A Simple Shiro Example

Contents

UserRealm

ApplicationContextRegister

ShiroUtil

UsernamePasswordToken

SimpleAuthenticationInfo

ShiroConfig


UserRealm

Contains two methods: user authorization and login authentication.

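import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
// MenuService, UserDao, User, ShiroUtils and ApplicationContextRegister are the project's own classes.

public class UserRealm extends AuthorizingRealm {

    // User authorization
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // Get the MenuService bean
        MenuService menuService = ApplicationContextRegister.getBean(MenuService.class);
        // Get the current user's id
        Long userId = ShiroUtils.getUserId();
        // Get the permission list of this user
        Set<String> parms = menuService.getParms(userId);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        for (String parm : parms) {
            info.addStringPermission(parm);
        }
        return info;
    }

    // Login authentication
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // Holds what the user submitted, such as the user name and password
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        String userName = (String) usernamePasswordToken.getPrincipal();
        // Look the user up in the database by user name
        UserDao userDao = ApplicationContextRegister.getBean(UserDao.class);
        User u = userDao.getUserByUserName(userName);
        String password = new String(usernamePasswordToken.getPassword());
        if (u == null) {
            throw new UnknownAccountException("账号或者密码不正确");
        } else if (!password.equals(u.getPassword())) {
            throw new IncorrectCredentialsException("账号或密码不正确");
        }
        // Account locked
        if (u.getStatus() == 0) {
            throw new LockedAccountException("账号已被锁定,请联系管理员");
        }

        // The user object, the password stored in the database, and the name of this realm
        return new SimpleAuthenticationInfo(u, u.getPassword(), getName());
    }
}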

ApplicationContextRegister

Implements the ApplicationContextAware interface to obtain Spring's IoC container, which makes it easy to fetch beans.

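import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.stereotype.Repository;

@Repository
public class ApplicationContextRegister implements ApplicationContextAware {

    private static final Logger logger = LoggerFactory.getLogger(ApplicationContextRegister.class);
    private static ApplicationContext APPLICATION_CONTEXT;

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        // "{}" is the SLF4J placeholder; without it the argument is never written to the log
        logger.info("applicationContext--->{}", applicationContext);
        APPLICATION_CONTEXT = applicationContext;
    }

    public static ApplicationContext getApplicationContext() {
        return APPLICATION_CONTEXT;
    }

    public static <T> T getBean(Class<T> type) {
        return APPLICATION_CONTEXT.getBean(type);
    }
}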

ShiroUtil

Convenience methods for obtaining the current user object and its information.

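import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

public class ShiroUtils {

    // The Subject bound to the current request/thread
    public static Subject getSubject() {
        return SecurityUtils.getSubject();
    }

    // The principal is the User object that UserRealm put into SimpleAuthenticationInfo
    public static User getUser() {
        return (User) getSubject().getPrincipal();
    }

    public static Long getUserId() {
        return getUser().getUserId();
    }

    public static void logout() {
        getSubject().logout();
    }
}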

UsernamePasswordToken

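AuthenticationToken collects the identity (such as the user name) and the credentials (such as the password) submitted by the user:

public interface AuthenticationToken extends Serializable {
    Object getPrincipal();   // identity, e.g. the user name
    Object getCredentials(); // credentials, e.g. the password
}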


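The extension interface RememberMeAuthenticationToken provides "boolean isRememberMe()" to implement the "remember me" feature;

The extension interface HostAuthenticationToken provides "String getHost()" to obtain the user's host.

Shiro provides a ready-to-use UsernamePasswordToken for the user name/password token pair. It also implements RememberMeAuthenticationToken and HostAuthenticationToken, so it supports remember-me and host verification.

getPrincipal corresponds to getUsername
getCredentials corresponds to getPassword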

SimpleAuthenticationInfo

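Password verification is handed over to Shiro, which matches the password stored in the database against the password sent from the front end.

// The user object, the password stored in the database, and the name of this realm
new SimpleAuthenticationInfo(u, u.getPassword(), getName());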
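
Added example (not code from the original post): a realm that really leaves the comparison to Shiro by returning the stored hash and installing a PasswordMatcher, instead of calling equals inside doGetAuthenticationInfo. The stored value is a salted hash produced by Shiro's DefaultPasswordService rather than the MD5 value built in the login controller; the in-memory STORE stands in for UserDao, and the user name and passwords are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.realm.AuthenticatingRealm;

public class DelegatingRealmDemo {
    // Constructed stand-in for UserDao: user name -> stored salted hash.
    static final Map<String, String> STORE = new HashMap<>();

    static class DelegatingRealm extends AuthenticatingRealm {
        DelegatingRealm(PasswordService service) {
            PasswordMatcher matcher = new PasswordMatcher();
            matcher.setPasswordService(service);
            setCredentialsMatcher(matcher); // Shiro runs this after the method below returns
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String userName = (String) token.getPrincipal();
            String storedHash = STORE.get(userName);
            if (storedHash == null) {
                throw new UnknownAccountException("Incorrect account or password");
            }
            // No equals() here: only hand the stored hash back to Shiro.
            return new SimpleAuthenticationInfo(userName, storedHash, getName());
        }
    }

    static boolean canLogin(AuthenticatingRealm realm, String user, String password) {
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) { // unknown account or wrong password
            return false;
        }
    }

    public static void main(String[] args) {
        PasswordService service = new DefaultPasswordService();
        STORE.put("alice", service.encryptPassword("correct horse")); // constructed user
        DelegatingRealm realm = new DelegatingRealm(service);
        System.out.println("right password: " + canLogin(realm, "alice", "correct horse"));
        System.out.println("wrong password: " + canLogin(realm, "alice", "guess"));
        System.out.println("unknown user:   " + canLogin(realm, "bob", "guess"));
    }
}
```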

ShiroConfig

The Shiro configuration class, which configures three components:

ShiroFilterFactoryBean, SecurityManager, UserRealm

import java.util.LinkedHashMap;

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    @Bean
    ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // URIs for the login page, the page after a successful login, and the unauthorized page
        shiroFilterFactoryBean.setLoginUrl("/login");
        shiroFilterFactoryBean.setSuccessUrl("/index");
        shiroFilterFactoryBean.setUnauthorizedUrl("/403");
        // Resource permissions; entries are matched in insertion order and the first match wins
        /*
         anon   no interception
         authc  requires an authenticated login
         user   accessible to remembered (remember-me) or authenticated users
         perms  requires a specific resource permission
         roles  requires a specific role
         */
        LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/login", "anon");
        filterChainDefinitionMap.put("/getVerify", "anon");
        filterChainDefinitionMap.put("/css/**", "anon");
        filterChainDefinitionMap.put("/js/**", "anon");
        filterChainDefinitionMap.put("/fonts/**", "anon");
        filterChainDefinitionMap.put("/img/**", "anon");
        filterChainDefinitionMap.put("/docs/**", "anon");
        filterChainDefinitionMap.put("/druid/**", "anon");
        filterChainDefinitionMap.put("/upload/**", "anon");
        filterChainDefinitionMap.put("/files/**", "anon");
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/", "anon");
        filterChainDefinitionMap.put("/blog", "anon");
        filterChainDefinitionMap.put("/blog/open/**", "anon");
        filterChainDefinitionMap.put("/**", "authc");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return shiroFilterFactoryBean;
    }

    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(userRealm());
        return securityManager;
    }

    @Bean
    UserRealm userRealm() {
        return new UserRealm();
    }

    // ShiroDialect integrates Shiro with Thymeleaf
    @Bean
    public ShiroDialect getShiroDialect() {
        return new ShiroDialect();
    }

}
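
Added example (not code from the original post): a small audit that approximates Shiro's first-match-wins lookup with AntPathMatcher, so the filter that guards a given path can be checked before deployment. Run against a subset of the map above, it shows that `/druid/**` (the Druid monitoring console path) is served without authentication; the permission string `sys:druid:view`, the tightened and misordered maps, and the sample paths are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

public class FilterChainAudit {
    // Entries are tried in insertion order and the first matching pattern decides.
    static String resolve(Map<String, String> chains, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matcher.matches(e.getKey(), path)) {
                return e.getValue() + "  (matched " + e.getKey() + ")";
            }
        }
        return "no chain";
    }

    public static void main(String[] args) {
        // Subset of the map from ShiroConfig, in the same order.
        Map<String, String> original = new LinkedHashMap<>();
        original.put("/login", "anon");
        original.put("/druid/**", "anon");
        original.put("/upload/**", "anon");
        original.put("/blog/open/**", "anon");
        original.put("/**", "authc");

        // Hypothetical tightened variant: the monitoring console needs a login and a permission.
        Map<String, String> tightened = new LinkedHashMap<>(original);
        tightened.put("/druid/**", "authc, perms[sys:druid:view]");

        // Hypothetical misordered variant: the catch-all shadows every later entry.
        Map<String, String> misordered = new LinkedHashMap<>();
        misordered.put("/**", "authc");
        misordered.put("/login", "anon");

        String[] paths = {"/druid/index.html", "/upload/report.html",
                          "/blog/open/1", "/blog/edit/1", "/sys/user/list"}; // constructed
        for (String p : paths) {
            System.out.printf("%-22s original:  %s%n", p, resolve(original, p));
            System.out.printf("%-22s tightened: %s%n", p, resolve(tightened, p));
        }
        System.out.println("/login in misordered map: " + resolve(misordered, "/login"));
    }
}
```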

Receiving the parameters from the front end

    @PostMapping("/login")
    @ResponseBody
    public ResponseInfo login(String username, String password, String verify, HttpSession session, HttpServletRequest request) {
        String key = (String) session.getAttribute(RandomValidateCodeUtil.RANDOMCODEKEY);
        System.out.println(key);
        // Null-safe emptiness check (comparing strings with != only compares references)
        if (verify != null && !verify.isEmpty()) {
            if (verify.equals(key)) {
                // Hash the password with the project's MD5Utils
                String encrypt = MD5Utils.encrypt(username, password);
                UsernamePasswordToken token = new UsernamePasswordToken(username, encrypt);
                Subject subject = SecurityUtils.getSubject();
                // Hands over to the login authentication method in UserRealm
                subject.login(token);
                logger.info("登录成功");
                return ResponseInfo.ok();
            }
            return ResponseInfo.error(1, "验证码错误");
        } else {
            logger.error("验证码错误");
            return ResponseInfo.error(1, "验证码不能为空!");
        }

    }
