Shiro
Subject用户
SecurityManager管理所有用户
Realm连接数据
Maven使用到的jar包
<!-- Dependencies without a <version> (the Spring Boot starters, druid-spring-boot-starter,
     mysql-connector-java) take their version from the parent/BOM, which is outside this listing. -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<!-- Druid connection pool (configured as spring.datasource.type in the yml below) -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.16.18</version>
<scope>provided</scope>
</dependency>
<!-- NOTE(review): this log4j 1.2.17 dependency is declared a second time further down, next to
     the slf4j binding; Maven warns about duplicate declarations, so keep only one of them.
     log4j 1.x is no longer maintained upstream, so a supported backend (log4j 2 or logback)
     is the safer choice when the logging setup is revisited. -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.1</version>
</dependency>
<!-- Shiro core.
     NOTE(review): shiro-core 1.3.2 and shiro-spring 1.4.1 (next entry) are different releases of
     the same project; pin both to one version. Later Shiro releases also carry security fixes in
     the web filter / path-matching layer, so prefer a current release over either of these. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<!-- Shiro / Spring Boot integration (ShiroFilterFactoryBean, DefaultWebSecurityManager) -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
<!-- Thymeleaf dialect for the shiro:* attributes; registered by the ShiroDialect bean in ShiroConfig -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
<!-- slf4j bridge (commons-logging -> slf4j) and the log4j 1.2 binding -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.12</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.12</version>
</dependency>
<!-- duplicate of the log4j dependency declared above; see the note there -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
application配置文件
properties
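server.port=8088
# In a .properties file '#' starts a comment only at the beginning of a line; a trailing
# "# ..." after a value is read as part of that value. The comments therefore sit on
# their own lines here instead of after the values.
# Package whose classes are registered as MyBatis type aliases (this is not @Mapper scanning).
mybatis.type-aliases-package=com.hzy.pojo
# Location of the mapper XML files.
mybatis.mapper-locations=classpath:mapper/*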
yml
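spring:
  datasource:
    username: root
    # NOTE(review): the DB password is empty and the credentials sit in a committed config
    # file. Use a dedicated least-privilege database account and inject its password from
    # the environment or a secret store rather than writing it here.
    password:
    # ?serverTimezone=UTC avoids the MySQL time-zone error at connect time
    url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
    # NOTE(review): com.mysql.jdbc.Driver is the legacy Connector/J 5.x class name; Connector/J 8
    # uses com.mysql.cj.jdbc.Driver -- confirm against the connector version that is resolved.
    driver-class-name: com.mysql.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource
    # Spring Boot does not bind the Druid-specific properties below on its own;
    # they have to be bound to the DruidDataSource explicitly.
    # Druid pool settings
    initialSize: 5
    minIdle: 5
    maxActive: 20
    maxWait: 60000
    timeBetweenEvictionRunsMillis: 60000
    minEvictableIdleTimeMillis: 300000
    validationQuery: SELECT 1 FROM DUAL
    testWhileIdle: true
    testOnBorrow: false
    testOnReturn: false
    poolPreparedStatements: true
    # Druid interception filters: stat = statistics, log4j = logging, wall = SQL firewall.
    # The wall filter is defence in depth only; it does not replace parameterised
    # queries in the MyBatis mappers.
    # If startup fails with java.lang.ClassNotFoundException: org.apache.log4j.Priority,
    # add the log4j dependency: https://mvnrepository.com/artifact/log4j/log4j
    filters: stat,wall,log4j
    maxPoolPreparedStatementPerConnectionSize: 20
    useGlobalDataSourceStat: true
    connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500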
controller层
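/**
 * Handles the login form: authenticates the submitted credentials through Shiro.
 *
 * @param username   login name from the form
 * @param password   plain-text password from the form
 * @param model      view model; receives a "msg" attribute on failure
 * @param rememberme 1 enables Shiro's remember-me for this login, anything else (or null) does not
 * @return "index" on success, "login" (with "msg" set) on any authentication failure
 */
@RequestMapping("/login")
public String login(String username, String password, Model model, Integer rememberme) {
    // The caller as Shiro tracks it for this request.
    Subject subject = SecurityUtils.getSubject();
    // Wrap the form fields in the token the realm authenticates.
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    if (rememberme != null && rememberme == 1) {
        token.setRememberMe(true);
    }
    try {
        // Throws on failure; a normal return means the realm accepted the credentials.
        subject.login(token);
    } catch (UnknownAccountException e) {
        // NOTE(review): a separate "no such user" message lets a caller tell valid
        // usernames from invalid ones; one generic failure message is the safer choice.
        model.addAttribute("msg", "用户名不存在");
        return "login";
    } catch (IncorrectCredentialsException e) {
        model.addAttribute("msg", "密码错误");
        return "login";
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // Any other Shiro failure (locked/disabled account, realm error, ...). Without this
        // catch it propagated out of the controller and surfaced as a server error.
        model.addAttribute("msg", "登录失败");
        return "login";
    } finally {
        // Zero the token's copy of the password once the attempt is over, whatever the outcome.
        token.clear();
    }
    return "index";
}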
/**
 * Target of setUnauthorizedUrl("/noauth") in ShiroConfig: reached when a perms filter
 * rejects an authenticated caller. @ResponseBody returns the text itself, not a view name.
 */
@RequestMapping("/noauth") // no permission
@ResponseBody
public String unauthorized(){
return "未经授权无法访问!";
}
/** Ends the current caller's Shiro session and sends them back to the login view. */
@RequestMapping("/logout")
public String logout() {
    SecurityUtils.getSubject().logout();
    return "login";
}
Shiro的配置Config
package com.hzy.config;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {

    // 1. Realm: the custom realm (UserRealm, same package) that loads users and their permissions.
    @Bean(name = "userRealm")
    public UserRealm userRealm() {
        UserRealm realm = new UserRealm();
        return realm;
    }

    // 2. SecurityManager: Shiro's central component, wired to the realm above.
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(userRealm);
        return manager;
    }

    // 3. Shiro servlet filter: applies the chain definitions to incoming requests.
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilter = new ShiroFilterFactoryBean();
        shiroFilter.setSecurityManager(securityManager);
        shiroFilter.setFilterChainDefinitionMap(filterChainDefinitions());
        // Where the perms filter sends callers who are not authenticated yet.
        shiroFilter.setLoginUrl("/toLogin");
        // Where authenticated callers lacking the required permission are sent.
        shiroFilter.setUnauthorizedUrl("/noauth");
        return shiroFilter;
    }

    /**
     * Filter chain definitions, in match order.
     *
     * Built-in filters: anon (no authentication required), authc (must be authenticated),
     * user (authenticated or remembered), perms (must hold the named permission),
     * roles (must hold the named role).
     *
     * Shiro evaluates these entries in insertion order and the first matching path wins, so
     * the specific /user/add and /user/update entries have to stay ahead of /user/*.
     * Paths that are not listed here get no Shiro filter, i.e. they are not protected.
     */
    private static Map<String, String> filterChainDefinitions() {
        Map<String, String> chains = new LinkedHashMap<>();
        chains.put("/user/add", "perms[user:add]");
        chains.put("/user/update", "perms[user:update]");
        chains.put("/user/*", "perms[user:all]");
        return chains;
    }

    // Thymeleaf dialect so templates can use the shiro:* attributes.
    @Bean
    public ShiroDialect getShiroDialect() {
        return new ShiroDialect();
    }
}
和userRealm关联的自定义类
package com.hzy.config;
import com.hzy.pojo.User;
import com.hzy.service.impl.UserServiceImpl;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
//这里用user.getAddress代表user.getPassword
//自定义的UserRealm extends AuthorizingRealm
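public class UserRealm extends AuthorizingRealm {
    @Autowired
    UserServiceImpl userService;

    /**
     * Authorization: builds the permission set for an already-authenticated principal.
     * The primary principal is the {@link User} handed to SimpleAuthenticationInfo in
     * doGetAuthenticationInfo, so it is read from the supplied PrincipalCollection rather
     * than from the thread-bound Subject, which is the wrong source inside a realm.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了=>授权doGetAuthorizationInfo");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User currentUser = (User) principalCollection.getPrimaryPrincipal();
        String perms = currentUser == null ? null : currentUser.getPerms();
        // A user without a permission string gets an empty info instead of a null entry
        // that would fail later when the perms filter resolves it.
        if (perms != null && !perms.isEmpty()) {
            info.addStringPermission(perms);
        }
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands the stored credential to Shiro.
     *
     * @param token the UsernamePasswordToken built by the login controller
     * @return authentication info whose principal is the {@link User} row
     * @throws UnknownAccountException when no user with the submitted name exists
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("执行了=>认证doGetAuthenticationInfo");
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        // Look the account up in the database by the submitted username.
        User user = userService.queryUserByName(userToken.getUsername());
        // Must run before any field of user is touched: the previous order dereferenced
        // user first, so an unknown name produced a NullPointerException instead of the
        // UnknownAccountException the login controller handles.
        if (user == null) {
            throw new UnknownAccountException("No account found for user [" + userToken.getUsername() + "]");
        }
        // Expose the login name to the view layer through the Shiro session.
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession();
        session.setAttribute("loginUser", user.getName());
        // NOTE(review): no CredentialsMatcher is configured on this realm, so Shiro's default
        // matcher compares the submitted password with the stored value (user.getAddress()
        // stands in for the password column here) as-is -- effectively plain text. Hashing at
        // registration (e.g. SimpleHash with a per-user salt) only helps once a matching
        // HashedCredentialsMatcher is set on this realm. The unused SimpleHash block that also
        // printed the password hash to stdout was removed.
        // Realm name from getName() instead of "" so the principal's realm is identifiable.
        return new SimpleAuthenticationInfo(user, user.getAddress(), getName());
    }
}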
thymeleaf和shiro的整合
使用头
xmlns:th="http://www.thymeleaf.org"
xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro"
页面中使用
shiro:hasPermission="user:all" //表示拥有该权限显示