文章目录
一、Shiro入门
1、简介
ApacheShiro是一个功能强大且易于使用的Java安全框架,提供了认证,授权,加密,和会话管理。
Shiro有三大核心组件:
1)、Subject
即当前用户,在权限管理的应用程序里往往需要知道谁能够操作什么,谁拥有操作该程序的权利,shiro中则需要通过Subject来提供基础的当前用户信息,Subject 不仅仅代表某个用户,与当前应用交互的任何用户都是Subject,如网络爬虫等。所有的Subject都要绑定到SecurityManager上,与Subject的交互实际上是被转换为与SecurityManager的交互。
2)、SecurityManager
即所有Subject的管理者 ,这是Shiro框架的核心组件,可以把他看做是一个Shiro框架的全局管理组件,用于调度各种Shiro框架的服务。作用类似于SpringMVC中的DispatcherServlet, 用于拦截所有请求并进行处理。
3)、Realm
Realm是用户的信息认证器和用户的权限认证器,我们需要自己来实现Realm来自定义的管理我们自己系统内部的权限规则。
SecurityManager要验证用户,需要从Realm中获取用户。可以把Realm看做是数据源。
2、静态权限测试
1)、创建maven工程
2)、引入依赖包
<!--shiro核心包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<!--日志包-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.6.1</version>
</dependency>
3)、log4j日志配置文件
log4j.rootLogger=INFO,stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n
4)、编写shiro的ini配置文件
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu.html
配置文件中包含两个部分,用户[users]和角色[roles]
用户配置的格式是:
用户名=密码,角色1,角色…角色n
角色配置的格式是:
角色名=权限1,权限2… .权限n
5)、测试代码
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加载配置文件,创建SecurityManager工厂对象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
//2、解析配置文件,并返回一些securityManager实例
SecurityManager securityManager = factory.getInstance();
//3、将securityManager绑定给SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关
Subject subject = SecurityUtils.getSubject();
System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录)
//创建token对象
UsernamePasswordToken token = new UsernamePasswordToken("user1", "666666");
try {
//进行登录验证
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密码不正确!");;
}catch (UnknownAccountException e){
System.out.println("账号不正确!");
}
System.out.println("登录");
System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin"));
System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html"));
subject.logout();//退出登录,登录状态都由SecurityManager管
System.out.println("当前用户是否登录:"+subject.isAuthenticated());
}
}
运行结果:
二、Shiro+MySQL动态权限验证
1、数据库设计
在实际开发中,用户名密码、角色、权限需要存在数据库中动态管理。
一个简单的Shiro+MySQL的项目需要三张表:
用户表shiro_user:
建表sql:
CREATE TABLE shiro_user (
id int PRIMARY KEY AUTO_INCREMENT,
user_name varchar(50) NOT NULL,
password varchar(50)
);
插入数据:
insert into shiro_user(user_name,password) values("admin","123456");
insert into shiro_user(user_name,password) values("test","666666");
insert into shiro_user(user_name,password) values("user1","666666");
insert into shiro_user(user_name,password) values("user2","666666");
用户角色表shiro_user_role:
建表sql
CREATE TABLE shiro_user_role (
user_name varchar(50) NOT NULL,
role_name varchar(50) NOT NULL
);
插入数据:
insert into shiro_user_role(user_name,role_name) values("admin","admin");
insert into shiro_user_role(user_name,role_name) values("test","test");
insert into shiro_user_role(user_name,role_name) values("user1","role1");
insert into shiro_user_role(user_name,role_name) values("user2","role2");
角色权限表shiro_role_permission:
建表sql
CREATE TABLE shiro_role_permission (
role_name varchar(50) NOT NULL,
perm_name varchar(50) NOT NULL
);
插入数据:
insert into shiro_role_permission(role_name,perm_name) values("admin","*");
insert into shiro_role_permission(role_name,perm_name) values("test","inde.html");
insert into shiro_role_permission(role_name,perm_name) values("role1","user.html");
2、项目工程搭建
在上面的工程进行增加修改
增加数据库依赖包
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.24</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.3.11.RELEASE</version>
</dependency>
配置文件在使用jdbc数据源的时候,不需要指定user和roles,而是在配置文件中指定数据库连接信息和要执行的sql语句。
在resources文件夹下创建配置文件shiro-mysql.ini:
[main]
dataSource=org.springframework.jdbc.datasource.DriverManagerDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://127.0.0.1:3306/数据库名
dataSource.username=用户名
#如果数据库没有密码,就不要写这行
dataSource.password=你的密码
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
#是否检查权限
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource=$dataSource
#重写sql语句
#根据用户名查询出密码
jdbcRealm.authenticationQuery = select PASSWORD from SHIRO_USER where USER_NAME = ?
#根据用户名查询出角色
jdbcRealm.userRolesQuery = select ROLE_NAME from SHIRO_USER_ROLE where USER_NAME = ?
#根据角色名查询出权限
jdbcRealm.permissionsQuery = select PERM_NAME from SHIRO_ROLE_PERMISSION WHERE ROLE_NAME = ?
securityManager.realms=$jdbcRealm
注意:
sq|语句,每次只查询一个shiro要求查询的字段,如果写select *就会报错了。
ini配置文件要求必须是key=value的形式,如果没有设置数据库的密码,就不要写对应的配置。只写"dataSource.password="等号右面没有值会报错。
测试代码除了读取文件其他和上面一样:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加载配置文件,创建SecurityManager工厂对象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini");
//2、解析配置文件,并返回一些securityManager实例
SecurityManager securityManager = factory.getInstance();
//3、将securityManager绑定给SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关
Subject subject = SecurityUtils.getSubject();
System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录)
//创建token对象
UsernamePasswordToken token = new UsernamePasswordToken("test", "666666");
try {
//进行登录验证
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密码不正确!");;
}catch (UnknownAccountException e){
System.out.println("账号不正确!");
}
System.out.println("登录");
System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin"));
System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html"));
subject.logout();//退出登录,登录状态都由SecurityManager管
System.out.println("当前用户是否登录:"+subject.isAuthenticated());
}
}
测试结果:
三、自定义Realm
创建自定义Realm类MyRealm继承AuthorizingRealm重写方法
package com.booy.shiro;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class MyRealm extends AuthorizingRealm {
//授权,authorizationInfo聚合授权信息,PrincipalCollection是身份信息集合
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println(principalCollection.getPrimaryPrincipal());
//根据主键查询用户权限,获取相应的角色和权限
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
//赋予角色
authorizationInfo.addRole("admin");
//赋予权限
authorizationInfo.addStringPermission("index.html");
return authorizationInfo;
}
//AuthenticationInfo有值表示登录成功
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
System.out.println(token.getUsername());
if("admin".equals(token.getUsername())){
//唯一标志,真实密码,数据源名,shiro会根据返回的SimpleAuthenticationInfo对象进行比较
return new SimpleAuthenticationInfo("admin","123456",getName());
}else{
throw new UnknownAccountException();//用户名不存在
}
}
//返回Realm名,在shiro可以有多个Realm
@Override
public String getName() {
return "MyRealm";
}
//token类型判断
@Override
public boolean supports(AuthenticationToken authenticationToken) {
return authenticationToken instanceof UsernamePasswordToken;
}
}
ini配置文件
MyRealm=com.booy.shiro.MyRealm
securityManager.realms=$MyRealm
测试代码和上面相同
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加载配置文件,创建SecurityManager工厂对象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini");
//2、解析配置文件,并返回一些securityManager实例
SecurityManager securityManager = factory.getInstance();
//3、将securityManager绑定给SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关
Subject subject = SecurityUtils.getSubject();
System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录)
//创建token对象
UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
try {
//进行登录验证
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密码不正确!");;
}catch (UnknownAccountException e){
System.out.println("账号不正确!");
}
System.out.println("登录");
System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin"));
System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html"));
//subject.logout();//退出登录,登录状态都由SecurityManager管
System.out.println("当前用户是否登录:"+subject.isAuthenticated());
}
}
运行结果:
四、Web中使用Shiro
1、Servlet使用Shiro
引入jar包
<!--shiro核心包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<!--shiroweb类库-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
<!--servlet-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
</dependency>
<!--日志包-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.6.1</version>
</dependency>
web.xml中配置shiro
<context-param>
<param-name>shiroEnvironmentClass</param-name>
<param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value>
</context-param>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:shiro.ini</param-value>
</context-param>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
使用ini当数据源
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu.html
[urls]
;固定过滤器,anon不进行任何验证,authc登录后才能访问
/login.html=anon
/index.html=authc
/role.html=authc,roles[admin]
/menu/**=authc,roles[admin],perms[menu:*]
创建servlet
登录页:
@WebServlet(urlPatterns = "/login.html")
public class LoginServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("password");
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
} catch (AuthenticationException e) {
System.out.println("登录失败!");
request.setAttribute("error","登录失败!");
//服务器端跳转转发,服务器内部才能访问到WEB-INF下的资源
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request,response);
return;
}
response.sendRedirect("/index.html");
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request,response);
}
首页:
@WebServlet(urlPatterns = "/index.html")
public class IndexServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request,response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request,response);
}
菜单页和角色页也和首页一样直接返回一个页面
WEB-INF下创建四个jsp页面
登录页login.jsp:
<body>
<h1>登录页</h1>
<form action="/login.html" method="post">
用户名:<input type="text" name="username"><br>
密码:<input type="password" name="password"><br>
<input type="submit" value="登录">
</form>
</body>
首页index.jsp:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>这是主页</title>
</head>
<body>
<h1>这是主页</h1>
<shiro:hasRole name="admin">
<a href="/role.html">角色管理</a><br>
</shiro:hasRole>
<a href="/menu/user.html">菜单管理</a>
</body>
</html>
菜单页和角色页任意内容
2、SpringMVC使用Shiro
1)、创建maven工程
2)、引入jar包
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.22.RELEASE</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
ini配置文件
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu:*
springMVC-servlet.xml配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd">
<!--shiro配置-->
<bean id="iniRealm" class="org.apache.shiro.realm.text.IniRealm">
<constructor-arg name="resourcePath" value="classpath:shiro.ini"/>
</bean>
<bean id="securityManger" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="iniRealm" />
</bean>
<!-- 启动注解,注册服务-->
<mvc:annotation-driven/>
<!-- 启动自动扫描 -->
<!-- 制定扫包规则 ,扫描controller包下面的类-->
<context:component-scan base-package="controller">
<!-- 扫描使用@Controller注解的JAVA 类 -->
<context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
</context:component-scan>
<!--视图解析器-->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManger"/>
<!--去登录的地址-->
<property name="loginUrl" value="gologin.html"/>
<!--登录成功的跳转地址-->
<property name="successUrl" value="/index.html"/>
<!--验证失败的跳转地址-->
<property name="unauthorizedUrl" value="/error.html"/>
<!--定义过滤的规则,直接在写在ini文件中只能是静态的-->
<property name="filterChainDefinitions">
<value>
/login.html=anon
/index.html=authc
/role.html=authc,roles[admin]
/menu/**=authc,roles[admin],perms[menu:*]
</value>
</property>
</bean>
</beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!--将欢迎页设置成 index.html-->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!--配置 DispatcherServlet -->
<servlet>
<servlet-name>springMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>springMVC</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<!--解决乱码-->
<filter>
<filter-name>EncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<!--配置shiro的核心拦截器-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
</web-app>
controller代码
package controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
@Controller
public class LoginController {
@RequestMapping("/gologin.html")
public String gologin(){
return "login";
}
@RequestMapping("/index.html")
public String index(){
return "index";
}
@RequestMapping("/role.html")
public String role(){
return "role";
}
@RequestMapping("/menu/user.html")
public String user(){
return "user";
}
@RequestMapping("/login.html")
public String login(String username, String password, HttpServletRequest request) {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
request.setAttribute("error","登录失败!");
return "login";
}
return "redirect:/index.html";
}
}
jsp页面
登录页
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>登录页</title>
</head>
<body>
<h1>登录页</h1>
<form action="/login.html" method="post">
用户名:<input type="text" name="username"><br>
密码:<input type="password" name="password"><br>
<input type="submit" value="登录">
</form>
</body>
</html>
主页:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>这是主页</title>
</head>
<body>
<h1>这是主页</h1>
<shiro:hasRole name="admin">
<a href="/role.html">角色管理</a><br>
</shiro:hasRole>
<a href="/menu/user.html">菜单管理</a>
</body>
</html>
菜单和角色任意内容
再配置tomcat运行测试
1、没有登录的情况下访问index.html跳转到login.html登录页
2、登录后只能访问权限内的页面
3、admin可以看到全部菜单,非admin看不到角色管理菜单
五、拦截器
参考地址:https://www.w3cschool.cn/shiro/oibf1ifh.html
1、改写拦截器
/menu/**=authc,roles[admin,role2],perms[menu:*]
以上roles[admin]和perms[menu:*]默认需要同时满足才能访问,如果需要只满足任意条件可访问,需要自定义拦截器继承AuthorizationFilter重写isAccessAllowed方法
任意角色或任意权限只要满足条件可访问,角色和权限需要单独自定义重写拦截器规则,若某一角色满足条件,将当前状态记录进session里,在权限拦截器若果获取到session值则直接放行,若没有再进行权限验证,实际项目中一般只判断角色即可。
角色拦截器:
public class MyRoleFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] roles = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
for(String role:roles){
if(subject.hasRole(role)){
session.setAttribute("Allowed",true);
return true;
}
}
return false;
}
}
权限拦截器:
public class MyPermFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] perms = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
if(session.getAttribute("Allowed")!=null){
return true;
}
for(String perm:perms){
if(subject.isPermitted(perm)){
return true;
}
}
System.out.println(Arrays.toString(perms));
return false;
}
}
springMVC-servlet.xml生效filter配置
<!--自定义filter生效-->
<property name="filters">
<map>
<entry key="roles">
<bean class="filter.MyRoleFilter"/>
</entry>
<entry key="perms">
<bean class="filter.MyPermFilter"/>
</entry>
</map>
</property>
2、注解细粒度拦截
如需要拦截某个页面的按钮功能等
1)、@RequiresPermissions注解拦截,表示是否能点此按钮
@RequiresPermissions("menu:edit")
@RequestMapping("/menu/list.html")
public String list(){
return "user";
}
修改menu的角色权限menu:*改为其他权限,如:
menu:add
2)、在springMVC-servlet中加入配置文件开启shiro注解
<!--启用注解权限验证-->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManger"/>
</bean>
<!--注解权限验证要写在mvc自容器中-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"></bean>
再登录点击会出现如下异常
页面信息很不友好,可以自己定义页面
自定义AuthExceptionHandler
@ControllerAdvice
public class AuthExceptionHandler {
//异常增强,Controller有异常才增强,不是所有异常都会增强
@ExceptionHandler({UnauthorizedException.class})//验证不通过时,异常增强
@ResponseStatus(HttpStatus.UNAUTHORIZED)
public ModelAndView processUnauthenticatedException(NativeWebRequest request, UnauthorizedException e){
ModelAndView mv = new ModelAndView();
//拿到异常并返回异常页面
mv.addObject("exception",e.getMessage());
mv.setViewName("error");
return mv;
}
}
添加error.jsp页面
<body>
${exception}
</body>
设置filter包ControllerAdvice注解被扫描到
<context:component-scan base-package="controller,filter">
<!-- 扫描使用@Controller注解的JAVA 类 -->
<context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
<context:include-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/>
</context:component-scan>
再登录访问就是自定义的信息
六、动态验证规则
将静态规则动态化
重写ShiroFilterFactoryBean中的setFilterChainDefinitions方法
package filter;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
@Override
public void setFilterChainDefinitions(String definitions) {
Ini ini = new Ini();
ini.load(definitions);
//设置针对url的过滤器
Ini.Section section = ini.getSection("urls");
if(CollectionUtils.isEmpty(section)){
section = ini.getSection("");
}
///如设置:menu/**=authc,roles[admin],每个url对应的权限可以从数据库中查出来
section.put("/menu/**","roles[admin]");
this.setFilterChainDefinitionMap(section);
}
}
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
修改为:
<bean id="shiroFilter" class="filter.MyShiroFilterFactoryBean">
注意:在controller中验证失败,走的是切面,在filter里验证失败走的是直接是url
七、缓存
如securityManager实现了SessionsSecurityManager,其会自动判断SessionManager是否实现了CacheManagerAware接口,如果实现了会把CacheManager设置给它。然后sessionManager会判断相应的sessionDAO(如继承自CachingSessionDAO)是否实现了CacheManagerAware,如果实现了会把CacheManager设置给它;带缓存的SessionDAO会先查缓存,如果找不到才查数据库。
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"/>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="MyShiroRealm"/>
<property name="cacheManager" ref="cacheManager"/>
</bean>
八、Shiro改造springboot权限管理项目
改造案例为前面的后台管理系统权限管理
原项目结构:
注释掉Interceptor两个类
引入依赖包
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
1、Shiro实现项目登录改造
1)、自定义Realm
创建MyRealm继承AuthorizingRealm
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.UserDAO;
import com.booy.ssm.exam.pojo.User;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component//把类交给Spring管理,可被扫描
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserDAO userDAO;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken;
User user = userDAO.getUserByAccount(token.getUsername());
//用户不存在
if(user==null){
return null;
}
return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName());
}
}
2)、登录功能改造
注释掉service登录功能
// User dologin(String account,String password);
SystemController代码改造
登录功能改造前
@RequestMapping("dologin.html")
public String dologin(String account, String password, Model model, HttpSession session){
User user = userService.dologin(account, password);
if(user==null){
model.addAttribute("message","用户名或密码错误!");
return "login";
}
session.setAttribute(ExamConstants.SESSION_USER,user);
return "redirect:index.html";
}
登录功能改造后
//用户登录
@RequestMapping("dologin.html")
public String dologin(String account, String password, Model model, HttpSession session){
Subject subject = SecurityUtils.getSubject();
User user = userDAO.getUserByAccount(account);
UsernamePasswordToken token = new UsernamePasswordToken(account, MD5Utils.getLoginMD5(user.getSalt(), password));
try {
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
model.addAttribute("message","用户名或密码错误!");
return "login";
}
return "redirect:index.html";
}
和session相关的改造
登录退出改造
//用户注销
@RequestMapping("logout.html")
public String logout(HttpSession session){
//session.invalidate();
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "login";
}
菜单树改造
User user =(User) session.getAttribute(ExamConstants.SESSION_USER);
List<Menu> menuList = menuService.getUserMenuList(user.getId());
修改为
// User user =(User) session.getAttribute(ExamConstants.SESSION_USER);
Subject subject = SecurityUtils.getSubject();
List<Menu> menuList = menuService.getUserMenuList((int)subject.getPrincipal());
3)、创建配置类
package com.booy.ssm.exam;
import com.booy.ssm.exam.shiro.MyRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration//定义配置类
public class ShiroConfig {
//配置securityManager
@Bean
public DefaultWebSecurityManager securityManager(MyRealm realm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm);
return securityManager;
}
//设置shiroFilter
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/login.html");//登录页
shiroFilterFactoryBean.setSuccessUrl("/index.html");//登录成功
shiroFilterFactoryBean.setUnauthorizedUrl("/error.html");//验证失败
return shiroFilterFactoryBean;
}
}
运行程序,打开http://localhost:8080/login.html测试登录成功
2、改造角色权限功能
1)、增加查询方法
根据菜单id查询角色的sql方法
//根据菜单查角色
List<String> getRoleIdsByMenuId(Integer menuId);
2)、重写ShiroFilterFactoryBean
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.MenuDAO;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.pojo.Menu;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
import org.springframework.util.StringUtils;
import java.util.List;
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
private PremissionDAO premissionDAO;
private MenuDAO menuDAO;
@Override
public void setFilterChainDefinitions(String definitions) {
Ini ini = new Ini();
ini.load(definitions);
//设置针对url的过滤器
Ini.Section section = ini.getSection("urls");
if(CollectionUtils.isEmpty(section)){
section = ini.getSection("");
}
//数据库查询动态的角色权限
//获取所有菜单
List<Menu> menus = menuDAO.getAllMenu();
for (Menu menu:menus){
//有url的目录进行角色绑定
if(!StringUtils.isEmpty(menu.getUrl())){
List<String> roleIds = premissionDAO.getRoleIdsByMenuId(menu.getId());
if(roleIds!=null&&roleIds.size()>0){
section.put(menu.getUrl(),"roles"+roleIds);
}
}
}
// section.put("/menu/**","roles[admin]");
this.setFilterChainDefinitionMap(section);
}
//set方法注入PremissionDAO和MenuDAO
public void setPremissionDAO(PremissionDAO premissionDAO) {
this.premissionDAO = premissionDAO;
}
public void setMenuDAO(MenuDAO menuDAO) {
this.menuDAO = menuDAO;
}
}
3)、配置类
package com.booy.ssm.exam;
import com.booy.ssm.exam.dao.MenuDAO;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.shiro.MyFilter;
import com.booy.ssm.exam.shiro.MyRealm;
import com.booy.ssm.exam.shiro.MyShiroFilterFactoryBean;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
@Configuration//定义配置类
public class ShiroConfig {
//配置securityManager
@Bean
public DefaultWebSecurityManager securityManager(MyRealm realm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm);
securityManager.setCacheManager(cacheManager());//开启缓存
return securityManager;
}
//设置shiroFilter
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager, PremissionDAO premissionDAO, MenuDAO menuDAO){
MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/login.html");//登录页
shiroFilterFactoryBean.setSuccessUrl("/index.html");//登录成功
shiroFilterFactoryBean.setUnauthorizedUrl("/error.html");//验证失败
shiroFilterFactoryBean.setPremissionDAO(premissionDAO);
shiroFilterFactoryBean.setMenuDAO(menuDAO);
HashMap<String, Filter> map = new HashMap<>();
map.put("roles",new MyFilter());
shiroFilterFactoryBean.setFilters(map);
//配置静态权限路径
shiroFilterFactoryBean.setFilterChainDefinitions(
"/login.html=anon\n" +
"/dologin.html=anon\n" +
"/error.html=anon\n");
return shiroFilterFactoryBean;
}
//配置缓存
@Bean
public MemoryConstrainedCacheManager cacheManager(){
return new MemoryConstrainedCacheManager();
}
//让权限注解生效
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager){
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
4)、完善MyRealm
doGetAuthorizationInfo方法
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.dao.UserDAO;
import com.booy.ssm.exam.pojo.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.List;
@Component//把类交给Spring管理,可被扫描
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserDAO userDAO;
@Autowired
private PremissionDAO permissionDAO;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Subject subject = SecurityUtils.getSubject();
List<Integer> roleIds = permissionDAO.getRoleByUserId((int) subject.getPrincipal());
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
if(roleIds!=null){
for(Integer roleId:roleIds){
simpleAuthorizationInfo.addRole(roleId.toString());
}
}
return simpleAuthorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken;
User user = userDAO.getUserByAccount(token.getUsername());
//用户不存在
if(user==null){
return null;
}
return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName());
}
}
5)、自定义MyFilter
继承AuthorizationFilter,实现拥有任意角色可访问相应的权限
package com.booy.ssm.exam.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
public class MyFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] roles = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
for(String role:roles){
if(subject.hasRole(role)){
return true;
}
}
return false;
}
}