1:配置pom.xml

 1 <!--导入shiro包-->
 2     <dependency>
 3       <groupId>org.apache.shiro</groupId>
 4       <artifactId>shiro-all</artifactId>
 5       <version>1.4.0</version>
 6     </dependency>
 7     <!--导入shiro-spring-->
 8     <dependency>
 9       <groupId>org.apache.shiro</groupId>
10       <artifactId>shiro-spring</artifactId>
11       <version>1.4.0</version>
12     </dependency>

2:web.xml中的配置

 1 <!-- shiro的过滤器(帮我们拦截请求)-》什么事情都不做
 2 Delegating:授(权); 把(工作、权力等)委托(给下级); 选派(某人做某事)
 3 Proxy:代理 -> 需要通过名称(shiroFilter)去找真正的过滤器
 4 -->
 5   <filter>
 6     <filter-name>shiroFilter</filter-name>
 7     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 8     <init-param>
 9       <param-name>targetFilterLifecycle</param-name>
10       <param-value>true</param-value>
11     </init-param>
12   </filter>
13   <filter-mapping>
14     <filter-name>shiroFilter</filter-name>
15     <url-pattern>/*</url-pattern>
16   </filter-mapping>

3:配置applictionContest-shiro.xml

 1 <?xml version="1.0" encoding="UTF-8"?>
 2 <beans xmlns="http://www.springframework.org/schema/beans"
 3        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4        xsi:schemaLocation="
 5        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
 6     <!--
 7         Shiro的核心对象(权限管理器)
 8         DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
 9         securityManager.setRealm(jpaRealm)
10     -->
11     <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
12         <property name="realm" ref="jpaRealm"/>
13     </bean>
14     <!--
15        JpaRealm jpaRealm = new JpaRealm();
16        配置咱们的自定义realm
17     -->
18     <bean id="jpaRealm" class="com.logo.aisell.web.shiro.JpaRealm">
19         <!--Realm的名称-->
20         <property name="name" value="jpaRealm"/>
21         <property name="credentialsMatcher">
22             <!-- 配置哈希密码匹配器 -->
23             <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
24                 <!--加密方式:MD5-->
25                 <property name="hashAlgorithmName" value="MD5"/>
26                 <!--迭代次数-->
27                 <property name="hashIterations" value="10" />
28             </bean>
29         </property>
30     </bean>
31     <!-- 这三个配置好,可以支持注解权限 -->
32     <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
33     <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
34           depends-on="lifecycleBeanPostProcessor"/>
35     <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
36         <property name="securityManager" ref="securityManager"/>
37     </bean>
38     <!--
39        shiro真正的过滤器(功能就是它完成的)
40            这个bean的名称必需和web.xml里的的代理过滤器名字相同
41     -->
42     <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
43         <!--必需要用到权限管理器-->
44         <property name="securityManager" ref="securityManager"/>
45         <!--如果你没有登录,你会进入这个页面-->
46         <property name="loginUrl" value="/login"/>
47         <!--登录成功后,进入的页面(一般没什么用)-->
48         <property name="successUrl" value="/main"/>
49         <!--如果你没有权限,你会进入这个页面-->
50         <property name="unauthorizedUrl" value="/s/unauthorized.jsp"/>
51         <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap" />
52         <property name="filters">
53             <map>
54                 <entry key="aiSellPerms" value-ref="aiSellPermissionsAuthorizationFilter"></entry>
55             </map>
56         </property>
57     </bean>
58
59     <!--拿到shiroFilterMapFactory里面的createMap方法的值 -->
60     <bean id="filterChainDefinitionMap" factory-bean="shiroFilterMapFactory" factory-method="creatMap" />
61     <bean id="shiroFilterMapFactory" class="com.logo.aisell.web.shiro.ShiroFilterMapFactory"/>
62     <!--配置我们的自定义权限过滤器-->
63     <bean id="aiSellPermissionsAuthorizationFilter"
64           class="com.logo.aisell.web.shiro.AiSellPremissiAuthorizationFilter">
65     </bean>
66 </beans>

4:配置applictionContext.xml

 <import resource="classpath:applicationContext-shiro.xml" />

5:准备自定义Realm 用于做身份认证和权限

 1 public class JpaRealm extends AuthorizingRealm {
 2     @Autowired
 3     private IEmployeeService employeeService;
 4     @Autowired
 5     private IPermissionService permissionService;
 6
 7     @Override//授权
 8     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
 9         //拿到授权对象
10         SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
11         //从数据库中获取权限并放且放到授权对象中
12         Set<String> permission = permissionService.findByLoginUser();
13         authorizationInfo.setStringPermissions(permission);
14         return authorizationInfo;
15     }
16     @Override//身份认证
17     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
18        //拿到令牌(UsernamePasswordToken)
19         UsernamePasswordToken taken = (UsernamePasswordToken) authenticationToken;
20         //拿到用户名,判断这个用户是否存在
21         String username = taken.getUsername();
22         //根据用户名从数据库中拿到用户对象
23         Employee employee = employeeService.findByUsername(username);
24         //如果没有拿到密码(没有通过用户名拿到相应的用户->用户不存在)
25         if(employee==null){
26             return  null;
27         }
28         //拿到咱们的盐值对象(ByteSource)
29         ByteSource source = ByteSource.Util.bytes("itsource");
30         SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(username, employee.getPassword(), source, "JpaRealm");
31         return authenticationInfo;
32     }
33 }

  applictionContest-shiro.xml中的配置

 <bean id="jpaRealm" class="com.logo.aisell.web.shiro.JpaRealm">
        <!--Realm的名称-->
        <property name="name" value="jpaRealm"/>
        <property name="credentialsMatcher">
            <!-- 配置哈希密码匹配器 -->
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <!--加密方式:MD5-->
                <property name="hashAlgorithmName" value="MD5"/>
                <!--迭代次数-->
                <property name="hashIterations" value="10" />
            </bean>
        </property>
    </bean>

6:自定义过滤器用于过滤请求   修改过滤路径后需要重新启动服务器

public class ShiroFilterMapFactory {
    @Autowired
    private IPermissionService permissionService;
    public Map<String,String> creatMap(){
        LinkedHashMap<String, String> map = new LinkedHashMap<>();
       //anon:需要放行的路径
        map.put("/login","anon");
        map.put("/easyui/**","anon");
        map.put("/images/**","anon");
        map.put("/js/**","anon");
        map.put("/s/**","anon");
        map.put("*.js","anon");
        //permissions:权限拦截 动态的从数据库中获取
        map.put("*.css","anon");
        List<Permission> permissions = permissionService.findAll();
        permissions.forEach(p -> {
            map.put(p.getUrl(),"aiSellPerms["+p.getSn()+"]");
        });
        //authc:拦截
        map.put("/**","authc");
        return map;
    }
}

   applictionContext.shiro.xml中的配置

<property name="filters">
            <map>
                <entry key="aiSellPerms" value-ref="aiSellPermissionsAuthorizationFilter"></entry>
            </map>
</property>

7:重写请求过滤器 shiro自带的请求过滤器会过滤掉AJax请求 重写过滤器 对AJax请求放行

 1 public class AiSellPremissiAuthorizationFilter extends PermissionsAuthorizationFilter {
 2
 3     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws IOException {
 4         Subject subject = this.getSubject(request, response);
 5         //装换request response
 6
 7         if (subject.getPrincipal() == null) {
 8             //没有登录的操作
 9             this.saveRequestAndRedirectToLogin(request, response);
10         } else {
11             //登录成功后没有权限的操作
12             //1.转成http的请求与响应操作
13             HttpServletRequest httpRequest =(HttpServletRequest)request;
14             HttpServletResponse httpResponse=(HttpServletResponse)response;
15             ////2.根据请求确定是什么请求
16             String xRequestedWith = httpRequest.getHeader("X-Requested-With");
17             if(xRequestedWith != null &&"XMLHttpRequest".equals(xRequestedWith)){
18                 //3.在这里就代表是ajax请求
19                 //表示ajax请求 {"success":false,"message":"没有权限"}
20                 httpResponse.setContentType("text/json; charset=UTF-8");
21                 httpResponse.getWriter().print("{\"success\":false,\"msg\":\"没有权限\"}");
22             }else {
23                 //普通请求的返回方式
24                 String unauthorizedUrl = this.getUnauthorizedUrl();
25                 if (StringUtils.hasText(unauthorizedUrl)) {
26                     WebUtils.issueRedirect(request, response, unauthorizedUrl);
27                 } else {
28                     WebUtils.toHttp(response).sendError(401);
29                 }
30             }
31
32         }
33
34         return false;
35     }
36 }

    applictionContext.shiro.xml中的配置

<!--配置我们的自定义权限过滤器-->
    <bean id="aiSellPermissionsAuthorizationFilter"
          class="com.logo.aisell.web.shiro.AiSellPremissiAuthorizationFilter">
    </bean>
02-13 03:42