了测试,只限制/user,实际开发中请修改为具体拦截的请求规则
// anon:它对应的过滤器里面是空的,什么都没做
logger.info("##################从数据库读取权限规则,加载到shiroFilter中##################");
filterChainDefinitionMap.put("/user/edit/**", "authc,perms[user:edit]");// 这里为了测试,固定写死的值,也可以从数据库或其他配置中读取
//什么请求对应什么拦截规则
filterChainDefinitionMap.put("/login", "authc");
filterChainDefinitionMap.put("/logout", "logout");
filterChainDefinitionMap.put("/**", "anon");//anon 可以理解为不拦截
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}