1.SpringSecurity
1.1环境搭建
导入web和thymeleaf
<!--thymeledf-->
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<!--web-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
关闭模板引擎缓存
spring.thymeleaf.cache=false
编写controller
@Controller
public class RouterController {
@RequestMapping({"/","index"})
public String index(){
return "index";
}
@RequestMapping("toLogin")
public String toLogin(){
return "views/login";
}
@RequestMapping("/level/{id}")
public String lecel1(@PathVariable("id")int id){
return "views/level"+id;
}
@RequestMapping("/leve2/{id}")
public String lecel2(@PathVariable("id")int id){
return "views/leve2"+id;
}
@RequestMapping("/leve3/{id}")
public String lecel3(@PathVariable("id")int id){
return "views/leve3"+id;
}
}
这里同级目录多文件,使用传入id,一个请求多个页面
1.2用户认证和授权
导入依赖
<!--security-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
添加认证授权
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
//授权
protected void configure(HttpSecurity http) throws Exception {
//首页各种人可以访问,功能页只有对应权限的人才能访问
http.authorizeHttpRequests()
.antMatchers("/").permitAll()
.antMatchers("/level1/**").hasRole("vip1")
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
//没有权限默认登录,需要开启登录的页面
http.formLogin();
}
//认证
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("wushuang").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3")
.and()
.withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip3")
.and()
.withUser("aaa").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1");
//密码需要加密
}
}
使用@EnableWebSecurity托管给springboot,springSecurity的认证的密码需要编码
1.3注销及权限控制
前端添加请求
<!--注销-->
<a class="item" th:href="@{/logout}">
<i class="external alternate card icon"></i> 注销
</a>
在config开启注销
//注销 跳到首页
http.logout().logoutSuccessUrl("/");
调整权限展示页,导包
security和thymeledf整合包
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>
低版本注销失败的原因
http.csrf().disable();
按条件显示登录和注销
<!--登录注销-->
<div class="right menu">
<!--如果未登录-->
<div sec:authorize="!isAuthenticated()">
<a class="item" th:href="@{/toLogin}">
<i class="address card icon"></i> 登录
</a>
</div>
<!--如果登录 注销 和 用户名-->
<div sec:authorize="isAuthenticated()">
<a class="item">
用户名: <span sec:authentication="name"></span>
角色: <span sec:authentication="principal.authorities"></span>
</a>
</div>
<div sec:authorize="isAuthenticated()">
<a class="item" th:href="@{/logout}">
<i class="external alternate card icon"></i> 注销
</a>
</div>
</div>
通过角色控制显示页面
sec:authorizes="hasRole('角色名')
1.4记住我和首页定制
开启记住我功能
//开启记住我
http.rememberMe();
默认保存两周
定制登录页
先添加login的路径
http.formLogin().loginPage("/toLogin");
然后把登录提交的请求也是这个路径
<form th:action="@{/toLogin}" method="post">
或者路径分离
http.formLogin().loginPage("/toLogin").loginProcessingUrl("/login");
登录映射到loginProcessingUrl
<form th:action="@{/login}" method="post">
注意:
<input type="text" placeholder="Username" name="username">
<i class="user icon"></i>
</div>
</div>
<div class="field">
<label>Password</label>
<div class="ui left icon input">
<input type="password" name="password">
这里的用户名和密码都必须是username和password否则识别不出来,若不一致需要修改配置
http.formLogin().loginPage("/toLogin").usernameParameter().passwordParameter().loginProcessingUrl("/login");
添加remeber Me功能
<input type="checkbox" name="remeber">记住我
修改配置
http.rememberMe().rememberMeParameter("remeber");
2.Shiro
2.1环境搭建
常见方法
Subject currentUser = SecurityUtils.getSubject();
Session session = currentUser.getSession();
currentUser.isAuthenticated()
currentUser.getPrincipal()
currentUser.hasRole("schwartz")
currentUser.isPermitted("lightsaber:wield")
currentUser.logout();
Springboot集成shiro
导入依赖
<!--shiro整合spring的包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--thymeleaf模板-->
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
编写shiro的配置
UserRealm.java
public class UserRealm extends AuthorizingRealm {
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了=>授权doGetAuthorizationInfo");
return null;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了=>认证doGetAuthenticationInfo");
return null;
}
}
ShiroConfig.java
@Configuration
public class ShiroConfig {
//ShiroFilterFactoryBean
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager){
ShiroFilterFactoryBean bean=new ShiroFilterFactoryBean();
//设置安全管理器
bean.setSecurityManager(defaultWebSecurityManager);
return bean;
}
//DefaultWebSecurityManager
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
//关联UserRealm
securityManager.setRealm(userRealm);
return securityManager;
}
//创建realm对象,需要自定义类
@Bean(name="userRealm")
public UserRealm userRealm(){
return new UserRealm();
}
}
这里写是从下往上写,依次调用
编写controller
@Controller
public class MyController {
@RequestMapping({"/","/index"})
public String toIndex(Model model){
model.addAttribute("msg","hello shiro");
return "index";
}
@RequestMapping("/user/add")
public String add(){
return "user/add";
}
@RequestMapping("/user/update")
public String update(){
return "user/update";
}
}
首页
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>首页</h1>
<p th:text="${msg}"></p>
<a th:href="@{/user/add}">add</a> | <a th:href="@{/user/update}">update</a>
</body>
</html>
add.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>add</h1>
</body>
</html>
update
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>update</h1>
</body>
</html>
2.2shiro实现登录拦截
添加用户权限
/*
anno:无需认证就可以访问
authc:必须认证了才能访问
user:必须拥有记住我,才能用
perms:拥有对某个资源的权限才能访问
role:拥有某个角色权限才能访问
*/
//添加shiro内置过滤器
Map<String,String> filter=new LinkedHashMap<>();
filter.put("/user/*","authc");
bean.setFilterChainDefinitionMap(filter);
//设置登录的请求
bean.setLoginUrl("/toLogin");
controller添加功能
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
@RequestMapping("/login")
public String login(String username,String password,Model model){
//获取当前的用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登录数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
subject.login(token);//执行登录的方法,如果没有异常则ok
return "index";
} catch (UnknownAccountException e) {//用户名不存在
model.addAttribute("msg","用户名错误");
return "login";
}catch (IncorrectCredentialsException e){
model.addAttribute("msg","密码错误");
return "login";
}
}
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>登录</h1>
<hr>
<p>
<span style="color: red" th:text="${msg}"></span>
</p>
<form th:action="@{/login}" method="post">
<p>用户名: <input type="text" name="username"></p>
<p>密码: <input type="text" name="password"></p>
<p><input type="submit"> </p>
</form>
</body>
</html>
index.html添加功能
<a th:href="@{/user/add}">add</a> | <a th:href="@{/user/update}">update</a>
2.3添加授权认证
先使用伪数据
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了=>认证doGetAuthenticationInfo");
String name="root";
String password="123456";
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
if(!userToken.getUsername().equals(name)){
return null; //抛出异常 UnknownAccountException
}
//密码认证 shiro做
return new SimpleAuthenticationInfo("",password,"");
}
2.4shiro整合mybatis
导入依赖
<!--MySQL驱动-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!--log4j-->
<dependency>
<groupId>org.darkphoenixs</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<!--durid-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.12</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.2.2</version>
</dependency>
编写application.yml
spring:
datasource:
username: root
password: admin
#?serverTimezone=UTC解决时区的报错
url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
driver-class-name: com.mysql.cj.jdbc.Driver
type: com.alibaba.druid.pool.DruidDataSource
#Spring Boot 默认是不注入这些属性值的,需要自己绑定
#druid 数据源专有配置
initialSize: 5
minIdle: 5
maxActive: 20
maxWait: 60000
timeBetweenEvictionRunsMillis: 60000
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
poolPreparedStatements: true
#配置监控统计拦截的filters,stat:监控统计、log4j:日志记录、wall:防御sql注入
#如果允许时报错 java.lang.ClassNotFoundException: org.apache.log4j.Priority
#则导入 log4j 依赖即可,Maven 地址:https://mvnrepository.com/artifact/log4j/log4j
filters: stat,wall,log4j
maxPoolPreparedStatementPerConnectionSize: 20
useGlobalDataSourceStat: true
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
配置mybatis
mybatis:
type-aliases-package: com.liu.pojo
mapper-locations: classpath:mapper/*.xml
编写实体类,导入lombok
<!--lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.10</version>
</dependency>
@Data
@AllArgsConstructor
@NoArgsConstructor
public class User {
private int id;
private String name;
private String pwd;
}
创建mapper接口
@Repository
@Mapper
public interface UserMapper {
public User queryUserByName(String name);
}
mapper.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!--namespace=绑定一个对应的Dao/Mapper接口-->
<mapper namespace="com.liu.mapper.UserMapper">
<select id="queryUserByName" resultType="User" parameterType="String">
select * from mybatis.user where name=#{name}
</select>
</mapper>
Userservice
package com.liu.service;
import com.liu.pojo.User;
import org.springframework.stereotype.Service;
public interface UserService {
public User queryUserByName(String name);
}
UserserviceImpl
@Service
public class UserServiceImpl implements UserService{
@Autowired
private UserMapper userMapper;
@Override
public User queryUserByName(String name) {
return userMapper.queryUserByName(name);
}
}
认证数据库数据
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了=>认证doGetAuthenticationInfo");
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
//从数据库内拿
User user = userService.queryUserByName(userToken.getUsername());
if(user==null){
return null;
}
//密码认证 shiro做
return new SimpleAuthenticationInfo("",userToken.getPassword(),"");
}
2.5请求授权
添加授权过滤
//授权,正常情况下,没授权会跳到未授权页面
filter.put("/user/add","perms[user:add]");
filter.put("/user/update","perms[user:update]");
未授权强求
@RequestMapping("/noauth")
@ResponseBody
public String unauthorized(){
return "未经授权无法访问此页面";
}
设置未授权强求
//为授权页面
bean.setUnauthorizedUrl("/noauth");
给用户授权
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了=>授权doGetAuthorizationInfo");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermission("user:add");
return info;
}
这里是经过授权就添加进去权限
给数据库设置权限
pojo添加字段
private String perms;
把用户信息通过认证传递给授权 return new SimpleAuthenticationInfo(user,userToken.getPassword(),“”);
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了=>认证doGetAuthenticationInfo");
UsernamePasswordToken userToken = (UsernamePasswordToken) token;
//从数据库内拿
User user = userService.queryUserByName(userToken.getUsername());
if(user==null){
return null;
}
//密码认证 shiro做
//密码可以加密,MD5加密 MD5盐值加密
return new SimpleAuthenticationInfo(user,userToken.getPassword(),"");
}
授权获取权限字段
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了=>授权doGetAuthorizationInfo");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//info.addStringPermission("user:add");
//拿到当前登录的对象
Subject subject = SecurityUtils.getSubject();
User currentUser = (User) subject.getPrincipal();//拿到User
//设置当前用户权限
System.out.println("currentUser.getPerms()==>"+currentUser.getPerms());
info.addStringPermission(currentUser.getPerms());
return info;
}
2.6shiro整合Thymeleaf
导入依赖
<!--shiro-thymeleaf整合-->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.1.0</version>
</dependency>
整合ShiroDialect方法
@Bean
//整合ShiroDialect:用来整合 shiro thymeleaf
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}
前端添加权限验证显示
<div shiro:hasPermission="user:add">
<a th:href="@{/user/add}">add</a>
</div>
<div shiro:hasPermission="user:update">
<a th:href="@{/user/update}">update</a>
</div>
判断登录按钮显示
<div th:if="${session.loginUser==null}">
<a th:href="@{/toLogin}">登录</a>
</div>
认证成功后添加session
Subject currentSubject=SecurityUtils.getSubject();
Session session = currentSubject.getSession();
session.setAttribute("loginUser",user);
项目结构