文章目录
- Spring Boot 整合 Shiro详解
- 一、引言
- 二、整合步骤
- 1、创建项目并引入依赖
- 2、配置Shiro
- 2.1、自定义Realm
- 2.2、配置SecurityManager和ShiroFilterFactoryBean
- 三、使用示例
- 四、总结
Spring Boot 整合 Shiro详解
一、引言
在现代的Web应用开发中,用户认证和授权是必不可少的安全措施。Apache Shiro是一个功能强大且易于使用的Java安全项目,提供了认证、授权、加密和会话管理等功能。Spring Boot作为一个流行的Java应用开发框架,与Shiro的整合可以极大地简化安全配置和管理。本文将详细介绍如何在Spring Boot应用中整合Shiro,实现用户认证和授权功能。
二、整合步骤
1、创建项目并引入依赖
首先,使用Spring Initializr创建一个新的Spring Boot项目,并添加以下依赖:
xml复制
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.11.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
这些依赖分别用于Web开发、Shiro安全框架、Thymeleaf模板引擎、Lombok简化代码编写以及测试框架。
2、配置Shiro
接下来,需要配置Shiro的相关组件,包括自定义Realm、SecurityManager和ShiroFilterFactoryBean等。
2.1、自定义Realm
创建一个自定义Realm类,用于实现用户认证和授权的逻辑:
java复制
package com.example.demo.shiro;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.example.demo.service.UserService;
public class CustomRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = (String) principals.getPrimaryPrincipal();
User user = userService.findByUsername(username);
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
user.getRoles().forEach(role -> authorizationInfo.addRole(role.getRoleName()));
user.getRoles().forEach(role -> role.getPermissions().forEach(permission -> authorizationInfo.addStringPermission(permission.getPermissionsName())));
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
User user = userService.findByUsername(username);
if (user == null) {
throw new UnknownAccountException("用户不存在");
}
return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
}
}
在这个自定义Realm中,doGetAuthorizationInfo方法用于获取用户的授权信息,包括角色和权限;doGetAuthenticationInfo方法用于验证用户的登录信息。
2.2、配置SecurityManager和ShiroFilterFactoryBean
创建Shiro配置类,配置SecurityManager和ShiroFilterFactoryBean:
java复制
package com.example.demo.config;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.example.demo.shiro.CustomRealm;
@Configuration
public class ShiroConfig {
@Bean
public CustomRealm customRealm() {
return new CustomRealm();
}
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(customRealm());
return securityManager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/login", "anon");
filterChainDefinitionMap.put("/register", "anon");
filterChainDefinitionMap.put("/**", "authc");
shiroFilterFactoryBean.setLoginUrl("/login");
shiroFilterFactoryBean.setSuccessUrl("/index");
shiroFilterFactoryBean.setUnauthorizedUrl("/error");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAAP = new DefaultAdvisorAutoProxyCreator();
defaultAAP.setProxyTargetClass(true);
return defaultAAP;
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}
在这个配置类中,customRealm方法创建并返回自定义Realm实例;securityManager方法配置SecurityManager并设置自定义Realm;shiroFilterFactoryBean方法配置ShiroFilterFactoryBean,定义了请求的过滤规则,如登录页面和需要认证的页面等;defaultAdvisorAutoProxyCreator和authorizationAttributeSourceAdvisor方法用于开启Shiro的AOP支持,以便在方法调用时进行权限检查。
三、使用示例
在整合了Shiro之后,我们可以在Controller中使用Shiro提供的注解来控制方法的访问权限。例如:
java复制
package com.example.demo.controller;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class HomeController {
@GetMapping("/index")
public String index() {
return "欢迎来到主页";
}
@GetMapping("/admin")
@RequiresRoles("admin")
public String admin() {
return "欢迎来到管理员页面";
}
@GetMapping("/user")
@RequiresPermissions("user:view")
public String user() {
return "欢迎来到用户页面";
}
}
在上面的代码中,@RequiresRoles("admin")注解表示只有拥有"admin"角色的用户才能访问/admin页面;@RequiresPermissions("user:view")注解表示只有拥有"user:view"权限的用户才能访问/user页面。
四、总结
通过上述步骤,我们成功地在Spring Boot应用中整合了Shiro,实现了用户认证和授权功能。自定义Realm类负责处理用户认证和授权的逻辑,Shiro配置类则配置了SecurityManager和ShiroFilterFactoryBean等组件。在Controller中,可以使用Shiro提供的注解来控制方法的访问权限,从而实现细粒度的权限管理。这种整合方式不仅简化了安全配置,还提高了应用的安全性和可维护性。
版权声明:本博客内容为原创,转载请保留原文链接及作者信息。
参考文章:
- SpringBoot整合Shiro(详细教程分析)_springboot shiro-CSDN博客
- Spring Boot整合 Apache Shiro实现认证和授权功能(入门篇)_spring boot shiro-CSDN博客
