spring security
引入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
编写配置类
package com.config;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@EnableWebSecurity
public class securityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//权限认证
http.authorizeRequests().mvcMatchers("/").permitAll()//设置“/”路径全都可以访问
.and().authorizeRequests().mvcMatchers("/level1/**").hasRole("vip1")//设置vip1的角色才可以访问"/level1/**"
.and().authorizeRequests().mvcMatchers("/level2/**").hasRole("vip2")
.and().authorizeRequests().mvcMatchers("/level3/**").hasRole("vip3");
//没权限就返回登录界面 /login
http.formLogin();
//注销,注销成功后跳转到"/"
http.logout().logoutSuccessUrl("/");
//记住我功能
http.rememberMe().rememberMeParameter("前端接收的名称");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//授权
auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("zhangsan").password(new BCryptPasswordEncoder().encode("123123")).roles("vip1")//设置哪个用户是哪个角色
.and().withUser("lisi").password(new BCryptPasswordEncoder().encode("123123")).roles("vip2","vip3")
.and().withUser("root").password(new BCryptPasswordEncoder().encode("root")).roles("vip1","vip2","vip3");
}
}
shiro
引进依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.6.0</version>
</dependency>
创建realm类对象,继承AuthorizingRealm
package com.config;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class userRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了授权方法doGetAuthorizationInfo");
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了验证方法doGetAuthenticationInfo");
String username = "root";
String password = "root";
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
if (!usernamePasswordToken.getUsername().equals(username)){
return null;
}
//密码认证,shiro做
return new SimpleAuthenticationInfo("",password,"");
}
}
编写shiro配置类
package com.config;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.spring.web.config.DefaultShiroFilterChainDefinition;
import org.apache.shiro.spring.web.config.ShiroFilterChainDefinition;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.Map;
@Configuration
public class shiroConfig{
//创建ShiroFilterFactoryBean对象
@Bean
public ShiroFilterFactoryBean definition(@Qualifier("SecurityManager") DefaultWebSecurityManager defaultWebSecurityManager){
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
bean.setSecurityManager(defaultWebSecurityManager);
Map<String, String> map = bean.getFilterChainDefinitionMap();
/**
* anon:无需认证就能访问
* authc:需要认证才能访问
* user:拥有 记住我 功能才能访问
* perms:拥有对某个资源的权限才能访问
* role:拥有某个角色权限才能访问
*/
map.put("/add","authc");
map.put("/del","authc");
//没权限就返回登录界面
bean.setLoginUrl("/toLogin");
return bean;
}
//创建安全管理器对象
//Qualifier表示使用哪个方法里的对象,也可取@Bean里的name属性值
@Bean(name = "SecurityManager")
public DefaultWebSecurityManager defaultSecurityManager(@Qualifier("userRealm") Realm realm){
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(realm);
return manager;
}
//创建realm对象
@Bean
public userRealm userRealm(){
return new userRealm();
}
}
在resources创建templates编写前端页面测试
编写controller
package com.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class shiroController {
@RequestMapping({"/index","/"})
public String index(){
return "index";
}
@RequestMapping("/add")
public String add(){
return "user/add";
}
@RequestMapping("/del")
public String del(){
return "user/del";
}
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
@RequestMapping("/login")
public String login(String username, String password, Model model){
//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户名和密码
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
model.addAttribute("msg","登录成功!");
return "index";
}catch (UnknownAccountException e){
model.addAttribute("msg","用户名错误!");
return "login";
}catch (IncorrectCredentialsException e){
model.addAttribute("msg","密码错误!");
return "login";
}
}
}
index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.w3.org/1999/xhtml">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>首页</h1>
<p th:text="${msg}" style="color: red"></p>
<a th:href="@{/add}">add</a>
<a th:href="@{/del}">del</a>
</body>
</html>
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.w3.org/1999/xhtml">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<p th:text="${msg}" style="color: red"></p>
<form th:action="@{/login}">
<input type="text" name="username">
<input type="text" name="password">
<input type="submit" >
</form>
</body>
</html>
add.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>add</h1>
</body>
</html>
整合mybatis
引入依赖
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.49</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.4</version>
</dependency>
在realm对象userRealm里的认证方法里获取数据库查询的结果
@Autowired
UserService userService;
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("执行了验证方法doGetAuthenticationInfo");
// String username = "root";
// String password = "root";
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
User user = userService.geyAllUser(usernamePasswordToken.getUsername());//
if (user.getName()==null){
return null;
}
//密码认证,shiro做
return new SimpleAuthenticationInfo(user,user.getPassword(),"");
再对应添加service,mapper接口,serviceImpl实现类,user对象
ymal配置
spring:
datasource:
url: jdbc:mysql://localhost:3306/study?characterEncoding=utf8
username: root
password: root
driver-class-name: com.mysql.jdbc.Driver
mybatis:
#config-location: classpath:mybatis/mybatis-config.xml #全局配置文件位置
mapper-locations: classpath:mapper/*.xml
configuration:
map-underscore-to-camel-case: true #开启驼峰命名
在类内径下创建mapper包和对应的xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.mapper.UserMapper">
<select id="gettUser" resultType="com.pojo.User">
select * from user where name =#{name}
</select>
</mapper>
启动测试
设置权限
在shiro配置类shiroConfig里设置进入某个路径需要有该路径的权限才能访问,否则跳到无权限界面
map.put("/add","perms[user:add]");
map.put("/del","perms[user:del]");
//没权限访问返回无权访问界面
bean.setUnauthorizedUrl("/available");
controller编写无权限路径
@RequestMapping("/available")
@ResponseBody
public String available(){
return "无权访问!";
}
可以在Realm对象里设置哪些路径都可以访问,当前用户只有什么权限
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了授权方法doGetAuthorizationInfo");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermission("user:add");//给与这个路径授权
//拿到当前的登录对象
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getPrincipal();
//设置当前的用户权限
info.addStringPermission(user.getPermission());
return info;
}