Shiro中loginUrl与unauthorizedUrl

    项目中有用到Shiro框架,但是只使用了身份认证,即登录功能,未用到授权 权限验证功能,在使用的时候对loginUrl和unauthorizedUrl没有区分太清,一直以为unauthorizedUrl是被拦截后要跳转到的页面,今天特意查了一下,才清楚loginUrl是登录页面,unauthorizedUrl是没有资源权限时跳转到的页面。即:

    loginUrl:没有登录的用户请求需要登录的页面时自动跳转到登录页面。 

    unauthorizedUrl:没有权限默认跳转的页面,登录的用户访问了没有被授权的资源自动跳转到的页面。

其他的一些配置,如下:   

    successUrl:登录成功默认跳转页面,不配置则跳转至”/”,可以不配置,直接通过代码进行处理。

    securityManager:这个属性是必须的,配置为securityManager就好了。

    filterChainDefinitions:配置过滤规则,从上到下的顺序匹配。

    在SpringBoot中通过Java代码来实现Shiro的配置。

示例:

package com.config;


import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Created by
 * Description
 */
@Configuration
public class ShiroConfiguration {

   

    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);

        //拦截器.
        Map filterChainDefinitionMap = new LinkedHashMap();
        //登录界面        
        shiroFilterFactoryBean.setLoginUrl("/index.do");
        //未授权界面
        shiroFilterFactoryBean.setUnauthorizedUrl("/index");
      
        // 配置不会被拦截的链接 顺序判断
        filterChainDefinitionMap.put("/static/**", "anon");       
        filterChainDefinitionMap.put("/public/**", "anon"); 
        。。。。       
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/**", "authc");

        // 登录成功后要跳转的链接
        shiroFilterFactoryBean.setSuccessUrl("/main.do");
        
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
       
        securityManager.setRealm(myShiroRealm());
        securityManager.setSessionManager(sessionManager());
      
        return securityManager;
    }

    @Bean
    public UserAuthenticationRealm myShiroRealm() {
        //UserAuthenticationRealmo为认证和授权具体实现类
        UserAuthenticationRealm myShiroRealm = new UserAuthenticationRealm();
        return myShiroRealm;
    }

    

    @Bean
    public SessionManager sessionManager() {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setCacheManager(new MemoryConstrainedCacheManager());// 加入缓存管理器
        manager.setSessionDAO(sessionDao());// 设置SessionDao
        manager.setDeleteInvalidSessions(true);// 删除过期的session
        manager.setGlobalSessionTimeout(sessionTimeOut);// 设置全局session超时时间
        manager.setSessionValidationSchedulerEnabled(true);// 是否定时检查session、
        manager.setSessionIdCookieEnabled(true);
        manager.setSessionIdCookie(simpleCookie());
        return manager;
    }

    @Bean
    public CustomerSessionDao sessionDao() {
        CustomerSessionDao sessionDao = new CustomerSessionDao(redisSessionRepository());
        return sessionDao;
    }
    @Bean
    public RedisSessionRepository redisSessionRepository() {
        RedisSessionRepository shiroSessionRepository = new RedisSessionRepository();
        return shiroSessionRepository;
    }

    @Bean
    public SimpleCookie simpleCookie() {
        SimpleCookie simpleCookie = new SimpleCookie(sessionName);
        simpleCookie.setPath("/");
        simpleCookie.setHttpOnly(true);
        return simpleCookie;
    }
}

其中UserAuthenticationRealm为认证和授权具体实现类, 需要继承AuthorizingRealm,并实现其doGetAuthenticationInfo和doGetAuthorizationInfo两个方法,doGetAuthenticationInfo为登录认证方法, doGetAuthorizationInfo为授权认证方法。

public class UserAuthenticationRealm extends AuthorizingRealm {

    private Logger logger = LoggerFactory.getLogger(UserAuthenticationRealm.class);

    @Resource
    private IUserAuthenticationService userAuthenticationService;

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        //具体实现, 若不使用授权管理,可以返回null
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        logger.info("用户登录验证开始");
        //具体实现        
        return simpleAuthenticationInfo;
       
}

你可能感兴趣的:(Shiro)