springboot项目中使用shiro框架基于RBAC实现权限控制_spring shiro权限控制

1、在pom.xml文件中添加相关依赖项

<!-- Shiro依赖 -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring-boot-starter</artifactId>
    <version>1.8.0</version>
</dependency>
 
<!-- Spring Boot Web依赖 -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>

2、创建一个自定义的Realm类，继承AuthorizingRealm，并实现其中的方法。这个类负责用户身份认证和权限授权的逻辑。例如

public class CustomRealm extends AuthorizingRealm {
 
    @Autowired
    private UserService userService;
 
    // 身份认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        User user = userService.findByUsername(username);
 
        if (user == null) {
            throw new UnknownAccountException("用户名不存在");
        }
 
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                user.getUsername(),
                user.getPassword(),
                ByteSource.Util.bytes(user.getSalt()),
                getName()
        );
 
        return authenticationInfo;
    }
 
    // 权限授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        String username = (String) principals.getPrimaryPrincipal();
 
        User user = userService.findByUsername(username);
 
        for (Role role : user.getRoles()) {
            authorizationInfo.addRole(role.getName());
            for (Permission permission : role.getPermissions()) {
                authorizationInfo.addStringPermission(permission.getName());
            }
        }
 
        return authorizationInfo;
    }
}

3、创建一个Shiro配置类，使用@Configuration注解标记，并在该类中进行相关的配置，包括创建SecurityManager、配置Realm等。例如

@Configuration
public class ShiroConfig {
 
    @Bean
    public CustomRealm customRealm() {
        return new CustomRealm();
    }
 
    @Bean
    public SecurityManager securityManager(CustomRealm customRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(customRealm);
        return securityManager;
    }
 
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);
 
        // 配置URL的访问规则和权限要求
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/admin/**", "roles[admin]");
        // 更多的URL配置
 
        factoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
 
        return factoryBean;
    }
}

4、创建一个登录页面和相应的登录Controller，用于处理用户登录请求。例如

@Controller
public class LoginController {
 
    @GetMapping("/login")
    public String login() {
        return "login";
    }
 
    @PostMapping("/login")
    public String doLogin(String username, String password, boolean rememberMe) {
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(rememberMe);
 
        try {
            currentUser.login(token);
            return "redirect:/admin/dashboard";  // 登录成功后跳转到管理员页面
        } catch (AuthenticationException e) {
            // 处理登录失败的逻辑，如跳转到错误页面或显示错误信息
            return "login";
        }
    }
}

5、在需要进行权限控制的Controller方法上，添加相应的Shiro注解（如@RequiresRoles、@RequiresPermissions）来限制访问。例如

@Controller
@RequestMapping("/admin")
public class AdminController {
 
    @GetMapping("/dashboard")
    @RequiresRoles("admin")
    public String dashboard() {
        // 执行管理员首页的业务逻辑
        return "dashboard";
    }
 
    @GetMapping("/users")
    @RequiresPermissions("user:view")
    public String users() {
        // 执行查看用户列表的业务逻辑
        return "users";
    }
 
    // 其他需要权限控制的方法
}