Spring boot 加入shiro支持

在項目添加依賴

       <!-- shiro spring. -->
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-spring</artifactId>
		<version>1.4.0</version>
	</dependency>
	<!-- shiro core -->
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-core</artifactId>
		<version>1.4.0</version>
	</dependency>

配置文件目錄下新建spring文件夾，在文件夾內新建spring-shiro.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">



	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<!-- ref對應咱們寫的realm myRealm -->
		<property name="realm" ref="AuthRealm" />
		<!-- 使用下面配置的緩存管理器 -->
		<!-- <property name="cacheManager" ref="shiroEncacheManager" /> -->
	</bean>




	<!-- 安全認證過濾器 -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<!-- 調用咱們配置的權限管理器 -->
		<property name="securityManager" ref="securityManager" />
		<!-- 配置咱們的登陸請求地址 -->
		<property name="loginUrl" value="/toLogin" />
		<!-- 配置咱們在登陸頁登陸成功後的跳轉地址，若是你訪問的是非/login地址，則跳到您訪問的地址 -->
		<property name="successUrl" value="/" />
		<!-- 若是您請求的資源再也不您的權限範圍，則跳轉到/403請求地址 -->
		<property name="unauthorizedUrl" value="/html/403.html" />
		<property name="filterChainDefinitions">
			<value>
			<!-- anon是容許經過  authc相反 -->
				/statics/**=anon
				/login=anon
				/** = authc
			</value>
		</property>
	</bean>


	<!-- 保證明現了Shiro內部lifecycle函數的bean執行 -->
	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

	<!-- AOP式方法級權限檢查 -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
		<property name="proxyTargetClass" value="true" />
	</bean>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
		<property name="securityManager" ref="securityManager" />
	</bean>




</beans>

在主入口加載spring-shiro.xml

@ImportResource({ "classpath:spring/spring-shiro.xml" })

在登陸Controller內更改爲

		//構造登陸參數
		UsernamePasswordToken token = new UsernamePasswordToken(name, pwd);
		try {
			//交給Realm類處理
			SecurityUtils.getSubject().login(token);
		} catch (UnknownAccountException uae) {
			map.put("msg", "未知用戶");
			return "login";
		} catch (IncorrectCredentialsException ice) {
			map.put("msg", "密碼錯誤");
			return "login";
		} catch (AuthenticationException ae) {
			// unexpected condition? error?
			map.put("msg", "服務器繁忙");
			return "login";
		}
	 
		return "redirect:/toIndex";

看5行就知道登陸交給了Realm類處理了，因此咱們要有Realm類

在能夠被主入口掃描到的地方新建AuthRealm類而且繼承AuthorizingRealm，重寫doGetAuthenticationInfo（登陸邏輯），重寫doGetAuthorizationInfo（受權邏輯）

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class AuthRealm extends AuthorizingRealm {

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		// TODO Auto-generated method stub
		return null;
	}

	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		// TODO Auto-generated method stub
		return null;
	}

}

登陸驗證在doGetAuthenticationInfo方法寫入

		// 獲取Token
		UsernamePasswordToken token2 = (UsernamePasswordToken) token;
		//獲取用戶名
		String userName = token2.getUsername();
		//獲取密碼
		String pwd = new String(token2.getPassword());
		//下面我使用的是MyBatis-puls3.0
		//查詢條件對象
		QueryWrapper<User> queryWrapper = new QueryWrapper();
		//查詢該用戶
		queryWrapper.eq("name", userName).or().eq("phone", userName);
		//查詢
		User user = iUserService.getOne(queryWrapper);
		//查回的對象爲空
		if (CommonUtil.isBlank(user)) {
			//拋出未知的帳戶異常
			throw new UnknownAccountException();
		}
		//查回的對象密碼和輸入密碼不相等
		if (!CommonUtil.isEquals(user.getPwd(), pwd)) {
			//拋出憑證不正確異常
			throw new IncorrectCredentialsException();
		}
		//上面都經過了就說明該用戶存在而且密碼相等
		// 驗證成功了
		SecurityUtils.getSubject().getSession().setAttribute(Constant.SESSION_USER_KEY, user);
		// 返回shiro用戶信息
		// token傳過來的密碼，必定要跟驗證信息傳進去的密碼一致，加密的密碼必定要加密後傳過來

		return new SimpleAuthenticationInfo(user, user.getPwd(), getName());

若是要設置權限，就在對應的Controllerf方法加上

@RequiresPermissions("/system/user/list")

再doGetAuthorizationInfo方法內寫

//建立簡單的受權信息對象
SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo();
//授予權限
simpleAuthorizationInfo.addStringPermission("/system/user/list");

return simpleAuthorizationInfo;

　　

當全部Controller都加了@RequiresPermissions註解後，若是訪問到沒有受權的Controller會報錯。