Shiro整合SpringMVC实现权限控制、登陆、注销
Apache Shiro是Java一个简单易用的安全框架,执行身份认证、授权、密码和会话管理。与SpringSecurity对比来说,Shiro更容易上手,但它的功能却不如SpringSercity强大,对于我们开发而言Shiro已经能够满足我们的要求了。
本项目使用Maven搭建、初学者需要去了解以下。开发工具Eclipse
Shiro的核心组件
核心组件 | 描述 |
---|---|
Subiect | 简单可以理解为当前用户安全操作 |
SecurityManager | Shiro通过SecurityManager来管理内部组件实例,并通过它来提供安全管理的各种服务 |
Realm | Realm充当了Shiro与应用安全数据间的“桥梁”或者“连接器”。也就是说,当对用户执行认证(登录)和授权(访问控制)验证时,Shiro会从应用配置的Realm中查找用户及其权限信息。 |
创建数据库
总共3个表,用户表、用户角色表、角色权限表sql如下
/**创建数据库**/
DROP DATABASES IF EXISTS test;
CREATE DATABASES test;
DROP TABLE IF EXISTS `permiss`;
/**角色权限表**/
CREATE TABLE `permiss` (
`id` int(10) NOT NULL,
`userName` varchar(255) NOT NULL,
`userPermiss` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `kf1` (`userName`),
CONSTRAINT `kf1` FOREIGN KEY (`userName`) REFERENCES `user` (`userName`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
/**用户角色表**/
DROP TABLE IF EXISTS `roles`;
CREATE TABLE `roles` (
`id` int(10) NOT NULL,
`userName` varchar(255) NOT NULL,
`userRole` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `userName` (`userName`),
CONSTRAINT `fk` FOREIGN KEY (`userName`) REFERENCES `user` (`userName`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
/**测试数据**/
INSERT INTO `roles` VALUES ('1', 'admin', 'admin');
/**用户角表*/
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
`id` int(10) NOT NULL,
`userName` varchar(255) NOT NULL,
`userPassword` varchar(255) NOT NULL,
PRIMARY KEY (`id`),
KEY `fk` (`userName`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
/**测试数据**/
INSERT INTO `user` VALUES ('1', 'admin', '123456');
整合所需要的jar包
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.8.1</version>
<scope>test</scope>
</dependency>
<!--添加servlet支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>2.3.1</version>
<scope>provided</scope>
</dependency>
<!--添加jstl支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- 添加Spring支持 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.1.7.RELEASE</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.2.3</version>
</dependency>
<!-- 添加mybatis支持 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.3.0</version>
</dependency>
<!-- 添加mysql的jdbc驱动包支持 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.38</version>
</dependency>
<!-- 添加shiro支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.12</version>
</dependency>
<!-- 添加shrio-web支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.4</version>
</dependency>
<!-- 添加shrio-spring支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.4</version>
</dependency>
<!-- 添加日志支持 -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
</dependencies>
<build>
<plugins>
<!-- 配置Tomcat插件 -->
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<configuration>
<path>/</path>
<port>8080</port>
</configuration>
</plugin>
</plugins>
</build>
1.
一、配置mybatis在resources目录下创建配置文件mybatis-config.xml具体配置如下
<!DOCTYPE configuration
PUBLIC "-//mybatis.org//DTD Config 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
<!-- 别名 -->
<typeAliases>
<package name="com.demo.entity"/>
</typeAliases>
</configuration>
二、配置Shiro在resources目录下创建配置文件applicationContext.xml具体配置如下
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-4.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd">
<!-- 自动扫描 -->
<context:component-scan base-package="com.demo.service" />
<!-- 配置数据源 -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost:3306/test"/>
<property name="username" value="root"/>
<property name="password" value="root"/>
</bean>
<!-- 配置mybatis的sqlSessionFactory -->
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<!-- 自动扫描mappers.xml文件 -->
<property name="mapperLocations" value="classpath:mapper/*.xml"></property>
<!-- mybatis配置文件 -->
<property name="configLocation" value="classpath:mybatis-config.xml"></property>
</bean>
<!-- DAO接口所在包名,Spring会自动查找其下的类 -->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="basePackage" value="com.demo.dao" />
<property name="sqlSessionFactoryBeanName" value="sqlSessionFactory"></property>
</bean>
<!-- 事务管理 -->
<bean id="transactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource" />
</bean>
<!-- 自定义Realm -->
<bean id="myRealm" class="com.demo.realm.MyRealm"/>
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<!-- Shiro过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Shiro的核心安全接口,这个属性是必须的 -->
<property name="securityManager" ref="securityManager"/>
<!-- 身份认证失败,则跳转到登录页面的配置 -->
<property name="loginUrl" value="/login.jsp"/>
<!-- 权限认证失败,则跳转到指定页面 -->
<property name="unauthorizedUrl" value="/403.jsp"/>
<!-- Shiro连接约束配置,即过滤链的定义 -->
<property name="filterChainDefinitions">
<value>
/login=anon
/admin*=authc
/student=roles[teacher]
/teacher=perms["user:create"]
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- 开启Shiro注解 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<!-- 配置事务通知属性 -->
<tx:advice id="txAdvice" transaction-manager="transactionManager">
<!-- 定义事务传播属性 -->
<tx:attributes>
<tx:method name="insert*" propagation="REQUIRED" />
<tx:method name="update*" propagation="REQUIRED" />
<tx:method name="edit*" propagation="REQUIRED" />
<tx:method name="save*" propagation="REQUIRED" />
<tx:method name="add*" propagation="REQUIRED" />
<tx:method name="new*" propagation="REQUIRED" />
<tx:method name="set*" propagation="REQUIRED" />
<tx:method name="remove*" propagation="REQUIRED" />
<tx:method name="delete*" propagation="REQUIRED" />
<tx:method name="change*" propagation="REQUIRED" />
<tx:method name="check*" propagation="REQUIRED" />
<tx:method name="get*" propagation="REQUIRED" read-only="true" />
<tx:method name="find*" propagation="REQUIRED" read-only="true" />
<tx:method name="load*" propagation="REQUIRED" read-only="true" />
<tx:method name="*" propagation="REQUIRED" read-only="true" />
</tx:attributes>
</tx:advice>
<!-- 配置事务切面 -->
<aop:config>
<aop:pointcut id="serviceOperation"
expression="execution(* com.demo.service.*.*(..))" />
<aop:advisor advice-ref="txAdvice" pointcut-ref="serviceOperation" />
</aop:config>
</beans>
三、配置SpringMVC在resources下创建spring-mvc.xml具体配置如下
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<context:component-scan base-package="com.demo"/>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver" id="viewResolver">
<property name="prefix" value="/"/>
<property name="suffix" value=".jsp"/>
</bean>
</beans>
四、配置web.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>ShiroSpringWeb</display-name>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
<!-- shiro过滤器定义、>>>>>>注意:此处的shiroFilter要和applicationContext.xml 中的名称保持一致-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理 -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring配置文件 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!-- 编码过滤器 -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring监听器 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 添加对springmvc的支持 -->
<servlet>
<servlet-name>springMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>springMVC</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
</web-app>
2、开始写代码
一、创建实体层
//User类
private Integer id;
private String userNamer;
private String userPassword;
此处省略getters and setters......
//Permiss类
private Integer id;
private String userName;
private String userRole;
此处省略getters and setters......
//Roles类
private Integer id;
private String userName;
private String userRole;
此处省略getters and setters.....
接口
package com.demo.dao;
import com.demo.entity.User;
import java.util.Set;
public interface UserMapper {
//通过名称查询用户对象
public User queryUserByName(String username);
//通过名称查询用户角色
public Set<String> queryRolesByName(String username);
//通过名称查询用户角色权限
public Set<String> queryPermissionsByName(String username);
}
sql查询在resouerces创建UserMapper.xml内容如下
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.demo.dao.UserMapper">
<select id="queryUserByName" parameterType="String"
resultType="User">
SELECT * FROM user WHERE userName=#{username}
</select>
<select id="queryRolesByName" parameterType="String"
resultType="String">
SELECT r.userName FROM roles r WHERE userName=#{username}
</select>
<select id="queryPermissionsByName" parameterType="String"
resultType="String">
SELECT p.userPermiss FROM permiss p WHERE
userName=#{username}
</select>
</mapper>
在这里没有复杂的业务逻辑我就不写service层了
实现自定义的Realm
Shiro从Realm中获取安全数据,也就是说SecurityManager需要验证身份,他需要从Realm中或许相应的用户进行比较判断 用户身份是否合法。实现自定义的Realm需要继承AuthorizingRealm重写doGetAuthorizationInfo和doGetAuthenticationInfo类,doGetAuthorizationInfo是对用户进行授权,doGetAuthenticationInfo是校验用户的合法性根据抛出的异常来判断用户的登陆状态。
package com.demo.realm;
import com.demo.dao.UserMapper;
import com.demo.entity.User;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
public class MyRealm extends AuthorizingRealm{
@Autowired
private UserMapper userMapper;
//用户的访问控制方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String username= (String) principalCollection.getPrimaryPrincipal();
SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
info.setRoles(userMapper.queryRolesByName(username));//用户权限
info.setStringPermissions(userMapper.queryPermissionsByName(username));//角色权限
return info;
}
//登录信息和用户验证信息验证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//得到用户名
String username= (String) authenticationToken.getPrincipal();
//查询用户
User byUsername = userMapper.queryUserByName(username);
//当前 Realm 的 name
String realmName = this.getName();
if (byUsername!=null) {
AuthenticationInfo info = new SimpleAuthenticationInfo(byUsername.getUserName(),byUsername.getUserPassword(), realmName);
return info;
}
return null;
}
}
创建UserController
package com.demo.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
@Controller
@RequestMapping("/user")
public class UserController {
//登陆的方法
@RequestMapping("/login")
public String login(String userCode,String password, HttpServletRequest request) {
//代表当前用户
Subject subject = SecurityUtils.getSubject();
//用户身份认证
UsernamePasswordToken token = new UsernamePasswordToken(userCode, password);
try {
//登陆
subject.login(token);
request.getSession().setAttribute("user", userCode);
return "success";
//根据抛出的异常判断用户的登陆状态
} catch (IncorrectCredentialsException e) {
e.printStackTrace();
request.getSession().setAttribute("user", userCode);
request.setAttribute("error", "密码不正确");
return "login";
}catch (UnknownAccountException e) {
e.printStackTrace();
request.getSession().setAttribute("user", userCode);
request.setAttribute("error", "用户名不存在");
return "login";
}
}
//注销
@RequestMapping("/logout")
public String logout(HttpServletRequest request) {
request.getSession().removeAttribute("user");
return "login";
}
@RequestMapping(value = "/testadmin")
@ResponseBody
public String TestPermiss(HttpServletRequest request) throws UnsupportedEncodingException {
Subject subject = SecurityUtils.getSubject();
try {
//测试用户是否拥有此权限
subject.checkRole("admin");
return "success";
} catch (AuthorizationException e) {
e.printStackTrace();
return "no permiss";
}
}
}
jsp页面
<!--login.jsp-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<body>
<form action="/user/login.do" method="post">
用户名:<input type="text" name="userCode"/><br>
密 码:<input type="password" name="password"/><br>
<input type="submit" value="登陆">${error }
</form>
</body>
</body>
</html>
===========================================华丽的分割线======================================================
<!--success.jsp-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<!-- 这是success.jsp中的 -->
<body>
欢迎你${user}
<a href="${pageContext.request.contextPath }/user/logout.do">退出</a>
</body>
</body>
</html>
===========================================华丽的分割线======================================================
<!--403.jsp-->
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<body>
<h1>登陆失败,权限认证未通过</h1>
<a href="/user/logout.do">退出</a>
</body>
</body>
</html>
如果写的有问题欢迎来提