原文:https://blog.csdn.net/lidai352710967/article/details/83654132
对于shiro就不过多介绍了,相信在学习集成springboot的童鞋都对shiro都有一定的了解
shiro进行权限控制一般设计五张数据库表,user,role,user_role,resource role_resource
我自己写demo的时候将resource表名改成了menu表,其实都一样,下面贴出建表和表数据sql
/*
Navicat MySQL Data Transfer
Source Server : localhost
Source Server Version : 50560
Source Host : localhost:3306
Source Database : springboot_shiro
Target Server Type : MYSQL
Target Server Version : 50560
File Encoding : 65001
Date: 2018-11-01 15:19:14
*/
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for sys_menu
-- ----------------------------
DROP TABLE IF EXISTS `sys_menu`;
CREATE TABLE `sys_menu` (
`menu_id` varchar(32) NOT NULL COMMENT '菜单ID',
`menu_name` varchar(255) NOT NULL COMMENT '菜单名称',
`parent_id` varchar(32) DEFAULT '0' COMMENT '父菜单ID',
`url` varchar(255) DEFAULT '#' COMMENT '请求地址',
`menu_type` char(1) DEFAULT '' COMMENT '菜单类型(M目录 C菜单 F按钮)',
`perms` varchar(255) DEFAULT '' COMMENT '权限标识',
`create_by` varchar(64) DEFAULT '' COMMENT '创建者',
`create_time` datetime DEFAULT NULL COMMENT '创建时间',
`update_by` varchar(64) DEFAULT '' COMMENT '更新者',
`update_time` datetime DEFAULT NULL COMMENT '更新时间',
PRIMARY KEY (`menu_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='菜单权限表';
-- ----------------------------
-- Records of sys_menu
-- ----------------------------
INSERT INTO `sys_menu` VALUES ('1000', '用户管理', '0', '#', 'M', '', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1001', '用户新增', '1000', '/user/add', 'C', 'user:create', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1002', '用户查询', '1000', '/user/all', 'C', 'user:get', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1003', '用户修改', '1000', '/user/update', 'C', 'user:update', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1004', '用户删除', '1000', '/user/delete', 'C', 'user:delete', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1005', '分配角色', '1000', '/userRole/add', 'C', 'userRole:add', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('1006', '移除分配角色', '1000', '/userRole/delete', 'C', 'userRole:delete', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('2000', '角色管理', '0', '#', 'M', '', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('2001', '角色新增', '2000', '/role/add', 'C', 'role:create', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('2002', '角色查询', '2000', '/role/all', 'C', 'role:get', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('2003', '角色删除', '2000', '/role/delete', 'C', 'role:delete', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('2004', '角色修改', '2000', '/role/update', 'C', 'role:update', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('3000', '权限管理', '0', '#', 'M', '', '', null, '', null);
INSERT INTO `sys_menu` VALUES ('3001', '查询所有权限', '3000', '/menu/all', 'C', 'menu:get', '', null, '', null);
-- ----------------------------
-- Table structure for sys_role
-- ----------------------------
DROP TABLE IF EXISTS `sys_role`;
CREATE TABLE `sys_role` (
`role_id` varchar(32) NOT NULL COMMENT '角色ID',
`role_name` varchar(255) NOT NULL COMMENT '角色名称',
`remark` varchar(255) NOT NULL COMMENT '角色权限字符串',
`delete_flag` char(1) NOT NULL COMMENT '角色状态(0正常 1停用)',
`create_by` varchar(64) DEFAULT '' COMMENT '创建者',
`create_time` datetime DEFAULT NULL COMMENT '创建时间',
`update_by` varchar(64) DEFAULT '' COMMENT '更新者',
`update_time` datetime DEFAULT NULL COMMENT '更新时间',
PRIMARY KEY (`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色信息表';
-- ----------------------------
-- Records of sys_role
-- ----------------------------
INSERT INTO `sys_role` VALUES ('1', 'admin', 'admin', 'N', '', null, '', null);
INSERT INTO `sys_role` VALUES ('2', 'test', 'test', 'N', '', null, '', null);
-- ----------------------------
-- Table structure for sys_role_menu
-- ----------------------------
DROP TABLE IF EXISTS `sys_role_menu`;
CREATE TABLE `sys_role_menu` (
`role_id` varchar(32) NOT NULL COMMENT '角色ID',
`menu_id` varchar(32) NOT NULL COMMENT '菜单ID',
PRIMARY KEY (`role_id`,`menu_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='角色和菜单关联表';
-- ----------------------------
-- Records of sys_role_menu
-- ----------------------------
INSERT INTO `sys_role_menu` VALUES ('1', '1001');
INSERT INTO `sys_role_menu` VALUES ('1', '1002');
INSERT INTO `sys_role_menu` VALUES ('1', '1003');
INSERT INTO `sys_role_menu` VALUES ('1', '1004');
INSERT INTO `sys_role_menu` VALUES ('1', '1005');
INSERT INTO `sys_role_menu` VALUES ('1', '1006');
INSERT INTO `sys_role_menu` VALUES ('1', '2001');
INSERT INTO `sys_role_menu` VALUES ('1', '2002');
INSERT INTO `sys_role_menu` VALUES ('1', '2003');
INSERT INTO `sys_role_menu` VALUES ('1', '2004');
INSERT INTO `sys_role_menu` VALUES ('1', '3001');
INSERT INTO `sys_role_menu` VALUES ('2', '2002');
-- ----------------------------
-- Table structure for sys_user
-- ----------------------------
DROP TABLE IF EXISTS `sys_user`;
CREATE TABLE `sys_user` (
`user_id` varchar(32) NOT NULL COMMENT '用户ID',
`username` varchar(255) NOT NULL COMMENT '用户昵称',
`email` varchar(50) DEFAULT '' COMMENT '用户邮箱',
`phonenumber` varchar(11) DEFAULT '' COMMENT '手机号码',
`sex` char(20) DEFAULT '0' COMMENT '用户性别(0男 1女 2未知)',
`password` varchar(255) DEFAULT '' COMMENT '密码',
`salt` varchar(255) DEFAULT '' COMMENT '盐加密',
`delete_flag` char(1) DEFAULT 'N' COMMENT '删除标志',
`create_by` varchar(64) DEFAULT '' COMMENT '创建者',
`create_time` datetime DEFAULT NULL COMMENT '创建时间',
`update_by` varchar(64) DEFAULT '' COMMENT '更新者',
`update_time` datetime DEFAULT NULL COMMENT '更新时间',
PRIMARY KEY (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户信息表';
-- ----------------------------
-- Records of sys_user
-- ----------------------------
INSERT INTO `sys_user` VALUES ('123456', 'admin', '123@qq.com', '18888888888', 'MALE', '2924bf023a606c036d5239129bd12860', '071d2ac3423f', 'N', '', '2018-08-28 14:35:57', '', '2018-08-28 14:35:36');
INSERT INTO `sys_user` VALUES ('654321', 'test', 'test@fdj.com', '12345645601', 'MALE', 'b995d53bdbe9f7eb8858631dcb7c5162', '0b418086e144', 'N', '', '2018-10-31 15:34:54', '', '2018-11-01 09:22:37');
-- ----------------------------
-- Table structure for sys_user_role
-- ----------------------------
DROP TABLE IF EXISTS `sys_user_role`;
CREATE TABLE `sys_user_role` (
`user_id` varchar(32) NOT NULL COMMENT '用户ID',
`role_id` varchar(32) NOT NULL COMMENT '角色ID',
PRIMARY KEY (`user_id`,`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户和角色关联表';
-- ----------------------------
-- Records of sys_user_role
-- ----------------------------
INSERT INTO `sys_user_role` VALUES ('123456', '1');
INSERT INTO `sys_user_role` VALUES ('654321', '2');
下面贴除springboot配置文件,application.properties
server.port=8001
##数据源配置
spring.datasource.url=jdbc:mysql://localhost:3306/springboot_shiro?characterEncoding=UTF-8&useSSL=false
spring.datasource.username=root
spring.datasource.password=123456
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
##Mybatis配置
mybatis.type-aliases-package=com.example.demo.entity
mybatis.configuration.map-underscore-to-camel-case=true
mybatis.mapper-locations=classpath*:/mapper/*.xml
##在控制台打印执行的sql
logging.level.com.example.demo.dao=debug
顺便贴一下pom文件吧
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>springboot_shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>springboot_shiro</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.github.pagehelper</groupId>
<artifactId>pagehelper-spring-boot-starter</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.29</version>
</dependency>
<dependency>
<groupId>net.sourceforge.nekohtml</groupId>
<artifactId>nekohtml</artifactId>
<version>1.9.22</version>
</dependency>
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>2.4.2.1-RELEASE</version>
<exclusions>
<exclusion>
<artifactId>shiro-core</artifactId>
<groupId>org.apache.shiro</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- https://mvnrepository.com/artifact/com.alibaba/fastjson -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.47</version>
</dependency>
<!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
下面就是正式开发的内容了,首先需要一个ShiroConfig.java来对shiro进行配置
package com.example.demo.config;
import com.example.demo.shiro.MyShiroRealm;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @author lidai
* @date 2018/10/30 16:41
*/
@Configuration
public class ShiroConfig {
public static final String LOGIN_URL="/login";
public static final String SUCCESS_URL="/index";
/**
* 管理bean生命周期
* @return
*/
@Bean
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean=new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl(LOGIN_URL);
shiroFilterFactoryBean.setSuccessUrl(SUCCESS_URL);
Map<String,String> filterChainDefinitionMap=new LinkedHashMap<>();
filterChainDefinitionMap.put("logout","logout");
filterChainDefinitionMap.put("/login","anon");
filterChainDefinitionMap.put("/**","authc");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
@Bean
public SecurityManager securityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(myShiroRealm());
return securityManager;
}
@Bean
public MyShiroRealm myShiroRealm(){
MyShiroRealm myShiroRealm=new MyShiroRealm();
myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
return myShiroRealm;
}
/**
* 凭证匹配,加密算法
* @return
*/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher(){
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashAlgorithmName("md5");
hashedCredentialsMatcher.setHashIterations(2);
return hashedCredentialsMatcher;
}
/**
* 开启shiro 注解支持
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
/**
* 开启shiro授权注解,若上面Bean未生效则使用此Bean
* @return
*/
@Bean
@ConditionalOnMissingBean
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator=new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}
}
shiro真正实现认证和授权的地方其实在realm文件里,下面贴除MyShiroRealm.java
package com.example.demo.shiro;
import com.example.demo.entity.Menu;
import com.example.demo.entity.Role;
import com.example.demo.entity.User;
import com.example.demo.service.MenuService;
import com.example.demo.service.RoleService;
import com.example.demo.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.List;
import java.util.stream.Collectors;
/**
* @author lidai
* @date 2018/10/30 16:54
*/
public class MyShiroRealm extends AuthorizingRealm{
@Autowired
private UserService userService;
@Autowired
private RoleService roleService;
@Autowired
private MenuService menuService;
/**
* 授权
* @param principalCollection 身份集合
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
User user= (User) principalCollection.getPrimaryPrincipal();
List<Role> roles=roleService.getRolesByUserId(user.getUserId());
List<Menu> menus=menuService.getMenusByUserId(user.getUserId());
simpleAuthorizationInfo.addRoles(roles.stream().map(Role::getRoleName).collect(Collectors.toSet()));
simpleAuthorizationInfo.addStringPermissions(menus.stream().map(Menu::getPerms).collect(Collectors.toSet()));
return simpleAuthorizationInfo;
}
/**
* 认证
* @param authenticationToken token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
String username= (String) authenticationToken.getPrincipal();
User user =userService.getUserByUsername(username);
if(user == null){
throw new UnknownAccountException("用户名或密码错误");
}
SimpleAuthenticationInfo simpleAuthenticationInfo=new SimpleAuthenticationInfo(
user,user.getPassword(), ByteSource.Util.bytes(user.getSalt()),getName()
);
Session session=SecurityUtils.getSubject().getSession();
session.setAttribute("user",user);
return simpleAuthenticationInfo;
}
/**
* 清理缓存权限
*/
public void clearCachedAuthorizationInfo() {
this.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
}
}
这个realm写的比较简陋,但是功能都实现了,后期打算继续改进集成jwt,到时候再贴上相应代码(这个链接是后期整合jwt得代码,还包含了多realm跨域登录,当然直接放在单体架构中使用也是没问题得https://blog.csdn.net/lidai352710967/article/details/85772973)
到这里,关于shiro的配置就基本完成了,下面给出LoginController.java的代码
package com.example.demo.controller;
import com.example.demo.entity.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.web.bind.annotation.*;
/**
* @author lidai
* @date 2018/10/30 18:00
*/
@Controller
public class LoginController {
@GetMapping("/login")
public String login(){
return "/login";
}
@PostMapping("/login")
public String login(@RequestBody User user){
Assert.notNull(user.getUsername(),"username不能为空");
Assert.notNull(user.getPassword(),"password不能为空");
UsernamePasswordToken upToken=new UsernamePasswordToken(user.getUsername(),user.getPassword());
Subject subject= SecurityUtils.getSubject();
if(subject==null){
throw new RuntimeException("登陆异常");
}
try{
subject.login(upToken);
}catch (Exception e){
e.printStackTrace();
return "login";
}
return "index";
}
}
代码的判断依然比较简陋,但是运行起来是没问题的
在贴出一个UserControleller.java示范一下,上面有@RequirePermissions注解对权限控制做 了处理
package com.example.demo.controller;
import com.example.demo.entity.Result;
import com.example.demo.entity.User;
import com.example.demo.service.UserService;
import com.github.pagehelper.PageHelper;
import com.github.pagehelper.PageInfo;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.Assert;
import org.springframework.web.bind.annotation.*;
import java.util.List;
/**
* @author lidai
* @date 2018/10/31 14:18
*/
@RestController
@RequestMapping("/user")
public class UserController {
@Autowired
private UserService userService;
@GetMapping("/{userId}")
public User getUserById(@PathVariable String userId){
return userService.getUserById(userId);
}
@PostMapping("/add")
@RequiresPermissions("user:create")
public int insertUser(@RequestBody User user){
return userService.insertUser(user);
}
@GetMapping("/all")
@RequiresPermissions("user:get")
public PageInfo<User> getAllUser(@RequestParam(value = "pageNum ",defaultValue = "1")int pageNum,
@RequestParam(value = "pageSize",defaultValue = "10")int pageSize,
@RequestParam("username") String username,
@RequestParam("email") String email,
@RequestParam("phoneNumber") String phoneNumber){
PageHelper.startPage(pageNum,pageSize);
List<User> users=userService.getAllUser(username,email,phoneNumber);
PageInfo<User> pageInfo=new PageInfo(users);
return pageInfo;
}
@PutMapping("/update")
@RequiresPermissions("user:update")
public Result updateUser(@RequestBody User user){
Assert.notNull(user.getUserId(),"userId不能为空");
return Result.build().success("修改成功",userService.updateUser(user));
}
@PutMapping("/delete")
@RequiresPermissions("user:delete")
public Result deleteUserByIds(@RequestParam("ids")List<String> ids){
Assert.notEmpty(ids,"id能为空");
return Result.build().success("删除成功",userService.deleteUserByIds(ids));
}
}
整体的代码基本都贴出来了,实体类和一些service也比较简单,持久层使用mybatis框架
简单的讲一下shiro的认证和授权的流程:
首先当你访问LoginController的时候,当程序执行到subject.login(upToken)时,会自动跳转到MyShiroRealm中的认证方法里面去执行认证的逻辑,认证交由 SimpleAuthenticationInfo 来完成,他会完成身份密码的比较等等功能。
注意登陆的时候是不走授权的方法的,那么什么时候走呢?比如当你访问userController里面的getAllUser方法时,shiro注解@RequiresPermissions这个时候就生效了,shiro知道这个时候我需要user:get的权限字符串,在这里会跳转到MyShiroRealm的授权方法里面,从数据库查询当前登陆的用户是否有这个权限字符串。(第一次查询之后会缓存到session里面,注意修改权限之后需要清空缓存)授权由SimpleAuthorizationInfo 来完成,这个类和认证的很像,别写错了啊。
---------------------
作者:木子人弋山
来源:CSDN
原文:https://blog.csdn.net/lidai352710967/article/details/83654132
版权声明:本文为博主原创文章,转载请附上博文链接!