Shiro's three core objects
Subject: the user, i.e. the third party interacting with the application. It is not necessarily a person; it may be another program. Every Subject is bound to a SecurityManager.
SecurityManager: the core of the Shiro architecture. It acts as an "umbrella" object that coordinates its internal security components, which together form an object graph. Once the SecurityManager and its internal object graph have been configured for the application, it is usually left alone.
Realm: essentially a security-specific DAO. It encapsulates the connection details of a data source and makes the associated data available to Shiro as needed. When configuring Shiro you may configure several Realms, but at least one is required.
Code
First we need a Shiro configuration class that creates the three objects Shiro requires. The three depend on one another: each is created with the previous one as a parameter (the Realm goes into the SecurityManager, the SecurityManager into the filter).
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // 3. The servlet filter; needs the SecurityManager.
    @Bean(name = "shiroFilter")
    ShiroFilterFactoryBean doFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFactory = new ShiroFilterFactoryBean();
        shiroFactory.setSecurityManager(securityManager);
        shiroFactory.setLoginUrl("/login");        // unauthenticated requests are redirected here
        shiroFactory.setUnauthorizedUrl("/bupei"); // authenticated but not authorized requests go here
        shiroFactory.setSuccessUrl("/index");

        // LinkedHashMap because order matters: the chain is matched top-down and the first
        // matching pattern wins, so the catch-all "/**" must stay last.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login", "anon");
        filterChainDefinitionMap.put("/toLogin", "anon");
        filterChainDefinitionMap.put("/static/css/**", "anon");
        filterChainDefinitionMap.put("/static/js/**", "anon");
        filterChainDefinitionMap.put("/static/images/**", "anon");
        filterChainDefinitionMap.put("/static/fonts/**", "anon");
        filterChainDefinitionMap.put("/index", "authc");
        // "authc" only requires the caller to be logged in; it does not perform the logout itself.
        filterChainDefinitionMap.put("/logout", "authc");
        filterChainDefinitionMap.put("/**", "authc"); // everything else requires authentication
        shiroFactory.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFactory;
    }

    // 2. The SecurityManager; needs the Realm.
    @Bean(name = "securityManager")
    SecurityManager getSecurityManager(UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    // 1. The Realm; defined below.
    @Bean(name = "userRealm")
    UserRealm userRealm() {
        return new UserRealm();
    }
}
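As an added example (not the page's code), here are the same three beans with the settings a practitioner would change before deploying this configuration, still wired to the page's UserRealm bean: the catch-all rule kept last, "/logout" mapped to Shiro's logout filter instead of authc, and a HashedCredentialsMatcher in place of the default plaintext comparison. The class name, hash algorithm and iteration count are choices made here, not taken from the page.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example, not the page's code: the page's three beans with hardened settings.
// Assumes the page's UserRealm class.
@Configuration
public class HardenedShiroConfig {

    @Bean(name = "shiroFilter")
    ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/login");
        factory.setUnauthorizedUrl("/bupei");
        factory.setSuccessUrl("/index");

        Map<String, String> chain = new LinkedHashMap<>();
        // Anonymous entries first: the chain is matched top-down, first hit wins.
        chain.put("/login", "anon");
        chain.put("/toLogin", "anon");
        chain.put("/static/**", "anon"); // one rule for the static tree; keep nothing sensitive under it
        // "logout" is Shiro's LogoutFilter: it calls Subject.logout() (stopping the session and
        // forgetting any remember-me identity) and redirects to its redirectUrl, "/" by default.
        // Mapping "/logout" to "authc", as the page does, only checks that the caller is logged in.
        chain.put("/logout", "logout");
        // Catch-all last: a new controller that nobody adds to this map is protected, not exposed.
        chain.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chain);
        return factory;
    }

    @Bean(name = "securityManager")
    SecurityManager securityManager(UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    // Replace the default SimpleCredentialsMatcher (plain equals() against the stored value)
    // with a hashed comparison so the database can hold hashes instead of passwords.
    @Bean(name = "userRealm")
    UserRealm userRealm() {
        UserRealm realm = new UserRealm();
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256"); // algorithm chosen here
        matcher.setHashIterations(1024);              // must equal the count used when the hash was stored
        matcher.setStoredCredentialsHexEncoded(true); // stored hash is hex, not Base64
        realm.setCredentialsMatcher(matcher);
        return realm;
    }
}
```

With the matcher in place, UserRealm.doGetAuthenticationInfo has to return the stored hash rather than a plaintext password, and the salt (via the four-argument SimpleAuthenticationInfo constructor) if one was used when hashing; an existing plaintext password column would need to be rehashed first. Because chain matching is first-match, any pattern placed after "/**" is never consulted.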
Next we need a custom Realm that extends AuthorizingRealm; it is the UserRealm bean injected into the configuration above.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

public class UserRealm extends AuthorizingRealm {
    @Autowired
    UserMapper userService; // mapper that looks a user up by name

    // Authorization: runs when hasRole()/isPermitted() is checked. This realm grants
    // nothing, so every such check fails until roles or permissions are added here.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = (User) principalCollection.getPrimaryPrincipal(); // the User returned below
        // add the user's roles/permissions here, e.g. info.addRole(...)
        return info;
    }

    // Authentication: runs inside Subject.login(token).
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        User user = userService.selectAByName(token.getUsername());
        if (user == null) {
            return null; // Shiro turns a null result into UnknownAccountException
        }
        SecurityUtils.getSubject().getSession().setAttribute("ID", user);
        // No CredentialsMatcher is set, so the default SimpleCredentialsMatcher compares the
        // submitted password with user.getPassword() using equals(): the stored value must
        // be the plaintext password for login to succeed.
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}
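To see the three objects interact without Spring, here is an added, self-contained Shiro 1.x program (not the page's code) with an in-memory realm standing in for UserMapper. The user table, salts, passwords, roles and permission strings are constructed for the demo. It shows what the page's realm leaves out: returning a salted hash instead of the plaintext password, populating roles and permissions, and how a null return from doGetAuthenticationInfo surfaces as UnknownAccountException while a bad password becomes IncorrectCredentialsException, the two exceptions the login controller catches.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Added example, not the page's code. Shiro 1.x, no Spring: Realm -> SecurityManager -> Subject.
public class RealmDemo {

    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;

    // Constructed stand-in for the user table: username -> {hexHash, salt, role}
    static final Map<String, String[]> USERS = new HashMap<>();
    static {
        // Only hash(password, salt, iterations) is stored, never the password itself.
        USERS.put("alice", new String[]{hash("correct horse", "salt-alice"), "salt-alice", "admin"});
        USERS.put("bob", new String[]{hash("hunter2", "salt-bob"), "salt-bob", "reader"});
    }

    static String hash(String password, String salt) {
        return new SimpleHash(ALGORITHM, password, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }

    // The Realm: a security-specific DAO over USERS.
    static class DemoRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t)
                throws AuthenticationException {
            String name = ((UsernamePasswordToken) t).getUsername();
            String[] row = USERS.get(name);
            if (row == null) {
                return null; // the authenticator turns this into UnknownAccountException
            }
            // Return the stored hash plus its salt; HashedCredentialsMatcher hashes the submitted
            // password the same way and compares. The realm never sees the plaintext decision.
            return new SimpleAuthenticationInfo(name, row[0], ByteSource.Util.bytes(row[1]), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String name = (String) principals.getPrimaryPrincipal();
            String role = USERS.get(name)[2];
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole(role);
            // Wildcard permissions: "article:*" covers any action on articles.
            info.addStringPermission("admin".equals(role) ? "article:*" : "article:read");
            return info;
        }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        realm.setCredentialsMatcher(matcher);

        // The SecurityManager is built on the Realm; every Subject is bound to it.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();

        attempt(subject, "mallory", "whatever"); // unknown account
        attempt(subject, "bob", "wrong");        // incorrect credentials
        attempt(subject, "bob", "hunter2");      // success, role reader
        System.out.println("bob article:delete? " + subject.isPermitted("article:delete"));
        subject.logout();
        attempt(subject, "alice", "correct horse");
        System.out.println("alice article:delete? " + subject.isPermitted("article:delete"));
        subject.logout();
        System.out.println("authenticated after logout? " + subject.isAuthenticated());
        System.exit(0); // stop the session-validation scheduler started by DefaultSecurityManager
    }

    // The same exception mapping the page's login controller uses.
    static void attempt(Subject subject, String user, String password) {
        try {
            subject.login(new UsernamePasswordToken(user, password));
            System.out.println(user + ": logged in, admin=" + subject.hasRole("admin"));
        } catch (UnknownAccountException e) {
            System.out.println(user + ": user does not exist");
        } catch (IncorrectCredentialsException e) {
            System.out.println(user + ": wrong password");
        } catch (AuthenticationException e) {
            System.out.println(user + ": login failed: " + e.getClass().getSimpleName());
        }
    }
}
```

Iterated SHA-256 is what HashedCredentialsMatcher offers; the iteration count is the only cost knob, so where a memory-hard password hash can be plugged in, prefer it. Note that whichever realm runs inside Subject.login(), the "user does not exist" versus "wrong password" distinction is visible to the caller, which is an account-enumeration oracle if the messages reach the login page unchanged.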
At this point I thought everything was done, but after logging in every request was bounced back to the login page, and after logging in again I still could not get to the request I had just made. The reason is that the authc filter only lets a request through when the current Subject is authenticated, and a Subject becomes authenticated only through Subject.login(); a controller that verifies the credentials on its own never tells Shiro about it. So I rewrote the login logic to log in with Shiro's login() method.
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LoginController {
    @Autowired UserService userService;       // type assumed; the page only shows userService.login(...)
    @Autowired ArticleService articleService; // type assumed; the page only shows queryArticlesByUserId(...)

    @RequestMapping("/login")
    public String login(Model model, HttpSession session, String username, String password) {
        Subject user = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        String page = "index";
        try {
            // Runs UserRealm.doGetAuthenticationInfo; on success the Subject is marked authenticated
            user.login(token);
            User login = userService.login(token.getUsername());
            model.addAttribute("articleList", articleService.queryArticlesByUserId(login.getId()));
            session.setAttribute("ID", login);
        } catch (UnknownAccountException e) {
            model.addAttribute("msg", "user does not exist"); // distinct messages let a caller enumerate usernames
            page = "login";
        } catch (IncorrectCredentialsException e) {
            model.addAttribute("msg", "wrong password");
            page = "login";
        } catch (AuthenticationException e) { // locked/disabled account etc.; otherwise this is a 500
            model.addAttribute("msg", "login failed");
            page = "login";
        }
        return page;
    }
}
After that, everything worked.