-
SpringBoot-33-shiro请求授权的实现
9.9 shiro请求授权的实现
- 在上节demo的基础上进行拓展,现在ShiroConfiguration配置类的ShiroFilterFactoryBean方法中设置请求的用户主体的访问权限,并且配置未授权时返回页面信息
- 本demo的静态资源可以访问SpringBoot整合shiro项目静态资源下载
filterChainDefinitionMap.put(“/user/addUser”,“perms[user:add]”);
shiroFilterFactoryBean.setUnauthorizedUrl(“/user/unauthorized”);
@Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager")DefaultWebSecurityManager securityManager){ ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); //设置安全管理器 shiroFilterFactoryBean.setSecurityManager(securityManager); /*添shiro的内置过滤器,类型 anon:无需认证就可以访河 authc: 必须认证了才能让河 user: 必颈拥有记住我功能才能用 perms: 拥有对某个资源的权限才能访问: role: 拥有某个角色权限才能访河 */ Map- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 当然得对未授权时返回页面信息,在MyController设置页面信息
@RequestMapping("/unauthorized") @ResponseBody public String unauthorized(){ return "未授权无法访问此页面!"; }- 1
- 2
- 3
- 4
- 5
- 然后在自定义的realm给用户授予访问授权,这个权限从数据库中来,所以需要改造数据库,增加一个perm的权限字段,设置权限信息。这样用户访问某个请求时有这个权限就可以访问,没有权限就返回无权限信息
//访问页面属于授权 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { System.out.println("执行了授权doGetAuthorizationInfo方法!"); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); //硬编码,给所有登录用户授予"user:add"权限 //info.addStringPermission("user:add"); //拿到当前用户 Subject subject = SecurityUtils.getSubject(); //1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值 //2.也可以通过session传值 User currentUser= (User)subject.getPrincipal(); //设置用户访问授权 info.addStringPermission(currentUser.getPerm()); return info; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 但在授权过程中有个问题是用户信息从哪来,肯定得是从自定义realm中的认证信息中来,用户登录时会进行认证,所以哪能拿到用户信息,这块传值方式有2种,下面是用的第一种方式进行传值
传值方式
//1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值
//2.也可以通过session传值//用户登录属于认证 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { System.out.println("执行了认证doGetAuthenticationInfo方法!"); //连接真实数据库 UsernamePasswordToken userToken = (UsernamePasswordToken) token; Map- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 退出登陆操作时使用 subject.logout();来清空全局subject数据
//登陆退出 @RequestMapping("/logout") public String logout(){ Subject subject = SecurityUtils.getSubject(); subject.logout(); return "login"; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 完整的MyController 控制器
package com.example.controller; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.IncorrectCredentialsException; import org.apache.shiro.authc.LockedAccountException; import org.apache.shiro.authc.UnknownAccountException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.session.Session; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.ResponseBody; /** * @author CNCLUKZK * @create 2022/8/5-19:22 */ @Controller @RequestMapping("/user") public class MyController { @RequestMapping({"/","/toIndex"}) public String toIndex(Model model){ model.addAttribute("msg","首页,shiro!"); return "index"; } @RequestMapping("/addUser") public String toAdd(Model model){ model.addAttribute("msg","add,shiro!"); return "addUser"; } @RequestMapping("/updUser") public String toUpd(Model model){ model.addAttribute("msg","upd,shiro!"); return "updUser"; } @RequestMapping("/toLogin") public String toLogin(){ return "login"; } @RequestMapping("/login") public String login(String username,String password,Model model){ Subject subject = SecurityUtils.getSubject(); //全局token UsernamePasswordToken token = new UsernamePasswordToken(username, password); try { token.setRememberMe(true); subject.login(token); Session session = subject.getSession(); session.setAttribute("user",token.getPrincipal()); return "index"; } catch (UnknownAccountException uae) { model.addAttribute("msg",token.getPrincipal()+" is not correct"); return "login"; } catch (IncorrectCredentialsException ice) { model.addAttribute("msg","Password for account " + token.getPrincipal() + " was incorrect!"); return "login"; } catch (LockedAccountException lae) { model.addAttribute("msg","The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it."); return "login"; } } @RequestMapping("/unauthorized") @ResponseBody public String unauthorized(){ return "未授权无法访问此页面!"; } //登陆退出 @RequestMapping("/logout") public String logout(){ Subject subject = SecurityUtils.getSubject(); subject.logout(); return "login"; } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 完整的ShiroConfiguration配置类
package com.example.config; import at.pollux.thymeleaf.shiro.dialect.ShiroDialect; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.authc.credential.Md5CredentialsMatcher; import org.apache.shiro.authc.credential.SimpleCredentialsMatcher; import org.apache.shiro.crypto.hash.Md2Hash; import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import java.util.LinkedHashMap; import java.util.Map; @Configuration public class ShiroConfiguration { //第三步:ShiroFilterFactoryBean @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager")DefaultWebSecurityManager securityManager){ ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); //设置安全管理器 shiroFilterFactoryBean.setSecurityManager(securityManager); /*添shiro的内置过滤器,类型 anon:无需认证就可以访河 authc: 必须认证了才能让河 user: 必颈拥有记住我功能才能用 perms: 拥有对某个资源的权限才能访问: role: 拥有某个角色权限才能访河 */ Map- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 完整的自定义UserRealm认证授权配置
package com.example.config; import com.example.mapper.UserMapper; import com.example.pojo.User; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.Subject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.StringUtils; import javax.jws.soap.SOAPBinding; import java.util.HashMap; import java.util.Map; //自定义UserRealm extends AuthorizingRealm public class UserRealm extends AuthorizingRealm { @Autowired UserMapper userMapper; //访问页面属于授权 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { System.out.println("执行了授权doGetAuthorizationInfo方法!"); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); //硬编码,给所有登录用户授予"user:add"权限 //info.addStringPermission("user:add"); //拿到当前用户 Subject subject = SecurityUtils.getSubject(); //1.从认证这块传递的用户信息,在授权这个用这个方法得到用户,通过当前用户Subject的属性传值 //2.也可以通过session传值 User currentUser= (User)subject.getPrincipal(); //设置用户访问授权 info.addStringPermission(currentUser.getPerm()); return info; } //用户登录属于认证 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { System.out.println("执行了认证doGetAuthenticationInfo方法!"); //连接真实数据库 UsernamePasswordToken userToken = (UsernamePasswordToken) token; Map- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
-
好了,可以进行测试了,用上面数据库中的用户进行登录访问,发现只能访问相应权限的请求。
-
访问http://127.0.0.1:8080/user/toLogin,用admin/123456登陆显示user:add权限的页面链接
- 用Tom/123456登陆显示user:upd权限的页面链接
下一篇:SpringBoot-34-shiro整合thymeleaf
-
相关阅读:
基于 KubeSphere 的分级管理实践
JavaScript 初学( 十七 ) - JS HTML DOM
工作流 activiti
spring boot + mybatis+ mysql环境搭建
springboot实现简单的注册登录功能
python枚举详解
静态代码分析基础知识及分析工具
软件的界面测试是什么?怎么设计的?
windows安装docker版青龙面板
【金TECH频道】从第一性原理出发,数字原生银行原来可以这样做
- 原文地址:https://blog.csdn.net/weixin_42045639/article/details/126485493
