SpringBoot笔记--整合Shiro实现登录鉴权

一、前言

1.按上文《SpringBoot整合MyBatis》,先在数据库中创建好用户 zhangsan/123456
2.本文仅演示最简单的基于数据库的登录认证,也就是 /user/login 接口的认证;授权部分(doGetAuthorizationInfo)未实现,直接返回 null

二、上代码

0.代码结构

modified:   pom.xml
modified:   src/main/java/com/yx/controller/UserController.java
new file:   src/main/java/com/yx/shiro/CustomRealm.java
new file:   src/main/java/com/yx/shiro/shiroConfig.java
image.png

1.pom.xml

     
    
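    <!-- 1.6.0 为本文使用的版本;实际项目请使用当前仍在维护的 Shiro 版本 -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.6.0</version>
    </dependency>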
    

2./com/yx/shiro/CustomRealm.java

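/**
 * Shiro realm that authenticates users against the database through {@code UserMapper}.
 *
 * <p>Only authentication is implemented here; authorization data is never supplied, so
 * no role or permission is granted to any user.
 */
public class CustomRealm extends AuthorizingRealm {

    @Resource
    private UserMapper userMapper;

    /**
     * Supplies roles and permissions for an already authenticated principal.
     *
     * <p>Not implemented in this example: it always returns {@code null}.
     * NOTE(review): Shiro is expected to treat a null result as "nothing granted", so
     * role/permission checks should be denied rather than allowed; confirm before
     * relying on annotation-based checks.
     *
     * @param principalCollection the principals of the subject being authorized (unused)
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Loads the account that matches the token's principal; Shiro calls this on every
     * {@code subject.login(...)}.
     *
     * <p>NOTE(review): the stored password is handed to Shiro unchanged. No
     * CredentialsMatcher is configured on this realm in the configuration shown, so
     * Shiro's default matcher compares the stored value with the submitted password
     * directly, which implies the database holds plaintext passwords. Store salted
     * password hashes and configure a matching hashing CredentialsMatcher on the realm.
     *
     * @param authenticationToken the submitted token; its principal is the user name
     * @return the account's authentication info, or {@code null} when the principal is
     *     empty or no such user exists (Shiro then reports an unknown account)
     * @throws AuthenticationException if the account exists but has no stored password
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        Object principal = authenticationToken.getPrincipal();
        if (StringUtils.isEmpty(principal)) {
            return null;
        }

        // The principal of the token is the user name.
        String name = principal.toString();

        // Look the user up in the database.
        User user = userMapper.queryByName(name);
        if (user == null) {
            // Returning null makes Shiro raise its "unknown account" exception.
            return null;
        }

        // Fail closed instead of hitting a NullPointerException when the password
        // column is empty: such an account can never be logged into.
        Object storedPassword = user.getPassword();
        if (storedPassword == null) {
            throw new AuthenticationException("Account has no stored credentials");
        }

        // Shiro compares the credentials in this info object with those in the token.
        return new SimpleAuthenticationInfo(name, storedPassword.toString(), getName());
    }
}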

3./com/yx/shiro/shiroConfig.java

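/**
 * Spring configuration that wires Shiro into the web application: the custom realm,
 * the security manager, the URL filter chain and annotation support.
 *
 * <p>NOTE(review): {@code SecurityManager} below is assumed to be
 * {@code org.apache.shiro.mgt.SecurityManager}; without that import the name resolves
 * to {@code java.lang.SecurityManager}. Confirm against the file's imports.
 */
@Configuration
public class shiroConfig {

    /**
     * Creates the advisor auto-proxy creator, using class-based proxies, unless another
     * bean of this type already exists.
     */
    @Bean
    @ConditionalOnMissingBean
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator defaultAAP = new DefaultAdvisorAutoProxyCreator();
        defaultAAP.setProxyTargetClass(true);
        return defaultAAP;
    }

    /** Registers the custom realm as a bean so that its {@code @Resource} field is injected. */
    @Bean
    public CustomRealm myShiroRealm() {
        return new CustomRealm();
    }

    /** Builds the web security manager and gives it the custom realm as its only realm. */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(myShiroRealm());
        return securityManager;
    }

    /**
     * Builds the Shiro filter factory and defines which URLs require authentication.
     *
     * <p>Rules are evaluated in insertion order and the first matching pattern wins,
     * which is why an insertion-ordered map is used and the catch-all rule comes last.
     *
     * @param securityManager the security manager the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);

        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();

        // The login endpoint must be reachable without authentication.
        filterChainDefinitionMap.put("/user/login", "anon");
        // This endpoint requires an authenticated subject.
        filterChainDefinitionMap.put("/user/get", "authc");
        // Every other URL requires authentication. Shiro patterns are Ant-style: "/*"
        // matches a single path segment only, so paths with more than one segment
        // would not be covered by it; "/**" matches all remaining paths.
        filterChainDefinitionMap.put("/**", "authc");

        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    /**
     * Creates the advisor that applies Shiro's authorization annotations.
     *
     * @param securityManager the security manager used to evaluate the annotations
     * @return the configured advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }
}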

4./com/yx/controller/UserController.java

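/**
 * Logs the caller in with a user name and password through Shiro.
 *
 * <p>Every authentication failure produces the same message, so the response does not
 * reveal whether the submitted user name exists.
 * NOTE(review): no limit on repeated failed attempts is visible in this method;
 * confirm that throttling or lockout is enforced elsewhere.
 *
 * @param response the HTTP response (unused)
 * @param userName the submitted user name
 * @param password the submitted password
 * @return a success result when the login succeeds, otherwise a failure result
 */
@RequestMapping(value = "/login", method = RequestMethod.POST)
public Object login(HttpServletResponse response,
                    @RequestParam(value = "username", required = true) String userName,
                    @RequestParam(value = "password", required = true) String password) {

    // Wrap the submitted credentials in a token for the current subject.
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(userName, password);
    try {
        // Delegates to the configured realm; throws on any authentication failure.
        subject.login(usernamePasswordToken);
        return ApiResult.success("登录成功");
    } catch (AuthenticationException e) {
        // UnknownAccountException is a subclass of AuthenticationException, so unknown
        // users and wrong passwords are handled here with one identical message.
        return ApiResult.failure("账号或密码错误!");
    }
}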

三、Postman测试

image.png
image.png
image.png
