spring整合shiro
- 我使用的是Gradle,spring整合shiro需要的依赖
//安全限制框架shiro
'org.apache.shiro:shiro-web:1.2.4',
'org.apache.shiro:shiro-core:1.2.4',
'org.apache.shiro:shiro-spring:1.2.4',
'org.apache.shiro:shiro-ehcache:1.2.4',
- web.xml中的配置:
<!-- 配置Shiro过滤器,先让Shiro过滤系统接收到的请求 -->
<!-- 这里filter-name必须对应applicationContext.xml中定义的<bean id="shiroFilter"/> -->
<!-- 使用[/*]匹配所有请求,保证所有的可控请求都经过Shiro的过滤 -->
<!-- 通常会将此filter-mapping放置到最前面(即其他filter-mapping前面),以保证它是过滤器链中第一个起作用的 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理 -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- 编写自己的UserRealm类继承自Realm,主要实现认证和授权的管理操作
package com.jay.demo.shiro;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.jay.demo.bean.Permission;
import com.jay.demo.bean.Role;
import com.jay.demo.bean.User;
import com.jay.demo.service.UserService;
public class UserRealm extends AuthorizingRealm{
@Autowired
private UserService userService;
/**
* 授权操作
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// String username = (String) getAvailablePrincipal(principals);
String username = (String) principals.getPrimaryPrincipal();
Set<Role> roleSet = userService.findUserByUsername(username).getRoleSet();
//角色名的集合
Set<String> roles = new HashSet<String>();
//权限名的集合
Set<String> permissions = new HashSet<String>();
Iterator<Role> it = roleSet.iterator();
while(it.hasNext()){
roles.add(it.next().getName());
for(Permission per:it.next().getPermissionSet()){
permissions.add(per.getName());
}
}
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roles);
authorizationInfo.addStringPermissions(permissions);
return authorizationInfo;
}
/**
* 身份验证操作
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
User user = userService.findUserByUsername(username);
if(user==null){
//木有找到用户
throw new UnknownAccountException("没有找到该账号");
}
/* if(Boolean.TRUE.equals(user.getLocked())) {
throw new LockedAccountException(); //帐号锁定
} */
/**
* 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以在此判断或自定义实现
*/
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName());
return info;
}
@Override
public String getName() {
return getClass().getName();
}
}
- spring-shiro.xml配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<description>Shiro 配置</description>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/500.jsp"/>
<property name="successUrl" value="/500.jsp"/>
<property name="unauthorizedUrl" value="/500.jsp"/>
<property name="filterChainDefinitions">
<value>
<!--anno 不拦截-->
<!--authc 拦截-->
/login.jsp* = anon
/login.do* = anon
/index.jsp*= anon
/error/noperms.jsp*= anon
/*.jsp* = authc
/*.do* = authc
</value>
</property>
</bean>
<!--添加securityManager定义 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--设置自定义realm -->
<property name="realm" ref="monitorRealm"/>
</bean>
<!--配置ehcache-->
<bean id = "cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!--自定义Realm 继承自AuthorizingRealm -->
<bean id="monitorRealm" class="com.tutechan.service.MonitorRealm"></bean>
<!-- securityManager -->
<!--<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager" />
<property name="arguments" ref="securityManager" />
</bean>-->
<!--如果使用Shiro相关的注解,需要在springmvc-servlet.xml中配置一下信息-->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
- Shiro权限管理的过滤器解释
默认过滤器(10个)
anon -- org.apache.shiro.web.filter.authc.AnonymousFilter
authc -- org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic -- org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms -- org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port -- org.apache.shiro.web.filter.authz.PortFilter
rest -- org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles -- org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl -- org.apache.shiro.web.filter.authz.SslFilter
user -- org.apache.shiro.web.filter.authc.UserFilter
logout -- org.apache.shiro.web.filter.authc.LogoutFilter
过滤器名字 | 例子 | 解释 |
---|---|---|
anon | /admins/**=anon | 没有参数,表示可以匿名使用 |
authc | /admins/user/**=authc | 表示需要认证(登录)才能使用,没有参数 |
roles | /admins/user/**=roles[admin] | 参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/**=roles[“admin,guest”],每个参数通过才算通过,相当于hasAllRoles()方法。 |
perms | /admins/user/*=perms[user:add:] | 参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/*=perms[“user:add:,user:modify:*”],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。 |
rest | /admins/user/**=rest[user] | 根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等。 |
port | /admins/user/**=port[8081] | 当请求的url的端口不是8081是跳转到 |
schemal | //serverName:8081?queryStrin | 其中schmal是协议http或https等, |
serverName | 是你访问的host,8081是url配置里port的端口 | queryString是你访问的url里的?后面的参数。 |
authcBasic | /admins/user/**=authcBasic | 有参数表示httpBasic认证 |
ssl | /admins/user/**=ssl | 没有参数,表示安全的url请求,协议为https |
user | /admins/user/**=user | 没有参数表示必须存在用户,当登入操作时不做检查 |
- 关于shiro标签的使用
标签 | 释义 |
---|---|
< shiro:authenticated> | 登录之后 |
< shiro:notAuthenticated> | 不在登录状态时 |
< shiro:guest> | 用户在没有RememberMe时 |
< shiro:user> | 用户在RememberMe时 |
< shiro:hasAnyRoles name=”abc,123” > | 在有abc或者123角色时 |
< shiro:hasRole name=”abc”> | 拥有角色abc |
< shiro:lacksRole name=”abc”> | 没有角色abc |
< shiro:hasPermission name=”abc”> | 拥有权限abc |
< shiro:lacksPermission name=”abc”> | 没有权限abc |
< shiro:principal> | 显示用户登录名 |
从零开始学shiro
- 1 shiro.ini
[users]
benny=123456
- 2 TestShiroController
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static void main(String[] args) {
//读取配置文件,初始化SecurityManger工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
//获取secirutimanager实例
SecurityManager securityManager = factory.getInstance();
//把SecurityManager实例绑定到SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//得到当前用户
Subject currentUser = SecurityUtils.getSubject();
//创建token令牌,用户名/密码
UsernamePasswordToken token = new UsernamePasswordToken("benny", "1234");
try {
currentUser.login(token);
LOGGER.info("登录成功");
} catch (AuthenticationException e) {
e.printStackTrace();
LOGGER.info("登录成功");
}
}
}
- 3 打印结果
2016-01-30 11:11:05 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-30 11:11:05 [main] INFO com.ttc.controller.TestShiroController(35) - 登录成功
从零开始学shiro第二部
上述的内容在实际中,基本不会用,因为用户名在实际生产中都是存在数据库中的,下面我们来学习jdbcRealm(此单词是域的意思).
- 1:配置jdbc_realm.ini
[main]
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
//配置的是alibab的数据库连接池druid
dataSource=com.alibaba.druid.pool.DruidDataSource
//driverClassName
dataSource.driverClassName=com.mysql.jdbc.Driver
//url
dataSource.url=jdbc:mysql://localhost:3306/blog
dataSource.username=root
dataSource.password=1314
jdbcRealm.dataSource=$dataSource
securityManager.realm=$jdbcRealm
配置c3p0数据库连接池
[main]
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
//配置c3p0数据库连接池与druid不同的是参数不同
dataSource=com.mychange.v2.c3p0.ComboPooledDataSource
//driverClass
dataSource.driverClass=com.mysql.jdbc.Driver
//jdbcUrl
dataSource.jdbcUrl=jdbc:mysql://localhost:3306/blog
//user
dataSource.user=root
dataSource.password=1314
jdbcRealm.dataSource=$dataSource
securityManager.realm=$jdbcRealm
建立数据库
- 1:新建数据库(名字任意取)
- 2:新建用户表(名字必须为users)
- 3:新建字段用户名和密码(用户名:username,密码:password)
测试的Controller
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static void main(String[] args) {
//读取配置文件,初始化SecurityManger工厂
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:jdbc_realm.ini");
//获取secirutimanager实例
SecurityManager securityManager = factory.getInstance();
//把SecurityManager实例绑定到SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//得到当前用户
Subject currentUser = SecurityUtils.getSubject();
//创建token令牌,用户名/密码
UsernamePasswordToken token = new UsernamePasswordToken("benny", "1234");
try {
currentUser.login(token);
LOGGER.info("登录成功");
} catch (AuthenticationException e) {
e.printStackTrace();
LOGGER.info("登录成功");
}
//退出当前用户
benny.logout();
}
}
打印结果
2016-01-30 23:52:27 [main] INFO org.apache.shiro.realm.AuthorizingRealm(248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
2016-01-30 23:52:27 [main] INFO org.apache.shiro.config.IniSecurityManagerFactory(112) - Realms have been explicitly set on the SecurityManager instance - auto-setting of realms will not occur.
2016-01-30 23:52:27 [main] INFO com.alibaba.druid.pool.DruidDataSource(669) - {dataSource-1} inited
2016-01-30 23:52:28 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-30 23:52:28 [main] INFO com.ttc.controller.TestShiroController(31) - 登录成功
Disconnected from the target VM, address: '127.0.0.1:50480', transport: 'socket'
从零开始shiro——授权
- 1:权限认证,
也就是访问控制,即在应用中控制能访问哪些资源。
在权限认证中,最核心的三个要素是,权限,角色,用户。
权限:及操作资源的权利,比如访问某个页面,以及对某个模块的数据的添加,修改,删除,查看的权利,url的请求。
角色:权限的集合,一个角色可以有很多权限。
用户,在shiro中,代表访问系统的用户,即subject。
- 2:授权
- (1):编程式授权
- 基于角色的访问控制
ShiroUtil:封装成一个工具类,方便调用。
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/31.
* @version 1.0
* @description
*/
public final class ShiroUtil {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static Subject login(String iniPath, String username, String password) {
Factory<SecurityManager> factory = new IniSecurityManagerFactory(iniPath);
SecurityManager instance = factory.getInstance();
SecurityUtils.setSecurityManager(instance);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
subject.login(token);
LOGGER.info("登录成功");
} catch (AuthenticationException e) {
e.printStackTrace();
}
return subject;
}
}
shiro_role.ini
//注意:此处是[users]
[users]
benny=1234,role1,role2,role3
jack=1234,role1
测试的Controller
package com.ttc.controller;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Arrays;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
@Test
public void testShiroRole() {
//获得登录用户
Subject benny = ShiroUtil.login("shiro_role.ini", "benny", "1234");
//判断用户是否有role1的权限
LOGGER.info(benny.hasRole("role1") ? "有role1的权限" : "没有role1的权限");
//数组的形式判断是否有此权限
boolean results[] = benny.hasRoles(Arrays.asList("role1", "role2"));
LOGGER.info(results[0] ? "有role1的权限" : "没有role1的权限");
LOGGER.info(results[1] ? "有role2的权限" : "没有role2的权限");
//判断用户是否有此权限
LOGGER.info(benny.hasAllRoles(Arrays.asList("role1", "role2")) ? "有role1和role2的权限" : "没有role1和role2的权限");
//checkRole没有返回值,如果没有此权限直接抛出异常
benny.checkRole("role1");
benny.checkRoles(Arrays.asList("role1", "role2"));
//或者
benny.checkRoles("role1", "role2");
//退出当前用户
benny.logout();
}
}
- 基于权限的访问控制
shiro_permitted.ini
[users]
benny=1234,role1,role2
jack =1234,role3
[roles]
role1=user:select,user:update
role2=user:insert
role3=user:delete
测试方法:
/**
* 判断用户是否有此权限
*/
@Test
public void TestIsPermitted(){
Subject benny = ShiroUtil.login("shiro_permitted.ini", "benny", "1234");
//判断用户是否有select的权限
LOGGER.info(benny.isPermitted("user:select")?"有select权限":"没有select的权限");
//判断用户是否有以下所有的权限
boolean[] permitted = benny.isPermitted("user:select", "user:update", "user:delete");
LOGGER.info(permitted[0]?"有select的权限":"没有select的权限");
LOGGER.info(permitted[1]?"有update的权限":"没有update的权限");
LOGGER.info(permitted[2]?"有delete的权限":"没有delete的权限");
//判断用户是否有所有权限
LOGGER.info(benny.isPermittedAll("user:select", "user:update","user:delete")?"拥有权限":"没有权限");
//检查用户是否有所有权限,有则通过,没有抛出异常
benny.checkPermission("user:select");
//检查用户是否有所有权限
benny.checkPermissions("user:select", "user:update", "user:delete");
//退出当前用户
benny.logout();
}
打印结果:
2016-01-31 10:51:52 JRebel: 2016-01-31 10:51:53 JRebel: Monitoring Log4j configuration in 'file:/E:/hellofdssd/ttc-blog/ttc-core/build/resources/main/log4j.properties'.2016-01-31 10:51:53 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(29) - 登录成功
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(51) - 有select权限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(55) - 有select的权限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(56) - 有update的权限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(57) - 没有delete的权限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(60) - 没有权限
- (2):注解式授权
(3):jsp标签授权
3:授权流程