# Shiro
**Repository Path**: zzzxp/Shiro
## Basic Information
- **Project Name**: Shiro
- **Description**: A Shiro security framework project suited to beginners, based on Spring Boot, Thymeleaf and Shiro
- **Primary Language**: Java
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 2
- **Forks**: 2
- **Created**: 2020-04-13
- **Last Updated**: 2024-08-20
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
# Shiro
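#### Introduction
A Shiro security framework project suited to beginners, built on Spring Boot, Thymeleaf and Shiro. Shiro is a powerful, easy-to-use Java security framework that performs authentication, authorization, cryptography and session management.
#### Core classes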
`ShiroFilterFactoryBean`
`DefaultWebSecurityManager`
`realm` object
#### Project setup
1. Add the dependencies
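```
<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>2.0.0</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.5.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf</groupId>
    <artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
```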
2. Define a custom `UserRealm` that extends `AuthorizingRealm`, and let the Spring IoC container manage the realm
```
// Create the custom realm object (1)
@Bean
public UserRealm userRealm() {
    return new UserRealm();
}
```
3. Associate the `DefaultWebSecurityManager` with the `UserRealm`
```
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManger(@Qualifier("userRealm") UserRealm userRealm) {
    DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
    securityManager.setRealm(userRealm);
    return securityManager;
}
```
4. Associate the `ShiroFilterFactoryBean` with the `SecurityManager`: set the security manager and add Shiro's built-in filters
```
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    // Set the security manager
    bean.setSecurityManager(defaultWebSecurityManager);
    // Add Shiro's built-in filters
    /*
        anon:  accessible without authentication;
        authc: accessible only after authentication;
        user:  accessible to users who are authenticated or remembered (remember-me);
        perms: accessible only with permission for the given resource;
        roles: accessible only with the given role;
     */
    // Login interception. Rules are matched in insertion order (first match wins),
    // so the catch-all "/**" rule must stay last.
    Map<String, String> filterMap = new LinkedHashMap<>();
    // Authorization: each /views/levelN path requires the matching permission
    filterMap.put("/index", "anon");
    filterMap.put("/", "anon");
    filterMap.put("/logout", "logout");
    filterMap.put("/views/level1", "perms[views:level1]");
    filterMap.put("/views/level2", "perms[views:level2]");
    filterMap.put("/views/level3", "perms[views:level3]");
    filterMap.put("/toLogin", "anon");
    filterMap.put("/**", "authc");
    bean.setLoginUrl("/login");
    // bean.setSuccessUrl("/index");
    bean.setUnauthorizedUrl("/unAuth");
    bean.setFilterChainDefinitionMap(filterMap);
    return bean;
}
```
5. Authentication and authorization
```
// Authorization
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    System.out.println("执行了=>授权doGetAuthorizationInfo");
    // Get the currently logged-in subject
    Subject subject = SecurityUtils.getSubject();
    User user = (User) subject.getSession().getAttribute(UserRealm.SESSION_USER_PERMISSION);
    JSONObject jsonObject = JSONObject.parseObject(JSONObject.toJSONString(user));
    // Set the current user's permissions
    // Note: this prints the whole serialized User, including its password field.
    System.out.println(jsonObject.toString());
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.addStringPermissions((Collection<String>) jsonObject.get("permissionsList"));
    return info;
}

// Authentication
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    System.out.println("执行了=>认证doGetAuthenticationInfo");
    String username = (String) token.getPrincipal();
    String password = String.valueOf((char[]) token.getCredentials());
    // Query the database (the submitted password is passed to the query as-is)
    User user = userService.queryInfo(username, password);
    //JSONObject jsonObject = JSONObject.parseObject(JSONObject.toJSON(user).toString());
    if (null == user) {
        return null;
    }
    SecurityUtils.getSubject().getSession().setAttribute(UserRealm.SESSION_USER_PERMISSION, user);
    // MD5 hashing, salted MD5 hashing
    // Shiro performs the password check. With no CredentialsMatcher configured
    // (none is shown here), it compares the submitted password with
    // user.getPassword() directly.
    return new SimpleAuthenticationInfo(user, user.getPassword(), "");
}
```
6. Write the controller, service and DAO layers in turn
- See the code above for details
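
A variant of the step 5 realm that looks the user up by username only, lets Shiro verify the password against a salted hash, and loads permissions from the authenticated principal instead of a session attribute. This is an added example, not the project's own code: `HashedUserRealm`, `Account` and `AccountStore` are hypothetical names standing in for the project's `UserRealm`, `User` and `UserService`, and the stored hash is assumed to have been produced by Shiro's `PasswordService.encryptPassword` when the account was created.

```java
import java.util.List;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Added example, not the project's code. Account and AccountStore are
// hypothetical stand-ins for the project's User and UserService.
public class HashedUserRealm extends AuthorizingRealm {
    public interface Account {
        String getUsername();
        String getPasswordHash();          // value produced by PasswordService.encryptPassword
        List<String> getPermissionsList(); // e.g. "views:level1"
    }
    public interface AccountStore {
        Account findByUsername(String username); // returns null for an unknown user
    }
    private final AccountStore store;

    public HashedUserRealm(AccountStore store) {
        this.store = store;
        // PasswordMatcher (DefaultPasswordService by default) checks the token against the salted hash.
        setCredentialsMatcher(new PasswordMatcher());
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Look up by username only; the password never leaves the token.
        Account account = store.findByUsername((String) token.getPrincipal());
        if (account == null) {
            throw new UnknownAccountException();
        }
        // The principal is just the username, so no password-bearing object is stored.
        return new SimpleAuthenticationInfo(
                account.getUsername(), account.getPasswordHash(), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Use the authenticated principal, not a session attribute, to load permissions.
        Account account = store.findByUsername((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (account != null) {
            info.addStringPermissions(account.getPermissionsList());
        }
        return info;
    }
}
```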
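#### Project demo
1. Home page
- On the home page, with no user logged in, the three menus level1, level2 and level3 are not visible because the visitor has no permission for them. The logout button is likewise hidden.
2. Login
- The user opens the login page and logs in.
3. Logging in with the root account
- After logging in, the root user has permission for the three menus level1, level2 and level3, and the logout button is shown now that the account is authenticated.
4. Logging in with the zxp account
- After logging in, the zxp user has permission for the level1 menu only, and the logout button is shown now that the account is authenticated.
5. Logout
- Clicking logout returns to the home page.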