Guide: Integrating Shiro with Spring Boot
1. Add the Maven dependencies
First, add the Shiro dependencies to the pom.xml of the Spring Boot project. For example:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.7.1</version> <!-- choose the version that fits your project; prefer the latest release -->
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
2. Configure Shiro
- Create a Shiro configuration class: configure Shiro's core components, namely the SecurityManager and the ShiroFilterFactoryBean. For example:

    import java.util.LinkedHashMap;
    import java.util.Map;
    import org.apache.shiro.realm.Realm;
    import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
    import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class ShiroConfig {

        @Bean
        public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) {
            ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
            shiroFilterFactoryBean.setSecurityManager(securityManager);
            shiroFilterFactoryBean.setLoginUrl("/login");
            shiroFilterFactoryBean.setSuccessUrl("/index");
            shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");

            // Filter chain definitions are matched in insertion order (hence LinkedHashMap):
            // the first matching pattern wins, so the catch-all "/**" = authc must stay last,
            // otherwise it would shadow the anon rules for /login and /static/**.
            Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
            filterChainDefinitionMap.put("/login", "anon");
            filterChainDefinitionMap.put("/logout", "logout");
            filterChainDefinitionMap.put("/static/**", "anon");
            filterChainDefinitionMap.put("/**", "authc");
            shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
            return shiroFilterFactoryBean;
        }

        @Bean
        public DefaultWebSecurityManager securityManager(Realm realm) {
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            securityManager.setRealm(realm);
            return securityManager;
        }

        // Returned from a @Bean method, so Spring still processes MyRealm's @Autowired fields.
        @Bean
        public Realm realm() {
            return new MyRealm();
        }
    }
- Configure Shiro's properties: in application.properties or application.yml, set Shiro's properties such as the login URL, success URL and unauthorized URL. For example:

    # Shiro configuration
    shiro.loginUrl=/login
    shiro.successUrl=/index
    shiro.unauthorizedUrl=/unauthorized
    shiro.filterChainDefinitions=/login=anon,/logout=logout,/static/**=anon,/**=authc

Or in application.yml:

    shiro:
      loginUrl: /login
      successUrl: /index
      unauthorizedUrl: /unauthorized
      filterChainDefinitions: /login=anon,/logout=logout,/static/**=anon,/**=authc

Note that these keys are read by Shiro's Spring Boot starter auto-configuration; with the hand-written ShiroConfig above, the values set on the ShiroFilterFactoryBean are the ones that take effect.
3. Implement a custom Realm
A custom Realm class implements Shiro's authentication and authorization logic. For example:

    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;

    public class MyRealm extends AuthorizingRealm {

        @Autowired
        private UserService userService;

        // Authorization: roles and permissions for an already-authenticated principal.
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
            User user = (User) principals.getPrimaryPrincipal();
            authorizationInfo.setRoles(userService.getRoles(user.getUsername()));
            authorizationInfo.setStringPermissions(userService.getPermissions(user.getUsername()));
            return authorizationInfo;
        }

        // Authentication: look the user up and hand Shiro the stored credential to compare against.
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
            String username = usernamePasswordToken.getUsername();
            User user = userService.getUserByUsername(username);
            if (user == null) {
                throw new UnknownAccountException("User does not exist");
            }
            // With the default SimpleCredentialsMatcher this compares the submitted password to
            // user.getPassword() directly, i.e. it assumes the stored value is the plaintext password.
            // If you store hashes, configure a HashedCredentialsMatcher on the realm instead.
            return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
        }
    }
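The realm above compares whatever the database holds against the submitted password verbatim. As an added example (not part of the original guide), here is the same realm backed by salted, iterated SHA-256 hashes via Shiro's HashedCredentialsMatcher; it assumes a hypothetical UserService whose User exposes getPasswordHash() and getSalt() alongside getUsername().

```java
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Assumes a hypothetical UserService/User with getUsername(), getPasswordHash(), getSalt(),
// getRoles(username) and getPermissions(username); these names are not from the original guide.
public class HashedPasswordRealm extends AuthorizingRealm {
    // The iteration count is part of the stored-credential format; changing it invalidates old hashes.
    public static final int HASH_ITERATIONS = 100_000;
    private final UserService userService;

    public HashedPasswordRealm(UserService userService) {
        this.userService = userService;
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true); // matches toHex() in hashForStorage()
        setCredentialsMatcher(matcher);
    }

    /** Value to persist instead of the plaintext; salt is a per-user random string stored beside it. */
    public static String hashForStorage(String plaintext, String salt) {
        return new Sha256Hash(plaintext, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        User user = userService.getUserByUsername(username);
        if (user == null) {
            throw new UnknownAccountException("Unknown account"); // the controller reports one generic message
        }
        // Return hash + salt; the matcher re-hashes the submitted password the same way and compares.
        return new SimpleAuthenticationInfo(user, user.getPasswordHash(),
                ByteSource.Util.bytes(user.getSalt()), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(userService.getRoles(user.getUsername()));
        info.setStringPermissions(userService.getPermissions(user.getUsername()));
        return info;
    }
}
```

Register it in ShiroConfig as `@Bean public Realm realm(UserService userService) { return new HashedPasswordRealm(userService); }` and call hashForStorage() when a password is set, so the plaintext never reaches the database.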
4. Handle user login and logout
Create a UserController class to handle login and logout requests. For example:

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.subject.Subject;
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestParam;

    @Controller
    public class UserController {

        @GetMapping("/login")
        public String login() {
            return "login";
        }

        @PostMapping("/login")
        public String login(@RequestParam("username") String username,
                            @RequestParam("password") String password,
                            Model model) {
            // Subject is not a Spring bean, so it cannot be @Autowired; Shiro binds the
            // current request's Subject to the thread and exposes it via SecurityUtils.
            Subject subject = SecurityUtils.getSubject();
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            try {
                subject.login(token);
                return "redirect:/index";
            } catch (AuthenticationException e) {
                // One generic message for every failure type, so the response does not
                // reveal whether the username exists.
                model.addAttribute("error", "Invalid username or password");
                return "login";
            }
        }

        @GetMapping("/logout")
        public String logout() {
            SecurityUtils.getSubject().logout();
            return "redirect:/login";
        }
    }
5. Other considerations
- Session management: Shiro uses sessions to track a user's login state. A session manager (DefaultWebSessionManager) can be defined in the Shiro configuration and wired into Spring Boot.
- Logging and debugging: to understand how Shiro works and to troubleshoot problems, enable Shiro's logging. Configure the log level in log4j.properties or logback.xml.
- Security considerations: in production, make sure the application follows security best practices, such as using HTTPS, updating dependencies regularly and restricting access permissions.

With the steps above, Shiro is integrated into the Spring Boot project and provides authentication and authorization.