Apache Shiro的Spring Boot
我目前正在尝试将Apache Shiro集成到我的Spring Boot restful API中,但我遇到了一些问题,并且想知道是否有人可以提供帮助。
我的Application.class:
@Configuration @EnableTransactionManagement @EnableAutoConfiguration @ComponentScan(basePackages = "org.xelamitchell.sophia.server") public class Application { public static void main(String[] args) { SpringApplication.run(Application.class, args); } } 我的WebConfig.class:
@Configuration @EnableWebMvc public class WebConfig extends WebMvcConfigurerAdapter { @Bean public DispatcherServlet dispatcherServlet() { DispatcherServlet servlet = new DispatcherServlet(); servlet.setDispatchOptionsRequest(true); return servlet; } @Bean public ServletRegistrationBean dispatcherRegistration(DispatcherServlet dispatcherServlet) { ServletRegistrationBean registration = new ServletRegistrationBean(dispatcherServlet); registration.addUrlMappings("/sophia/*"); return registration; } @Override public void configureContentNegotiation(ContentNegotiationConfigurer configurer) { Map types = new HashMap(); types.put("json", APPLICATION_JSON); types.put("xml", APPLICATION_XML); configurer .defaultContentType(APPLICATION_JSON) .mediaTypes(types); } @Override public void configureMessageConverters(List<HttpMessageConverter> converters) { converters.add(jackson()); converters.add(jaxb()); super.configureMessageConverters(converters); } @Bean public MappingJackson2HttpMessageConverter jackson() { final MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(); converter.getObjectMapper() .setSerializationInclusion(JsonInclude.Include.NON_NULL) .setSerializationInclusion(JsonInclude.Include.NON_EMPTY) .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); return converter; } @Bean public Jaxb2RootElementHttpMessageConverter jaxb() { final Jaxb2RootElementHttpMessageConverter converter = new Jaxb2RootElementHttpMessageConverter(); return converter; } @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shiroFilter() { ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean(); shiroFilter.setLoginUrl("/sophia/*"); shiroFilter.setSecurityManager(securityManager()); Map filters = new HashMap(); filters.put("anon", new FormAuthenticationFilter()); filters.put("authc", new FormAuthenticationFilter()); shiroFilter.setFilters(filters); return shiroFilter; } @Bean public org.apache.shiro.mgt.SecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(sophiaRealm()); return securityManager; } @Bean(name = "sophiaRealm") @DependsOn("lifecycleBeanPostProcessor") public SophiaRealm sophiaRealm() { return new SophiaRealm(); } @Bean public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } }
应用程序启动正常,日志确实显示正在设置shiroFilter:
INFO 12:44:44:271 org.springframework.boot.context.embedded.ServletRegistrationBean - Mapping servlet: 'dispatcherServlet' to [/sophia/*] INFO 12:44:44:277 org.springframework.boot.context.embedded.FilterRegistrationBean - Mapping filter: 'shiroFilter' to: [/*]
但是当我尝试访问/sophia/users我不会被要求进行身份validation,服务器只是给我回复。
我的shiroFilter配置基于这个问题: 如何使用Spring Boot配置Shiro
对shiroFilter的微小修改解决了这个问题:
- 删除shiroFilter.setLoginUrl(String)
- 使用以下filter链定义映射:
Map filters = new HashMap<>(); filters.put("/**", "authcBasic"); shiroFilter.setFilters(filters);
奇怪的是,整个API都使用基本HTTP身份validation进行保护。 🙂
使用Shiro的默认Webfilter