以下是我对shiro的简单了解
写的不好,轻喷
shiro主要分为三个部分1、subject用户,2、Security Manager 管理所有用户,3、连接数据
先导入shiro的依赖
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.kuang</groupId>
<artifactId>spring-boot-shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>spring-boot-shiro</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<!--
Subject用户
Security Manager 管理所有用户
Realm 连接数据
-->
<!--shiro整合spring的包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!--引入thymeleaf-->
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<!--引入jdbc、-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<!--引入mybatis-->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.1</version>
</dependency>
<!--引入druid(德鲁伊)的数据源-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
<!--引入log4j-->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<!--mqsql驱动-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
在yaml配置文件中配置数据库连接以及mybatis
spring:
datasource:
username: root
password: 123456
url: jdbc:mysql://localhost:3306/shiro?serverTimezone=UTC&characterEncoding=UTF-8&userUnicode=true
driver-class-name: com.mysql.cj.jdbc.Driver
mybatis:
mapper-locations: classpath:mybatis/mapper/*.xml
type-aliases-package: com.kuang.pojo
现在开始写demo
这是一个首页,我们需要做的就是当用户有add权限是可以进入add界面,有update权限时可以进入update
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<h1>首页</h1>
<a th:text="${msg}"></a>
<hr>
<a th:href="@{/user/add}">add</a> | <a th:href="@{/user/update}">update</a>
</body>
</html>
实体类:
//@Data
//@AllArgsConstructor
//@NoArgsConstructor
public class User {
public int id;
public String username;
public String password;
public String perms;
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getPerms() {
return perms;
}
public void setPerms(String perms) {
this.perms = perms;
}
public User(String username, String password, String perms) {
this.username = username;
this.password = password;
this.perms = perms;
}
@Override
public String toString() {
return "User{" +
"id=" + id +
", username='" + username + '\'' +
", password='" + password + '\'' +
", perms='" + perms + '\'' +
'}';
}
}
service接口以及实现类:
public interface UserService {
User userlogin(String username);
}
@Service
public class UserServiceImpl implements UserService {
@Autowired
UserMapper mapper;
@Override
public User userlogin(String username) {
return mapper.userlogin(username);
}
}
mapper层:
@Mapper
@Repository
public interface UserMapper {
User userlogin(String username);
}
mapper.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.kuang.mapper.UserMapper">
<resultMap id="Userlogin" type="User">
<id property="id" column="id" jdbcType="INTEGER" ></id>
<result property="username" column="name" jdbcType="VARCHAR" ></result>
<result property="password" column="password" jdbcType="VARCHAR" ></result>
<result property="perms" column="perms" jdbcType="VARCHAR" ></result>
</resultMap>
<select id="userlogin" resultMap="Userlogin" parameterType="String" resultType="User">
select * from user where name=#{username};
</select>
</mapper>
然后这是Controller层:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* @ClassName Mycontroller
* @Description TODO
* @Author ht
* @Date 2020/8/13 15:45
* @Version 1.0
**/
@Controller
public class MyController {
@RequestMapping("/")
public String hello(Model model){
model.addAttribute("msg", "hello shiro");
return "index";
}
@RequestMapping("/user/add")
public String add(){
return "user/add";
}
@RequestMapping("/user/update")
public String update(){
return "user/update";
}
@RequestMapping("/tologin")
public String tologin(){
return "login";
}
@RequestMapping("/login")
public String login(String username,String password,Model model){
//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登录数据 获取令牌
UsernamePasswordToken token=new UsernamePasswordToken(username,password);
System.out.println(token);
// token.setRememberMe(true);//设置记住我
//获取令牌后直接登陆令牌
try {
subject.login(token);//执行登录方法,如果没有异常就ok
return "index";
} catch (UnknownAccountException e) {//用户名不存在
model.addAttribute("msg", "用户名错误");
return "login";
}catch (IncorrectCredentialsException e) {//密码错误
model.addAttribute("msg", "密码错误");
return "login";
}
}
@RequestMapping("/unauth")
@ResponseBody
public String unauth(){
return "未授权不允许进入";
}
@RequestMapping("/logout")
public String logout(Model model) {
Subject subject = SecurityUtils.getSubject();
subject.logout();
model.addAttribute("msg","安全退出!");
return "index";
}
}
还有两个配置类config:一个是创建shiro用于授权,认证,一个连接数据获取当前用户,认证是否具有权限,它们是通过UserReaml连接的
shiroconfig:
package com.kuang.config;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @ClassName ShiroConfig
* @Description TODO
* @Author ht
* @Date 2020/8/13 15:54
* @Version 1.0
**/
@Configuration
public class ShiroConfig {
//一层关联一层,层层递进
//ShiorFillterFactoryBean Shiro过滤对象 3第三步
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager){
//死方法
ShiroFilterFactoryBean bean=new ShiroFilterFactoryBean();
//关联
//设置安全管理器
bean.setSecurityManager(defaultWebSecurityManager);
//添加shiro的内置过滤器
/*
anon:无需认证就可以访问
authc:必须认证了才能访问
user:必须拥有“记住我”功能才能访问
perms:拥有对某个资源的权限才能访问
role:拥有某个角色权限才能访问
*/
Map<String,String> filtermap=new LinkedHashMap<>();
//授权
filtermap.put("/user/add", "perms[user:add]");
filtermap.put("/user/update", "perms[user:update]");
//logout是shiro自带的过滤器,只要拦截到访问/logout的请求,就会被走logout对应的 LogoutFilter,自动登出。
filtermap.put("/logout","logout");
// filtermap.put("/user/*","authc");
//FilterChainDefinitionMap参数是一个map类型 且FilterChainDefinitionMap为链式可以用LinkedHashMap
bean.setFilterChainDefinitionMap(filtermap);
//若没有权限,返回登陆的接口
bean.setLoginUrl("/tologin");
//设置未授权的请求
bean.setUnauthorizedUrl("/unauth");
return bean;
}
//DefaultWebSecurityManage 安全对象 2第二步
@Bean(name = "securityManager")
//@Qualifier指定()里的方法名,会自动寻找到userReaml方法名
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userReaml") UserReaml userReaml){
//死方法
DefaultWebSecurityManager securityManager =new DefaultWebSecurityManager();
//关联UserReaml 管理Reaml
securityManager.setRealm(userReaml());
return securityManager;
}
//创建 Realm对象 ,需要自定义 1第一步
//放入我们创建的自定义的Reaml对象 UserReaml
@Bean
public UserReaml userReaml(){
return new UserReaml();
}
}
UserRealconfig:
package com.kuang.config;
import com.kuang.pojo.User;
import com.kuang.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
/**
* @ClassName UserReaml
* @Description TODO
* @Author ht
* @Date 2020/8/13 15:57
* @Version 1.0
**/
//自定义的userReaml
public class UserReaml extends AuthorizingRealm {
@Autowired
UserService service;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了=》授权doGetAuthorizationInfo");
//授权
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//授权
// info.addStringPermission("user:add");
//拿到当前登录对象
// 该对象是在认证类中SimpleAuthenticationInfo的第一个参数传递过来,授权这边直接获取
Subject subject = SecurityUtils.getSubject();
User currentUser =(User) subject.getPrincipal();//拿到user对象了
//设置当前用户的权限
info.addStringPermission(currentUser.getPerms());
return info;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了=》认证doGetAuthenticationInfo");
UsernamePasswordToken userToken= (UsernamePasswordToken) token;
User loginuser= service.userlogin(userToken.getUsername());
if (loginuser==null){
return null;//抛出异常 未知用户名UnknownAccountException
}
//密码认证 shiro做
//SimpleAuthenticationInfo是AuthenticationInfo的一个实现类
//shiro可以加密 MD5加密 MD5颜值加密
//第一个参数:获取当前用户的认证 第二个:传递密码的对象 第三个:认证名
return new SimpleAuthenticationInfo(loginuser,loginuser.password,"");
}
}