Shiro
一款主流的java安全框架,不依赖任何容器,可以运行在javaSE和javaEE项目中,他的主要作用是对访问系统的用户进行系统身份认证,授权会话管理加密等操作。
用来解决安全管理的框架
核心组件
1、**UsernamePasswordtoken **用来封装用户的登录信息,使用用户信息来创建token令牌
2、SecurityManager,shiro的核心功能,负责安全认证和授权
3、Suject,Shiro的一个抽象概念,包含了用户信息
4、Realm,开发者自定义的模块,根据项目的需求,编写验证和授权的逻辑
5、Authenticationinfo、用户的角色信息集合,认证时是用
6、Authorizationinfo、角色权限信息集合,授权时使用
7、DefaultWebSercurityDManager,安全管理器,开发者自定义的Realm需要注入到安全管理器才能生效
8、ShiroFilterFactoryBean,过滤器工厂,Shiro的基本运行机制是开发者定制规则,Shiro去执行,具体的执行操作
运行机制
创建项目
1、导入依赖
springweb、thymeleaf、mybatis-plus、shiro、lombk
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.5.3</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
2、创建entity、mapper、service
Account.java
@Data
public class Account {
private Integer id;
private String username;
private String password;
private String perms;
private String role;
}
AccountMapper.java
@Repository
public interface AccountMapper extends BaseMapper<Account> {
}
AccountService
public interface AccountService {
public Account findByUsername(String username);
}
AccountServiceImpl
@Service
public class AccountServiceImpl implements AccountService{
@Autowired
private AccountMapper accountMapper;
@Override
public Account findByUsername(String username) {
QueryWrapper wrapper = new QueryWrapper();
wrapper.eq("username",username);
return accountMapper.selectOne(wrapper);
}
}
3、application.properties
# 应用服务 WEB 访问端口
server.port=8080
# 数据库驱动:
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
# 数据源名称
spring.datasource.name=defaultDataSource
# 数据库连接地址
spring.datasource.url=jdbc:mysql://localhost:3306/crud?serverTimezone=UTC&characterEncoding=utf-8
# 数据库用户名&密码:
spring.datasource.username=root
spring.datasource.password=123456
#配置日志
mybatis-plus.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl
启动类添加注解
@SpringBootApplication
@MapperScan("com.rugao.mapper")
public class SpringbootShiroApplication {
public static void main(String[] args) {
SpringApplication.run(SpringbootShiroApplication.class, args);
}
}
4、编写自定义过滤器realm方法
public class AccountRealm extends AuthorizingRealm {
@Autowired
private AccountService accountService;
/**
* 授权
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
/**
* 认证
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//获取token
UsernamePasswordToken token =(UsernamePasswordToken) authenticationToken;
//从token获取名称
String username = token.getUsername();
//通过名称查询用户
Account account = accountService.findByUsername(username);
if (account!=null){
//验证密码
return new SimpleAuthenticationInfo(account,account.getPassword(),getName());
}
return null;
}
}
5、编写配置类
@Configuration
public class ShiroConfig {
@Bean
public AccountRealm accountRealm(){
return new AccountRealm();
}
@Bean
public DefaultWebSecurityManager SecurityManager(@Qualifier("accountRealm") AccountRealm accountRealm){
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(accountRealm);
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("SecurityManager") DefaultWebSecurityManager SecurityManager){
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
factoryBean.setSecurityManager(SecurityManager);
return factoryBean;
}
}
6、编写认证和授权规则
认证过滤器
anon:无需认证。
authc:必须认证。
authcBasic:需要通过HTTPBasic认证。
user:不一定通过认证,只要曾经被Shiro记录即可,比如:记住我。
权限过滤器
perms:必须拥有某个权限才能访问。
role:必须拥有某个角色才能访问。
port:请求的端口必须是指定值才可以。
rest:请求必须基于RESTful,POST、PUT、GET、DELETE。
ssl:必须是安全的URL请求,协议HITPS。
7、Controller
创建3个页面,main.html、manage.html、administator.html访问权限如下:
1、必须登录才能访问main.html
2、当前用户必须拥有manage授权才能访问manage.html
3、当前用户必须拥有administator角色才能访问administator.html
用户登录时的认证操作
@Controller
public class AccountController {
@GetMapping("/{url}")
public String redirect(@PathVariable("url") String url){
return url;
}
@PostMapping("/login")
public String login(String username, String password, Model model){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
subject.login(token);
return "index";
}catch (UnknownAccountException e){
e.printStackTrace();
model.addAttribute("msg","用户名错误");
return "login";
}catch (IncorrectCredentialsException e){
e.printStackTrace();
model.addAttribute("msg","密码错误");
return "login";
}
}
}
当用户没有权限时会弹出报错
授权信息
/**
* 授权
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//获取用户信息
Subject subject = SecurityUtils.getSubject();
Account account = (Account) subject.getPrincipal();
//设置角色
Set<String> roles = new HashSet<>();
roles.add(account.getRole());
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
//设置权限
info.addStringPermission(account.getPerms());
return info;
}
当用户有权限时,可以进入manage页面
8、整合thymeleaf
引入依赖
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
配置类添加ShiroDialect
@Bean
public ShiroDialect shiroDialect(){
return new ShiroDialect();
}
html页面添加标签
xmlns:shiro=“http://thymeleaf.org/thymeleaf-extras-shiro”
添加判断
<div shiro:hasPermission="message">
<a href="/manage">manage</a><br/>
</div>
<div shiro:hasRole="administrator">
<a href="/administrator">administrator</a>
</div>
效果