您好,登錄后才能下訂單哦!
這篇文章主要介紹了SpringBoot如何配置shiro安全框架,具有一定借鑒價值,感興趣的朋友可以參考下,希望大家閱讀完這篇文章之后大有收獲,下面讓小編帶著大家一起了解一下。
springboot一種全新的編程規范,其設計目的是用來簡化新Spring應用的初始搭建以及開發過程,SpringBoot也是一個服務于框架的框架,服務范圍是簡化配置文件。
首先引入pom
<!--SpringBoot 2.1.0--> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.1.0.RELEASE</version> </parent> <!--shiro--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>${shiro.version}</version> </dependency> <!-- shiro-redis --> <dependency> <groupId>org.crazycake</groupId> <artifactId>shiro-redis</artifactId> <version>3.1.0</version> </dependency> <!-- shiro-freemarker-tag --> <dependency> <groupId>net.mingsoft</groupId> <artifactId>shiro-freemarker-tags</artifactId> <version>1.0.0</version> </dependency> <!-- freemarker --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-freemarker</artifactId> </dependency>
ShiroConfig.java
package com.jx.cert.web.framework.config.shiro; import java.util.LinkedHashMap; import java.util.Map; import javax.servlet.Filter; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.cache.MemoryConstrainedCacheManager; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.crazycake.shiro.RedisCacheManager; import org.crazycake.shiro.RedisManager; import org.crazycake.shiro.RedisSessionDAO; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.DependsOn; import com.jx.cert.web.framework.config.shiro.filter.KickoutSessionControlFilter; import com.jx.cert.web.framework.config.shiro.filter.ShiroPermissionsFilter; import com.jx.cert.web.framework.config.shiro.filter.SystemLogoutFilter; import com.jx.common.utils.CacheConstants; /** * @ClassName: gyu * @Description: TODO(shrio配置) * @author gangyu * @date 2018年12月4日 下午2:28:07 */ @Configuration public class ShiroConfig { Logger log=LoggerFactory.getLogger(ShiroConfig.class); @Value("${spring.redis.host}") private String host; @Value("${spring.redis.prot}") private int port; @Value("${spring.redis.timeout}") private int timeout; @Value("${spring.redis.password}") private String password; @Value("${spring.redis.database}") private int database; //注意這里需要設置成 static 否則 @Value 注入不了數據 @Bean(name = "lifecycleBeanPostProcessor") public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); log.debug("-----------------Shiro攔截器工廠類注入開始"); Map<String,Filter> filterMap=shiroFilterFactoryBean.getFilters(); //權限過濾器 filterMap.put("perms", new ShiroPermissionsFilter()); shiroFilterFactoryBean.setFilters(filterMap); // 配置shiro安全管理器 SecurityManager shiroFilterFactoryBean.setSecurityManager(securityManager); // 指定要求登錄時的鏈接 shiroFilterFactoryBean.setLoginUrl("/login"); // 登錄成功后要跳轉的鏈接 shiroFilterFactoryBean.setSuccessUrl("/index"); // filterChainDefinitions攔截器=map必須用:LinkedHashMap,因為它必須保證有序 Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); //對外應用開發接口不驗證 filterChainDefinitionMap.put("/app/**", "anon"); filterChainDefinitionMap.put("/ajaxLogin", "anon"); // 放開驗證碼 filterChainDefinitionMap.put("/public/getGifCode", "anon"); // 退出 filterChainDefinitionMap.put("/logout", "logout"); //TODO 全部放行 // filterChainDefinitionMap.put("/manage/**", "anon[*]"); //公共資源 filterChainDefinitionMap.put("/static/**", "anon"); filterChainDefinitionMap.put("/css/**", "anon"); filterChainDefinitionMap.put("/img/**", "anon"); filterChainDefinitionMap.put("/js/**", "anon"); // authc:所有url都必須認證通過才可以訪問; filterChainDefinitionMap.put("/**", "authc"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); log.debug("-----------------Shiro攔截器工廠類注入成功"); return shiroFilterFactoryBean; } @Bean public HashedCredentialsMatcher hashedCredentialsMatcher() { HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher(); hashedCredentialsMatcher.setHashAlgorithmName("MD5");//散列算法:這里使用MD5算法; hashedCredentialsMatcher.setHashIterations(1);//散列的次數,比如散列兩次,相當于 md5(md5("")); return hashedCredentialsMatcher; } //權限緩存到內存 @Bean(name = "shiroRealm") @DependsOn("lifecycleBeanPostProcessor") public MyShiroRealm myShiroRealm() { MyShiroRealm myShiroRealm = new MyShiroRealm(); myShiroRealm.setCacheManager(new MemoryConstrainedCacheManager()); myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher()); return myShiroRealm; } @Bean(name = "securityManager") public SecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(myShiroRealm()); // 自定義session管理 使用redis securityManager.setSessionManager(sessionManager()); // 自定義緩存實現 使用redis securityManager.setCacheManager(cacheManager()); return securityManager; } /** * 配置shiro redisManager * @return */ public RedisManager redisManager() { RedisManager redisManager = new RedisManager(); redisManager.setHost(host); redisManager.setPort(port); redisManager.setTimeout(timeout); // redisManager.setPassword(password); redisManager.setDatabase(database); return redisManager; } //自定義sessionManager @Bean public SessionManager sessionManager() { MySessionManager mySessionManager = new MySessionManager(); mySessionManager.setSessionDAO(redisSessionDAO()); //默認1個小時session過期 mySessionManager.setGlobalSessionTimeout(CacheConstants.SHIRO_SESSION_MS); return mySessionManager; } /** * RedisSessionDAO shiro sessionDao層的實現 通過redis */ @Bean public RedisSessionDAO redisSessionDAO() { RedisSessionDAO redisSessionDAO = new RedisSessionDAO(); redisSessionDAO.setRedisManager(redisManager()); return redisSessionDAO; } /** * cacheManager 緩存 redis實現 * @return */ @Bean public RedisCacheManager cacheManager() { RedisCacheManager redisCacheManager = new RedisCacheManager(); redisCacheManager.setRedisManager(redisManager()); redisCacheManager.setExpire(CacheConstants.USER_DATA_TTL); return redisCacheManager; } }
MyShiroRealm.java
package com.jx.cert.web.framework.config.shiro; import java.util.ArrayList; import java.util.List; import org.apache.commons.codec.digest.DigestUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.LockedAccountException; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UnknownAccountException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import com.jx.cert.web.framework.config.shiro.exception.SysUsreNotLoginAPPException; import com.jx.cert.web.framework.config.shiro.exception.SystemNotExistException; import com.jx.common.utils.SysCode; import com.jx.core.api.model.vo.cert.SysPermission; import com.jx.core.api.model.vo.cert.SysRole; import com.jx.core.api.model.vo.cert.SysSystem; import com.jx.core.api.model.vo.cert.SysUser; import com.jx.core.api.service.business.cert.SysPermissionService; import com.jx.core.api.service.business.cert.SysRoleService; import com.jx.core.api.service.business.cert.SysSystemService; import com.jx.core.api.service.business.cert.SysUserService; public class MyShiroRealm extends AuthorizingRealm { private Logger logger = LoggerFactory.getLogger(MyShiroRealm.class); @Autowired private SysUserService sysUserService; @Autowired private SysRoleService sysRoleService; @Autowired private SysPermissionService sysPermissionService; @Autowired private SysSystemService systemService; @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { logger.info("####################開始配置權限####################"); SysUser user = (SysUser) principals.getPrimaryPrincipal(); if (user != null) { //權限信息對象info,用來存放查出的用戶的所有的角色(role)及權限(permission) SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); List<String> roleStrlist = new ArrayList<String>();//用戶的角色集合 List<String> perminsStrlist = new ArrayList<String>();//用戶的菜單權限集合 for (SysRole role : user.getRoleList()) { roleStrlist.add(role.getRoleName()); } for (SysPermission permission : user.getPermissList()) { perminsStrlist.add(permission.getUrl()); } //用戶的角色集合 authorizationInfo.addRoles(roleStrlist); //用戶的菜單按鈕權限集合 authorizationInfo.addStringPermissions(perminsStrlist); return authorizationInfo; } return null; } /*主要是用來進行身份認證的,也就是說驗證用戶輸入的賬號和密碼是否正確。*/ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { logger.info("####################身份認證####################"); String userStr = (String) token.getPrincipal(); SysUser user = sysUserService.getUserByUserName(userName); //認證系統用戶 List<SysRole> roleList = sysRoleService.findRoleByUserId(user.getUserId(),systemId); user.setRoleList(roleList);//獲取用戶角色 List<SysPermission> list=sysPermissionService.getUserPermission(user.getUserId(),systemId); SysPermission permis=new SysPermission(); list.add(permis); user.setPermissList(list);//獲取用戶權限 return new SimpleAuthenticationInfo(user, DigestUtils.md5Hex(user.getPassword()),getName()); } }
ShiroTagsFreeMarkerCfg.java
package com.jx.cert.web.framework.config.shiro; import javax.annotation.PostConstruct; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer; import com.jagregory.shiro.freemarker.ShiroTags; import freemarker.template.TemplateModelException; /** * @ClassName: ShiroTagsFreeMarkerCfg * @Description: TODO(ftl shiro 標簽) * @author gangyu * @date 2018年12月5日 下午5:16:27 * */ @Component public class ShiroTagsFreeMarkerCfg { @Autowired private FreeMarkerConfigurer freeMarkerConfigurer; @PostConstruct public void setSharedVariable() throws TemplateModelException { freeMarkerConfigurer.getConfiguration().setSharedVariable("shiro", new ShiroTags()); } }
ShiroPermissionsFilter.java
/** * @Title: ShiroPermissionsFilter.java * @Package com.jx.cert.web.config.shiro * @Description: TODO(用一句話描述該文件做什么) * @author gangyu * @date 2018年12月5日 上午11:47:00 * @version V1.0 */ package com.jx.cert.web.framework.config.shiro.filter; import java.io.IOException; import java.io.PrintWriter; import java.util.List; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.gson.Gson; import com.jx.cert.web.framework.config.shiro.ShiroUtil; import com.jx.common.utils.Result; import com.jx.common.utils.enums.CodeEnum; import com.jx.core.api.model.vo.cert.SysPermission; import com.jx.core.api.model.vo.cert.SysUser; /** * @ClassName: ShiroPermissionsFilter * @Description: TODO(權限驗證) * @author gangyu * @date 2018年12月5日 上午11:47:00 */ public class ShiroPermissionsFilter extends PermissionsAuthorizationFilter { private static final Logger logger = LoggerFactory.getLogger(ShiroPermissionsFilter.class); /** * 權限檢測驗證 */ @Override protected boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException { logger.info("----------權限校驗-------------"); HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletResponse response = (HttpServletResponse) servletResponse; String reqUrl=request.getRequestURI(); List<SysPermission> permsList=ShiroUtil.getUser().getPermissList(); String contextPath=request.getContextPath(); reqUrl=reqUrl.substring(contextPath.length()+1, reqUrl.length()); String header = request.getHeader("X-Requested-With"); boolean isAjax = "XMLHttpRequest".equals(header); SysUser user=ShiroUtil.getUser(); if(!new Gson().toJson(permsList).contains(reqUrl)){ if (isAjax) { logger.info("----------AJAX請求拒絕-------------"); response.setCharacterEncoding("UTF-8"); response.setContentType("application/json"); response.getWriter().write(new Gson().toJson(new Result(CodeEnum.NOT_PERMISSION))); } else { logger.info("----------普通請求拒絕-------------"); response.sendRedirect(request.getContextPath()+"/403"); } return false; }else { return true; } } }
ShiroUtil.java
package com.jx.cert.web.framework.config.shiro; import org.apache.shiro.SecurityUtils; import org.apache.shiro.session.Session; import org.apache.shiro.subject.Subject; import com.jx.core.api.model.vo.cert.SysUser; public class ShiroUtil { /** * 獲取當前 Subject * * @return */ public static Subject getSubject() { return SecurityUtils.getSubject(); } /** * 獲取shiro指定的sessionKey * * @param key * @param <T> * @return */ public static <T> T getSessionAttr(String key) { Session session = getSession(); return session != null ? (T) session.getAttribute(key) : null; } /** * 設置shiro指定的sessionKey * * @param key * @param value */ public static void setSessionAttr(String key, Object value) { Session session = getSession(); session.setAttribute(key, value); } /** * 獲取當前用戶對象 * * @return */ public static SysUser getUser() { if(getSubject().isAuthenticated()){ return (SysUser) getSubject().getPrincipals().getPrimaryPrincipal(); } return null; } /** * 獲取當前用戶對象UserID * * @return */ public static String getUserId() { return getUser().getUserId(); } /** * 移除shiro指定的sessionKey * * @param key */ public static void removeSessionAttr(String key) { Session session = getSession(); if (session != null) session.removeAttribute(key); } /** * 驗證當前用戶是否屬于該角色 * * @param roleName 角色名稱 * @return 屬于該角色:true,否則false */ public static boolean hasRole(String roleName) { return getSubject() != null && roleName != null && roleName.length() > 0 && getSubject().hasRole(roleName); } /** * shiro 中獲取session * * @return session */ public static Session getSession() { return getSubject().getSession(); } /** * 驗證當前用戶是否屬于以下所有角色 * 多權限“,”分割 * * @param roleNames 權限名稱 * @return 屬于:true,否則false */ public static boolean hasAllRoles(String roleNames) { boolean hasAllRole = true; Subject subject = getSubject(); if (subject != null && roleNames != null && roleNames.length() > 0) { for (String role : roleNames.split(",")) { if (!subject.hasRole(role.trim())) { hasAllRole = false; break; } } } return hasAllRole; } /** * 驗證當前用戶是否屬于以下任意一個角色 * 多權限“,”分割 * @param roleNames * @return */ public static boolean hasAnyRoles(String roleNames) { boolean hasAnyRole = false; Subject subject = getSubject(); if (subject != null && roleNames != null && roleNames.length() > 0) { for (String role : roleNames.split(",")) { if (subject.hasRole(role.trim())) { hasAnyRole = true; break; } } } return hasAnyRole; } }
感謝你能夠認真閱讀完這篇文章,希望小編分享的“SpringBoot如何配置shiro安全框架”這篇文章對大家有幫助,同時也希望大家多多支持億速云,關注億速云行業資訊頻道,更多相關知識等著你來學習!
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。