Shiro基本介绍
Apache Shiro是Java的一个安全框架。功能强大,使用简单的Java安全框架,它为开发人员提供一个直观而全面的认证,授权,加密及会话管理的解决方案。ps:结合Springboot的话,shiro就不一定就那么简单了!
起步依赖
<dependencies> <dependency> <groupId>mysqlgroupId> <artifactId>mysql-connector-javaartifactId> <version>5.1.47version> dependency> <dependency> <groupId>com.alibabagroupId> <artifactId>druid-spring-boot-starterartifactId> <version>1.1.10version> dependency> <dependency> <groupId>org.mybatis.spring.bootgroupId> <artifactId>mybatis-spring-boot-starterartifactId> <version>2.1.1version> dependency> <dependency> <groupId>org.apache.shirogroupId> <artifactId>shiro-springartifactId> <version>1.4.1version> dependency> <dependency> <groupId>org.springframework.bootgroupId> <artifactId>spring-boot-starter-thymeleafartifactId> dependency> <dependency> <groupId>org.springframework.bootgroupId> <artifactId>spring-boot-starter-webartifactId> dependency> <dependency> <groupId>org.projectlombokgroupId> <artifactId>lombokartifactId> <optional>trueoptional> dependency> <dependency> <groupId>org.springframework.bootgroupId> <artifactId>spring-boot-starter-testartifactId> <scope>testscope> <exclusions> <exclusion> <groupId>org.junit.vintagegroupId> <artifactId>junit-vintage-engineartifactId> exclusion> exclusions> dependency> dependencies>这边我无脑把所有依赖都加上了,主要是shiro-spring这个依赖。
在数据库里建表
CREATE TABLE `user` ( `id` int(45) NOT NULL COMMENT 'id', `username` varchar(255) DEFAULT NULL COMMENT '用户名', `password` varchar(255) DEFAULT NULL COMMENT '密码', `perms` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT '权限', PRIMARY KEY (`id`) USING BTREE) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;配置文件application.yml
spring: datasource: url: jdbc:mysql://localhost:3306/leotemp?useUnicode=true&useSSL=false&characterEncodig=utf-8 username: root password: 123456 driver-class-name: com.mysql.jdbc.Driver type: com.alibaba.druid.pool.DruidDataSource #参考来源:https://www.cnblogs.com/KuroNJQ/p/11171263.html #配置druid数据源 druid: #初始化大小 initialSize: 5 #最小值 minIdle: 5 #最大值 maxActive: 20 #最大等待时间,配置获取连接等待超时,时间单位都是毫秒ms maxWait: 60000 #配置间隔多久才进行一次检测,检测需要关闭的空闲连接 timeBetweenEvictionRunsMillis: 60000 #配置一个连接在池中最小生存的时间 minEvictableIdleTimeMillis: 300000 validationQuery: SELECT 1 FROM DUAL testWhileIdle: true testOnBorrow: false testOnReturn: false poolPreparedStatements: true # 配置监控统计拦截的filters,去掉后监控界面sql无法统计, #'wall'用于防火墙,SpringBoot中没有log4j,我改成了log4j2 filters: stat,wall,log4j2 #最大PSCache连接 maxPoolPreparedStatementPerConnectionSize: 20 useGlobalDataSourceStat: true # 通过connectProperties属性来打开mergeSql功能;慢SQL记录 connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500mybatis: mapper-locations: classpath:mapper/*.xml type-aliases-package: com.example.bean实体类 User.java
下面三个注解是lombok的,如果你没有lombok插件要么重新安装,要么自己写getset方法和有参无参构造!
import lombok.AllArgsConstructor;import lombok.Data;import lombok.NoArgsConstructor;/** * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 23:32 */@Data@NoArgsConstructor@AllArgsConstructorpublic class User{ private int id; private String username; private String password; private String perms;}没什么好说的,不解释
UserMapper.java
import org.springframework.stereotype.Repository;/** * @Repository注解,不加也行,但是引用mapper会报错! * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 23:34 */@Repositorypublic interface UserMapper{ User queryUserByName(@Param("username") String name, @Param("password") String password);}没什么好说的,不解释
UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?>/span> PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.example.mapper.UserMapper"> <select id="queryUserByName" parameterType="String" resultType="com.example.bean.User"> select * from user where username= #{username} and password= #{password} select>mapper>没什么好说的,不解释
UserService.java
/** * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 23:40 */public interface UserService{ User queryUserByName(String name,String password);}没什么好说的,不解释
UserServiceImpl.java
import com.example.bean.User;import com.example.mapper.UserMapper;import com.example.service.UserService;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service;/** * 去除idea @AutoWired下的黄线 * https://blog.csdn.net/ligh_sqh/article/details/79384839?utm_source=blogxgwz3?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-1 * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 23:41 */@Servicepublic class UserServiceImpl implements UserService{ @Autowired private UserMapper userMapper; @Override public User queryUserByName(String name,String password) { return userMapper.queryUserByName(name,password); }}没什么好说的,不解释
HelloController.java
控制页面跳转
package com.example.controller;import lombok.extern.slf4j.Slf4j;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;import org.springframework.stereotype.Controller;import org.springframework.ui.Model;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.ResponseBody;/** * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 21:40 */@Controller@Slf4jpublic class HelloController{ @RequestMapping({"/", "/index"}) public String toIndex(Model model) { model.addAttribute("msg", "hello"); return "index"; } @RequestMapping("/user/add") public String add() { return "/user/add"; } @RequestMapping("/user/update") public String update() { return "/user/update"; } @RequestMapping("/toLogin") public String toLogin() { return "login"; } @RequestMapping("/login") public String login(String username, String password) { //获取当前用户 Subject subject = SecurityUtils.getSubject(); //封装用户的登陆数据 UsernamePasswordToken token = new UsernamePasswordToken(username, password); try { subject.login(token); return "index"; } catch (UnknownAccountException e) { e.printStackTrace(); return "login"; } } @RequestMapping("/unAuthorized") @ResponseBody public String unAuthorized() { return "未经授权无法访问此页面!"; } @RequestMapping("/logout") public String logout(HttpServletResponse resp) { //得到当前 Subject Subject currentSubject = SecurityUtils.getSubject(); //注销当前 Subject currentSubject.logout(); resp.setStatus(302); return "redirect:login"; }}这里面和shiro有关系的代码其实就是最后那点,其余的就是跳转页面用的。
//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登陆数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password); subject.login(token);
进入Subject.java
void login(AuthenticationToken token) throws AuthenticationException;看UsernamePasswordToken.java
/** * Constructs a new UsernamePasswordToken encapsulating the username and password submitted * during an authentication attempt, with a null {@link #getHost() host} and * a rememberMe default of false * * 译文: * 构造一个新的UsernamePasswordToken,封装提交的用户名和密码*在验证过程中,使用null {@link #getHost()主机}和* a rememberMe默认false * This is a convenience constructor and maintains the password internally via a character
* array, i.e. password.toCharArray();. Note that storing a password as a String * in your code could have possible security implications as noted in the class JavaDoc. * * @param username the username submitted for authentication * @param password the password string submitted for authentication */ public UsernamePasswordToken(final String username, final String password) { this(username, password != null ? password.toCharArray() : null, false, null); }
UsernamePasswordToken的实现类HostAuthenticationToken, RememberMeAuthenticationToken都继承了AuthenticationToken
shiro配置
ShiroConfig.java
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import java.util.LinkedHashMap;/** * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 21:51 */@Configurationpublic class ShiroConfig{ /** * anon: 无需认证即可访问 * authc: 需要认证才可访问 * user: 点击“记住我”功能可访问 * perms: 拥有权限才可以访问 * role: 拥有某个角色权限才能访问 */ @Bean public UserRealm userRealm() { return new UserRealm(); } @Bean public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) { DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); manager.setRealm(userRealm); return manager; } @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) { //设置安全管理器 ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager); LinkedHashMap<String, String> map = new LinkedHashMap<>(); map.put("/user/add","perms[user:add]"); map.put("/user/update","perms[user:update]");// map.put("/user/update","authc"); //设置登出 map.put("/logout","logout"); //设置授权 shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized"); shiroFilterFactoryBean.setLoginUrl("/toLogin"); shiroFilterFactoryBean.setFilterChainDefinitionMap(map); return shiroFilterFactoryBean; }}shiro配置的三元素
realm
DefaultWebSecurityManager
ShiroFilterFactoryBean
这三个配置元素是一个套着一个的,第二个套着第一个,第三个套着第二个
shiro的过滤器使用LinkedHashMap,设置每个页面的权限;anon: 无需认证即可访问authc: 需要认证才可访问user: 点击“记住我”功能可访问perms: 拥有权限才可以访问role: 拥有某个角色权限才能访问
anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数
roles(角色):例子/admins/user/=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。
perms(权限):例子/admins/user/=perms[user:add:*],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/=perms["user:add:,user:modify:"],当有多个参数时必须每个参数都通过才通过,相当于isPermitedAll()方法。
rest:例子/admins/user/=rest[user],根据请求的方法,相当于/admins/user/=perms[user:method] ,其中method为post,get,delete等。
port:例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。
authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证
ssl:例子/admins/user/**=ssl没有参数,表示安全的url请求,协议为https
user:例如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查
UserRealm.java
import com.example.bean.User;import com.example.service.UserService;import lombok.extern.slf4j.Slf4j;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.*;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.subject.Subject;import org.springframework.beans.factory.annotation.Autowired;/** * @author 朝花不迟暮 * @version 1.0 * @date 2020/6/15 21:55 */@Slf4jpublic class UserRealm extends AuthorizingRealm{ @Autowired UserService userService; //授权 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { log.info("------------------>执行了授权"); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();// info.addStringPermission("user:add"); //获取当前登录用户的信息 Subject subject = SecurityUtils.getSubject(); User currentUser = (User) subject.getPrincipal(); info.addStringPermission(currentUser.getPerms()); return info; } //认证 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { log.info("------------------>执行了认证"); //token里有用户名和密码,因为强转成了UsernamePasswordToken UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken; char[] password = token.getPassword(); String password1 = String.valueOf(password); log.info("{password}---->"+password1); User user = userService.queryUserByName(token.getUsername(),password1); log.info("{user}---->"+user.toString()); if (user == null) { return null; } return new SimpleAuthenticationInfo(user, user.getPassword(), ""); }}Realm核心:通过继承AuthorizingRealm重写其中的方法一、认证:
token里有用户名和密码,因为强转成了UsernamePasswordToken,之前在控制层里存放了用户名和密码;
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;通过token里面的名字获取用户信息!
User user = userService.queryUserByName(token.getUsername());把通过认证的用户信息返回!
return new SimpleAuthenticationInfo(user, user.getPassword(), "");二、授权:
//获取当前登录用户的信息Subject subject = SecurityUtils.getSubject();User currentUser = (User) subject.getPrincipal();通过SimpleAuthorizationInfo中addStringPermission方法,给当前用户添加权限。代码中是获取数据库中的权限!
前台模板
index.html
<html lang="en" xmlns:th="http://www.thymeleaf.org"><head> <meta charset="UTF-8"> <title>首页title>head><body> <p th:text="${msg}">p><hr><a th:href="@{/user/add}">adda>|<a th:href="@{/user/update}">updatea>body>html>login.html
<html lang="en" xmlns:th="http://www.thymeleaf.org"><head> <meta charset="UTF-8"> <title>登陆title>head><body> <h1>登陆h1> <form th:action="@{/login}"> <input type="text" name="username" placeholder="请输入用户名"> <input type="password" name="password" placeholder="请输入密码"> <input type="submit"> form>body>html>logout.html
<html lang="en" xmlns:th="http://www.thymeleaf.org"><head> <meta charset="UTF-8"> <title>logouttitle>head><body><div th:fragment="myfooter"> <div class="footer"> <a th:href="@{/logout}">退出登录a> div>div>body>html>==创建user文件夹里面再放两个HTML==
add.html
<html lang="en" xmlns:th="http://www.thymeleaf.org"><head> <meta charset="UTF-8"> <title>addtitle>head><body><p>addp><hr/><div th:replace="logout :: myfooter">div>body>html>update.html
<html lang="en" xmlns:th="http://www.thymeleaf.org"><head> <meta charset="UTF-8"> <title>updatetitle>head><body><p>updatep><hr/><div th:replace="logout :: myfooter">div>body>html>最后在数据库里插入两个用户并配置权限
登陆首页
点击add,跳转到登录页面
使用root角色进入,而root正好有add页面的权限
成功,而再看看能不能进入update页面?
就会报没有权限的提示,这个是在配置类里面,有个未授权的跳转配置
shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized");码云:https://gitee.com/thirtyleo/java_training_ground/tree/master/Character4
ps:对这篇博客做了一次改动增加了logout登出功能;修改了前端页面,增加了登出模块;修改了用户认证方式,由原来的校验数据库名称改为校验用户名和密码;
5278
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
