shiro#springboot

Posted 2020-11-22 luohaonan

1.

shiro的使用围绕着securityManager，权限需要从realm中来。

securityManager可以设置realm或者realms，或者通过设置authenticator来设置realm或realms。

realm中可以设置密码匹配器，credentialsMatcher，从而实现密码的加解密处理。

登录操作需要使用AuthenticationToken的子类的实例携带用户信息，传递给realm的认证方法，认证方法返回的是AuthenticationInfo实例，如果使用盐值，需要使用SimpleAuthenticationInfo来自动匹配及返回用户认证信息。

授权操作是使用PrincipalCollection的子类的实例，携带身份信息，传递给realm的鉴权方法，鉴权方法返回的是AuthorizationInfo的实例。

ByteSource salt = ByteSource.Util.bytes(user.getSalt());用于得到盐值密码。

 

2. 在spring boot中使用shiro时候必须要定义过滤器链，有如下两种方式配置：

方式1：

@Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chain = new DefaultShiroFilterChainDefinition();
        //哪些请求可以匿名访问
        chain.addPathDefinition("/user/login", "anon");
        chain.addPathDefinition("/page/401", "anon");
        chain.addPathDefinition("/page/403", "anon");
        chain.addPathDefinition("/t5/hello", "anon");
        chain.addPathDefinition("/t5/guest", "anon");

        //除了以上的请求外，其它请求都需要登录
        chain.addPathDefinition("/**", "authc");
        return chain;
    }

View Code

方式2：

    @Bean
    public ShiroFilterFactoryBean ShiroFilterFactoryBean(){
        ShiroFilterFactoryBean sb = new ShiroFilterFactoryBean();
        sb.setFilterChainDefinitionMap();
        sb.setFilters(xx);
        sb.setLoginUrl(xx);
        sb.setSecurityManager(xx);
        sb.setSuccessUrl(xx);
        sb.setUnauthorizedUrl(xx);
        return sb;
    }

View Code

其中第二种方法提供的bean对应的默认配置如下：

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.shiro.spring.config.web.autoconfigure;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.spring.web.config.AbstractShiroWebFilterConfiguration;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * @since 1.4.0
 */
@Configuration
@ConditionalOnProperty(name = "shiro.web.enabled", matchIfMissing = true)
public class ShiroWebFilterConfiguration extends AbstractShiroWebFilterConfiguration {

    @Bean
    @ConditionalOnMissingBean
    @Override
    protected ShiroFilterFactoryBean shiroFilterFactoryBean() {
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        //通过方式二覆盖此处的配置
        return super.shiroFilterFactoryBean();
    }

    @Bean(name = "filterShiroFilterRegistrationBean")
    @ConditionalOnMissingBean
    protected FilterRegistrationBean filterShiroFilterRegistrationBean() throws Exception {

        FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
        filterRegistrationBean.setFilter((AbstractShiroFilter) shiroFilterFactoryBean().getObject());
        filterRegistrationBean.setOrder(1);

        return filterRegistrationBean;
    }
}

View Code

 

3. 自定义密码匹配器

    @Bean(name = "hashedCredentialsMatcher")
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        log.info("hashedCredentialsMatcher()");
        HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();

        hashedCredentialsMatcher.setHashAlgorithmName("SHA1");// 散列算法:这里使用SHA1算法;
        hashedCredentialsMatcher.setHashIterations(2);// 散列的次数，比如散列两次，相当于md5(md5(""));

        return hashedCredentialsMatcher;
    }

View Code