阅读量:0
Apache Shiro是一个强大且易用的Java安全框架,用于身份验证、授权、加密和会话管理。以下是配置Shiro框架权限管理的基本步骤:
1. 添加依赖
首先,在你的项目中添加Shiro的依赖。如果你使用的是Maven,可以在pom.xml
文件中添加以下依赖:
<dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.7.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.7.1</version> </dependency>
2. 配置Shiro
创建一个Shiro配置类,通常命名为ShiroConfig.java
。在这个类中,你需要配置Shiro的核心组件,包括SecurityManager
、Realm
、Filter
等。
import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.realm.jdbc.JdbcRealm; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import javax.sql.DataSource; @Configuration public class ShiroConfig { @Bean public DataSource dataSource() { // 配置数据源 return ...; } @Bean public AuthorizingRealm authorizingRealm() { JdbcRealm jdbcRealm = new JdbcRealm(); jdbcRealm.setDataSource(dataSource()); jdbcRealm.setPermissionsLookupEnabled(true); return jdbcRealm; } @Bean public DefaultWebSecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(authorizingRealm()); return securityManager; } @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); // 配置过滤器链 Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>(); filterChainDefinitionMap.put("/admin/**", "authc"); filterChainDefinitionMap.put("/**", "anon"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); return shiroFilterFactoryBean; } }
3. 定义权限和角色
在你的数据库中定义权限和角色。例如,你可以创建一个roles
表和一个permissions
表,然后在authorizingRealm
中配置这些表。
import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import java.util.HashSet; import java.util.Set; public class AuthorizingRealm extends AuthorizingRealm { @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { String username = (String) principals.getPrimaryPrincipal(); // 查询用户权限 Set<String> permissions = getPermissionsFromDatabase(username); SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); authorizationInfo.addStringPermissions(permissions); return authorizationInfo; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { UsernamePasswordToken upToken = (UsernamePasswordToken) token; String username = upToken.getUsername(); // 查询用户信息 User user = getUserFromDatabase(username); if (user == null) { throw new UnknownAccountException("用户不存在"); } return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName()); } private Set<String> getPermissionsFromDatabase(String username) { // 从数据库中获取用户权限 // 返回权限集合 } private User getUserFromDatabase(String username) { // 从数据库中获取用户信息 // 返回用户对象 } }
4. 配置Spring集成
确保你的Spring应用能够扫描到Shiro配置类。你可以在Spring Boot应用中使用@ComponentScan
注解来扫描配置类。
import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.ComponentScan; @SpringBootApplication @ComponentScan(basePackages = "com.example") public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } }
5. 测试权限管理
启动你的应用,并尝试访问不同的URL,确保权限管理配置正确。例如,访问/admin/**
需要管理员权限,访问/**
则不需要任何权限。
通过以上步骤,你应该能够成功配置Shiro框架的权限管理。根据你的具体需求,你可能需要进一步调整和扩展这些配置。