
Using Shiro for Authorization Control in a Spring Boot Project

2025/7/6 5:39:26  Source: https://blog.csdn.net/exlink2012/article/details/140839130

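To use Apache Shiro for authorization control in a Spring Boot project, and to make sure that only users with the admin role can access the /backend path, configure it with the following steps: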

1. Add the dependency

Add the Shiro dependency to your pom.xml.

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.8.0</version>
</dependency>

2. Configure Shiro

Create a Shiro configuration class that sets up Shiro's security manager and filter.

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);

        // Configure the filter chain. LinkedHashMap keeps insertion order, and Shiro
        // applies the first pattern that matches, so /backend/** must come before /**.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/backend/**", "authc, roles[admin]");
        filterChainDefinitionMap.put("/**", "anon");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        return shiroFilterFactoryBean;
    }

    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // Configure the Realm
        securityManager.setRealm(myRealm());
        return securityManager;
    }

    @Bean
    public MyRealm myRealm() {
        return new MyRealm();
    }
}

3. Implement the Realm

Create a custom Realm to handle authentication and authorization.

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyRealm extends AuthorizingRealm {

    // Authorization: decides which roles the authenticated principal holds.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // Add the role
        if ("admin".equals(username)) {
            authorizationInfo.addRole("admin");
        }
        return authorizationInfo;
    }

    // Authentication: returns the stored credentials for a known account.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        String username = usernamePasswordToken.getUsername();
        // Assume every password is "password"
        if ("admin".equals(username) || "user".equals(username)) {
            return new SimpleAuthenticationInfo(username, "password", getName());
        }
        // Unknown account
        return null;
    }
}

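4. Configure Shiro session management

Add Shiro's session management to your Spring Boot application's main class. The bean shown registers a ShiroFilterChainDefinition that repeats the two path rules from step 2.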

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;

@SpringBootApplication
public class ShiroApplication {

    public static void main(String[] args) {
        SpringApplication.run(ShiroApplication.class, args);
    }

    @Bean
    protected ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
        chainDefinition.addPathDefinition("/backend/**", "authc, roles[admin]");
        chainDefinition.addPathDefinition("/**", "anon");
        return chainDefinition;
    }
}

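With this configuration in place, when the /backend path is accessed, Shiro checks whether the user is authenticated and whether the user has the admin role. If the user is not authenticated or does not have the admin role, Shiro intercepts the request automatically.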
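
The decision behind "authc, roles[admin]" can be checked without starting the web application. The following is an added example, not code from the original article: it assumes the MyRealm class from step 3 is in the same package and Shiro is on the classpath; the class name MyRealmRoleCheck and the account "guest" are made up for the example.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.subject.Subject;

// Added example: exercises MyRealm (step 3) outside the web container.
public class MyRealmRoleCheck {

    // Log in through the realm, then ask the same question roles[admin] asks.
    static String probe(DefaultSecurityManager sm, String user, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            // Wrong password or unknown account: authc would not let this through.
            return "REJECTED:" + e.getClass().getSimpleName();
        }
        try {
            return subject.hasRole("admin") ? "ALLOWED" : "DENIED";
        } finally {
            subject.logout();
        }
    }

    // Fail loudly if the realm's behaviour drifts from what the filter chain relies on.
    static void expect(String actual, String expected, String label) {
        if (!expected.equals(actual)) {
            throw new IllegalStateException(label + ": expected " + expected + ", got " + actual);
        }
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        DefaultSecurityManager sm = new DefaultSecurityManager(new MyRealm());
        expect(probe(sm, "admin", "password"), "ALLOWED", "admin, correct password");
        expect(probe(sm, "user", "password"), "DENIED", "user, correct password");
        expect(probe(sm, "user", "wrong"),
               "REJECTED:IncorrectCredentialsException", "user, wrong password");
        // "guest" is a constructed account name that the realm does not know.
        expect(probe(sm, "guest", "password"),
               "REJECTED:UnknownAccountException", "unknown account");
    }
}
```

Keeping a check like this next to the realm catches a change that would hand the admin role to an ordinary account before it reaches the /backend filter chain.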
