Shiro是一个轻量级的权限框架,比较简单易上手,大多数公司的权限认证都使用Shiro进行认证授权,今天就简单写一个SpringBoot整合Shiro的入门教程,以防遗忘,项目已打包,解压后导入即可。
1.创建SpringBoot工程;
2.pom.xml导入相关的jar包:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<!-- 导入web支持 -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<!-- 导入thymeleaf依赖 -->
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<!-- 导入mybatis相关的依赖 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.9</version>
</dependency>
<!-- mysql -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- SpringBoot的Mybatis启动器 -->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.1.1</version>
</dependency>
<!-- themeleaf整合shiro标签 -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
3.编写页面(实体类,接口,控制层等):
实体类:
package com.mrz.pojo;
public class User {
private Integer id;
private String name;
private String password;
//权限字段
private String perms;
public String getPerms() {
return perms;
}
public void setPerms(String perms) {
this.perms = perms;
}
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
Mapper接口:
package com.mrz.mapper;
import com.mrz.pojo.User;
public interface UserMapper {
public User findByName(String name);
public User findById(Integer id);
}
Service接口:
package com.mrz.service;
import com.mrz.pojo.User;
public interface UserService {
public User findByName(String name);
public User findById(Integer id);
}
ServiceImpl(实现类):
package com.mrz.service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.mrz.mapper.UserMapper;
import com.mrz.pojo.User;
@Service
public class UserServiceImpl implements UserService{
//注入Mapper接口
@Autowired
private UserMapper userMapper;
@Override
public User findByName(String name) {
// TODO Auto-generated method stub
return userMapper.findByName(name);
}
@Override
public User findById(Integer id) {
// TODO Auto-generated method stub
return userMapper.findById(id);
}
}
Controller控制层(已写每步的注释):
package com.mrz.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
public class UserController {
/**
* 测试方法
* 此方法只是测试能不能正常访问页面
*/
@RequestMapping("/hello")
@ResponseBody
public String hello() {
System.out.println("UserController.hello()");
return "ok";
}
//跳转到添加页面
@RequestMapping("/add")
public String add() {
return "/user/add";
}
//跳转到更新页面
@RequestMapping("/update")
public String update() {
return "/user/update";
}
//跳转到登陆页面
@RequestMapping("/toLogin")
public String toLogin() {
return "/login";
}
//返回未授权的页面
@RequestMapping("/noAuth")
public String noAuth() {
return "/noAuth";
}
/**
* 测试thymeleaf
*/
@RequestMapping("/testThymeleaf")
public String testThymeleaf(Model model) {
//把数据存入model
model.addAttribute("name","小狐狸学Shiro");
//返回test.html
return "test";
}
/**
* 登录逻辑处理
*/
@RequestMapping("/login")
public String login(String name,String password,Model model) {
/**
* 使用Shiro编写认证操作
*/
//1.获取Subject(固定格式)
Subject subject = SecurityUtils.getSubject();
//2.封装用户数据(固定格式)
UsernamePasswordToken token = new UsernamePasswordToken(name,password);
//3.执行登陆方法
try {
/**
* 执行登录方法就会跳转到UserRealm中的认证逻辑
* 参数是token,会把封装的用户的数据(name和password带过去进行验证)
*/
subject.login(token);
//登陆成功
//跳转到test.html(redirect表示重定向到这个地址)
return "redirect:/testThymeleaf";
} catch (UnknownAccountException e) {
// TODO: handle exception
//登陆失败:用户名不存在
//catch中UnknownAccountException是Shiro中的异常,表示没有匹配到用户
model.addAttribute("msg","用户名不存在");
return "login";
} catch (IncorrectCredentialsException e) {
// TODO: handle exception
//登陆失败:用户名不存在
//catch中IncorrectCredentialsException是Shiro中的异常,表示密码不对
model.addAttribute("msg","密码错误");
return "login";
}
}
}
UserMapper.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.mrz.mapper.UserMapper">
<resultMap type="User" id="UserResult">
<result property="id" column="id" />
<result property="name" column="NAME" />
<result property="password" column="PASSWORD" />
<result property="perms" column="perms" />
</resultMap>
<sql id="selectUserVo">
select id,NAME,PASSWORD,perms from user
</sql>
<select id="findByName" parameterType="String" resultMap="UserResult">
<include refid="selectUserVo"/>
<where>
NAME = #{name}
</where>
</select>
<select id="findById" parameterType="int" resultMap="UserResult">
<include refid="selectUserVo"/>
<where>
id = #{id}
</where>
</select>
<!-- <select id="findByName" parameterType="String" resultType="User">
SELECT id,NAME,PASSWORD FROM user where name = #{value}
</select> -->
</mapper>
application.yml:
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://localhost:3306/vuetest?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&serverTimezone=GMT%2B8
username: root
password: admin12345
mybatis:
#搜索指定包别名
typeAliasesPackage: com.mrz
以上主要是SpringBoot部分,访问页面等操作,只有在Controller的登录逻辑有Shiro相关操作。
下面主要就是Shiro部分的配置等
创建包并创建ShiroConfig配置类:
package com.mrz.shiro;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
/**
* Shiro的配置类
* @author admin
*
*/
@Configuration
public class ShiroConfig {
/**
* 创建ShiroFilterFactoryBean
*/
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager")DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
//添加Shiro内置过滤器
/**
* Shiro内置过滤器,可以实现权限相关的拦截器
* 常用的过滤器:
* anon:无需认证(登录)可以访问
* authc:必须认证才可以访问
* user:如果使用rememberMe的功能可以直接访问
* perms:该资源必须得到资源权限才可以访问
* role:该资源必须得到角色权限才可以访问
*/
Map<String,String> filterMap = new LinkedHashMap<String, String>();
//这种写法只能针对某一个页面进行拦截
/*filterMap.put("/add", "authc");
filterMap.put("/update", "authc");*/
//放行testThymeleaf页面
filterMap.put("/testThymeleaf", "anon");
//放行登录页面
filterMap.put("/login", "anon");
//授权过滤器
//注意:当前授权拦截后,shiro会自动跳转到未授权的页面
filterMap.put("/add", "perms[user:add]");
filterMap.put("/update", "perms[user:update]");
//这种写法可以将根目录下的所有资源拦截
filterMap.put("/*", "authc");
//修改调整的登陆页面(跳转到登录页面)
shiroFilterFactoryBean.setLoginUrl("/toLogin");
//设置未授权提示页面
shiroFilterFactoryBean.setUnauthorizedUrl("/noAuth");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
return shiroFilterFactoryBean;
}
/**
* 创建DefaultWebSecurityManager
*/
@Bean(name="securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm")UserRealm userRealm) {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
//关联realm
securityManager.setRealm(userRealm);
return securityManager;
}
/**
* 创建Realm
*/
@Bean(name="userRealm")
public UserRealm getRealm() {
return new UserRealm();
}
/**
* 配置ShiroDialect,用于thymeleaf和shiro标签配合使用
* 实现Shiro对页面的权限控制
*/
@Bean
public ShiroDialect getShiroDialect() {
return new ShiroDialect();
}
}
创建UserRealm类,继承AuthorizingRealm:
package com.mrz.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import com.mrz.pojo.User;
import com.mrz.service.UserService;
/**
* 自定义Realm
* @author admin
*
*/
public class UserRealm extends AuthorizingRealm{
/**
* 执行授权逻辑
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// TODO Auto-generated method stub
System.out.println("执行授权逻辑");
//给资源进行授权
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//添加资源的授权字符串(这种是不连数据库的测试方法)
//info.addStringPermission("user:add");
//到数据库查询当前登录用户的授权字符串
//获取当前登录用户
Subject subject = SecurityUtils.getSubject();
User user = (User)subject.getPrincipal(); //传递认证完成的用户对象
User dbUser = userService.findById(user.getId()); //根据id获取到用户
info.addStringPermission(dbUser.getPerms()); //加上授权字符串,将权限授予用户
return info;
}
@Autowired
private UserService userService;
/**
* 执行认证逻辑
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// TODO Auto-generated method stub
System.out.println("执行认证逻辑");
//假设数据库的用户和密码(这种是不连数据库的测试方法)
/*String name = "eric";
String password = "123456";*/
//编写Shiro判断逻辑,判断用户名和密码
//1.判断用户名
UsernamePasswordToken uptoken = (UsernamePasswordToken)token; //这里会把Controller里面的token封装的账号密码带过来
User user = userService.findByName(uptoken.getUsername());
if(user==null) {
//用户名不存在
return null; //Shiro底层会抛出UnknownAccountException
}
//2.判断密码
//如果获取到了用户名,但是没获取到用户名对应的密码,则会抛出IncorrectCredentialsException异常
return new SimpleAuthenticationInfo(user,user.getPassword(),"");
}
}
页面部分:
test.html(这里可以在标签中添加shiro权限,达到shiro控制页面的效果):
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>测试Thymeleaf的使用</title>
</head>
<body>
<h3 th:text="${name}"></h3>
<hr/>
<div shiro:hasPermission="user:add">
进入用户添加功能:<a href="add">用户添加</a><br/>
</div>
<div shiro:hasPermission="user:update">
进入用户更新功能:<a href="update">用户更新</a><br/>
</div>
<a href="toLogin">登录</a>
</body>
</html>
login.html(登录页面,当用户未登录访问页面时跳转到登陆页面):
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登录页面</title>
</head>
<body>
<h3>登录</h3>
<h3 th:text="${msg}" style="color: red"></h3>
<form method="post" action="login">
用户名:<input type="text" name="name"/><br/>
密码:<input type="password" name="password"/><br/>
<input type="submit" value="登录"/>
</form>
</body>
</html>
noAuth.html(用户访问无权限的页面跳转的页面):
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>未经授权提示页面</title>
</head>
<body>
你好,你未经授权访问该页面
</body>
</html>
add.html(测试添加页面):
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>用户添加页面</title>
</head>
<body>
用户添加
</body>
</html>
update.html(测试更新页面):
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>用户更新页面</title>
</head>
<body>
用户更新
</body>
</html>
项目概览(报错是因为我的Java版本和SpringBoot版本不一致,不影响运行):
数据库: