shrio核心功能
Authentication认证:验证用户是否有相应的身份----登录认证
Authorization授权:即权限验证,对已有通过认证的用户检查是否有某有权限或者角色,从而控制是否能进行某种操作
SessionManagement会话管理,用户再认证成功后创建会话,在没有退出之前,当前用户的所有信息都会保存在这个会话之中,可以普通的javase应用,也可以是web应用
crrytography加密,对敏感信息进行加密,shiro就提供这种加密机制。
支持的特性
web support–shrio提供了过滤器,通过过滤器拦截web请求来处理web应用的访问控制
Caching缓存支持,shiro可以缓存用户信息以及用户的角色权限信息,可以提高执行效率
Concurrency shiro支持多线程应用
Testing提供测试支持
Run As 允许一个用户以另一种身份去访问
shiro三大核心组件:subject Realms securityManager
subject:表示待认证和授权的用户
Realm:相当于shiro进行认证和授权的数据源,充当了shiro与数据源的桥梁,当用户进行认证(登录)和授权(访问控制),shiro会用应用配置的realm中查找用户及其权限信息
securityManager:shrio框架的一个核心,shrio是通过安全管理器来进行内部框架的管理,并通过它提供安全管理的各种服务
Authenticator 认证器
Authorize 授权器
SessionManager 会话管理器
Cacchemanager 缓存管理器
subject封装了当前用户的权限信息。
shiro基本使用(javaSE)
创建一个普通的maven项目,加入maven依赖
<dependencies>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.1</version>
</dependency>
</dependencies>
在resources创建一个shiro.ini文件,来存放信息
[users]
zhangsan=123456,seller
lisi=666666,ckmgr
admin=999999,admin
[roles]
admin=*
seller=order-add,order-del,order-list
ckmgr=ck-add,ck-del,ck-list
其中上一栏可以看成用户权限 :账户,密码,权限
admin为所有权限
seller 订单增删查
ckmgr为管理增删查
shiro基本使用
在java文件夹下创建自己的package,然后创建一个类,如下:
package com.wh.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
import java.security.Security;
import java.util.Scanner;
public class TestShiro {
public static void main(String[] args) {
Scanner scanner = new Scanner(System.in);
System.out.println("请输入账号:");
String username = scanner.nextLine();
System.out.println("请输入密码:");
String password = scanner.nextLine();
// SecurityManager需要借助SecurityUtils这个帮助类
//创建安全管理器
DefaultSecurityManager securityManager=new DefaultSecurityManager();
// 创建数据源
IniRealm iniRealm=new IniRealm("classpath:shiro.ini");
// 将realm设置安全管理器
securityManager.setRealm(iniRealm);
// 将realm设置给securityUtils工具
SecurityUtils.setSecurityManager(securityManager);
// 通过SecurityUtils工具类获取subject对象
Subject subject = SecurityUtils.getSubject();
// 认证
/**
* 将账号密码设置subject
*/
// 账号密码封装到token
UsernamePasswordToken token
= new UsernamePasswordToken(username, password);
// 通过subject对象调用login方法进行认证
// 状态
// System.out.println(subject.isAuthenticated());
boolean b=false;
try {
subject.login(token);
b=true;
}catch (IncorrectCredentialsException e){
b=false;
}
System.out.println(b?"登录成功":"登录失败");
// System.out.println(subject.isAuthenticated());
// 权限认证
System.out.println(subject.hasRole("seller"));
// subject表示当前用户角色
// 判断某个权限,用户存在这个权限
boolean permitted = subject.isPermitted("order-list");
System.out.println(permitted);
}
}
1.通过subject.login(token)进行登录,就会将token包含的用户信息(账号和密码)传递给secuityManager
2.secuityManager就会调用authentication进行身份认证
3. authenticator把token传递给对应的Realm
4. realm根据token,调用dogetauthentication方法进行认证(如果认证失败通过抛出异常提示认证器)
5-7.将认证结果一层一层的返回subject(如果login抛出异常就算认证失败)
springboot项目整合shiro
创建一个springboot项目,导入maven依赖
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.wh</groupId>
<artifactId>shirodemo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>shirodemo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<spring-boot.version>2.3.7.RELEASE</spring-boot.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.4</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>2.3.7.RELEASE</version>
<configuration>
<mainClass>com.wh.shirodemo.ShirodemoApplication</mainClass>
</configuration>
<executions>
<execution>
<id>repackage</id>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
配置shiro过滤器,拦截需要进行认证和权限的用户请求
配置securityManager到spring容器
secuitymanager需要realm
realm可以shiro提供的也可以是自定义的
在导入依赖shiro-spring
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
shiro配置
springboot默认没有提供shiro自动配置
yml配置
spring:
application:
name: shirodemo
datasource:
druid:
url: jdbc:mysql://localhost:3306/db_shiro?characterEncoding=UTF-8
driver-class-name: com.mysql.cj.jdbc.Driver
username: root
password: 123456
min-idle: 1
max-active: 20
thymeleaf:
cache: false
prefix: classpath:/templates/
mode: HTML5
#字符
encoding: utf-8
servlet:
#Content-Type值
content-type: text/html
mybatis:
mapper-locations: classpath:com/wh/mapper/*.xml
type-aliases-package: com.wh.shirodemo.beans
# 整合shiro
server:
port: 9090
在resource下面创建shiro.ini文件
[users]
zhangsan=123456
在需要创建一个config的包,需要创建一个ShiroConfig
package com.wh.shirodemo.config;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.HashMap;
@Configuration
public class ShiroConfig {
@Bean
public IniRealm getInReam(){
IniRealm iniRealm = new IniRealm("classpath:shiro.ini");
return iniRealm;
}
@Bean
public DefaultWebSecurityManager getDefaultSecurityManager(IniRealm iniRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// securityManager要完成效验,需要realm
securityManager.setRealm(iniRealm);
return securityManager;
}
// 配置过滤器
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultSecurityManager securityManager){
ShiroFilterFactoryBean filter=new ShiroFilterFactoryBean();
// 因为过滤器是权限效验的核心,进行认证和授权需要secuitymanager
// 设置shiro拦截规则
// anon 匿名用户可访问
// authc 认证用户可访问
// user 使用remeber Me用户可访问
// perms 对应权限可访问
// role对应角色可以访问
filter.setSecurityManager(securityManager);
HashMap<String,String> filtermap = new HashMap<>();
filtermap.put("/","anon");
filtermap.put("/**","authc");
filtermap.put("/user/login","anon");
filter.setLoginUrl("/login.html");
return filter;
}
}
在需要创建一个controller层
package com.wh.shirodemo.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class PageController {
@RequestMapping("/login")
public String login(){
return "login";
}
@RequestMapping("/")
public String login1(){
return "login";
}
@RequestMapping("/index")
public String index(){
return "index";
}
}
在前端创建对应的html5,在这里是使用的模板引擎,在templates下面创建login.html和index.html如下
<!--login.html-->
<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/html">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
login111111111111
<hr/>
<form action="/user/login">
<label>账号</label>
<input type="text" name="username" placeholder="请输入账号"></br>
<label>密码</label>
<input type="password" name="password" placeholder="请输入密码"></br>
<button type="submit">提交</button>
</form>
</body>
</html>
<!--index.html-->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>
登录成功!
</h1>
</body>
</html>
在创建一个service层,来验证登录业务
package com.wh.shirodemo.service;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Service;
@Service
public class UserServiceImpl {
public void checkLogin(String username,String password){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.login(token);
}
}
最后在创建一个userController
package com.wh.shirodemo.controller;
import com.wh.shirodemo.service.UserServiceImpl;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.annotation.Resource;
@Controller
@RequestMapping("/user")
public class UserController {
@Resource
private UserServiceImpl userService;
@RequestMapping("/login")
public String login(String username,String password){
try {
userService.checkLogin(username,password);
System.out.println("登录成功!");
return "index";
}catch (Exception e){
System.out.println("登陆失败!");
return "login";
}
}
}
打开浏览器
输入shrio.ini里面的内容就可以登录成功
真正完成认证和授权工作的是realm。
jdbcRealm是内置的realm
如果使用jdbcRealm,则必须使用jdbcRealm所需的表结构
用户表·
-- ----------------------------
-- Table structure for `users`
-- ----------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int NOT NULL AUTO_INCREMENT,
`username` varchar(60) DEFAULT NULL,
`password` varchar(20) DEFAULT NULL,
`password_salt` varchar(20) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
-- ----------------------------
-- Records of users
-- ----------------------------
INSERT INTO `users` VALUES ('1', 'zhangsan', '123456', null);
INSERT INTO `users` VALUES ('2', 'lisi', '123456', null);
INSERT INTO `users` VALUES ('3', 'wangwu', '123456', null);
INSERT INTO `users` VALUES ('4', 'zhaoliu', '123456', null);
INSERT INTO `users` VALUES ('5', 'chenqi', '123456', null);
角色表
-- ----------------------------
-- Table structure for `user_roles`
-- ----------------------------
DROP TABLE IF EXISTS `user_roles`;
CREATE TABLE `user_roles` (
`id` int NOT NULL AUTO_INCREMENT,
`username` varchar(60) DEFAULT NULL,
`role_name` varchar(100) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
-- ----------------------------
-- Records of user_roles
-- ----------------------------
INSERT INTO `user_roles` VALUES ('1', 'zhangsan', 'admin');
INSERT INTO `user_roles` VALUES ('2', 'lisi', 'cmanager');
INSERT INTO `user_roles` VALUES ('3', 'wangwu', 'xmanager');
INSERT INTO `user_roles` VALUES ('4', 'zhaoliu', 'kmanager');
INSERT INTO `user_roles` VALUES ('5', 'chenqi', 'zmanager');
权限信息表
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for `permission`
-- ----------------------------
DROP TABLE IF EXISTS `permission`;
CREATE TABLE `permission` (
`id` int NOT NULL AUTO_INCREMENT,
`role_name` varchar(100) DEFAULT NULL,
`permission` varchar(100) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
-- ----------------------------
-- Records of permission
-- ----------------------------
INSERT INTO `permission` VALUES ('1', 'admin', '*');
INSERT INTO `permission` VALUES ('2', 'cmanager', 'sys:c:save');
INSERT INTO `permission` VALUES ('3', 'cmanager', 'sys:c:delete');
INSERT INTO `permission` VALUES ('4', 'cmanager', 'sys:c:update');
INSERT INTO `permission` VALUES ('5', 'cmanager', 'sys:c:find');
INSERT INTO `permission` VALUES ('6', 'xmanager', 'sys:c:find');
INSERT INTO `permission` VALUES ('7', 'xmanaager', 'sys:x:sava');
INSERT INTO `permission` VALUES ('8', 'xmanager', 'sys:x:delete');
INSERT INTO `permission` VALUES ('9', 'xmanager', 'sys:x:update');
INSERT INTO `permission` VALUES ('10', 'xmanager', 'sys:x:find');
INSERT INTO `permission` VALUES ('11', 'xmanager', 'sys:k:save');
INSERT INTO `permission` VALUES ('12', 'xmanager', 'sys:k:delete');
INSERT INTO `permission` VALUES ('13', 'xmanager', 'sys:k:update');
INSERT INTO `permission` VALUES ('14', 'xmanager', 'sys:k:find');
INSERT INTO `permission` VALUES ('15', 'kmanager', 'sys:k:find');
INSERT INTO `permission` VALUES ('16', 'kmanager', 'sys:k:update');
INSERT INTO `permission` VALUES ('17', 'zmanager', 'sys:*:find');
更改ShrioConfig这个配置类
package com.wh.shirodemo.config;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.sql.DataSource;
import java.util.HashMap;
@Configuration
public class ShiroConfig {
/* @Bean
public IniRealm getInReam(){
IniRealm iniRealm = new IniRealm("classpath:shiro.ini");
return iniRealm;
}*/
@Bean
public JdbcRealm getJdbcRealm(DataSource dataSource){
JdbcRealm jdbcRealm = new JdbcRealm();
// JdbcRealm会自行从数据库查询用户及权限数据(数据库的表结构要符合JdbcRealm的规范)
jdbcRealm.setDataSource(dataSource);
// 默认只有认证功能
jdbcRealm.setPermissionsLookupEnabled(true);
// 手动开启授权功能
return jdbcRealm;
}
@Bean
public DefaultWebSecurityManager getDefaultSecurityManager(JdbcRealm jdbcRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
// securityManager要完成效验,需要realm
securityManager.setRealm(jdbcRealm);
return securityManager;
}
// 配置过滤器
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultSecurityManager securityManager){
ShiroFilterFactoryBean filter=new ShiroFilterFactoryBean();
// 因为过滤器是权限效验的核心,进行认证和授权需要secuitymanager
// 设置shiro拦截规则
// anon 匿名用户可访问
// authc 认证用户可访问
// user 使用remeber Me用户可访问
// perms 对应权限可访问
// role对应角色可以访问
filter.setSecurityManager(securityManager);
HashMap<String,String> filtermap = new HashMap<>();
filtermap.put("/","anon");
filtermap.put("/**","authc");
filtermap.put("/user/login","anon");
filter.setLoginUrl("/login.html");
return filter;
}
}
主要更改成了jdbcRealm,把数据库为数据源
我在运行的时候,url之中时区不正确,可以更换成(仅供参考)
url: jdbc:mysql://localhost:3306/db_shiro?serverTimezone=CST&useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull&useSSL=true
进行运行可以验证数据库之中的账号,都可以登录成功
用户经过认证在主页面之后,需要显示用户信息及当前用户的权限信息,shiro提供了一套标签用于在页面来进行数据的呈现
加入依赖
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.1.0</version>
</dependency>
在ShiroConfig添加
@Bean
public ShiroDialect getShiroDislect(){
return new ShiroDialect();
}
在thymeleaf引入shiro的命名空间,修改一下index.html
<!--index.html-->
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>
index
<hr/>
<!-- -->
<shiro:guest>
<!-- 如果用户使游客身份,显示此标签内容-->
欢迎游客访问 <a href="login">登录</a>
</shiro:guest>
<shiro:user>
<!-- 判断用户是否认证身份,如果是认证身份显示此标签的内容-->
用户[<shiro:principal/>] 欢迎你...
<!-- principal显示当前用户的登录名-->
<!-- 显示当前用户角色-->
当前用户为<shiro:hasRole name="admin">超级管理员</shiro:hasRole>
<shiro:hasRole name="cmanager">仓库人员</shiro:hasRole>
<shiro:hasRole name="xmanager">销售人员</shiro:hasRole>
<shiro:hasRole name="kmanager">客服人员</shiro:hasRole>
<shiro:hasRole name="zmanager">行政人员</shiro:hasRole>
</shiro:user>
<hr/>
仓库管理
<ul>
<shiro:hasPermission name="sys:c:save"><li><a href="#">入库</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:c:delete"><li><a href="#">出库</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:c:update"><li><a href="#">修改</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:c:find"><li><a href="#">查询</a></li></shiro:hasPermission>
</ul>
订单管理
<ur>
<shiro:hasPermission name="sys:x:save"><li><a href="#">添加订单</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:x:delete"><li><a href="#">删除订单</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:x:update"><li><a href="#">修改订单</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:x:find"><li><a href="#">查询订单</a></li></shiro:hasPermission>
</ur>
客户管理
<ur>
<shiro:hasPermission name="sys:k:save"><li><a href="#">添加客户</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:k:delete"><li><a href="#">删除客户</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:k:update"><li><a href="#">修改客户</a></li></shiro:hasPermission>
<shiro:hasPermission name="sys:k:find"><li><a href="#">查询客户</a></li></shiro:hasPermission>
</ur>
</h1>
</body>
</html>
在运行之中我遇到了Table ‘db_shiro.roles_permissions’ doesn’t exist这样的报错,修改一下数据表的名称就可以了,名称为 roles_permissions
最后的结果
这里就是举一个例子(如上图,运行结果)