1.创建SpringBoot工程,导入依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
</dependency>
2.配置application.properties
# 数据库配置
# 默认使用mysql的驱动是8.x的版本,注意driver-class-name,url中增加时区的配置
#spring.datasource.url=jdbc:mysql://localhost:3306/java?serverTimezone=Asia/Shanghai
#spring.datasource.username=root
#spring.datasource.password=root
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.type=com.alibaba.druid.pool.DruidDataSource
spring.datasource.url=jdbc:mysql://localhost:3306/java?serverTimezone=Asia/Shanghai&useUnicode=true&characterEncoding=utf-8&useSSL=false
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
# mybatis配置
# 配置别名需要扫描的包
#mybatis.type-aliases-package=com.lxn.entity
# 引入映射文件
#mybatis.mapper-locations=classpath:mapper/*.xml
spring.thymeleaf.cache=false
spring.thymeleaf.encoding=utf-8
spring.thymeleaf.prefix=classpath:/templates/
spring.thymeleaf.suffix=.html
spring.thymeleaf.mode=HTML5
spring.thymeleaf.servlet.content-type=text/html
3.编写ShiroRealm
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class ShiroRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
return null;
}
}
4.编写ShiroConfig
import com.lxn.realm.ShiroRealm;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
//配置shiro过滤器
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
//创建Shiro工厂对象
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
//如果没有认证将会请求此地址进行认证,请求此地址将由formAuthenticationFilter进行表单认证,跳转到指定资源(比如登陆页面)
shiroFilterFactoryBean.setLoginUrl("/toLogin");
//没有权限操作时跳转的资源路径
shiroFilterFactoryBean.setUnauthorizedUrl("/refuse");
//认证成功统一跳转到/index
//shiroFilterFactoryBean.setSuccessUrl("/index");
//创建LinkedHashMap对象,需要保证添加顺序(很关键)
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
// authc:必须认证通过才可以访问;
// anon: 匿名访问
//过滤链定义,从上向下顺序执行,一般将/**放在最下边
//一般静态资源可以设置匿名访问(不拦截)
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/css/**", "anon");
//设置登录URL不拦截
filterChainDefinitionMap.put("/login", "anon");
// 退出时,指定logout过滤器
//filterChainDefinitionMap.put("/logout", "logout");
//必须放在所有权限设置的最后,所有url都必须认证通过才可以访问
filterChainDefinitionMap.put("/**", "authc");
//指定url都必须认证通过才可以访问
//filterChainDefinitionMap.put("/list", "authc");
//所有url都不需要认证通过就可以访问(匿名访问)
//filterChainDefinitionMap.put("/**", "anon");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
// 安全管理对象
@Bean
public SecurityManager createSecurityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(createShiroRealm());
return securityManager;
}
// 自定义realm对象
public ShiroRealm createShiroRealm() {
ShiroRealm shiroRealm = new ShiroRealm();
return shiroRealm;
}
}
过滤器简称 | 对应的java类 |
---|---|
anon | org.apache.shiro.web.filter.authc.AnonymousFilter |
authc | org.apache.shiro.web.filter.authc.FormAuthenticationFilter |
authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter |
perms | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter |
port | org.apache.shiro.web.filter.authz.PortFilter |
rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter |
roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter |
ssl | org.apache.shiro.web.filter.authz.SslFilter |
user | org.apache.shiro.web.filter.authc.UserFilter |
logout | org.apache.shiro.web.filter.authc.LogoutFilter |
anon:admins/=anon 没有参数,表示可以匿名使用。
authc:/admins/user/=authc表示需要认证(登录)才能使用,FormAuthenticationFilter是表单认证,没有参数
roles:/admins/user/=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/=roles[“admin,guest”],每个参数通过才算通过,相当于hasAllRoles()方法。
perms:/admins/user/=perms[user:add:*],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/=perms[“user:add:,user:modify:”],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。
rest:/admins/user/=rest[user],根据请求的方法,相当于/admins/user/=perms[user:method] ,其中method为post,get,delete等。
port:/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。
authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证
ssl:/admins/user/**=ssl没有参数,表示安全的url请求,协议为https
user:/admins/user/**=user没有参数表示必须存在用户, 身份认证通过或通过记住我认证通过的可以访问,当登入操作时不做检查
anon,authcBasic,auchc,user是认证过滤器
perms,roles,ssl,rest,port是授权过滤器
5.UserController
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class UserController {
@RequestMapping("/list")
public String list(){
return "list";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
@RequestMapping("/login")
public String login(){
return "login";
}
@RequestMapping("/refuse")
public String refuse(){
return "refuse";
}
@RequestMapping("/index")
public String index(){
return "index";
}
}
6.编写对应的login.html页面(以及list,refuse,index页面)
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>登录页面</h1>
<form action="login" method="post">
用户名:<input type="text" name="username" /><br /><br />
密码:<input type="password" name="password" /><br /><br />
<input type="submit" value="登录" /><br />
</form>
<font color="red" th:text="${msg}"></font>
</body>
</html>
6.实现用户认证
1.修改UserController中的login方法
@RequestMapping("/login")
public String login(String username, String password, Model model) {
//存储输入的用户名密码
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
//主体对象
Subject subject = SecurityUtils.getSubject();
try {
//登陆判断
subject.login(token);
//认证成功跳转到主页
return "index";
} catch (UnknownAccountException e) {
model.addAttribute("msg", "账号不存在");
return "login";
} catch (IncorrectCredentialsException e) {
model.addAttribute("msg", "密码错误");
return "login";
}
}
2.修改ShiroRealm中的AuthenticationInfo方法
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//用户名
String principal = (String)authenticationToken.getPrincipal();
System.out.println(principal);
//密码
Object credentials = authenticationToken.getCredentials();
String password = new String((char[]) credentials);
System.out.println(password);
if("jack".equals(principal) && "123".equals(password)){
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(principal,password,"");
return simpleAuthenticationInfo;
}
return null;
}
7.实现用户授权
1.在ShiroConfig中的shiroFilter方法中添加被授权的信息
//配置授权过滤器,设置未授权访问URL
filterChainDefinitionMap.put("/list","perms[user:list]");
配置之后重启项目,该资源路径则无法访问,此时需要配置授权信息
2.修改ShiroRealm中的doGetAuthorizationInfo方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addStringPermission("user:list");
return simpleAuthorizationInfo;
}
8.Shiro整合thymleaf标签
1.导入依赖
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
2.在ShiroConfig中添加该方法
@Bean
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}
3.修改index.html页面中测试
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org" xmlns:shiro="http://www.w3.org/1999/xhtml">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>主页</h1>
<a href="用户查询" shiro:hasPermission="user:list">用户查询</a>
<a href="用户修改" shiro:hasPermission="user:update">用户修改</a>
<a href="用户删除" >用户删除</a>
</body>
</html>
再次进行测试即可!
实现用户退出
1.在相关html页面中添加超链接
<a href="logout">退出</a>
2.在ShiroConfig中的shiroFilter方法中添加退出配置
//配置退出
map.put("/logout",“logout”);
3.在UserController中添加logout方法
@RequestMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "toLogin";
}
rememberMe
1.在login.html页面中添加记住我
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>登录</h1>
<form action="login" method="post">
用户名:<input type="text" name="username"> <br><br>
密码:<input type="password" name="password"> <br><br>
<input type="checkbox" name="rememberMe">记住我 <br><br>
<input type="submit" value="登录">
</form>
<font color="#ff3044" th:text="${msg}"></font>
</body>
</html>
2.在UserController中的login方法配置rememberMe参数
@RequestMapping("/login")
public String login(String username, String password, Model model,boolean rememberMe){
System.out.println("rememberMe类型:"+rememberMe);
//获取令牌
UsernamePasswordToken token = new UsernamePasswordToken(username,password,rememberMe);
//获取主体
Subject subject = SecurityUtils.getSubject();
try{
//判断认证是否通过
subject.login(token);
//跳转页面
return "list";
}catch (Exception e){
//保存提示信息
model.addAttribute("msg","用户名或密码错误");
//跳转页面
return "login";
}
}
3.在ShiroConfig类中编写相关代码
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import com.lxn.realm.ShiroRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
@Configuration
public class ShiroConfig {
@Bean
public CookieRememberMeManager getCookieRememberMeManager(){
//创建Cookie
SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
simpleCookie.setMaxAge(3600*24*365);
//创建管理Cookie对象
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCookie(simpleCookie);
return cookieRememberMeManager;
}
@Bean
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}
//配置realm
@Bean
public ShiroRealm createShiroRealm() {
ShiroRealm shiroRealm = new ShiroRealm();
return shiroRealm;
}
//配置realm
@Bean
public SecurityManager createSecurityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(createShiroRealm());
securityManager.setRememberMeManager(getCookieRememberMeManager());
return securityManager;
}
//配置shiro过滤器
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean (SecurityManager
securityManager) {
//配置shiroFilter工厂对象
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
//未认证跳转URL
shiroFilterFactoryBean.setLoginUrl("/toLogin");
//认证成功之后跳转URL(一般不设置)
//shiroFilterFactoryBean.setSuccessUrl("/index");
//未授权跳转URL
shiroFilterFactoryBean.setUnauthorizedUrl("/refuse");
//创建有序的Map集合
LinkedHashMap<String, String> map = new LinkedHashMap<>();
//配置过滤资源
//放行资源,不拦截
map.put("/js/**","anon");
map.put("/css/**","anon");
map.put("/login","anon");
//配置rememberMe访问路径
map.put("/list","user");
//设置访问权限
map.put("/add","perms[user:add]");
//配置退出
map.put("/logout","logout");
//访问某个资源进行认证
//map.put("/list","authc");
//所有资源都必须认证通过后才能访问
map.put("/**","authc");
//所有资源都可以匿名访问
//map.put("/**","anon");
//设置过滤信息
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
}