1、功能实现
我们在登录之后,关闭浏览器一段时间再重新打开浏览器,还想继续访问而不是提示需要重新登录,这就需要使用到记住我功能了
2、shiro02子工程
本篇以 入门篇 为基础
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.yzm</groupId>
<artifactId>shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath> <!-- lookup parent from repository -->
</parent>
<artifactId>shiro02</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>shiro02</name>
<description>Demo project for Spring Boot</description>
<dependencies>
<!-- Shiro, Spring Boot web and MyBatis-Plus are not declared here; presumably they arrive transitively
     through com.yzm:common, so the Shiro version actually in use is pinned in that module and is not
     visible on this page. Check it there when assessing the rememberMe cipher configuration. -->
<dependency>
<groupId>com.yzm</groupId>
<artifactId>common</artifactId>
<version>0.0.1-SNAPSHOT</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
application.yml
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
# NOTE(review): useSSL=false sends credentials and query data in clear text on the wire - acceptable for a
# local VM, enable TLS for anything shared. allowMultiQueries=true lets a single statement string carry
# several statements, which widens the impact of any SQL injection bug; confirm the mappers actually need it.
url: jdbc:mysql://192.168.192.128:3306/testdb2?useUnicode=true&characterEncoding=utf8&useSSL=false&allowMultiQueries=true&zeroDateTimeBehavior=convertToNull&serverTimezone=Asia/Shanghai
# NOTE(review): root credentials committed in plain text. Use a least-privilege database account for the
# application and inject the password from the environment or a secrets store rather than the repository.
username: root
password: 1234
mybatis-plus:
mapper-locations: classpath:/mapper/*Mapper.xml
type-aliases-package: com.yzm.shiro02.entity
configuration:
map-underscore-to-camel-case: true
# Logs every SQL statement (with parameters) to stdout - useful for the walk-through, noisy and
# potentially sensitive in production.
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
3、认证和授权
package com.yzm.shiro02.config;
import com.yzm.shiro02.entity.Permissions;
import com.yzm.shiro02.entity.Role;
import com.yzm.shiro02.entity.User;
import com.yzm.shiro02.service.PermissionsService;
import com.yzm.shiro02.service.RoleService;
import com.yzm.shiro02.service.UserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
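/**
 * Custom {@link AuthorizingRealm} backing both halves of Shiro's security model:
 * <ul>
 *   <li>{@link #doGetAuthenticationInfo} - authentication (who is this user?)</li>
 *   <li>{@link #doGetAuthorizationInfo} - authorization (what may this user do?)</li>
 * </ul>
 * Users, roles and permissions are read through the MyBatis-Plus services injected in the constructor.
 * Role ids on a {@code User} and permission ids on a {@code Role} are stored as comma-separated
 * strings and parsed by {@link #parseIds(String)}.
 */
public class MyShiroRealm extends AuthorizingRealm {
    private final UserService userService;
    private final RoleService roleService;
    private final PermissionsService permissionsService;

    public MyShiroRealm(UserService userService, RoleService roleService, PermissionsService permissionsService) {
        this.userService = userService;
        this.roleService = roleService;
        this.permissionsService = permissionsService;
    }

    /**
     * This realm only understands username/password logins; Shiro skips it for any other token type,
     * which is what makes the cast in {@link #doGetAuthenticationInfo} safe.
     */
    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof UsernamePasswordToken;
    }

    /**
     * Authorization: resolves the roles and permissions of the primary principal (the username).
     * <p>
     * Everything is re-read from the database on each call. An account that was deleted, or whose role
     * or permission ids were cleared, after its session or rememberMe cookie was issued therefore gets an
     * empty authorization info (every role/permission check fails) instead of a NullPointerException
     * surfacing as a server error on the first protected request.
     *
     * @param principalCollection principals of the subject being authorized; only the primary one is used
     * @return the user's roles and string permissions; empty when the user or its roles cannot be resolved
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        Object primary = principalCollection.getPrimaryPrincipal();
        if (!(primary instanceof String)) {
            // Not a principal this realm produced: grant nothing rather than fail.
            return authorizationInfo;
        }
        User user = userService.lambdaQuery().eq(User::getUsername, (String) primary).one();
        if (user == null) {
            return authorizationInfo;
        }
        List<Integer> roleIds = parseIds(user.getRIds());
        if (roleIds.isEmpty()) {
            // Makes "no roles" explicit and avoids a batch lookup with an empty id list.
            return authorizationInfo;
        }
        List<Role> roles = roleService.listByIds(roleIds);
        Set<String> roleNames = new HashSet<>(roles.size());
        Set<Integer> permIds = new HashSet<>();
        for (Role role : roles) {
            roleNames.add(role.getRName());
            permIds.addAll(parseIds(role.getPIds()));
        }
        authorizationInfo.addRoles(roleNames);
        if (!permIds.isEmpty()) {
            List<Permissions> permissions = permissionsService.listByIds(permIds);
            List<String> permNames = permissions.stream()
                    .map(Permissions::getPName)
                    .collect(Collectors.toList());
            authorizationInfo.addStringPermissions(permNames);
        }
        return authorizationInfo;
    }

    /**
     * Authentication: looks the account up by username and hands its stored hash and salt to the
     * credentials matcher configured on this realm, which performs the actual comparison.
     * The salt passed here is {@code username + salt}; it has to be exactly what was used when the stored
     * hash was created (presumably EncryptUtils at registration - confirm against that code).
     *
     * @param authenticationToken a {@link UsernamePasswordToken}, guaranteed by {@link #supports}
     * @return principal (username), stored password hash and salt for the credentials matcher
     * @throws UnknownAccountException when no user with that username exists; what the browser sees is
     *         decided by the login filter's failure handling, not by this exception type
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();
        if (username == null) {
            throw new UnknownAccountException();
        }
        User user = userService.lambdaQuery().eq(User::getUsername, username).one();
        if (user == null) {
            throw new UnknownAccountException();
        }
        return new SimpleAuthenticationInfo(
                user.getUsername(),
                user.getPassword(),
                // salt = username + per-user salt
                ByteSource.Util.bytes(user.getUsername() + user.getSalt()),
                getName()
        );
    }

    /**
     * Parses a comma-separated id column such as {@code "1,2,3"} into integers.
     * A null or blank column and stray empty segments ({@code "1,,2"}, a trailing comma) yield no ids
     * instead of a NumberFormatException; a genuinely non-numeric segment still throws, because that is
     * corrupt data rather than an absent value.
     *
     * @param csv the raw column value, may be null
     * @return the parsed ids in column order, never null
     */
    private static List<Integer> parseIds(String csv) {
        String source = csv == null ? "" : csv;
        return Arrays.stream(source.split(","))
                .map(String::trim)
                .filter(segment -> !segment.isEmpty())
                .map(Integer::parseInt)
                .collect(Collectors.toList());
    }
}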
4、ShiroConfig 配置类
package com.yzm.shiro02.config;
import com.yzm.shiro02.service.PermissionsService;
import com.yzm.shiro02.service.RoleService;
import com.yzm.shiro02.service.UserService;
import com.yzm.shiro02.utils.EncryptUtils;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.Cookie;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.LinkedHashMap;
import java.util.Map;
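@Configuration
public class ShiroConfig {
    private final UserService userService;
    private final RoleService roleService;
    private final PermissionsService permissionsService;

    public ShiroConfig(UserService userService, RoleService roleService, PermissionsService permissionsService) {
        this.userService = userService;
        this.roleService = roleService;
        this.permissionsService = permissionsService;
    }

    /**
     * Credentials matcher: re-hashes the submitted password with the algorithm and iteration count from
     * EncryptUtils and compares the result with the hash stored on the user. The realm supplies
     * {@code username + salt} as the salt, so whatever creates the stored hash must use the same salt
     * construction (presumably EncryptUtils at registration - not shown here).
     */
    @Bean
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(EncryptUtils.ALGORITHM_NAME);
        matcher.setHashIterations(EncryptUtils.HASH_ITERATIONS);
        return matcher;
    }

    /** The custom realm, wired with the credentials matcher above. */
    @Bean
    public MyShiroRealm shiroRealm() {
        MyShiroRealm realm = new MyShiroRealm(userService, roleService, permissionsService);
        realm.setCredentialsMatcher(hashedCredentialsMatcher());
        return realm;
    }

    /**
     * The rememberMe cookie.
     * <ul>
     *   <li>HttpOnly: page scripts cannot read it, which limits what an XSS bug can steal.</li>
     *   <li>Path "/": applies to the whole application.</li>
     *   <li>MaxAge is in seconds; -1 would make it a session cookie that dies with the browser. 120 s is
     *       deliberately short for the walk-through; a real deployment uses days and should also call
     *       {@code setSecure(true)} once it is served over HTTPS, so the cookie is never sent in clear
     *       text.</li>
     * </ul>
     */
    @Bean
    public Cookie simpleCookie() {
        SimpleCookie cookie = new SimpleCookie("rememberMe");
        cookie.setHttpOnly(true);
        cookie.setPath("/");
        cookie.setMaxAge(120);
        return cookie;
    }

    /**
     * RememberMe manager. The cookie value is the subject's principals, Java-serialized and encrypted
     * with the cipher key, so anyone holding that key can produce a cookie this server accepts as an
     * already-logged-in user: the key is a credential, not a setting. The value previously hard-coded
     * here was Shiro's long-published default key and is therefore public knowledge; a fresh AES key is
     * generated at startup instead. Trade-off: rememberMe cookies become invalid after a restart and are
     * not shared between instances. If that matters, generate the key once, keep it in secret
     * configuration (never in source control) and pass it to {@code setCipherKey} from there.
     */
    @Bean
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
        rememberMeManager.setCookie(simpleCookie());
        rememberMeManager.setCipherKey(new AesCipherService().generateNewKey().getEncoded());
        return rememberMeManager;
    }

    /** SecurityManager: the realm for authentication/authorization plus the rememberMe manager. */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(shiroRealm());
        securityManager.setRememberMeManager(rememberMeManager());
        return securityManager;
    }

    /**
     * Shiro's servlet filter: login and unauthorized URLs, the two replaced built-in filters, and the
     * URL-to-filter-chain table.
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilter() {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager());
        // Login page; Shiro's default would look for "/login.jsp" under the web root or a "/login" mapping.
        shiroFilterFactoryBean.setLoginUrl("/login");
        // Where a subject lacking the required role/permission is sent.
        shiroFilterFactoryBean.setUnauthorizedUrl("/401");

        // Replace two of the built-in filters.
        Map<String, Filter> filters = new LinkedHashMap<>();
        // logout: redirect to "/login" after logout instead of the default "/".
        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setRedirectUrl("/login");
        filters.put("logout", logoutFilter);
        // authc: custom success/failure handling (always go to "/", generic failure URL).
        filters.put("authc", new LoginFormAuthenticationFilter());
        shiroFilterFactoryBean.setFilters(filters);

        // Filter chain definitions. Order matters: entries are matched top-down and the first match wins,
        // so the specific "/user/..." and "/admin/..." entries must stay above their "/**" catch-alls.
        // If "/user/**" (roles[USER]) sat directly below "/logout", a USER lacking user:select would still
        // reach "/user/select".
        Map<String, String> definitionMap = new LinkedHashMap<>();
        definitionMap.put("/", "anon");
        definitionMap.put("/home", "anon");
        definitionMap.put("/register", "anon");
        definitionMap.put("/401", "anon");
        definitionMap.put("/login", "authc");
        definitionMap.put("/logout", "logout");
        // perms[...]: the listed permission is required.
        definitionMap.put("/user/select", "perms[user:select]");
        definitionMap.put("/user/delete", "perms[user:delete]");
        // perms[a,b]: every listed permission is required; missing any one of them denies access.
        definitionMap.put("/user/createAndUpdate", "perms[user:create,user:update]");
        // roles[...]: the listed role is required; like perms it accepts several comma-separated values.
        definitionMap.put("/user/**", "roles[USER]");
        // Several filters can be chained on one URL.
        definitionMap.put("/admin/select", "roles[ADMIN],perms[admin:select]");
        definitionMap.put("/admin/create", "perms[admin:create]");
        definitionMap.put("/admin/update", "perms[admin:update]");
        definitionMap.put("/admin/delete", "perms[admin:delete]");
        definitionMap.put("/admin/**", "roles[ADMIN]");
        // "user" instead of "authc" for everything else: "user" also passes subjects restored from the
        // rememberMe cookie, "authc" only subjects that authenticated in this session.
        // definitionMap.put("/**", "authc");
        definitionMap.put("/**", "user");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(definitionMap);
        return shiroFilterFactoryBean;
    }
}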
5、登录成功、登录失败处理
package com.yzm.shiro02.config;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
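public class LoginFormAuthenticationFilter extends FormAuthenticationFilter {

    /**
     * On success always sends the browser to "/" instead of replaying the request that was saved before
     * the redirect to the login page. Returning false stops the filter chain, because the redirect has
     * already completed the response.
     */
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception {
        WebUtils.issueRedirect(request, response, "/");
        return false;
    }

    /**
     * On failure redirects to "/login?failure". The reason (the {@link AuthenticationException} subtype)
     * is deliberately not put in the URL, so an unknown username and a wrong password look the same to
     * the browser. If the redirect itself cannot be written (response already committed, client gone),
     * that is logged to the servlet context instead of being silently dropped; other exceptions are
     * programming errors and propagate.
     */
    @Override
    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e, ServletRequest request, ServletResponse response) {
        try {
            WebUtils.issueRedirect(request, response, "/login?failure");
        } catch (IOException redirectFailure) {
            request.getServletContext().log("could not redirect to /login?failure after a failed login", redirectFailure);
        }
        return false;
    }
}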
6、记住我功能
/**
 * The rememberMe cookie: HttpOnly (not readable by page scripts), valid for the whole application,
 * 120 s lifetime. MaxAge is in seconds; -1 would make it a session cookie that dies with the browser.
 */
@Bean
public Cookie simpleCookie() {
    SimpleCookie rememberMeCookie = new SimpleCookie("rememberMe");
    rememberMeCookie.setPath("/");
    // Keeps the cookie out of reach of JavaScript, limiting what an XSS bug can read.
    rememberMeCookie.setHttpOnly(true);
    // Short on purpose for the walk-through; real deployments use days.
    rememberMeCookie.setMaxAge(120);
    return rememberMeCookie;
}
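/**
 * RememberMe manager. The cookie is the subject's principals, serialized and encrypted with the cipher
 * key; whoever holds the key can produce a cookie this server accepts as a logged-in user, so the key
 * is a credential. The value hard-coded here before was Shiro's published default key (public
 * knowledge); a fresh AES key is generated at startup instead. Cookies then stop being valid after a
 * restart and across instances - if that matters, generate the key once and load it from secret
 * configuration, never from source control.
 */
@Bean
public CookieRememberMeManager rememberMeManager() {
    CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
    rememberMeManager.setCookie(simpleCookie());
    // shiro-core's AesCipherService; import it in the config class instead of qualifying it inline.
    rememberMeManager.setCipherKey(new org.apache.shiro.crypto.AesCipherService().generateNewKey().getEncoded());
    return rememberMeManager;
}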
/**
 * SecurityManager: wires the custom realm (authentication and authorization) and the rememberMe
 * manager into a web security manager.
 */
@Bean
public SecurityManager securityManager() {
    DefaultWebSecurityManager webSecurityManager = new DefaultWebSecurityManager();
    // rememberMe support
    webSecurityManager.setRememberMeManager(rememberMeManager());
    // realm
    webSecurityManager.setRealm(shiroRealm());
    return webSecurityManager;
}
7、接口页面
在HomeController 中,使用记住我功能
/**
 * Programmatic login with the rememberMe flag taken from the form checkbox.
 * rememberMe is an unannotated primitive, so Spring binds it from the request parameter of the same
 * name; presumably an absent checkbox yields false - confirm with the Spring version in use.
 * A wrong username or password surfaces as Shiro's AuthenticationException from subject.login().
 * NOTE(review): the form on this page posts to "doLogin" while this mapping is "login"; confirm a
 * controller-level mapping makes them line up.
 */
@PostMapping("login")
public void doLogin(@RequestParam String username, @RequestParam String password, boolean rememberMe) {
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken(username, password);
    credentials.setRememberMe(rememberMe);
    currentUser.login(credentials);
}
在login.html中,添加 rememberMe 复选框
<form action="doLogin" method="post">
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username" placeholder="Username">
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password" name="password" placeholder="Password">
</p>
<!-- rememberMe checkbox: an unchecked box is not submitted at all, so the server-side boolean stays false;
     a checked one is sent as "on" (no value attribute) and relies on the binder converting that to true. -->
<!-- NOTE(review): the form carries no CSRF token; confirm one is added before this leaves the demo stage. -->
<p>
<label>
<input type="checkbox" name="rememberMe">
Remember me on this computer.
</label>
</p>
<button type="submit">Sign in</button>
</form>
设置拦截
// "authc" replaced by "user" for the catch-all: "user" passes both subjects authenticated in this
// session and subjects restored from the rememberMe cookie; "authc" passes only the former.
// definitionMap.put("/**", "authc");
definitionMap.put("/**", "user");
8、测试
启动项目,用yzm用户正常登录
关闭浏览器,重新打开浏览器 访问/home,登录状态变成未登录
重新登录,这次选择记住我,按F12,可以看到值为rememberMe的cookie
F12查看cookie
关闭浏览器,重开浏览器,访问主页,还是已登录,接口也可以正常访问
可以看出authc跟user的区别:
authc是认证过,user是登录过,如果开启了rememberMe功能的话,user是可以通过的,而authc通过不了。
故我们用authc来校验一些关键操作。
比如购买,我们可以采用user校验即可;而支付的时候,我们需要认证的用户,那就需要authc了。