Apache shiro 权限框架

Apache shiro学习文档

作者：pinkhub

时间：2021/12/24

技术栈：springboot+mybatisPlus+shiro

未来，我们抱团取暖，结伴而行…

文档目录

第一章 Apache Shiro 概述

Apache Shiro 是一个强大而灵活的开源安全框架，可以干净地处理身份验证、授权、企业会话管理和加密。

身份验证：有时也被称为“登录”，这是一种证明用户真实身份的行为。

授权：访问控制的过程，即确定“谁”可以访问“什么”。

会话管理：管理特定于用户的会话，即使是在非 Web 或 EJB 应用程序中。

密码学：使用密码算法确保数据安全，同时仍然易于使用。

官方文档：https://shiro.apache.org/reference.html

第二章 Apache Shiro 架构

关键字：

Subject

、

SecurityManager``和``Realms

第三章 Apache Shiro 配置

3.1 配置文件（ini）配置

基于INI配置使DefinitionRealm、definitionRealm生效

# =======================
# Shiro INI configuration
# =======================
[main]
# Objects and their properties are defined here,
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager
definitionRealm=edu.pinkhub.shrio_demo.realm.DefinitionRealm
securityManager.realms=$definitionRealm
[users]
# The 'users' section is for simple deployments
# when you only need a small number of statically-defined
# set of User accounts.
jay=1234
[roles]
# The 'roles' section is for simple deployments
# when you only need a small number of statically-defined
# roles.
[urls]
# The 'urls' section is used for url-based security
# in web applications.  We'll discuss this section in the
# Web documentation

3.2 配置类配置

@ConfigurationpublicclassShiroConfig{/**
     * 创建realm、securityManagert组件交给spring容器管理   等价于shiro.ini配置文件
     * @return
     */@Bean("shiroRealm")publicShiroRealmshiroRealm(){returnnewShiroRealm();}@Bean(name ="securityManager")publicDefaultWebSecurityManagerdefaultWebSecurityManager(@Qualifier("shiroRealm")ShiroRealm shiroRealm){DefaultWebSecurityManager securityManager =newDefaultWebSecurityManager();
        securityManager.setRealm(shiroRealm);return securityManager;}}

第四章 Apache Shiro 核心

前提

导入shiro依赖:可以选择

shiro-spring-boot-starter

、

shiro-spring

、

shiro-core

的一个。

<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring-boot-starter</artifactId><version>1.8.0</version></dependency>

tips:

如果选择shiro-core依赖时，版本不要太高，否则

IniSecurityManagerFactory

方法过时

4.1 编码和解码算法

shiro提供base64和16进制字符串编码和解码的API支持。

工具类如下：

publicclassEncodesUtil{/**
     * 利用Hex字节转字符串
     * @param input 输入字节数组
     * @return 字符串
     */publicstaticStringencodeHex(byte[] input){returnHex.encodeToString(input);}/**
     * 利用Hex字符串转字节
     * @param input 输入字符串
     * @return 字节数组
     */publicstaticbyte[]decodeHex(String input){returnHex.decode(input);}/**
     * 利用Base64格式将字节转字符串
     * @param input
     * @return
     */publicstaticStringencodeBase64(byte[] input){returnBase64.encodeToString(input);}/**
     * 利用Base64格式将字符串转字节
     * @param input
     * @return
     */publicstaticbyte[]decodeBase64(String input){returnBase64.decode(input);}}

4.2 散列算法

散列算法用于生成数据的摘要信息，不可逆算法，常用于存储密码，常见的散列算法有：MD5、SHA等，散列的对象：“密码+salt”，salt其实是干扰数据。

散列算法的5种实现类：

tips:其中6种加密实现类继承于

SimpleHash

类

关键字：salt→

SecureRandomNumberGenerator

​ password→

SimpleHash

摘要算法工具类：用于对密码加密

/*
*@param1:算法名称
*@param2:明文
*@param3:盐值
*@param4;加密次数
public SimpleHash(String algorithmName,Object source,@Nullable Object salt,int hashIterations)
*/publicclassDigestsUtil{//算法类型publicstaticfinalString SHA1="SHA-1";//加密次数publicstaticfinalInteger ITERATION=512;/**sha1摘要算法
     * @param input 明文字符串
     * @param salt  干扰数据
     * @return
     */publicstaticStringsha1(String plaintext,String salt){returnnewSimpleHash(SHA1,plaintext,salt,ITERATION).toString();}/**
     * 随机生成salt
     * @return  salt(16进制)
     */publicstaticStringcreateSalt(){SecureRandomNumberGenerator secureRandomNumberGenerator =newSecureRandomNumberGenerator();return secureRandomNumberGenerator.nextBytes().toHex();}/**
     *生成密码和salt的密文
     * @param pwd
     * @return
     */publicstaticMap<String,String>entryptPassword(String pwd){HashMap<String,String> map =newHashMap<>();String salt=createSalt();String password=sha1(pwd,salt);
        map.put("salt",salt);
        map.put("password",password);return map;}}

测试类：

System.out.println(DigestsUtil.entryptPassword("123").toString());

运行结果：

{password=54eeefc1368c375feeac0f71e1e6c929d4d5d6f1, salt=ba18ca250fd8442eaccfa3a03c3a5530}

4.3 认证

认证流程

【第一步】：Shiro把用户的数据封装成标识token，token一般封装着用户名，密码等信息

UsernamePasswordToken

【第二步】：使用Subject门面获取到封装着用户的数据的标识token

subject.login(usernamePasswordToken);

【第三步】：Subject把标识token交给SecurityManager，SecurityManager再把标识token委托给认证器Authenticator进行身份验证。

​ 认证器的作用一般是用来指定如何验证，它规定本次认证用到哪些Realm

【第四步】：认证器Authenticator将传入的标识token，与数据源Realm对比，验证token是否合法

关键字：

doGetAuthenticationInfo

、

SimpleAuthenticationInfo

案例一：登陆测试1

数据来自shiro.ini文件

第一步：导入依赖

<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring-boot-starter</artifactId><version>1.8.0</version></dependency>

第二步：创建shiro.ini

#声明用户账号
[users]
jay=1234

第三步：测试代码

publicvoidshiroLogin(){//1.导入ini配置创建工厂IniSecurityManagerFactory factory =newIniSecurityManagerFactory("classpath:shiro.ini");//2.通过工厂构建安全构建器SecurityManager securityManager = factory.getInstance();//3.通过工具类让安全构建器生效SecurityUtils.setSecurityManager(securityManager);//4.通过工具类获取subject主体Subject subject =SecurityUtils.getSubject();//5.构建账号和密码UsernamePasswordToken usernamePasswordToken =newUsernamePasswordToken("jay","1234");//6.使用subject登录
        subject.login(usernamePasswordToken);//7.输出状态System.out.println("登陆状态:"+subject.isAuthenticated());}

截图：

案例二：登陆测试2

数据来自数据库

【第一步】：自定义realm

publicclassDefinitionRealmextendsAuthorizingRealm{/*
     * 认证方法
     */@OverrideprotectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationToken authenticationToken)throwsAuthenticationException{String loginName =(String)authenticationToken.getPrincipal();//模拟数据库查询SecurityServiceImpl securityService =newSecurityServiceImpl();String password = securityService.findPasswordByUserName(loginName);if(password==""){thrownewAuthenticationException("账号不存在");}returnnewSimpleAuthenticationInfo(loginName,password,getName());}/*
    *鉴权方法
    */@OverrideprotectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollection principalCollection){returnnull;}}

【第二步】：创建shiro.ini definitionRealm生效

[main]
definitionRealm=edu.pinkhub.shrio_demo.realm.DefinitionRealm
securityManager.realms=$definitionRealm

【第三步】：测试

@TestpublicvoidshiroLogin(){//1.导入ini配置创建工厂IniSecurityManagerFactory factory =newIniSecurityManagerFactory("classpath:shiro.ini");//2.工厂构建安全构建器SecurityManager securityManager = factory.getInstance();//3.通过工具类让安全构建器生效SecurityUtils.setSecurityManager(securityManager);//4.通过工具获取subject主体Subject subject =SecurityUtils.getSubject();//5.构建账号和密码UsernamePasswordToken usernamePasswordToken =newUsernamePasswordToken("jay","1234");//6.使用subject登录
        subject.login(usernamePasswordToken);//7.输出状态System.out.println("登陆状态:"+subject.isAuthenticated());}

案例三：登录测试3

Realm使用散列算法模拟登录

【第一步】：创建shiro.ini，使自定义realm生效

[main]
definitionRealm=edu.pinkhub.shrio_demo.realm.DefinitionRealm
securityManager.realms=$definitionRealm

【第二步】：创建service接口

publicinterfaceSecurityService{Map<String,String>findPasswordByUserName(String userName);}

【第三步】：创建service实现类，模拟根据用户名从数据库查询其加密密码、角色列表、权限列表

@ServicepublicclassSecurityServiceImplimplementsSecurityService{@OverridepublicMap<String,String>findPasswordByUserName(String userName){returnDigestsUtil.entryptPassword("123456");}}

【第四步】：创建realm

publicclassDefinitionRealmextendsAuthorizingRealm{publicDefinitionRealm(){//1.指定密码匹配方式HashedCredentialsMatcher hashedCredentialsMatcher =newHashedCredentialsMatcher(DigestsUtil.SHA1);//2.指定密码迭代次数
        hashedCredentialsMatcher.setHashIterations(DigestsUtil.ITERATION);//3.生效setCredentialsMatcher(hashedCredentialsMatcher);}/*
     * 认证方法
     * */@OverrideprotectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationToken authenticationToken)throwsAuthenticationException{String loginName =(String)authenticationToken.getPrincipal();SecurityServiceImpl securityService =newSecurityServiceImpl();Map<String,String> map = securityService.findPasswordByUserName(loginName);if(map.isEmpty()){thrownewAuthenticationException("账号不存在");}String password=map.get("password");String salt = map.get("salt");returnnewSimpleAuthenticationInfo(loginName,password,ByteSource.Util.bytes(salt),getName());}/*
    鉴权方法
    */@OverrideprotectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollection principalCollection){returnnull;}}

【第五步】：编写测试类

@TestpublicvoidshiroLogin(){//1.导入ini配置创建工厂IniSecurityManagerFactory factory =newIniSecurityManagerFactory("classpath:shiro.ini");//2.工厂构建安全构建器SecurityManager securityManager = factory.getInstance();//3.通过工具类让安全构建器生效SecurityUtils.setSecurityManager(securityManager);//4.通过工具获取subject主体Subject subject =SecurityUtils.getSubject();//5.构建账号和密码UsernamePasswordToken usernamePasswordToken =newUsernamePasswordToken("pinkhub","123456");//6.使用subject登录
        subject.login(usernamePasswordToken);//7.输出状态System.out.println("登陆状态:"+subject.isAuthenticated());}

源码追踪：

将token、info密码匹配结果boolean值，返回

subject.isAuthenticated()

4.4 授权

前提：用户必须通过认证；角色和权限存放在数据库中

基本流程

【第一步】：首先调用

Subject.isPermitted*/hasRole*

接口，然后委托给

SecurityManager

（安全管理器）

【第二步】：

SecurityManager

在委托给内部组件

Authorizer

（授权器）

【第三步】：

Authorizer

再将请求委托给

Realm

去做

【第四步】：

Realm

将用户请求的参数封装成权限对象，再从我们重写的

doGetAuthorizationInfo

方法中获取从数据库中查询到的权限集合

【第五步】：

Realm

将用户传入的权限对象，与从数据库查出的权限对象进行一一对比。如果用户传入的权限对象在数据库中查出来的权限对象中，则返回true，否则返回false

关键字：

doGetAuthorizationInfo

、

SimpleAuthorizationInfo

ShiroConfig配置

配置内容：

（1）创建自定义

ShiroDbRealm

实现，用于权限认证、授权、加密方式的管理，同时从数据库中取得相关的角色、资源、用户的信息，然后交于DefaultWebSecurityManager权限管理器管理

（2）创建

DefaultWebSecurityManager

权限管理器用于管理DefaultWebSessionManager会话管理器、ShiroDbRealm

（3）创建

ShiroFilterFactoryBean

的shiro过滤器指定权限管理器、同时启动连接链及登录URL、未登录的URL的跳转

（4）创建

SimpleCookie

，访问项目时，会在客户端中cookie中存放ShiroSession

（5）创建

DefaultWebSessionManager

会话管理器定义cookie机制、定时刷新、全局会话超时时间然后交于DefaultWebSecurityManager权限管理器管理

@ConfigurationpublicclassShiroConfig{/**
     * 创建ShiroDBRealm交给spring容器
     * @return
     */@Bean("shiroDBRealm")publicShiroDBRealmshiroDBRealm(){returnnewShiroDBRealm();}/**
     * 安全管理器
     * @param userRealm
     * @return
     */@Bean(name ="securityManager")publicDefaultWebSecurityManagerdefaultWebSecurityManager(@Qualifier("shiroDBRealm")ShiroDBRealm userRealm){DefaultWebSecurityManager securityManager =newDefaultWebSecurityManager();
        securityManager.setRealm(userRealm);return securityManager;}/**
     * 拦截器--拦截请求
     * 常用的过滤器：
     * anno:无需认证即可访问
     * authc:必须认证才能访问
     * perms:拥有对某个资源的权限才能访问
     * role:拥有某个角色权限才能访问
     * @param securityManager
     * @return
     */@BeanpublicShiroFilterFactoryBeanshiroFilterFactoryBean(@Qualifier("securityManager")DefaultWebSecurityManager securityManager){ShiroFilterFactoryBean shiroFilterFactoryBean =newShiroFilterFactoryBean();//拦截HashMap<String,String> filterMap =newHashMap<>();//filterMap.put("/user/login", "anon");
        filterMap.put("/user/add","perms[add]");
        filterMap.put("/user/edit","perms[update]");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);//没通过验证，触发登录拦截请求，跳转登陆页面
        shiroFilterFactoryBean.setLoginUrl("/user/toLogin");//触发未认证请求，跳转未授权页面
        shiroFilterFactoryBean.setUnauthorizedUrl("/user/noAuth");
        shiroFilterFactoryBean.setSecurityManager(securityManager);return shiroFilterFactoryBean;}}

案例一：用户权限校验

/*前提：认证成功
（1）通过doGetAuthorizationInfo方法实现鉴权
（2）使用Subject类来实现权限的校验
*//**************************************************运行结果********************************************************************/
登陆状态:true
当前用户是否拥有管理员角色true
当前用户是否拥有查看订单的权限true
当前用户没有coder角色

【1】模拟从数据库查出的角色和权限列表

@OverridepublicMap<String,String>findPasswordByUserName(String userName){returnDigestsUtil.entryptPassword("123456");}@OverridepublicList<String>findRoleByUserName(String userName){List<String> roleList =newArrayList();
     roleList.add("admin");
     roleList.add("dev");
     roleList.add("student");return roleList;}@OverridepublicList<String>findPermissionByUserName(StringUserName){List<String> list=newArrayList();
    list.add("order:add");
    list.add("order:del");
    list.add("order:update");
    list.add("order:query");return list;}

【2】编写

doGetAuthorizationInfo

publicclassDefinitionRealmextendsAuthorizingRealm{publicDefinitionRealm(){//1.指定密码匹配方式HashedCredentialsMatcher hashedCredentialsMatcher =newHashedCredentialsMatcher(DigestsUtil.SHA1);//2.指定密码迭代次数
        hashedCredentialsMatcher.setHashIterations(DigestsUtil.ITERATION);//3.生效setCredentialsMatcher(hashedCredentialsMatcher);}/*
     * 认证方法
     * */@OverrideprotectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationToken authenticationToken)throwsAuthenticationException{String loginName =(String)authenticationToken.getPrincipal();System.out.println(loginName);SecurityServiceImpl securityService =newSecurityServiceImpl();Map<String,String> map = securityService.findPasswordByUserName(loginName);if(map.isEmpty()){thrownewAuthenticationException("账号不存在");}System.out.println(getName());String password=map.get("password");String salt = map.get("salt");returnnewSimpleAuthenticationInfo(loginName,password,ByteSource.Util.bytes(salt),getName());}/*
    鉴权方法
    *principal：用户认证凭证信息,就是认证doGetAuthenticationInfo（）方法的返回值的第一个参数
    */@OverrideprotectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollection principal){//用户凭证信息,当前账户名String primaryPrincipal =(String)principal.getPrimaryPrincipal();//从数据库中查询用户的角色和权限SecurityServiceImpl securityService =newSecurityServiceImpl();List<String> roles = securityService.findRoleByUserName(primaryPrincipal);List<String> permissions = securityService.findPermissionByUserName(primaryPrincipal);//构建资源校验对象SimpleAuthorizationInfo authorizationInfo =newSimpleAuthorizationInfo();
        authorizationInfo.addRoles(roles);
        authorizationInfo.addStringPermissions(permissions);return authorizationInfo;}}

【3】编写测试代码

@TestpublicSubjectlogin(){//1.导入ini配置创建工厂IniSecurityManagerFactory factory =newIniSecurityManagerFactory("classpath:shiro.ini");//2.工厂构建安全构建器SecurityManager securityManager = factory.getInstance();//3.通过工具类让安全构建器生效SecurityUtils.setSecurityManager(securityManager);//4.通过工具获取subject主体Subject subject =SecurityUtils.getSubject();System.out.println(subject);//5.构建账号和密码UsernamePasswordToken usernamePasswordToken =newUsernamePasswordToken("pinkhub","123456");//6.使用subject登录
        subject.login(usernamePasswordToken);return subject;}@TestpublicvoidtestRole(){Subject subject =login();System.out.println("登陆状态:"+subject.isAuthenticated());System.out.println("当前用户是否拥有管理员角色"+subject.hasRole("admin"));System.out.println("当前用户是否拥有查看订单的权限"+subject.isPermitted("order:query"));try{
            subject.checkRole("coder");}catch(Exception e){System.out.println("当前用户没有coder角色");}}

【4】运行截图

第五章 项目实战

登录、注册、用户权限管理

前提：准备user表；导入shiro依赖；导入

DigestsUtil.java

、

Result.java

、

ResultCode.java

工具类

框架：sprintboot+mybatisPlus+shiro+thymeleaf

项目结构图：

【第0步】准备工作

（1）添加依赖

<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><!--lombok--><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><!--mysql--><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.49</version></dependency><!--mybatisPlus--><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.4.3.3</version></dependency><!--druid,也可以使用shiro-spring1.4.0--><dependency><groupId>com.alibaba</groupId><artifactId>druid-spring-boot-starter</artifactId><version>1.2.8</version></dependency><!--shiro--><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring-boot-starter</artifactId><version>1.8.0</version></dependency><!--thymeleaf--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId><version>2.6.1</version></dependency><!--thymeleaf-extras-shiro--><dependency><groupId>com.github.theborakompanioni</groupId><artifactId>thymeleaf-extras-shiro</artifactId><version>2.1.0</version></dependency>

（2）编写配置文件

yml

server:port:8847spring:datasource:druid:username: root
      password:123456url: jdbc:mysql://localhost:3306/books
      #url: jdbc:mysql://localhost:3306/books?useUnicode=true&&characterEncoding=utf-8&&useSSL=false&serverTimezone=GMT%2b8mybatis-plus:configuration:log-impl: org.apache.ibatis.logging.stdout.StdOutImpl

【第一步】编写User实体类

@Data@ToString@NoArgsConstructor@AllArgsConstructor@TableName("tb_user")publicclassUserimplementsSerializable{@TableId(value ="id",type =IdType.AUTO)publicInteger id;@TableField("account")publicString account;@TableField("real_name")publicString realName;@TableField("password")publicString password;@TableField("salt")publicString salt;@TableField("title")publicString title;@TableField("status")publicInteger status;@TableField("user_id")publicString userId;@TableField("perms")publicString perms;}

【第二步】编写mapper层

@MapperpublicinterfaceUserMapperextendsBaseMapper<User>{}

【第三步】编写service层

---------------------------------------UserService.java-------------------------------------------------------------------------publicinterfaceUserServiceextendsIService<User>{}---------------------------------------UserServiceImpl.java---------------------------------------------------------------------@ServicepublicclassUserServiceImplextendsServiceImpl<UserMapper,User>implementsUserService{}

【第四步】编写controller

Application.java

@ControllerpublicclassAppplicationController{@RequestMapping({"/","/index"})publicStringindex(Model model){
        model.addAttribute("msg","hello,shiro");return"login";}}

UserController.java

@RequestMapping("/user/")@ControllerpublicclassUserControlller{@AutowiredpublicUserService userService;@RequestMapping("toRegister")publicStringtoRegister(){return"register";}@PostMapping("register")publicStringregister(HttpServletRequest request,Model model){String account = request.getParameter("account");String _password = request.getParameter("password");Map<String,String> info =DigestsUtil.entryptPassword(_password);String password = info.get("password");String salt = info.get("salt");QueryWrapper<User> wrapper =newQueryWrapper<>();
        wrapper.eq("account",account);User userDB = userService.getOne(wrapper);if(userDB!=null){
            model.addAttribute("msg","账号已存在");return"register";}else{User user =newUser();
            user.setAccount(account);
            user.setPassword(password);
            user.setSalt(salt);
            user.setRealName("pinkhub");
            user.setStatus(1);Random random =newRandom();
            user.setUserId(Integer.toString(random.nextInt(1000)));
            user.setTitle("普通用户");
            user.setPerms("query,update");
            userService.save(user);return"login";}}@PostMapping("login")publicStringlogin(String account,String password,Model model){UsernamePasswordToken token =newUsernamePasswordToken(account, password);Subject subject =SecurityUtils.getSubject();try{
            subject.login(token);return"index";}catch(UnknownAccountException e){
            model.addAttribute("msg","账号不正确");return"login";}catch(IncorrectCredentialsException e){
            model.addAttribute("msg","密码错误");return"login";}}@RequestMapping("add")publicStringadd(){return"/user/add";}@RequestMapping("edit")publicStringedit(){return"/user/edit";}@RequestMapping("noAuth")publicStringnoAuth(){return"noAuth";}@RequestMapping("toLogin")publicStringtoLogin(){return"login";}

【第五步】编写realm

ShiroDBRealm.java

publicclassShiroDBRealmextendsAuthorizingRealm{@AutowiredpublicUserService userService;publicShiroDBRealm(){//指定密码匹配方式HashedCredentialsMatcher matcher =newHashedCredentialsMatcher(DigestsUtil.SHA1);//指定密码迭代次数
      matcher.setHashIterations(DigestsUtil.ITERATION);//匹配生效setCredentialsMatcher(matcher);}/**
    * 认证
    * @param token
    * @return
    * @throws AuthenticationException
    */@OverrideprotectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationToken token)throwsAuthenticationException{System.out.println("执行了doGetAuthenticationInfo（）方法");UsernamePasswordToken tk=(UsernamePasswordToken) token;QueryWrapper<User> wrapper =newQueryWrapper<User>();
      wrapper.eq("account",tk.getUsername());User user = userService.getOne(wrapper);if(user==null){returnnull;}Subject subject =SecurityUtils.getSubject();Session session = subject.getSession();
      session.setAttribute("loginUser",user);returnnewSimpleAuthenticationInfo(user,user.getPassword(),ByteSource.Util.bytes(user.getSalt()),getName());}/**
    * 授权
    * @param principal为认证返回的第一个参数，user
    * @return
    */@OverrideprotectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollection principal){System.out.println("执行了doGetAuthorizationInfo()方法");SimpleAuthorizationInfo info =newSimpleAuthorizationInfo();Subject subject =SecurityUtils.getSubject();//认证成功后，返回信息的第一个参数User user =(User)subject.getPrincipal();System.out.println(user);List<String> permList =newArrayList<>();String[] perms = user.getPerms().split(",");for(String perm:perms){
         permList.add(perm);}
      info.addStringPermissions(permList);return info;}}

【第六步】编写config

ShiroConfig.java

@ConfigurationpublicclassShiroConfig{/**
     * 创建ShiroDBRealm交给spring容器
     * @return
     */@Bean("shiroDBRealm")publicShiroDBRealmshiroDBRealm(){returnnewShiroDBRealm();}/**
     * 安全管理器
     * @param userRealm
     * @return
     */@Bean(name ="securityManager")publicDefaultWebSecurityManagerdefaultWebSecurityManager(@Qualifier("shiroDBRealm")ShiroDBRealm userRealm){DefaultWebSecurityManager securityManager =newDefaultWebSecurityManager();
        securityManager.setRealm(userRealm);return securityManager;}/**
     * 拦截器--拦截请求
     * 常用的过滤器：
     * anno:无需认证即可访问
     * authc:必须认证才能访问
     * perms:拥有对某个资源的权限才能访问
     * role:拥有某个角色权限才能访问
     * @param securityManager
     * @return
     */@BeanpublicShiroFilterFactoryBeanshiroFilterFactoryBean(@Qualifier("securityManager")DefaultWebSecurityManager securityManager){ShiroFilterFactoryBean shiroFilterFactoryBean =newShiroFilterFactoryBean();//拦截HashMap<String,String> filterMap =newHashMap<>();//filterMap.put("/user/login", "anon");
        filterMap.put("/user/add","perms[add]");
        filterMap.put("/user/edit","perms[update]");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);//没通过验证，触发登录拦截请求，跳转登陆页面
        shiroFilterFactoryBean.setLoginUrl("/user/toLogin");//触发未认证请求，跳转未授权页面
        shiroFilterFactoryBean.setUnauthorizedUrl("/user/noAuth");
        shiroFilterFactoryBean.setSecurityManager(securityManager);return shiroFilterFactoryBean;}//整合ShiroDialect:用于整合shiro thymeleaf@BeanpublicShiroDialectgetShiroDialect(){returnnewShiroDialect();}}

【第七步】编写前端页面

index.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"xmlns:shiro="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><h1>首页</h1><pth:text="${msg}"style="color: red"></p><hr><divth:if="${session.loginUser==null}"><ath:href="@{/user/toLogin}">登录</a></div><divshiro:hasPermission="add"><ath:href="@{/user/add}"style="text-decoration: none">添加用户</a><span>|</span></div><divshiro:hasPermission="update"><ath:href="@{/user/edit}"style="text-decoration: none">修改用户</a></div></body></html>

login.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#login_form{display: block;position: absolute;transform:translate(-50%, -61.8%);/*左右方向的位置为50%, 上下方向的位置为黄金分割比例0.618*/left: 50%;top: 50%;width: 450px;}#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><divid="login"><h1>登陆页面</h1><divid="tips"><pth:text="${msg}"style="color: red"></p></div><hr><divid="login_form"><formaction="/user/login"method="post">
            账号：<inputtype="text"name="account"/><br><br>
            密码：<inputtype="password"name="password"/><br><br><ath:href="@{/user/toRegister}"style="text-decoration: none">无账号，去注册</a><br><br><inputtype="submit"value="提交"/></form></div></div></body></html>

noAuth.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><p>该用户无权限</p></body></html>

register.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#register_form{display: block;position: absolute;transform:translate(-50%, -61.8%);/*左右方向的位置为50%, 上下方向的位置为黄金分割比例0.618*/left: 50%;top: 50%;width: 450px;}#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><divid="register"><h1>注册页面</h1><divid="tips"><pth:text="${msg}"style="color: red"></p></div><hr><divid="register_form"><formth:action="@{/user/register}"method="post">
            账号：<inputtype="text"name="account"/><br><br>
            密码：<inputtype="password"name="password"/><br><br><inputtype="submit"/></form></div></div></body></html>

add.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><h1>shiro权限控制</h1><ath:href="@{/user/toLogin}"style="text-decoration: none">退出</a><hr><pstyle="color: green">
    增加用户
</p></body></html>

edit.html

<!DOCTYPEhtml><htmllang="en"xmlns:th="http://www.w3.org/1999/xhtml"><head><metacharset="UTF-8"><title>shiro</title><style>#header{height: 75px;}</style></head><body><divid="header"><imgth:src="@{../apache-shiro-logo.png}"style="height: 100%"></div><h1>shiro权限控制</h1><ath:href="@{/user/toLogin}"style="text-decoration: none">退出</a><hr><pstyle="color: green">
    修改用户
</p></body></html>

项目截图

账号：00

密码：000000 权限：update

账号：qiang

密码：000000 权限：add

ending.....