Spring Boot Shiro Integration Guide

1. Add the Maven dependencies

First, add the Shiro dependencies to the pom.xml of the Spring Boot project. For example:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <!-- choose the version your project needs; prefer the current release, since security fixes ship in newer versions -->
    <version>1.7.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
```
2. Configure Shiro

- Create a Shiro configuration class. It wires Shiro's core components, such as the SecurityManager and the ShiroFilterFactoryBean. For example:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        shiroFilterFactoryBean.setLoginUrl("/login");
        shiroFilterFactoryBean.setSuccessUrl("/index");
        shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");

        // Chain definitions are matched in insertion order, which is why a LinkedHashMap is used;
        // the catch-all "/**" entry must come last or it shadows the more specific rules.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login", "anon");      // login page reachable without a session
        filterChainDefinitionMap.put("/logout", "logout");   // Shiro's built-in LogoutFilter
        filterChainDefinitionMap.put("/static/**", "anon");  // static assets need no authentication
        filterChainDefinitionMap.put("/**", "authc");        // everything else requires a logged-in user
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(Realm realm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(realm);
        return securityManager;
    }

    @Bean
    public Realm realm() {
        // MyRealm is defined in section 3. Because it is returned from a @Bean method,
        // Spring still injects its @Autowired fields.
        return new MyRealm();
    }
}
```
- Configure Shiro's properties. In application.properties or application.yml you can set Shiro's properties such as the login URL, success URL and unauthorized URL. Note that these property keys are read by the Shiro Spring Boot starter auto-configuration; with only the shiro-spring dependency above, the Java configuration class is what takes effect. For example:

```properties
# Shiro configuration
shiro.loginUrl=/login
shiro.successUrl=/index
shiro.unauthorizedUrl=/unauthorized
shiro.filterChainDefinitions=/login=anon,/logout=logout,/static/**=anon,/**=authc
```

Or in application.yml:

```yaml
shiro:
  loginUrl: /login
  successUrl: /index
  unauthorizedUrl: /unauthorized
  filterChainDefinitions: /login=anon,/logout=logout,/static/**=anon,/**=authc
```
3. Implement a custom Realm

A custom Realm class implements Shiro's authentication and authorization logic. For example:

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

public class MyRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService; // the application's own user lookup service

    // Authorization: invoked lazily when a role or permission check is made.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        User user = (User) principals.getPrimaryPrincipal();
        authorizationInfo.setRoles(userService.getRoles(user.getUsername()));
        authorizationInfo.setStringPermissions(userService.getPermissions(user.getUsername()));
        return authorizationInfo;
    }

    // Authentication: invoked on Subject.login(). The realm only looks the account up; the
    // realm's CredentialsMatcher compares the submitted password with the returned credential.
    // The default SimpleCredentialsMatcher is a plain equality check, so if user.getPassword()
    // holds a hash, a matching HashedCredentialsMatcher or PasswordMatcher must be configured.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        String username = usernamePasswordToken.getUsername();
        User user = userService.getUserByUsername(username);
        if (user == null) {
            throw new UnknownAccountException("用户不存在"); // "user does not exist"
        }
        return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
    }
}
```
4. Handle user login and logout

Create a UserController class that handles login and logout requests. For example:

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class UserController {

    @GetMapping("/login")
    public String login() {
        return "login";
    }

    @PostMapping("/login")
    public String login(@RequestParam("username") String username,
                        @RequestParam("password") String password,
                        Model model) {
        // The Subject is bound to the current request thread and is not a Spring bean,
        // so it is obtained per request from SecurityUtils rather than injected with @Autowired.
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return "redirect:/index";
        } catch (AuthenticationException e) {
            // One generic message for unknown accounts and wrong passwords alike, so the
            // response does not reveal which usernames exist.
            model.addAttribute("error", "用户名或密码错误"); // "invalid username or password"
            return "login";
        }
    }

    // With "/logout=logout" in the filter chain, Shiro's LogoutFilter handles this path
    // before the controller is reached; this handler covers the case where that rule is absent.
    @GetMapping("/logout")
    public String logout() {
        SecurityUtils.getSubject().logout();
        return "redirect:/login";
    }
}
```
5. Other notes

- Session management: Shiro uses sessions to track a user's login state. A session manager (DefaultWebSessionManager) can be defined in the Shiro configuration and registered with Spring Boot.
- Logging and debugging: to understand how Shiro works and to troubleshoot problems, enable Shiro's logging. The log level can be set in log4j.properties or logback.xml.
- Security considerations: in production, make sure the application follows security best practices, for example using HTTPS, updating dependencies regularly, and restricting access permissions.
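The realm in section 3 hands Shiro a stored credential that the default matcher compares as-is, and the session-management note above leaves the session manager unconfigured. The class below is an added example, not code from this article: a hypothetical HashedPasswordRealm that stores passwords with Shiro's DefaultPasswordService (salted, iterated SHA-256 in Shiro 1.x) and verifies them with PasswordMatcher, plus a DefaultWebSessionManager with the settings a practitioner would pair with it. The in-memory Map user store is constructed for the example, and cookie.setSecure(true) assumes the application is served over HTTPS.

```java
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

// Hypothetical realm (example only): verifies a submitted password against a stored salted hash.
public class HashedPasswordRealm extends AuthorizingRealm {
    private static final DefaultPasswordService PASSWORD_SERVICE = new DefaultPasswordService();
    private final Map<String, String> users; // constructed in-memory store: username -> hash string

    public HashedPasswordRealm(Map<String, String> users) {
        this.users = users;
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(PASSWORD_SERVICE); // replaces the default plaintext equality check
        setCredentialsMatcher(matcher);
    }

    // Call when creating a user or changing a password; the returned string embeds the
    // algorithm, iteration count and a fresh random salt, so only this value needs storing.
    public static String hashForStorage(String plaintextPassword) {
        return PASSWORD_SERVICE.encryptPassword(plaintextPassword);
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = users.get(username);
        if (stored == null) throw new UnknownAccountException("unknown account");
        // The matcher re-hashes the submitted password with the stored salt and compares the result.
        return new SimpleAuthenticationInfo(username, stored, getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // roles and permissions would come from the user store
    }

    // Session manager to pass to DefaultWebSecurityManager.setSessionManager(...).
    public static DefaultWebSessionManager hardenedSessionManager() {
        DefaultWebSessionManager sm = new DefaultWebSessionManager();
        sm.setGlobalSessionTimeout(30 * 60 * 1000L); // 30-minute idle timeout
        sm.setSessionIdUrlRewritingEnabled(false);   // never expose the session id in URLs
        SimpleCookie cookie = new SimpleCookie("JSESSIONID");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);                      // assumes the app is served over HTTPS
        sm.setSessionIdCookie(cookie);
        return sm;
    }
}
```

To use it, store the value of hashForStorage(...) instead of the plaintext password when creating users, return this realm from the realm() bean in section 2, and call securityManager.setSessionManager(HashedPasswordRealm.hardenedSessionManager()) in securityManager().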
With the steps above, Shiro is integrated into the Spring Boot project and provides authentication and authorization.