马果老师整理
shiro在项目中的实际用法:
阶段1、搭建一个项目结构(与shiro无关,只是一个普通的项目)
阶段2、加入shiro的配置实现认证(与数据库无关)
阶段3、加入数据表
阶段4、授权
阶段5、缓存
------------------------------------------------------------------
阶段1、搭建一个项目结构(与shiro无关,只是一个普通的项目)
1、创建web项目
2、导入ssm的基本依赖
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<!--引入基本的依赖-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>taglibs</groupId>
<artifactId>standard</artifactId>
<version>1.1.2</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.3.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.3.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.3.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.1.1</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.44</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.10</version>
</dependency>
3、创建applicationContext.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.2.xsd ">
<context:component-scan base-package="org.java"/>
<context:property-placeholder location="classpath:jdbc.properties"/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
<property name="suffix" value=".jsp"/>
</bean>
<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
<property name="url" value="${url}"/>
<property name="driverClassName" value="${driver}"/>
<property name="username" value="${user}"/>
<property name="password" value="${pwd}"/>
</bean>
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource"/>
<property name="mapperLocations" value="classpath:mapper/*Mapper.xml"/>
</bean>
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="basePackage" value="org.java.dao"/>
</bean>
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"/>
</bean>
<tx:annotation-driven transaction-manager="transactionManager"/>
</beans>
4、编写web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>mvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>mvc</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<mime-mapping>
<extension>ico</extension>
<mime-type>image/x-icon</mime-type>
</mime-mapping>
</web-app>
5、编写index.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<jsp:forward page="init.do"/>
</body>
</html>
6、编写一个FirstContorller
package org.java.web;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpSession;
import java.util.Map;
@Controller
public class FirstController {
/**
* 该方法只有在登录成功以后,才会执行
* @return
*/
@RequestMapping("/init")
public String init(HttpSession session){
System.out.println("-------------进入firstController----------------");
//获得认证成功的主体
Subject subject = SecurityUtils.getSubject();
//通过subject获得认证返回的主要信息(也就是 Realm类中认证方法,返回的authencationInfo对象中的第一个参数 )
Map map = (Map) subject.getPrincipal();
session.setAttribute("username",map.get("username"));
session.setAttribute("menus",map.get("menus"));//list<map>
return "/main";
}
}
7、编写login.jsp
<%@ page isELIgnored="false" contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
<link rel="stylesheet" type="text/css" href="${pageContext.request.contextPath}/css/my.css">
</head>
<body>
<%--注意,如果是登录界面,点击登录以后,数据将会被封装成一个token,传递到Realm类中的认证方法进行判断--%>
<form action="login.do" method="post">
姓名:<input type="text" name="username"/><Br>
密码:<input type="password" name="password"/><Br>
<input type="submit" value="登录"/>
</form>
</body>
</html>
8、编写主界面
<%--
Created by IntelliJ IDEA.
User: Administrator
Date: 2020/8/6
Time: 15:34
To change this template use File | Settings | File Templates.
--%>
<%@ page isELIgnored="false" contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt" %>
<html>
<head>
<title>Title</title>
<style>
body{
margin: 0px;
}
table,tr,td{
border: 1px black solid;
border-collapse: collapse;
}
a{
color: blue;
text-decoration: none;
}
</style>
</head>
<body>
<table width="100%" height="100%" border="1px">
<tr height="120px">
<Td colspan="2">
logo....
【${sessionScope.username}】
<a href="logout.do">退出</a>
</Td>
</tr>
<Tr>
<TD width="20%" valign="top" align="center">
<c:forEach items="${sessionScope.menus}" var="m">
<a href="${pageContext.request.contextPath}/${m.url}" target="right">${m.NAME}</a>
<Br>
</c:forEach>
</TD>
<TD>
<iframe name="right" src="right.jsp" style="width: 100%;height: 100%;" frameborder="0"></iframe>
</TD>
</Tr>
</table>
</body>
</html>
阶段2、加入shiro的配置实现认证(与数据库无关)
(要实现的效果,只要用户未登录,所有请求转向登录页面)
1、在pom.xml文件,加入shiro依赖
<!--配置shiro的依赖-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.6</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.6</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.6</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.6</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
2、编写applicationContext-shiro.xml文件,用于配置shiro的相关信息
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.2.xsd ">
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!--设置安全管理器-->
<property name="securityManager" ref="securityManager"/>
<!--指定如果拦截用户请求,发现用户未登录,发出请求名称,准备登录-->
<property name="loginUrl" value="/login.do"/>
<!--指定哪些资源需要登录以后才可以访问,哪些资源不登录也可以访问-->
<!--authc:它是shiro内置的过滤器,它表示,请求要认证以后才允许访问-->
<!--anon:它是shiro内置的过滤器,它婧示,请求允许匿名访问(不登录也可以访问)-->
<property name="filterChainDefinitions">
<value>
/css/**=anon
/js/**=anon
/images/**=anon
/favicon.ico = anon
/logout.do=logout
/**=authc
</value>
</property>
</bean>
<!--配置安全管理器-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
<property name="cacheManager" ref="cacheManager"/>
</bean>
<!--配置realm类-->
<bean id="myRealm" class="org.java.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!--配置凭证匹配器-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="3"/>
</bean>
<!--配置缓存-->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:shiro-ehcache.xml"/>
</bean>
</beans>
3、编写web.xml文件,在这个文件中,配置过滤器,用于拦截所有请求,交给shiro的过滤器进行处理
<!--配置监听器,用于加载spring以及shiro的配置文件-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext*.xml</param-value>
</context-param>
<filter>
<filter-name>shiro</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!--当前shiroFilter的生命周期由spring容器控制-->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
<!--当前用于处理所有请求的shiro过滤器的名称是什么(这个名称要在shiro的配置文件中进行配置 )-->
<init-param>
<param-name>targetBeanName</param-name>
<param-value>shiroFilter</param-value>
</init-param>
</filter>
<filter>
<filter-name>encoding</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiro</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>encoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
4、编写一个LoginController,用于跳转到登录页面
package org.java.web;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.web.util.SavedRequest;
import org.apache.shiro.web.util.WebUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
/**
* 这个控制器只有两种情况下,会进入:
* 1、用户没有登录时,会进入
* 2、用户登录时,输入的信息错误会进入
*
* 注意:如果在登录时,输入的用户名,密码是正确的,系统是不会进入该控制器的
*/
@Controller
public class LoginController {
@RequestMapping("/login")
public String login(HttpServletRequest request) throws Exception{
System.out.println("============进入loginController=============");
//如果用户是登录失败进入的,request中会存储一个错误消息,名称是:shiroLoginFailure,值就是:失败原因
// UnknownAccountException 用户名不存在
// IncorrectCredentialsException 密码错误
String err = (String) request.getAttribute("shiroLoginFailure");
if(err!=null){
//如果登录失败,抛出异常,告诉用户出错原因
if(err.endsWith("UnknownAccountException")){
throw new Exception("用户名不存在");
}
if(err.endsWith("IncorrectCredentialsException")){
throw new Exception("密码错误");
}
}
return "/login";
}
}
- shiro的realm类,如果认证成功了,将会执行之前没有执行成功的请求
阶段3、加入数据表
1、编写jdbc.properties配置文件
url=jdbc:mysql://localhost:3306/d91
driver=com.mysql.jdbc.Driver
user=root
pwd=root
2、编写dao接口和mapper映射文件
package org.java.dao;
import org.apache.ibatis.annotations.Param;
import java.util.List;
import java.util.Map;
public interface SysUserMapper {
/**
* 根据用户名,查询用户信息,判断用户名是否存在
* @param username
* @return
*/
public List<Map> login(@Param("username") String username);
/**
* 根据编号,加载对应的菜单
* @param userId
* @return
*/
public List<Map> loadMenu(@Param("userId") int userId);
/***
* 根据编号,加载访问权限
* @param userId
* @return
*/
public List<String> loadPermission(int userId);
}
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
<mapper namespace="org.java.dao.SysUserMapper">
<select id="login" resultType="map">
select * from sys_user where username = #{username}
</select>
<!--根据用户的编号,查询用户可以访问的菜单-->
<select id="loadMenu" resultType="map">
SELECT * FROM sys_permission WHERE TYPE='menu' AND id IN(
SELECT permission_id FROM sys_role_permission WHERE role_id IN(
SELECT role_id FROM sys_user_role WHERE user_id=#{userId}
)
)
</select>
<!--编写用户编号,查询用户拥有的访问权限 -->
<select id="loadPermission" resultType="String">
SELECT percode FROM sys_permission WHERE id IN(
SELECT permission_id FROM sys_role_permission WHERE role_id IN(
SELECT role_id FROM sys_user_role WHERE user_id=#{userId}
)
)
</select>
</mapper>
3、编写service接口与实现类
package org.java.service;
import java.util.List;
import java.util.Map;
public interface SysUserService {
/**
* 根据用户名,查找用户信息,返回结果有两种可能性
* 1、用户名不存在,则返回null
* 2、用户名存在,则返回具体的map(map,包含用户名称,用户代码,以及该用户名的正确密码)
* @param username
* @return
*/
public Map login(String username);
/**
* 根据用户的编号,加载用户可以访问的菜单
* @param userId
* @return
*/
public List<Map> loadMenu(Integer userId);
//加载权限
public List<String> loadPermission(Integer userId);
}
package org.java.service.impl;
import org.java.dao.SysUserMapper;
import org.java.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.List;
import java.util.Map;
@Service
public class SysUserServiceImpl implements SysUserService {
@Autowired
private SysUserMapper sysUserMapper;
/**
* 根据用户名,查找用户信息,返回结果有两种可能性
* 1、用户名不存在,则返回null
* 2、用户名存在,则返回具体的map(map,包含用户编号、用户名称,用户代码,以及该用户名的正确密码)
* @param username
* @return
*/
@Override
public Map login(String username) {
List<Map> list = sysUserMapper.login(username);
if(list.isEmpty()){
return null;
}else{
return list.get(0);
}
}
/**
* 根据用户编号,加载对应的菜单
* @param userId
* @return
*/
@Override
public List<Map> loadMenu(Integer userId) {
return sysUserMapper.loadMenu(userId);
}
@Override
public List<String> loadPermission(Integer userId) {
return sysUserMapper.loadPermission(userId);
}
}
4、编写realm类
package org.java.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.java.service.SysUserService;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
public class MyRealm extends AuthorizingRealm {
@Autowired
private SysUserService userService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
System.out.println("################正在进行授权操作----------正在访问数据库");
//获得认证对象中的主要信息---map(认证方法返回的info对象中的第一个参数)
Map map = (Map) principals.getPrimaryPrincipal();
//从map中,获得userId
Integer userId = (Integer) map.get("id");
//查询权限字段
List<String> list = userService.loadPermission(userId);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermissions(list);
return info;
}
//认证的方法
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("############################################进入realm类,认证的方法");
//从token中,获得用户信息(用户名)
String principal = (String) token.getPrincipal();
//根据用户名查询数据库,判断,用户是否存在
Map map = userService.login(principal);
if(map==null){
return null;//用户名不存在
}
//获得用户编号,准备加载菜单
Integer userId = (Integer) map.get("id");
//根据编号,加载菜单
List<Map> menus = userService.loadMenu(userId);
//将当前用户可以访问的菜单,存储到map中
map.put("menus",menus);
//用户名存在,从数据库,返回正确的密码
String pwd = (String) map.get("PASSWORD");
//指定盐
String salt="accp";
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(map,pwd, ByteSource.Util.bytes(salt),"myrealm");
return info;
}
}
5、编写异常处理类,处理账号不存在或密码错误的情况
package org.java.exception;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
import javax.jws.WebParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* 异常处理类,处理程序中的所有异常
*/
@Component
public class ShiroException implements HandlerExceptionResolver {
/**
*
* @param request 请求
* @param response 响应
* @param handler 哪一个控制器类产生的异常
* @param ex 异常的原因
* @return
*/
@Override
public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
//产生modelAndView
ModelAndView mv = new ModelAndView("/err");
//存放异常原因,准备在页面显示
mv.addObject("msg",ex.getMessage());
return mv;
}
}
6、编写错误访问页面
<%@ page import="org.apache.shiro.web.util.SavedRequest" %>
<%@ page import="org.apache.shiro.web.util.WebUtils" %><%--
Created by IntelliJ IDEA.
User: Administrator
Date: 2020/8/6
Time: 17:45
To change this template use File | Settings | File Templates.
--%>
<%@ page isELIgnored="false" contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>出错了,原因是:${requestScope.msg}</h1>
<hr>
<a href="index.jsp">返回</a>
<%--<%--%>
<%--SavedRequest reqUrl = WebUtils.getSavedRequest(request);--%>
<%--String URL= reqUrl.getRequestUrl();--%>
<%--out.write("之前的拦截路径是:"+URL);--%>
<%--%>--%>
</body>
</html>
阶段4、授权
编写页面
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>欢迎使用shiro...</h1>
</body>
</html>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>用户管理</h1>
<hr>
<shiro:hasPermission name="user:add">
<div>添加用户</div>
</shiro:hasPermission>
<shiro:hasPermission name="user:del">
<div>删除用户</div>
</shiro:hasPermission>
<shiro:hasPermission name="user:update">
<div>修改用户</div>
</shiro:hasPermission>
<shiro:hasPermission name="user:query">
<div>查询用户</div>
</shiro:hasPermission>
</body>
</html>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1>产品管理</h1>
</body>
</html>
阶段5、缓存
一般shiro加载用户权限以后,就把权限进行缓存
shiro中推荐的缓存是ehcache
使用步骤:
1、下载ehcache的缓存配置文件,并且放入到resources目录
2、在applicationContext-shiro.xml文件中,配置缓存文件信息
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:shiro-ehcache.xml"/>
</bean>
3、在安全管理器中,配置缓存管理