Apache Shiro是一个强大且易用的Java安全框架,用于身份验证、授权、加密和会话管理。以下是配置Shiro框架权限管理的基本步骤:
首先,在你的项目中添加Shiro的依赖。如果你使用的是Maven,可以在pom.xml文件中添加以下依赖:
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
创建一个Shiro配置类,通常命名为ShiroConfig.java。在这个类中,你需要配置Shiro的核心组件,包括SecurityManager、Realm、Filter等。
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.sql.DataSource;
@Configuration
public class ShiroConfig {
@Bean
public DataSource dataSource() {
// 配置数据源
return ...;
}
@Bean
public AuthorizingRealm authorizingRealm() {
JdbcRealm jdbcRealm = new JdbcRealm();
jdbcRealm.setDataSource(dataSource());
jdbcRealm.setPermissionsLookupEnabled(true);
return jdbcRealm;
}
@Bean
public DefaultWebSecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(authorizingRealm());
return securityManager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 配置过滤器链
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/admin/**", "authc");
filterChainDefinitionMap.put("/**", "anon");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
}
在你的数据库中定义权限和角色。例如,你可以创建一个roles表和一个permissions表,然后在authorizingRealm中配置这些表。
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import java.util.HashSet;
import java.util.Set;
public class AuthorizingRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = (String) principals.getPrimaryPrincipal();
// 查询用户权限
Set<String> permissions = getPermissionsFromDatabase(username);
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addStringPermissions(permissions);
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername();
// 查询用户信息
User user = getUserFromDatabase(username);
if (user == null) {
throw new UnknownAccountException("用户不存在");
}
return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
}
private Set<String> getPermissionsFromDatabase(String username) {
// 从数据库中获取用户权限
// 返回权限集合
}
private User getUserFromDatabase(String username) {
// 从数据库中获取用户信息
// 返回用户对象
}
}
确保你的Spring应用能够扫描到Shiro配置类。你可以在Spring Boot应用中使用@ComponentScan注解来扫描配置类。
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.ComponentScan;
@SpringBootApplication
@ComponentScan(basePackages = "com.example")
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
}
启动你的应用,并尝试访问不同的URL,确保权限管理配置正确。例如,访问/admin/**需要管理员权限,访问/**则不需要任何权限。
通过以上步骤,你应该能够成功配置Shiro框架的权限管理。根据你的具体需求,你可能需要进一步调整和扩展这些配置。