建立一个权限管理配置类,在类上添加注解@Configuration,如下:
1、设置安全管理
/**
 * Builds the Shiro {@link DefaultWebSecurityManager} wired to this configuration's realm,
 * the injected cache manager and the injected session manager.
 *
 * @param rememberMeManager injected but not installed: the manager is never applied here, so
 *                          remember-me is presumably inactive unless wired elsewhere — confirm
 * @param cacheShiroManager cache manager handed to Shiro
 * @param sessionManager    whichever session manager the {@code oa.spring-session-open}
 *                          property selected
 * @return the configured security manager
 */
@Bean
public DefaultWebSecurityManager securityManager(CookieRememberMeManager rememberMeManager,
                                                 CacheManager cacheShiroManager,
                                                 SessionManager sessionManager) {
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    manager.setRealm(shiroDbRealm());
    manager.setCacheManager(cacheShiroManager);
    manager.setSessionManager(sessionManager);
    // NOTE(review): the original deliberately left setRememberMeManager(rememberMeManager)
    // disabled; the "user" filter in the chain therefore only sees fully authenticated
    // subjects unless remember-me is enabled somewhere else — verify before relying on it.
    return manager;
}
2、 spring session管理器(多机环境)
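/**
 * Session manager for the multi-node ("spring session") deployment: Shiro uses the servlet
 * container's sessions instead of its own native session store. Registered only when
 * {@code oa.spring-session-open=true}; the single-node variant is registered for {@code false}.
 *
 * @return a servlet-container-backed session manager
 */
@Bean
@ConditionalOnProperty(prefix = "oa", name = "spring-session-open", havingValue = "true")
public ServletContainerSessionManager servletContainerSessionManager() {
    // Fixed: the annotation values used typographic quotes, which do not compile.
    return new ServletContainerSessionManager();
}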
3、session管理器(单机环境)
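/**
 * Shiro-native session manager for the single-node deployment, registered only when
 * {@code oa.spring-session-open=false}. Sessions are stored through the injected cache
 * manager, validated periodically, and identified by an HttpOnly cookie named
 * {@code shiroCookie}.
 *
 * @param cacheShiroManager cache manager that backs the session store
 * @param gunsProperties    supplies the validation interval and invalidation timeout
 *                          (presumably in seconds — they are scaled by 1000 below)
 * @return the configured session manager
 */
@Bean
@ConditionalOnProperty(prefix = "oa", name = "spring-session-open", havingValue = "false")
public DefaultWebSessionManager defaultWebSessionManager(CacheManager cacheShiroManager, OaProperties gunsProperties) {
    DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
    sessionManager.setCacheManager(cacheShiroManager);
    // Shiro takes milliseconds; the property values are multiplied up from seconds.
    sessionManager.setSessionValidationInterval(gunsProperties.getSessionValidationInterval() * 1000);
    sessionManager.setGlobalSessionTimeout(gunsProperties.getSessionInvalidateTime() * 1000);
    sessionManager.setDeleteInvalidSessions(true);
    sessionManager.setSessionValidationSchedulerEnabled(true);

    // Created under Shiro's default session-id name and then renamed, so the session id
    // travels as "shiroCookie" rather than under the default name.
    Cookie cookie = new SimpleCookie(ShiroHttpSession.DEFAULT_SESSION_ID_NAME);
    cookie.setName("shiroCookie");
    // HttpOnly keeps the session id away from page scripts. No Secure flag is set here;
    // NOTE(review): confirm cookie.setSecure(true) is applied wherever the app is served over HTTPS.
    cookie.setHttpOnly(true);
    sessionManager.setSessionIdCookie(cookie);
    return sessionManager;
}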
4、缓存管理器 使用Ehcache实现
/**
 * Shiro cache manager backed by the Ehcache {@code CacheManager} that the injected
 * factory bean produces.
 *
 * @param ehcache factory bean whose product becomes the underlying Ehcache manager
 * @return the Shiro-facing cache manager
 */
@Bean
public CacheManager getCacheShiroManager(EhCacheManagerFactoryBean ehcache) {
    final EhCacheManager shiroCache = new EhCacheManager();
    shiroCache.setCacheManager(ehcache.getObject());
    return shiroCache;
}
5、项目自定义的Realm
/**
 * The project's own realm, i.e. the component Shiro consults for authentication and
 * authorization data. It is also what {@code securityManager} installs as its realm.
 *
 * @return a fresh {@link ShiroDbRealm}
 */
@Bean
public ShiroDbRealm shiroDbRealm() {
    final ShiroDbRealm realm = new ShiroDbRealm();
    return realm;
}
6、rememberMe管理器, cipherKey生成键
7、记住密码Cookie
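/**
 * Cookie that carries the remember-me token.
 *
 * @return an HttpOnly {@code rememberMe} cookie that lives for seven days
 */
@Bean
public SimpleCookie rememberMeCookie() {
    // Fixed: the cookie name used typographic quotes, which do not compile.
    final int sevenDaysInSeconds = 7 * 24 * 60 * 60;
    SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
    // HttpOnly keeps the token away from page scripts. No Secure flag is set here;
    // NOTE(review): confirm simpleCookie.setSecure(true) is applied for HTTPS deployments.
    simpleCookie.setHttpOnly(true);
    simpleCookie.setMaxAge(sevenDaysInSeconds);
    return simpleCookie;
}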
8、Shiro的过滤器链
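/**
 * Builds Shiro's servlet filter chain.
 * <p>
 * Filter semantics, from the original author's notes: {@code anon} needs no authentication,
 * {@code authc} requires a fresh authentication, and {@code user} admits both authenticated
 * subjects and remember-me subjects — with remember-me enabled a returning visitor is a
 * {@code user} but not {@code authc}. Entries are matched top to bottom, first match wins.
 * Paths under {@code api} are said to use the REST API's own authorization rather than Shiro.
 *
 * @param securityManager the security manager the filter delegates to
 * @return the configured filter factory bean
 */
@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
    shiroFilter.setSecurityManager(securityManager);

    // Fixed: the original's comment delimiters were broken ("/** ... /"), which left the
    // login and success URL calls inside an unterminated comment.
    // Default login page.
    shiroFilter.setLoginUrl("/login");
    // Destination after a successful login.
    shiroFilter.setSuccessUrl("/");
    // Destination when the subject lacks the required permission.
    shiroFilter.setUnauthorizedUrl("/global/error");

    // Replace the stock "user" filter: per the original author, the default cannot handle
    // session timeouts on ajax requests (better approaches welcome).
    Map<String, Filter> customFilters = new HashMap<>();
    customFilters.put("user", new GunsUserFilter());
    shiroFilter.setFilters(customFilters);

    // Chain definitions: insertion order is the match order, so the NONE_PERMISSION_RES
    // entries come first and the catch-all "user" rule last. Everything not listed there
    // needs at least a remembered subject; routes that must not be reachable through a
    // remember-me cookie alone need an explicit "authc" entry ahead of the catch-all.
    Map<String, String> chainDefinitions = new LinkedHashMap<>();
    for (String openResource : NONE_PERMISSION_RES) {
        chainDefinitions.put(openResource, "anon");
    }
    chainDefinitions.put("/**", "user");
    shiroFilter.setFilterChainDefinitionMap(chainDefinitions);
    return shiroFilter;
}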
9、 在方法中 注入 securityManager,进行代理控制
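/**
 * Binds the static Shiro {@code SecurityUtils} API to this context's security manager by
 * invoking {@code org.apache.shiro.SecurityUtils.setSecurityManager} during initialization.
 *
 * @param securityManager the security manager to install globally
 * @return a factory bean that performs the static call
 */
@Bean
public MethodInvokingFactoryBean methodInvokingFactoryBean(DefaultWebSecurityManager securityManager) {
    // Fixed: the method name used typographic quotes, which do not compile.
    MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
    bean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");
    bean.setArguments(securityManager);
    return bean;
}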
10、Shiro生命周期处理器
/**
 * Shiro lifecycle processor, so Shiro beans get their init and destroy callbacks from Spring.
 *
 * @return a fresh {@link LifecycleBeanPostProcessor}
 */
@Bean
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
    final LifecycleBeanPostProcessor processor = new LifecycleBeanPostProcessor();
    return processor;
}
11、启用shiro授权注解拦截方式,AOP式方法级权限检查
/**
 * Enables Shiro's authorization annotations: an AOP advisor that performs method-level
 * permission checks against the given security manager.
 *
 * @param securityManager the security manager the advisor consults
 * @return the configured advisor
 */
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
    final AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
    advisor.setSecurityManager(securityManager);
    return advisor;
}