Create a Spring Boot application. How to create one is outside the scope of this article; see the official documentation.

Add the dependency

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.4.0</version>
    </dependency>

Instantiate the SecurityManager

The core of Shiro is the SecurityManager; every Shiro application must have one. So the first thing to do when using Shiro is to create a SecurityManager instance.
SecurityManager implementations have many configuration options, and configuring one directly in code is tedious and error-prone. The recommended approach is therefore the simpler and more flexible one of configuring it from a text configuration file.
Shiro's default configuration file format is INI, but other common formats such as XML, YAML and JSON are also supported.
In this first Shiro application we use the default INI format to configure the SecurityManager.
Create a file named shiro.ini under src/main/resources with the following content:

    # =============================================================================
    # Tutorial INI configuration
    #
    # Usernames/passwords are based on the classic Mel Brooks' film "Spaceballs" :)
    # =============================================================================
    # -----------------------------------------------------------------------------
    # Users and their (optional) assigned roles
    # username = password, role1, role2, ..., roleN
    # -----------------------------------------------------------------------------
    [users]
    root = secret, admin
    guest = guest, guest
    presidentskroob = 12345, president
    darkhelmet = ludicrousspeed, darklord, schwartz
    lonestarr = vespa, goodguy, schwartz
    # -----------------------------------------------------------------------------
    # Roles with assigned permissions
    # roleName = perm1, perm2, ..., permN
    # -----------------------------------------------------------------------------
    [roles]
    admin = *
    schwartz = lightsaber:*
    goodguy = winnebago:drive:eagle5

With the configuration file in place, read it to instantiate the SecurityManager:

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager; // Shiro's SecurityManager, not java.lang.SecurityManager
    import org.apache.shiro.util.Factory;

    // 1. Create a factory that parses shiro.ini from the classpath
    Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
    // 2. Build the SecurityManager (realms, session manager, etc.) from that configuration
    SecurityManager securityManager = factory.getInstance();
    // 3. Publish it as the application-wide singleton; SecurityUtils.getSubject() relies on this
    SecurityUtils.setSecurityManager(securityManager);

Get the Subject

    // The Subject is the "current user" bound to the calling thread (org.apache.shiro.subject.Subject)
    Subject currentUser = SecurityUtils.getSubject();

Get the Session

    // A Shiro Session (org.apache.shiro.session.Session) works even outside a web container
    Session session = currentUser.getSession();
    session.setAttribute("someKey", "aValue");

User login

    if (!currentUser.isAuthenticated()) {
        // collect user principals and credentials in a GUI-specific manner,
        // such as a username/password HTML form, X.509 certificate, OpenID, etc.
        // We'll use the username/password example here since it is the most common.
        UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
        // this is all you have to do to support 'remember me' (no config - built in!):
        token.setRememberMe(true);
        try {
            currentUser.login(token);
        } catch (AuthenticationException e) {
            // thrown for an unknown account, wrong password, locked account, etc.
            // (subclasses of org.apache.shiro.authc.AuthenticationException)
        }
    }

Role and permission checks

    // "log" is assumed to be an application logger (e.g. SLF4J); currentUser is the Subject obtained above
    if (currentUser.hasRole("schwartz")) {
        log.info("May the Schwartz be with you!");
    } else {
        log.info("Hello, mere mortal.");
    }

    // "lightsaber:*" in [roles] grants every action on "lightsaber", so this check passes for schwartz members
    if (currentUser.isPermitted("lightsaber:wield")) {
        log.info("You may use a lightsaber ring. Use it wisely.");
    } else {
        log.info("Sorry, lightsaber rings are for schwartz masters only.");
    }

Log out

    currentUser.logout(); // removes all identifying information and invalidates their session too.
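The steps above (INI configuration, SecurityManager instantiation, login, role/permission checks, logout) put together as one runnable program. This is an added example, not code from the original post or from the Shiro project; the class and method names are hypothetical. It differs from the tutorial INI in two ways a practitioner would want: the stored password is a SHA-256 hex digest rather than plaintext (using Shiro's own HashedCredentialsMatcher wired to the implicit "iniRealm"), and login failures are caught explicitly instead of propagating. It also shows how wildcard permissions resolve. It only needs the shiro-core 1.4.0 dependency already declared above.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;

/**
 * Added example (not from the original post): the quick-start flow with a hashed
 * password in the INI, explicit login-failure handling and wildcard permission checks.
 * Class and method names are hypothetical.
 */
public class ShiroIniQuickStart {

    /** Builds the INI in memory so the stored credential is a SHA-256 hex digest, never plaintext. */
    static SecurityManager buildSecurityManager() {
        // Constructed sample password; only its digest is written into the configuration.
        String lonestarrHash = new Sha256Hash("vespa").toHex();
        String iniText =
                "[main]\n"
              + "hashMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher\n"
              + "hashMatcher.hashAlgorithmName = SHA-256\n"
              // "iniRealm" is the name Shiro gives the realm it creates from [users]/[roles]
              + "iniRealm.credentialsMatcher = $hashMatcher\n"
              + "[users]\n"
              + "lonestarr = " + lonestarrHash + ", goodguy, schwartz\n"
              + "[roles]\n"
              + "schwartz = lightsaber:*\n"
              + "goodguy = winnebago:drive:eagle5\n";
        Ini ini = new Ini();
        ini.load(iniText);
        Factory<SecurityManager> factory = new IniSecurityManagerFactory(ini);
        return factory.getInstance();
    }

    /** Attempts a login; the caller only sees a boolean, the specific cause is logged server-side. */
    static boolean tryLogin(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return true;
        } catch (UnknownAccountException e) {
            System.out.println("login failed for " + username + ": unknown account");
        } catch (IncorrectCredentialsException e) {
            System.out.println("login failed for " + username + ": bad credentials");
        } catch (LockedAccountException e) {
            System.out.println("login failed for " + username + ": account locked");
        } catch (AuthenticationException e) {
            System.out.println("login failed for " + username + ": " + e.getClass().getSimpleName());
        } finally {
            token.clear(); // zero the password chars held in the token
        }
        return false;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());
        Subject currentUser = SecurityUtils.getSubject();

        // Wrong password: the matcher hashes "vespa2" and compares it with the stored digest, so this fails.
        System.out.println("bad password accepted?  " + tryLogin(currentUser, "lonestarr", "vespa2"));
        // Correct password: the digests match and the Subject becomes authenticated.
        System.out.println("good password accepted? " + tryLogin(currentUser, "lonestarr", "vespa"));
        System.out.println("authenticated: " + currentUser.isAuthenticated());

        // Wildcard permissions: "lightsaber:*" covers any lightsaber action, whereas
        // "winnebago:drive:eagle5" is an exact grant and does not extend to other vehicles.
        System.out.println("lightsaber:wield       -> " + currentUser.isPermitted("lightsaber:wield"));
        System.out.println("winnebago:drive:eagle5 -> " + currentUser.isPermitted("winnebago:drive:eagle5"));
        System.out.println("winnebago:drive:falcon -> " + currentUser.isPermitted("winnebago:drive:falcon"));

        currentUser.logout();
        System.out.println("after logout, authenticated: " + currentUser.isAuthenticated());
    }
}
```

The `[main]` section must define `hashMatcher` before the line that references it with `$hashMatcher`, since Shiro processes the section in order. If you keep the configuration in a shiro.ini file instead of a string, write the hex digest (e.g. the output of `new Sha256Hash("...").toHex()`) into the `[users]` line and load the file with the `"classpath:shiro.ini"` factory shown earlier; everything else stays the same.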