首先是数据库,涉及到四张表:用户表(user)、角色表(role)、用户-角色表(user_role)、角色-权限表(permission);表结构如下
/*
SQLyog 企业版 - MySQL GUI v8.14
MySQL - 5.5.40 : Database - shirotest
*********************************************************************
*/
-- Session setup emitted by the SQLyog dump. The /*!NNNNN ... */ forms are MySQL
-- conditional comments: they execute only on a server at or above that version.
/*!40101 SET NAMES utf8 */;
-- Empty SQL_MODE turns strict mode off for this session: a value that does not fit
-- its column (e.g. a 64-char hex hash into varchar(20)) is silently truncated
-- instead of being rejected.
/*!40101 SET SQL_MODE=''*/;
-- Constraint checking is switched off so tables and rows can be loaded in any
-- order; both settings are restored at the end of the dump.
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-- NOTE: MySQL's `utf8` is the 3-byte subset; utf8mb4 is required for full Unicode.
CREATE DATABASE /*!32312 IF NOT EXISTS*/`shirotest` /*!40100 DEFAULT CHARACTER SET utf8 */;
USE `shirotest`;
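/* Table structure for table `permission`: one row per permission string granted
   to a role (roleid -> role.id). */
DROP TABLE IF EXISTS `permission`;
CREATE TABLE `permission` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  -- permission string checked by the Shiro filter chain, e.g. perms[/readName]
  `url` varchar(30) NOT NULL,
  `roleid` int(11) DEFAULT NULL,
  `description` varchar(100) DEFAULT NULL,
  PRIMARY KEY (`id`),
  -- getPermissionsByRoleId looks rows up by roleid: index it and tie it to role.id
  -- so a deleted role cannot leave dangling grants
  KEY `permission_roleid_idx` (`roleid`),
  CONSTRAINT `permission_roleid_fk` FOREIGN KEY (`roleid`)
    REFERENCES `role` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
/* Data for the table `permission` */
INSERT INTO `permission` (`id`, `url`, `roleid`, `description`) VALUES
  (1, '/readName', 1, '查看名单'),
  (2, '/readData', 2, '查看数据');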
/* Table structure for table `role`: the role catalogue referenced by
   user_role.roleid and permission.roleid. */
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  -- display name of the role
  `role` varchar(20) NOT NULL,
  `description` varchar(120) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
/* Data for the table `role` */
INSERT INTO `role` (`id`, `role`, `description`) VALUES
  (1, '管理员', '管理员'),
  (2, '普通用户', '普通用户');
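/* Table structure for table `user` */
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  -- login name; the realm resolves users by this value, so it must be unique
  `account` varchar(20) NOT NULL,
  -- holds the hex SHA-256 digest written at registration (64 chars). The original
  -- varchar(20) would be silently truncated under SQL_MODE='' and no login could
  -- ever verify against the stored value.
  `password` varchar(128) NOT NULL,
  PRIMARY KEY (`id`),
  CONSTRAINT `user_account_uk` UNIQUE (`account`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
/* Data for the table `user` */
-- NOTE: these seed passwords are plaintext; they will not verify against the
-- HashedCredentialsMatcher (SHA-256, 1024 iterations) configured for the realm.
INSERT INTO `user` (`id`, `account`, `password`) VALUES
  (1, '123', '123'),
  (2, '1234', '1234');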
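/* Table structure for table `user_role`: assigns roles to users. */
DROP TABLE IF EXISTS `user_role`;
CREATE TABLE `user_role` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `userid` int(11) NOT NULL,
  `roleid` int(11) NOT NULL,
  PRIMARY KEY (`id`),
  -- a user holds a given role at most once; this key also serves the
  -- getUserRoleByUserId lookup by userid
  CONSTRAINT `user_role_userid_roleid_uk` UNIQUE (`userid`, `roleid`),
  KEY `user_role_roleid_idx` (`roleid`),
  -- removing a user or a role removes its assignments instead of leaving orphans
  CONSTRAINT `user_role_userid_fk` FOREIGN KEY (`userid`)
    REFERENCES `user` (`id`) ON DELETE CASCADE,
  CONSTRAINT `user_role_roleid_fk` FOREIGN KEY (`roleid`)
    REFERENCES `role` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8 CHECKSUM=1 DELAY_KEY_WRITE=1 ROW_FORMAT=DYNAMIC;
/* Data for the table `user_role` */
INSERT INTO `user_role` (`id`, `userid`, `roleid`) VALUES
  (1, 1, 1),
  (2, 2, 2);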
-- Restore the session settings saved at the top of the dump; foreign-key and
-- unique checks are enforced again from here on.
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
pom文件中需要的依赖包如下
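<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>mvc_shiro</groupId>
  <artifactId>mvc_shiro</artifactId>
  <packaging>war</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>mvc_shiro Maven Webapp</name>
  <url>http://maven.apache.org</url>
  <properties>
    <!-- Spring version -->
    <spring.version>4.0.2.RELEASE</spring.version>
    <!-- MyBatis version -->
    <mybatis.version>3.2.6</mybatis.version>
    <!-- logging (slf4j / log4j) versions -->
    <slf4j.version>1.7.7</slf4j.version>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <!-- NOTE(review): every version pinned below is several years old. Check each
       artifact against current advisory data before deploying; shiro-all, fastjson,
       commons-fileupload and mysql-connector-java in particular have had
       security fixes in later releases. -->
  <dependencies>
    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.1.3</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-all -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-all</artifactId>
      <version>1.2.4</version>
    </dependency>
    <!-- junit was declared twice (3.8.1 and 4.11); Maven only honours one
         declaration per groupId:artifactId, so the 3.8.1 entry was dropped. -->
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <!-- test scope: available at development time, not packaged into the war -->
      <scope>test</scope>
    </dependency>
    <!-- Spring core modules -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-oxm</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-tx</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jdbc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-aop</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context-support</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-test</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <!-- MyBatis core -->
    <dependency>
      <groupId>org.mybatis</groupId>
      <artifactId>mybatis</artifactId>
      <version>${mybatis.version}</version>
    </dependency>
    <!-- MyBatis / Spring integration -->
    <dependency>
      <groupId>org.mybatis</groupId>
      <artifactId>mybatis-spring</artifactId>
      <version>1.2.2</version>
    </dependency>
    <!-- Java EE API -->
    <dependency>
      <groupId>javax</groupId>
      <artifactId>javaee-api</artifactId>
      <version>7.0</version>
    </dependency>
    <!-- MySQL JDBC driver -->
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.30</version>
    </dependency>
    <!-- DBCP connection pool, used for the data source in applicationContext.xml -->
    <dependency>
      <groupId>commons-dbcp</groupId>
      <artifactId>commons-dbcp</artifactId>
      <version>1.2.2</version>
    </dependency>
    <!-- JSTL tag library -->
    <dependency>
      <groupId>jstl</groupId>
      <artifactId>jstl</artifactId>
      <version>1.2</version>
    </dependency>
    <!-- logging -->
    <!-- log start -->
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <!-- fastjson: object formatting for log output -->
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.1.41</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>${slf4j.version}</version>
    </dependency>
    <!-- log end -->
    <!-- JSON mapping -->
    <dependency>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-mapper-asl</artifactId>
      <version>1.9.13</version>
    </dependency>
    <!-- file upload -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.1</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.9</version>
    </dependency>
    <!-- NOTE(review): spring-security 5.1.x is built against Spring Framework 5.1,
         while spring.version above is 4.0.2; verify this combination actually
         resolves and runs together, or align the versions. -->
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-crypto -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-crypto</artifactId>
      <version>5.1.5.RELEASE</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-core -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>5.1.5.RELEASE</version>
    </dependency>
  </dependencies>
  <build>
    <finalName>mvc_shiro</finalName>
  </build>
</project>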
spring和shiro整合的xml配置如下
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- Shiro servlet filter. Presumably mapped from web.xml through a DelegatingFilterProxy
     named "shiroFilter" (web.xml is not shown here). -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" /> <!-- security manager the filter delegates to -->
<property name="loginUrl" value="/user/login" /> <!-- redirect target for requests that are not logged in -->
<property name="unauthorizedUrl" value="/user/nopermission" /> <!-- redirect target when a perms[...] check fails -->
<!-- Chain definitions are matched top-down and the first match wins, so the
     specific entries must stay above the catch-all /user/* line. -->
<property name="filterChainDefinitions">
<value>
/user/reg = anon
/user/login = anon <!-- anon: reachable without logging in -->
/user/readName = authc, perms[/readName] <!-- perms: the named permission string is required to reach this page -->
/user/readData = authc, perms[/readData]
/user/* = authc <!-- authc: authentication required. NOTE(review): Ant-style "*" matches one path segment; "/user/**" would also cover deeper paths -->
</value>
</property>
</bean>
<!-- Custom realm: authentication and authorization against the user/role/permission tables -->
<bean id="myShiroRealm" class="com.Shiro.MyShiroReaml">
<!-- service used by the realm to look up the account, password and permissions -->
<property name="shiroService" ref="accountService" />
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<!-- hash algorithm; must match the one used when the password was stored at registration -->
<property name="hashAlgorithmName" value="SHA-256"></property>
<!-- iteration count; must match the registration side as well -->
<property name="hashIterations" value="1024"></property>
</bean>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- realm the security manager consults -->
<property name="realm" ref="myShiroRealm"/>
</bean>
<!-- service bean injected into the custom realm -->
<bean id="accountService" class="com.Service.Impl.ShiroServiceImpl"/>
<!-- <bean id="shiroCacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManager" ref="cacheManager" /> </bean> -->
</beans>
其中,下面这段配置指定了密码的散列算法(可以为SHA-256、MD5等)以及散列次数(例如1024次);
<!-- Credentials matcher: re-hashes the submitted password with the realm's salt and
     compares it to the stored hash. Both values must agree with the registration code. -->
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<!-- hash algorithm -->
<property name="hashAlgorithmName" value="SHA-256"></property>
<!-- iteration count -->
<property name="hashIterations" value="1024"></property>
</bean>
</property>
对密码进行散列的代码如下
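/**
 * Hashes a plaintext password the same way the realm's HashedCredentialsMatcher
 * verifies it, so the stored value and the login check agree.
 *
 * SimpleHash(algorithmName, source, salt, hashIterations):
 *   algorithmName  - must equal hashAlgorithmName in the Shiro XML ("SHA-256" here;
 *                    the original passed "md5", which can never match a SHA-256 matcher.
 *                    "MD5" also works, but only if both sides are changed together)
 *   source         - the plaintext password
 *   salt           - per-user salt; "123" below is only a placeholder, a real salt
 *                    must be per user and available again at login time
 *   hashIterations - must equal hashIterations in the Shiro XML (1024)
 * toString() returns the hex encoding, which is what the matcher expects by default.
 */
String passwordEncoded = new SimpleHash("SHA-256", passWord, ByteSource.Util.bytes("123"), 1024).toString();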
核心的代码就是下面这个:先进行用户认证,再获取用户的权限以及这些权限允许做的事情。
下面这个方法是不对密码进行散列的版本
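/**
 * Authentication: looks the account up and hands the stored credential to the
 * security manager's CredentialsMatcher for comparison (no salt supplied here).
 *
 * @param authenticationToken the username/password submitted at login
 * @return authentication info wrapping the User and its stored password
 * @throws AuthenticationException UnknownAccountException when the account does not exist
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    User user = shiroService.getUserByUserName(token.getUsername());
    // The original dereferenced user unconditionally, so an unknown account produced a
    // NullPointerException instead of the UnknownAccountException the login controller catches.
    if (user == null) {
        throw new UnknownAccountException("unknown account");
    }
    // Realm name must be the realm's configured name (getName()), consistent with the
    // hashed variant; the class simple name is not what Shiro keys principals by.
    return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
}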
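/**
 * Authentication with a salted hash: the stored password is the SHA-256 digest
 * written at registration, and the salt is account + "reg" (must match the
 * registration side exactly).
 *
 * @param token the username/password submitted at login
 * @return authentication info carrying the User, its stored hash and the salt
 * @throws AuthenticationException UnknownAccountException when the account does not exist
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
        AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken userToken = (UsernamePasswordToken) token;
    String username = userToken.getUsername();
    User u = shiroService.getUserByUserName(username);
    if (u == null) {
        // same outcome the security manager produces for a null return, made explicit
        throw new UnknownAccountException("unknown account");
    }
    // NOTE(review): the salt is derived from the account name, so it is predictable;
    // a per-user random salt stored next to the hash would be stronger.
    ByteSource salt = ByteSource.Util.bytes(u.getAccount() + "reg");
    return new SimpleAuthenticationInfo(u, u.getPassword(), salt, getName());
}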
假若想让盐随机,可以用下面这个方法生成;随机盐需要保存到数据库(例如给user表加一个salt字段),登录时才能再次取到。安全方面我没考虑太多
/* Random salt. NOTE(review): a random salt must be persisted with the user record and
   passed to SimpleAuthenticationInfo at login, otherwise the stored hash can never be
   verified; toString() here yields the hex form of the generated bytes. */
String salt = new SecureRandomNumberGenerator().nextBytes().toString();
用户登录之后,需要授权时会查询该用户所拥有的权限,使用的是下面这个方法
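/**
 * Authorization after login: turns the logged-in User into the set of permission
 * strings it holds (user -> role ids -> permission rows, resolved by
 * shiroService.getPermissionsByUser).
 *
 * @param pc principal collection; the primary principal is the User stored at login
 * @return the user's string permissions (empty, never null, when there are none)
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    User user = (User) pc.getPrimaryPrincipal();
    if (user == null) {
        return info;
    }
    List<Permission> permissions = shiroService.getPermissionsByUser(user);
    // guard against a null list from the service; the original dereferenced it unconditionally
    if (permissions != null) {
        for (Permission p : permissions) {
            // Permission.url doubles as the Shiro permission string (see perms[/readName] in the filter chain)
            info.addStringPermission(p.getUrl());
        }
    }
    // An empty info denies every permission just like the original's null return,
    // but spares callers a null check.
    return info;
}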
下面是自定义Realm的完整代码
package com.Shiro;
import com.Pojo.Permission;
import com.Pojo.User;
import com.Service.ShiroService;
import org.apache.log4j.Logger;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.util.StringUtils;
import java.util.List;
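/**
 * Realm backing the Shiro security manager: authenticates against the user table
 * and authorizes from the role/permission tables, both through {@link ShiroService}.
 */
public class MyShiroReaml extends AuthorizingRealm {
    private Logger log = Logger.getLogger(MyShiroReaml.class);

    /**
     * Authorization after login: turns the logged-in User into the set of permission
     * strings it holds (user -> role ids -> permission rows, resolved by
     * {@link ShiroService#getPermissionsByUser}).
     *
     * @param pc principal collection; the primary principal is the User stored at login
     * @return the user's string permissions (empty, never null, when there are none)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = (User) pc.getPrimaryPrincipal();
        if (user == null) {
            return info;
        }
        List<Permission> permissions = shiroService.getPermissionsByUser(user);
        // guard against a null list from the service; the original dereferenced it unconditionally
        if (permissions != null) {
            for (Permission p : permissions) {
                // Permission.url doubles as the Shiro permission string (see perms[/readName] in the filter chain)
                info.addStringPermission(p.getUrl());
            }
        }
        // An empty info denies every permission just like the original's null return,
        // but spares callers a null check.
        return info;
    }

    /**
     * Authentication with a salted hash: the stored password is the SHA-256 digest
     * written at registration, and the salt is account + "reg" (must match the
     * registration side exactly). The actual comparison is done by the
     * HashedCredentialsMatcher configured on this realm.
     *
     * @param token the username/password submitted at login
     * @return authentication info carrying the User, its stored hash and the salt
     * @throws AuthenticationException UnknownAccountException when the account does not exist
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        String username = userToken.getUsername();
        User u = shiroService.getUserByUserName(username);
        if (u == null) {
            // same outcome the security manager produces for a null return, made explicit
            throw new UnknownAccountException("unknown account");
        }
        // NOTE(review): the salt is derived from the account name, so it is predictable;
        // a per-user random salt stored next to the hash would be stronger.
        ByteSource salt = ByteSource.Util.bytes(u.getAccount() + "reg");
        return new SimpleAuthenticationInfo(u, u.getPassword(), salt, getName());
    }

    // injected from the Spring XML (property "shiroService")
    private ShiroService shiroService;

    public ShiroService getShiroService() {
        return shiroService;
    }

    public void setShiroService(ShiroService shiroService) {
        this.shiroService = shiroService;
    }
}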
其中controller层的loginController代码如下
package com.Controller;
import com.Pojo.User;
import com.Service.ShiroService;
import org.apache.log4j.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* Created by Administrator on 2017/10/10.
*/
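/**
 * Login, registration and the pages protected by the Shiro filter chain
 * (/user/readName, /user/readData require the matching permission string).
 */
@Controller
@RequestMapping("/user")
public class loginController {
    @Autowired
    private ShiroService shiroService;
    private Logger logger = Logger.getLogger(loginController.class);

    /**
     * Authenticates the submitted credentials through Shiro.
     * NOTE(review): the mapping accepts any HTTP method, so credentials can arrive
     * as GET query parameters and land in access logs; restricting to POST is advisable.
     *
     * @param username login name
     * @param password plaintext password; hashed and compared by the realm's matcher
     * @param session  HTTP session; receives the logged-in User under "user"
     * @param model    receives a "message" attribute for the view
     * @return view name: "login" (no username), "index" (failed), "test" (succeeded)
     */
    @RequestMapping(value = "/login")
    public String Login(String username, String password, HttpSession session, Model model) {
        if (username == null) {
            model.addAttribute("message", "账号不为空");
            return "login";
        }
        // the current Subject is unauthenticated until login() succeeds
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            // delegates to the SecurityManager, which calls MyShiroReaml.doGetAuthenticationInfo
            subject.login(token);
        } catch (AuthenticationException e) {
            // The original caught only UnknownAccountException and let every other failure
            // (a wrong password included) fall through to the "test" view as if logged in.
            // One generic message for all failures also avoids revealing which accounts exist.
            logger.warn("login failed: " + e.getClass().getSimpleName());
            model.addAttribute("message", "账号密码不正确");
            return "index";
        }
        // The realm stored the User as primary principal; keep that in the session rather
        // than the Subject itself, which is bound to the current request and thread.
        // NOTE(review): views that read the "user" attribute now see a User, not a Subject.
        User user = (User) subject.getPrincipal();
        session.setAttribute("user", user);
        model.addAttribute("message", "登录完成");
        return "test";
    }

    /**
     * Shows the permission page for the current user.
     *
     * @param session HTTP session (unused; kept for the existing mapping signature)
     * @return "permission", or "login" when no principal is bound
     */
    @RequestMapping("/check")
    public String check(HttpSession session) {
        // Read the principal from Shiro rather than a raw session attribute; a missing
        // attribute would otherwise NPE on subject.getPrincipal().
        User user = (User) SecurityUtils.getSubject().getPrincipal();
        if (user == null) {
            return "login";
        }
        // user.toString() is deliberately not printed: it may include the password hash
        return "permission";
    }

    /** Page behind perms[/readName] in the filter chain. */
    @RequestMapping("/readName")
    public String readName(HttpSession session) {
        return "name";
    }

    /** Page behind perms[/readData] in the filter chain. */
    @RequestMapping("/readData")
    public String readData() {
        return "data";
    }

    /** Target of unauthorizedUrl in the Shiro configuration. */
    @RequestMapping("/nopermission")
    public String noPermission() {
        return "error";
    }

    /**
     * Registers a user, storing the salted SHA-256 hash of the password.
     *
     * @param userName account name; doubles as the salt base (userName + "reg")
     * @param passWord plaintext password, hashed before it is stored
     * @return a status message as the response body
     */
    @RequestMapping("/reg")
    @ResponseBody
    public Object reg(@RequestParam("userName") String userName,
                      @RequestParam("passWord") String passWord) {
        if (userName.isEmpty() || passWord.isEmpty()) {
            return "账号或密码不能为空";
        }
        // Algorithm, iteration count and salt must match the realm's HashedCredentialsMatcher
        // (SHA-256, 1024) and MyShiroReaml.doGetAuthenticationInfo (salt = account + "reg").
        // toString() yields the hex digest, which the matcher expects by default.
        String hashPassWord = new SimpleHash("SHA-256", passWord, userName + "reg", 1024).toString();
        User user = new User();
        user.setAccount(userName);
        user.setPassword(hashPassWord);
        // NOTE(review): the hex digest is 64 characters; the user.password column must be wide enough.
        // NOTE(review): nothing here rejects an already-registered account name; a UNIQUE
        // constraint on user.account (or a lookup before addUser) is needed.
        shiroService.addUser(user);
        return "注册成功";
    }
}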
其中Dao层的接口方法如下
/**
 * Loads the user record (account and stored password hash) for an account name.
 * The realm calls this once per login attempt.
 * @param username the account name submitted at login
 * @return the matching User, or null when the account does not exist
 */
User getUserByUserName(String username);
/**
 * Loads the permission rows granted to one role (permission.roleid = roleId).
 * @param roleId the role id
 * @return the role's permissions; presumably empty rather than null when it has none — confirm in the mapper
 */
List<Permission> getPermissionsByRoleId(int roleId);
/**
 * Loads the role ids assigned to a user (user_role.userid = id).
 * @param id the user id
 * @return the user's role ids, one per user_role row
 */
List<Integer> getUserRoleByUserId(int id);
/**
 * Inserts a new user; the password field is expected to already hold the hash.
 * @param user the user to insert (account and hashed password set)
 * @return the number of rows inserted, presumably 1 on success — confirm in the mapper
 */
int addUser(User user);
由于本人是新人,时间不太充足,写的不太好。
这是我的第一篇博客;技术方面言语方面不太好,敬请各位谅解下。
有不懂的可以评论,谢谢各位,以后我将完善shiro系列的博客.
注(博客中的大部分代码来自github上一个名为’mvc-shiro’的项目,链接https://github.com/MyBaron/SSM_Shiro,ta的这个项目比较简单(命名方式也有些不太好),我在上面的基础上进行了密码加密);