# How to integrate the Shiro framework with Java Spring Boot
## Contents
1. [Shiro overview](#shiro-overview)
2. [How Spring Boot integrates Shiro](#how-spring-boot-integrates-shiro)
3. [Environment and project setup](#environment-and-project-setup)
4. [Basic integration steps](#basic-integration-steps)
5. [Custom Realm implementation](#custom-realm-implementation)
6. [Permission control in practice](#permission-control-in-practice)
7. [Session management and RememberMe](#session-management-and-rememberme)
8. [Hashing and security configuration](#hashing-and-security-configuration)
9. [Common problems and solutions](#common-problems-and-solutions)
10. [Performance tuning](#performance-tuning)
---
## Shiro overview
Apache Shiro is a Java security framework that covers authentication, authorization, session management and cryptography behind one API.
### Core components
- **Subject**: the entity currently interacting with the application (a user, a service account, a background job)
- **SecurityManager**: Shiro's central component; every Subject operation is delegated to it
- **Realm**: the bridge between Shiro and your security data (accounts, roles, permissions)
```java
// Typical Shiro login flow
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isAuthenticated()) {
    UsernamePasswordToken token = new UsernamePasswordToken("username", "password");
    currentUser.login(token); // throws AuthenticationException on failure
}
```
## How Spring Boot integrates Shiro
Spring Boot's auto-configuration does most of the wiring. The integration points are:
1. add the Shiro Spring Boot starter (for a web application, `shiro-spring-boot-web-starter`)
2. declare a `ShiroFilterChainDefinition` bean
3. define the filter rules (which paths are anonymous, which require authentication, which require roles or permissions)

```mermaid
graph TD
A[SpringBoot Application] --> B[ShiroFilter]
B --> C[SecurityManager]
C --> D[Realm]
```
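To see the three core components interact without any Spring or web machinery, here is an added, stand-alone example (not code from the original article). It builds a `SecurityManager` over an in-memory `IniRealm` with constructed data (one user `alice` holding the `admin` role, which grants the wildcard permission `user:*`), runs the login flow above, and then exercises role and permission checks. The plaintext password in the INI data is for the demo only; a real Realm returns salted hashes.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroCoreDemo {

    // Constructed in-memory security data: "users" maps username -> password, roles...;
    // "roles" maps role -> permissions. Plaintext passwords are demo-only.
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        ini.addSection("users").put("alice", "alice-secret, admin");
        ini.addSection("roles").put("admin", "user:*");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    // Attempts a login on the thread-bound Subject and reports whether it succeeded.
    static boolean login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password));
            return subject.isAuthenticated();
        } catch (AuthenticationException e) {
            // Shiro throws a subclass that says *why* (unknown account, bad credentials...).
            // Log it server-side if you must, but never echo the subclass to the client.
            return false;
        }
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject subject = SecurityUtils.getSubject();

        System.out.println("wrong password:   " + login("alice", "nope"));          // false
        System.out.println("correct password: " + login("alice", "alice-secret"));  // true

        // Authorization goes through the Realm's role -> permission mapping.
        // "user:*" implies any permission whose first part is "user".
        System.out.println("hasRole(admin):  " + subject.hasRole("admin"));                 // true
        System.out.println("user:delete:42:  " + subject.isPermitted("user:delete:42"));    // true
        System.out.println("report:view:     " + subject.isPermitted("report:view"));       // false

        subject.logout();
        System.out.println("after logout:    " + subject.isAuthenticated());                // false
    }
}
```

Only `shiro-core` is needed on the classpath for this. Note that after `logout()` the same `Subject` instance is still usable but anonymous, which is exactly what the `authc` filter in a web application keys on.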
## Environment and project setup
Add the following dependencies to `pom.xml`:
```xml
<dependencies>
    <!-- Spring Boot web starter -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <!-- Shiro starter for web applications. This is the artifact that auto-configures the
         ShiroFilter, consumes the ShiroFilterChainDefinition bean and reads the shiro.*
         URL properties used later in this article; the non-web shiro-spring-boot-starter
         does none of that. -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring-boot-web-starter</artifactId>
        <version>1.11.0</version>
    </dependency>
    <!-- Database access (MyBatis in this example) -->
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>2.2.2</version>
    </dependency>
</dependencies>
```
Treat 1.11.0 as "the release current when this was written", not as a version to pin: the 1.x line has received a series of security fixes, many of them in the request-path matching that the filter chain relies on, so run the newest release. Shiro 1.11.0 is built against `javax.servlet`, which means this setup targets Spring Boot 2.x; Spring Boot 3 needs a Shiro build with `jakarta.servlet` support (Shiro 2.x, or the `jakarta` classifier of later 1.x releases).
Create the main application class:
```java
@SpringBootApplication
public class ShiroDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(ShiroDemoApplication.class, args);
    }
}
```
## Basic integration steps
Declare the `SecurityManager` bound to your Realm and the filter chain in one configuration class:
```java
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    // Import org.apache.shiro.mgt.SecurityManager explicitly: java.lang.SecurityManager
    // is always in scope and is silently picked up otherwise.
    @Bean
    public SecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm);
        return securityManager;
    }

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
        // Definitions are evaluated in insertion order and the first matching path wins,
        // so the specific anonymous paths must be registered before the catch-all.
        // Static resources: no authentication
        chainDefinition.addPathDefinition("/static/**", "anon");
        // Login page and login endpoint: no authentication
        chainDefinition.addPathDefinition("/login", "anon");
        chainDefinition.addPathDefinition("/doLogin", "anon");
        // Everything else requires an authenticated Subject
        chainDefinition.addPathDefinition("/**", "authc");
        return chainDefinition;
    }
}
```
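The filter chain is where most Shiro misconfigurations turn into authorization bypasses, so here is an added example of a fuller chain (this is illustration, not the article's code; the class name `ShiroFilterChainConfig` and the paths are assumptions). It replaces the `shiroFilterChainDefinition` bean above rather than adding a second one, and shows the built-in `logout`, `roles`, `perms`, `noSessionCreation` and `authcBasic` filters together with the ordering rule that first match wins.

```java
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroFilterChainConfig {

    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();

        // Public resources and the login round trip
        chain.addPathDefinition("/static/**", "anon");
        chain.addPathDefinition("/login", "anon");
        chain.addPathDefinition("/doLogin", "anon");
        // Built-in logout filter: invalidates the session and redirects
        chain.addPathDefinition("/logout", "logout");

        // Specific before general: if "/admin/**" were registered first, this line
        // would never be consulted and the delete endpoint would only need the role.
        chain.addPathDefinition("/admin/users/delete", "authc, perms[user:delete]");
        // roles[a,b] requires ALL listed roles, not any of them
        chain.addPathDefinition("/admin/**", "authc, roles[admin]");

        // Stateless API clients: HTTP Basic, and never create a server-side session
        chain.addPathDefinition("/api/**", "noSessionCreation, authcBasic");

        // Catch-all stays last; any definition added after it is unreachable
        chain.addPathDefinition("/**", "authc");
        return chain;
    }
}
```

When reviewing a chain, read it top to bottom the way the resolver does and ask, for every protected path, whether an earlier, broader pattern (an `anon` rule in particular) could swallow it.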
## Custom Realm implementation
The Realm loads account data from your own store. Authentication returns the stored hash and salt; the `CredentialsMatcher` configured later performs the comparison.
```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

// Registered as a bean so it can be injected into the SecurityManager
@Component
public class CustomRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;

    // Authorization: called lazily on the first role or permission check for a principal
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Roles and permissions from the application's own store
        info.setRoles(userService.getUserRoles(username));
        info.setStringPermissions(userService.getUserPermissions(username));
        return info;
    }

    // Authentication: look up the account; do not compare passwords here
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        User user = userService.findByUsername(username);
        if (user == null) {
            // The controller must report this with the same generic message as a wrong
            // password; a distinct "no such user" response turns the login form into
            // a username oracle.
            throw new UnknownAccountException("Account does not exist");
        }
        // Stored hash plus the salt it was computed with; the CredentialsMatcher
        // recomputes the hash of the submitted password with the same parameters.
        return new SimpleAuthenticationInfo(
            username,
            user.getPassword(),
            ByteSource.Util.bytes(user.getSalt()),
            getName()
        );
    }
}
```
## Permission control in practice
Method-level checks use Shiro's annotations; the web starter registers the AOP advisor that enforces them, so the controller must be a Spring-managed bean:
```java
@Controller
@RequestMapping("/admin")
public class AdminController {
    @RequiresRoles("admin")
    @GetMapping("/dashboard")
    public String adminDashboard() {
        return "admin/dashboard";
    }

    // Shiro ships no CSRF protection: a cookie-authenticated, state-changing POST
    // like this one needs a CSRF token from the application or framework layer.
    @RequiresPermissions("user:delete")
    @PostMapping("/deleteUser")
    public String deleteUser(Long userId) {
        // deletion logic
        return "redirect:/admin/users";
    }
}
```
The same checks are available in JSP views through Shiro's tag library. Hiding a link is a usability measure, not an access control; the server-side checks above remain mandatory.
```jsp
<shiro:hasRole name="admin">
    <a href="/admin/console">Admin console</a>
</shiro:hasRole>
<shiro:hasPermission name="user:create">
    <button>Create user</button>
</shiro:hasPermission>
```
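One point the annotations leave open is what happens when a check fails. The `shiro.unauthorizedUrl` property only governs the `roles`/`perms` filters in the filter chain; `@RequiresRoles` and `@RequiresPermissions` throw an `AuthorizationException` out of the controller, which Spring Boot turns into a 500 unless you handle it. The following added example (not from the original article; the view name `403` and the class name are assumptions) maps those exceptions to the intended responses:

```java
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseStatus;

@ControllerAdvice
public class ShiroAuthorizationExceptionHandler {

    // @RequiresAuthentication / @RequiresUser on an anonymous subject: send to the login page.
    // Spring picks the most specific handler, so this one wins over the general one below.
    @ExceptionHandler(UnauthenticatedException.class)
    public String unauthenticated(UnauthenticatedException e) {
        return "redirect:/login";
    }

    // @RequiresRoles / @RequiresPermissions failing for an authenticated subject:
    // answer 403 with the same view the filter chain uses for shiro.unauthorizedUrl.
    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String forbidden(AuthorizationException e) {
        // Do not render e.getMessage(): it names the missing role or permission.
        return "403";
    }
}
```

For JSON APIs use `@RestControllerAdvice` and return a body instead of a view name; the status mapping stays the same.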
## Session management and RememberMe
RememberMe recognizes a returning browser across sessions through an encrypted cookie. The cookie content is a serialized `PrincipalCollection`, so the cipher key is the only thing that stops a client from sending the server an attacker-chosen object to deserialize; a hard-coded default key in old Shiro releases is the root of the well-known RememberMe deserialization RCE (CVE-2016-4437). Generate a random key per deployment and keep it in configuration, never in source control or copied from a tutorial.
```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;

// Base64-encoded AES key injected from configuration (property name chosen by this article)
@Value("${shiro.rememberMe.cipherKey}")
private String rememberMeCipherKeyBase64;

@Bean
public CookieRememberMeManager rememberMeManager() {
    CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
    rememberMeManager.setCookie(rememberMeCookie());
    rememberMeManager.setCipherKey(Base64.decode(rememberMeCipherKeyBase64));
    return rememberMeManager;
}

@Bean
public SimpleCookie rememberMeCookie() {
    SimpleCookie cookie = new SimpleCookie("rememberMe");
    cookie.setHttpOnly(true);
    cookie.setSecure(true);      // HTTPS only: this cookie is a 30-day credential
    cookie.setMaxAge(2592000);   // 30 days
    return cookie;
}
```
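To make the role of the cipher key concrete, here is an added example (not from the original article) that generates a key the way the configuration above expects it and then shows, with Shiro's own `AesCipherService`, that a payload sealed under the server key cannot be opened under any other key. The property name `shiro.rememberMe.cipherKey` is this article's assumption; Shiro does not define one.

```java
import java.nio.charset.StandardCharsets;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.CryptoException;

public class RememberMeKeyDemo {

    // Fresh 128-bit AES key, Base64-encoded so it can be pasted into configuration
    static String generateKeyBase64() {
        AesCipherService aes = new AesCipherService();
        aes.setKeySize(128);
        return Base64.encodeToString(aes.generateNewKey().getEncoded());
    }

    // Seal bytes the way CookieRememberMeManager does (AES through AesCipherService)
    static String seal(byte[] payload, String keyBase64) {
        return new AesCipherService().encrypt(payload, Base64.decode(keyBase64)).toBase64();
    }

    // Try to open a sealed payload; null means the key did not authenticate the ciphertext.
    // With the GCM mode Shiro 1.4.2+ uses by default, any other key fails the auth tag.
    static byte[] open(String sealedBase64, String keyBase64) {
        try {
            return new AesCipherService()
                    .decrypt(Base64.decode(sealedBase64), Base64.decode(keyBase64))
                    .getBytes();
        } catch (CryptoException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String serverKey = generateKeyBase64();
        String otherKey = generateKeyBase64();
        // Constructed stand-in for the serialized PrincipalCollection Shiro would store
        byte[] payload = "principal=alice".getBytes(StandardCharsets.UTF_8);

        String cookie = seal(payload, serverKey);
        System.out.println("shiro.rememberMe.cipherKey=" + serverKey);
        System.out.println("server key opens cookie: " + (open(cookie, serverKey) != null)); // true
        System.out.println("other key opens cookie:  " + (open(cookie, otherKey) != null));  // false
    }
}
```

Run `generateKeyBase64()` once per environment and store the result with the rest of the secrets; rotating it simply invalidates all outstanding RememberMe cookies.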
## Hashing and security configuration
Passwords are stored as salted, iterated hashes. The matcher recomputes the hash of the submitted password with the salt from the `AuthenticationInfo` and compares it with the stored value:
```java
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.springframework.context.annotation.Bean;

@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
    HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
    matcher.setHashAlgorithmName("SHA-256");
    matcher.setHashIterations(1024);
    // false: the stored hash is Base64-encoded; true would mean hex
    matcher.setStoredCredentialsHexEncoded(false);
    return matcher;
}
```
Two things are easy to miss. The matcher has no effect until it is attached to the Realm (`customRealm.setCredentialsMatcher(hashedCredentialsMatcher())`), and the registration code must hash with exactly the same algorithm, iteration count, per-user random salt and encoding, otherwise every login fails. Iterated SHA-256 is what `HashedCredentialsMatcher` supports in Shiro 1.x; if you can choose, a dedicated password hash (bcrypt, Argon2) is the stronger option, and Shiro 2.x provides matchers for them.
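The following added example (not from the original article) shows the two halves that have to agree: hashing at registration time and verification through the same `HashedCredentialsMatcher` configuration as the bean above. The `StoredCredential` record stands in for the article's `User` row (`getPassword()`/`getSalt()`); the realm name `customRealm` is an assumption.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class PasswordHashingDemo {

    // These must agree between registration and the matcher bean
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;
    static final boolean HEX_ENCODED = false;   // false => Base64 storage

    // Hypothetical persisted shape: hash and salt, both Base64
    record StoredCredential(String username, String passwordHash, String salt) {}

    // Registration: fresh random 16-byte salt per user, then the iterated hash
    static StoredCredential register(String username, String plaintext) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        SimpleHash hash = new SimpleHash(ALGORITHM, plaintext, salt, ITERATIONS);
        return new StoredCredential(username, hash.toBase64(), salt.toBase64());
    }

    // Same settings as the hashedCredentialsMatcher() bean
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(HEX_ENCODED);
        return matcher;
    }

    // Login: what the matcher does with the AuthenticationInfo the Realm returns
    static boolean verify(StoredCredential stored, String attempt) {
        UsernamePasswordToken token = new UsernamePasswordToken(stored.username(), attempt);
        AuthenticationInfo info = new SimpleAuthenticationInfo(
                stored.username(),
                stored.passwordHash(),
                ByteSource.Util.bytes(Base64.decode(stored.salt())),
                "customRealm");
        return matcher().doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        StoredCredential alice = register("alice", "correct horse battery staple");
        StoredCredential again = register("alice", "correct horse battery staple");

        // Same password, different salt: different stored hash
        System.out.println("hashes differ:      " + !alice.passwordHash().equals(again.passwordHash())); // true
        System.out.println("right password:     " + verify(alice, "correct horse battery staple"));      // true
        System.out.println("wrong password:     " + verify(alice, "Correct horse battery staple"));      // false

        // A registration path that hashed only once fails even with the right password
        SimpleHash single = new SimpleHash(ALGORITHM, "pw", Base64.decode(alice.salt()), 1);
        StoredCredential mismatch = new StoredCredential("bob", single.toBase64(), alice.salt());
        System.out.println("iteration mismatch: " + verify(mismatch, "pw"));                               // false
    }
}
```

The last case is the one that shows up in practice: a matcher configured with 1024 iterations and a user-creation path that hashes differently produce accounts that can never log in, and the symptom is indistinguishable from a wrong password.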
## Common problems and solutions
Solution: the login page, the unauthorized page and the post-login target are set through the starter's properties rather than in code:
```properties
# application.properties
shiro.loginUrl = /login
shiro.unauthorizedUrl = /403
shiro.successUrl = /index
```
Solution: configure the session timeout and have Shiro drop invalid sessions:
```java
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;

@Bean
public SessionManager sessionManager() {
    DefaultWebSessionManager manager = new DefaultWebSessionManager();
    manager.setGlobalSessionTimeout(1800000); // 30 minutes, in milliseconds
    manager.setDeleteInvalidSessions(true);
    // Shiro 1.x rewrites the session id into URLs (";JSESSIONID=...") when the client
    // sends no cookie, which leaks it into logs and Referer headers; turn it off.
    manager.setSessionIdUrlRewritingEnabled(false);
    return manager;
}
```
## Performance tuning
Add a `CacheManager` so authorization data is not reloaded from the database on every role or permission check. Set it on the `SecurityManager` (`securityManager.setCacheManager(cacheManager)`), which pushes it down to the realms:
```java
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.springframework.context.annotation.Bean;

@Bean
public CacheManager cacheManager() {
    // Soft-reference backed, in-JVM; entries live until memory pressure or explicit removal
    return new MemoryConstrainedCacheManager();
}
```
`AuthorizingRealm` caches the result of `doGetAuthorizationInfo` per principal once a `CacheManager` is present, so no caching code belongs inside that method. What does need code is invalidation: when a user's roles or permissions change, the cached entry must be removed, otherwise revoked rights stay effective until the entry is evicted.
```java
// Inside CustomRealm: expose the protected cache-clearing hook to the service layer
public void clearAuthorizationCacheFor(PrincipalCollection principals) {
    clearCachedAuthorizationInfo(principals);
}
```
Authentication caching stays off unless you enable it explicitly, which is the right default: it would keep password hashes in memory.
For a clustered deployment, keep sessions outside the JVM. `RedisSessionDAO` below is not part of Shiro; it stands for a third-party or in-house `SessionDAO` implementation backed by Redis, which is then set on the `DefaultWebSessionManager` with `setSessionDAO`:
```java
@Bean
public RedisSessionDAO redisSessionDAO(RedisTemplate<String, Object> redisTemplate) {
    RedisSessionDAO dao = new RedisSessionDAO();
    dao.setRedisTemplate(redisTemplate);
    return dao;
}
```
This article has walked through a complete Spring Boot + Shiro setup: 1. environment and dependencies 2. core component configuration 3. a custom Realm 4. fine-grained permission control 5. session and RememberMe hardening.
The complete example code is available in the GitHub example repository.
Best-practice reminder: in production, complement Shiro with the pieces it does not provide (for example CSRF protection) and audit the security configuration, in particular the filter chain and the RememberMe key, on a regular basis.