在现代Web应用程序开发中,安全性是一个至关重要的方面。Shiro是一个强大的Java安全框架,提供了身份验证、授权、密码存储和会话管理等功能。本文将详细介绍如何在Spring Boot项目中集成Shiro,以实现授权功能。
一、项目准备
首先,我们需要创建一个Spring Boot项目。你可以使用Spring Initializr或者你喜欢的IDE(如IntelliJ IDEA)来创建一个新的Spring Boot项目。
二、添加Maven依赖
在pom.xml文件中添加Shiro相关的依赖。这里有两种方式:
- 使用
shiro-spring依赖:
<dependency> | |
<groupId>org.apache.shiro</groupId> | |
<artifactId>shiro-spring</artifactId> | |
<version>1.3.2</version> | |
</dependency> |
- 使用
shiro-spring-boot-web-starter依赖(更简便):
<dependency> | |
<groupId>org.apache.shiro</groupId> | |
<artifactId>shiro-spring-boot-web-starter</artifactId> | |
<version>1.4.2</version> | |
</dependency> |
三、配置Shiro
在Spring Boot项目中,我们通常使用application.yml或application.properties文件来配置Shiro。以下是一个简单的application.yml配置示例:
spring: | |
profiles: | |
active: dev | |
mybatis: | |
mapper-locations: classpath:mapper/*Mapper.xml | |
server: | |
port: 8080 | |
shiro: | |
web: | |
enabled: true | |
loginUrl: /login |
四、创建Shiro配置类
Shiro配置类用于配置Shiro的SecurityManager和自定义的Realm。以下是一个示例:
import org.apache.shiro.mgt.DefaultWebSecurityManager; | |
import org.apache.shiro.spring.web.ShiroFilterFactoryBean; | |
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition; | |
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition; | |
import org.apache.shiro.web.mgt.DefaultWebSubjectFactory; | |
import org.springframework.context.annotation.Bean; | |
import org.springframework.context.annotation.Configuration; | |
import javax.servlet.Filter; | |
import java.util.LinkedHashMap; | |
import java.util.Map; | |
@Configuration | |
public class ShiroConfig { | |
@Bean | |
public UserRealm userRealm() { | |
return new UserRealm(); | |
} | |
@Bean | |
public DefaultWebSecurityManager securityManager(UserRealm userRealm) { | |
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); | |
securityManager.setRealm(userRealm); | |
securityManager.setSubjectFactory(new DefaultWebSubjectFactory()); | |
return securityManager; | |
} | |
@Bean | |
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) { | |
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); | |
shiroFilterFactoryBean.setSecurityManager(securityManager); | |
shiroFilterFactoryBean.setLoginUrl("/login"); | |
shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized"); | |
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>(); | |
filterChainDefinitionMap.put("/login", "anon"); | |
filterChainDefinitionMap.put("/doLogin", "anon"); | |
filterChainDefinitionMap.put("/admin/**", "authc, roles[admin]"); | |
filterChainDefinitionMap.put("/docs/**", "authc, perms[document:read]"); | |
filterChainDefinitionMap.put("/**", "authc"); | |
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); | |
return shiroFilterFactoryBean; | |
} | |
} |
五、创建自定义Realm
自定义Realm用于处理身份验证和授权逻辑。以下是一个示例:
import org.apache.shiro.authc.*; | |
import org.apache.shiro.authz.AuthorizationInfo; | |
import org.apache.shiro.authz.SimpleAuthorizationInfo; | |
import org.apache.shiro.realm.AuthorizingRealm; | |
import org.apache.shiro.subject.PrincipalCollection; | |
import org.springframework.beans.factory.annotation.Autowired; | |
public class UserRealm extends AuthorizingRealm { | |
@Autowired | |
private UserService userService; | |
@Override | |
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { | |
String username = (String) principalCollection.getPrimaryPrincipal(); | |
User user = userService.findByUsername(username); | |
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); | |
authorizationInfo.setRoles(user.getRoles()); | |
authorizationInfo.setStringPermissions(user.getPermissions()); | |
return authorizationInfo; | |
} | |
@Override | |
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { | |
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken; | |
String username = token.getUsername(); | |
User user = userService.findByUsername(username); | |
if (user == null) { | |
throw new UnknownAccountException("用户不存在"); | |
} | |
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo( | |
username, | |
user.getPassword(), | |
getName() | |
); | |
return authenticationInfo; | |
} | |
} |
六、实现授权功能
在自定义Realm中,我们已经实现了授权逻辑。现在,我们需要在控制器中使用Shiro的注解来实现授权控制。
import org.apache.shiro.authz.annotation.RequiresPermissions; | |
import org.apache.shiro.authz.annotation.RequiresRoles; | |
import org.springframework.web.bind.annotation.GetMapping; | |
import org.springframework.web.bind.annotation.RequestMapping; | |
import org.springframework.web.bind.annotation.RestController; | |
@RestController | |
@RequestMapping("/admin") | |
public class AdminController { | |
@GetMapping("/dashboard") | |
@RequiresRoles("admin") | |
public String dashboard() { | |
return "Admin Dashboard"; | |
} | |
@GetMapping("/docs") | |
@RequiresPermissions("document:read") | |
public String docs() { | |
return "Documents"; | |
} | |
} |
七、测试授权功能
启动Spring Boot应用程序,并访问不同的URL来测试授权功能。例如:
- 访问
/admin/dashboard,应该要求登录,并且只有具有admin角色的用户才能访问。 - 访问
/docs,应该要求登录,并且只有具有document:read权限的用户才能访问。
八、总结
通过本文,我们详细介绍了如何在Spring Boot项目中集成Shiro并实现授权功能。Shiro提供了强大的安全功能,可以大大提高Web应用程序的安全性。希望本文对你有所帮助,如果你有任何问题或建议,请随时留言。