代码地址
简单使用
概述
便捷并轻量级的安全框架。
主要功能包括 认证和授权,加密和会话。
shiro架构
- subject 主体代表用户
- security manager 安全管理
- authenticator 认证
- authorizer 授权
- Session Manage 的管理
- Cache Manage 管理
ini文件
文件格式
- main
- users 定义用户名密码和角色
- roles 定义角色具有的权限
- urls 定义控制器的路径的过滤器
例子
[main] 后续会讲
[users]
zs = role1,role2
[roles]
role1 = user:insert,select
role2 = select
[urls]
/login=anno
项目部署
环境配置
jdk8+,maven3.0.3+
依赖包
<!-- shiro核心-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.2</version>
</dependency>
<!-- 需要日志-->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
认证流程
登录
public class QuickStartApp {
public static void main(String[] args) {
//解析ini
IniSecurityManagerFactory factory =
new IniSecurityManagerFactory("classpath:shiro.ini");
// 获取SecurityManage实例
SecurityManager securityManager = factory.getInstance();
// securityManager放入SecurityUtils工具类
SecurityUtils.setSecurityManager(securityManager);
// 工具类中取到主体对象
Subject subject = SecurityUtils.getSubject();
// 为主体对象赋用户
UsernamePasswordToken token = new UsernamePasswordToken("zs","123");
// 登录
subject.login(token);
}
异常信息
注意login()方法是一个返回类型为void的方法。通过异常来判断登录状态
try{
subject.login(token);
System.out.println("登录成功");
}catch (UnknownAccountException e) {
System.out.println("用户名错误");
}catch (IncorrectCredentialsException e){
System.out.println("不正确的凭证(密码错误)");
}catch (AuthenticationException e){
System.out.println("认证失败");
}
AuthenticationException 是认证的顶级异常。
角色权限认证
登录成功后根据角色来判断是否有角色:
登录成功后根据授权来判断该角色是否有权限:
subject.login(token);
System.out.println("登录成功");
/**授权
* 1.判断是否具有某一个角色
* 2.判断该角色是否有权限
*/
// subject.hasRoles(); 判断是否具有当中角色中的一个
// subject.hasAllRoles();只有用户有所有的角色才会返回true
boolean b = subject.hasRole("role1");
//判断当前用户具有某个角色,通过异常判断
subject.checkRole("role1");
System.out.println("是否具有该角色"+b);
//判断权限是否有select
boolean c = subject.isPermitted("select");
// 和checkRole一样具有checkPermission
加密技术
shiro自带了许多加密算法此处只看md5:
static public String saltPwd(String pwd){
System.out.println(pwd);
Md5Hash md5Hash = new Md5Hash(pwd);
System.out.println(md5Hash.toHex());
Md5Hash md5Hash1 = new Md5Hash(pwd,"123");
System.out.println(md5Hash1.toHex());
Md5Hash md5Hash2 = new Md5Hash(pwd,"123",3);//加密次数
System.out.println(md5Hash2.toHex());
return null;
}
Releam
pojo对象:
public class UserInfo {
private String id;
private String pwd;
private String salt;
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public String getPwd() {
return pwd;
}
public void setPwd(String pwd) {
this.pwd = pwd;
}
public String getSalt() {
return salt;
}
public void setSalt(String salt) {
this.salt = salt;
}
}
ini文件配置:
[main]
md5=org.apache.shiro.authc.credential.Md5CredentialsMatcher
md5.hashIterations=1
myrealm=com.study.RealmApp
myrealm.credentialsMatcher=$md5
securityManager.realms=$myrealm
releam是用来与数据做交互的组件:此处为了简化代码我演示的时候赋给了userInfo三个值,注意正常情况需要从数据库取到。
public class RealmApp extends AuthenticatingRealm {
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//拿到用户输入的用户名
//根据用户输入的名称去找
String id = token.getPrincipal().toString();
UserInfo userInfo = new UserInfo();
userInfo.setId("zs");
userInfo.setPwd("4297f44b13955235245b2497399d7a93");
userInfo.setSalt("123");
System.out.println("测试");
if(userInfo!=null){
ByteSource byteSource = ByteSource.Util.bytes(userInfo.getSalt());
// 1. 用户名 2. 查询到的密码 3.盐值可以没有 4.真实名称无用占位
SimpleAuthenticationInfo info =
new SimpleAuthenticationInfo
(userInfo.getId(),userInfo.getPwd(),byteSource,"w");
return info;
}
return null;
}
}
多Realm策略
- AtleastOneSuccessfulStrategy 满足至少一个不会短路
- FirstSuccessfulStrategy 满足一个即可会短路
- AllSuccessfullStrategy 所有都满足
SpringBoot整合shiro
依赖
<dependencies>
<!-- shiro核心-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.4.2</version>
</dependency>
<!-- 需要日志-->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.11</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.2.2</version>
</dependency>
</dependencies>
yml配置
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url:
username:
password:
shiro:
loginUrl: http://www.baidu.com
shiro-loginUrl指的是如果该用户没有登录/没有权限跳转的网址。
MyReleam文件
package com.study.controller;
import com.study.pojo.UserInfo;
import com.study.service.UserService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class MyRealm extends AuthenticatingRealm {
@Autowired
private UserService userService;
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String id = token.getPrincipal().toString();
UserInfo userInfo = userService.login(id);
ByteSource byteSource = ByteSource.Util.bytes(userInfo.getSalt());
if(userInfo!=null){
SimpleAuthenticationInfo w =
new SimpleAuthenticationInfo(userInfo.getId(), userInfo.getPwd(), byteSource, "w");
return w;
}
return null;
}
}
配置文件(重点!!!)
放一起了,过滤链,记住我,算法设置,认证授权,退出
package com.study.controller;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ShiroConfig {
@Autowired
private MyRealm myRealm;
@Bean
public DefaultWebSecurityManager defaultWebSecurity(){
DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
/** 算法设置*/
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
matcher.setHashAlgorithmName("md5");
matcher.setHashIterations(1);
myRealm.setCredentialsMatcher(matcher);
/** 认证策略
ModularRealmAuthenticator modularRealmAuthenticator = new ModularRealmAuthenticator();
modularRealmAuthenticator.setAuthenticationStrategy(new FirstSuccessfulStrategy());
defaultWebSecurityManager.setAuthenticator(modularRealmAuthenticator);
*/
defaultWebSecurityManager.setRealm(myRealm);
return defaultWebSecurityManager;
}
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition(){
DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
// 顺序是由上到下
chainDefinition.addPathDefinition("/login","anon");
chainDefinition.addPathDefinition("/select","authc");
chainDefinition.addPathDefinition("/select1","user");
//退出只需要配置这个即可控制器都不需要 会自动删除cookie
chainDefinition.addPathDefinition("/logout","logout");
return chainDefinition;
}
//自定义 rememberMe
public CookieRememberMeManager cookieRememberMeManager(){
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
Cookie cookie = new SimpleCookie("realm");
cookie.setPath("/");
cookie.setHttpOnly(true);
cookie.setMaxAge(60*60*24);
cookieRememberMeManager.setCookie(cookie);
cookieRememberMeManager.setCipherKey("123".getBytes());
return cookieRememberMeManager;
}
}
Controller文件
package com.study.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseBody;
@Controller
@ResponseBody
public class UserController {
@GetMapping("/login/{id}/{pwd}")
public String login(@PathVariable String id,@PathVariable String pwd){
Subject subject = SecurityUtils.getSubject();
// rememberMe
UsernamePasswordToken token = new UsernamePasswordToken(id,pwd,true);
try {
subject.login(token);
System.out.println(1);
return "success1";
}catch (AuthenticationException e){
System.out.println(2);
return "error";
}
}
@GetMapping("/select")
public String select(){
System.out.println(4);
return "<h1>select1</h1>";
}
@GetMapping("/select1")
public String select1(){
System.out.println(3);
return "select2";
}
}