一、简介
Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。
shiro包含三个核心组件:Subject, SecurityManager 和 Realms.
Subject:即“当前操作用户”。但是,在Shiro中,Subject这一概念并不仅仅指人,也可以是第三方进程、后台帐户(Daemon Account)或其他类似事物。它仅仅意味着“当前跟软件交互的东西”。
Subject代表了当前用户的安全操作,SecurityManager则管理所有用户的安全操作。
SecurityManager:它是Shiro框架的核心,典型的Facade模式,Shiro通过SecurityManager来管理内部组件实例,并通过它来提供安全管理的各种服务。
Realm: Realm充当了Shiro与应用安全数据间的“桥梁”或者“连接器”。也就是说,当对用户执行认证(登录)和授权(访问控制)验证时,Shiro会从应用配置的Realm中查找用户及其权限信息。
从这个意义上讲,Realm实质上是一个安全相关的DAO:它封装了数据源的连接细节,并在需要时将相关数据提供给Shiro。当配置Shiro时,你必须至少指定一个Realm,用于认证和(或)授权。配置多个Realm是可以的,但是至少需要一个。
Shiro内置了可以连接大量安全数据源(又名目录)的Realm,如LDAP、关系数据库(JDBC)、类似INI的文本配置资源以及属性文件等。如果系统默认的Realm不能满足需求,你还可以插入代表自定义数据源的自己的Realm实现。
二、spring整合shiro
1.引入jar包
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
2.编写两个配置类
springShiroConfig,此配置类需要创建securityManager和shiroFilterFactoryBean对象
package com.cy.config;
import com.cy.vo.JsonResult;
import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import java.util.LinkedHashMap;
/**
* @author Administrator
* @Configuration 标明这是一个配置类
*/
@Configuration
public class SpringShiroConfig {
/**
* 创建securityManager对象并交给spring进行管理
* @return
*/
@Bean
public SecurityManager newSecurityManager(@Autowired Realm realm,@Autowired CacheManager cacheManager){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm);
//设置缓存管理
securityManager.setCacheManager(cacheManager);
//设置记住我功能
securityManager.setRememberMeManager(newRememberMeManager());
//设置会话管理
securityManager.setSessionManager(newSessionManager());
return securityManager;
}
/**
* 创建shiroFilterFactoryBean对象,交给spring进行管理
* 并设置过滤规则
* @return
*/
@Bean("shiroFilterFactory")
public ShiroFilterFactoryBean newShiroFilterFactoryBean(@Autowired SecurityManager securityManager ){
ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
filterFactoryBean.setSecurityManager(securityManager);
//没有登录跳转到登录页面
filterFactoryBean.setLoginUrl("/doLogin");
//定义map指定请求过滤规则(哪些资源允许匿名访问,哪些必须认证访问)
LinkedHashMap<String,String> map=
new LinkedHashMap<>();
//静态资源允许匿名访问:"anon"
map.put("/bower_components/**","anon");
map.put("/build/**","anon");
map.put("/dist/**","anon");
map.put("/plugins/**","anon");
//登录页面允许匿名访问
map.put("/user/doLogin","anon");
//退出页面允许匿名访问
map.put("/doLogout","logout");
//除了匿名访问的资源,其它都要认证("authc")后访问 map.put("/**","authc");
map.put("/**","user");
filterFactoryBean.setFilterChainDefinitionMap(map);
return filterFactoryBean;
}
/**
* 生命周期管理器
* @return
*/
@Bean("lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor
newLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
*配置代理对象创建器
* @return
*/
@DependsOn("lifecycleBeanPostProcessor")
@Bean
public DefaultAdvisorAutoProxyCreator newDefaultAdvisorAutoProxyCreator() {
return new DefaultAdvisorAutoProxyCreator();
}
/**
* 配置advisor对象
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor
newAuthorizationAttributeSourceAdvisor(
@Autowired SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor=
new AuthorizationAttributeSourceAdvisor();
return advisor;
}
/**
* 配置缓存Bean对象
* @return
*/
@Bean
public CacheManager newCacheManager(){
return new MemoryConstrainedCacheManager();
}
/**
* 记住我功能实现
* @return
*/
public SimpleCookie newCookie() {
SimpleCookie c=new SimpleCookie("rememberMe");
c.setMaxAge(10*60);
return c;
}
public CookieRememberMeManager newRememberMeManager() {
CookieRememberMeManager cManager=
new CookieRememberMeManager();
cManager.setCookie(newCookie());
return cManager;
}
/**
* 会话管理器配置
* @return
*/
public DefaultWebSessionManager newSessionManager() {
DefaultWebSessionManager sManager=
new DefaultWebSessionManager();
sManager.setGlobalSessionTimeout(60*60*1000);
return sManager;
}
}
webFileterConfig
package com.cy.config;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.DelegatingFilterProxy;
/**
* @author Administrator
*/
@Configuration
public class WebFilterConfig {
/**
* 注册filter对象
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
@Bean
public FilterRegistrationBean
newFilterRegistrationBean() {
//1.构建过滤器的注册器对象
FilterRegistrationBean fBean = new FilterRegistrationBean();
//2.注册过滤器对象
DelegatingFilterProxy filter = new DelegatingFilterProxy("shiroFilterFactory");
fBean.setFilter(filter);
//3.进行过滤器配置
//配置过滤器的生命周期管理(可选)由ServletContext对象负责
//fBean.setEnabled(true);//默认值就是true
fBean.addUrlPatterns("/*");
//....
return fBean;
}
}
3.创建shiroUserRealm,需要实现三个方法,设置匹配器凭证方法,获取认证对象方法,获取授权对象方法
package com.cy.service;
import com.cy.dao.SysMenuDao;
import com.cy.dao.SysRoleDao;
import com.cy.dao.SysUserDao;
import com.cy.entity.SysUser;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
* @author Administrator 继承autorizingRealm
*/
@Service
public class ShiroUserRealm extends AuthorizingRealm {
@Autowired
private SysUserDao sysUserDao;
@Autowired
private SysRoleDao sysRoleDao;
@Autowired
private SysMenuDao sysMenuDao;
/**
* 设置凭证匹配器
* 1.创建认证匹配对象
* 2.设置加密方法
* 3.设置加密次数
* @param credentialsMatcher
*/
@Override
public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
//1.构建凭证匹配对象 hashedCredentialsMatcher
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
//2.设置加密算法
hashedCredentialsMatcher.setHashAlgorithmName("MD5");
//3.设置加密次数
hashedCredentialsMatcher.setHashIterations(1);
super.setCredentialsMatcher(hashedCredentialsMatcher);
}
/**
* 获取授权对象
* 1.获取登录用户id
* 2.根据userId查询角色Id
* 3.根据roleId查询菜单Id
* 4.根据menuId查询菜单表
* 5.获取菜单权限
* 6.封装成授权对象并返回
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//1.获取当前登录用户
SysUser user = (SysUser) principals.getPrimaryPrincipal();
Integer userId = user.getId();
//数组将list转化为数组
Integer[] array = {};
//2.根据用户id查询角色id
List<Integer> roleIds = sysRoleDao.findRoleIdByUserId(userId);
if (roleIds == null || roleIds.size() <= 0){
throw new AuthorizationException();
}
//3.根据角色id查询菜单id
List<Integer> menuIds = sysRoleDao.findMenuIdByRoleIds(roleIds.toArray(array));
if (menuIds == null || menuIds.size() <= 0){
throw new AuthorizationException();
}
//4.根据菜单id查询权限
List<String> permissionList = sysMenuDao.findPermissionsByMenuIds(menuIds.toArray(array));
//5.将权限信息存到set中,不重复
Set<String> permissionSet = new HashSet<>();
for (String s : permissionList) {
if (!StringUtils.isEmpty(s)){
permissionSet.add(s);
}
}
//6.创建授权对象,添加权限并返回
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setStringPermissions(permissionSet);
return simpleAuthorizationInfo;
}
/**
* 获取认证对象
* 1.获取界面输入用户名密码
* 2.根据用户名查询数据库
* 3.判断用户状态
* 4.byteSource获取凭证盐值
* 5.创建认证对象并返回
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//1.获取用户名密码(页面输入)
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = usernamePasswordToken.getUsername();
//2.根据用户查询数据库
SysUser sysUser = sysUserDao.findUserByUserName(username);
//3.判断用户是否存在,不存在抛出不知道账户异常
if (sysUser == null){
throw new UnknownAccountException();
}
//4.判断用户是否被禁用,被禁用抛出账户锁定异常
if (sysUser.getValid() == 0){
throw new LockedAccountException();
}
//5.封装盐值
ByteSource credentialsSalt = ByteSource.Util.bytes(sysUser.getSalt());
//6.封装用户信息
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(sysUser,sysUser.getPassword(),credentialsSalt,sysUser.getUsername());
return info;
}
}
4.后台登录实现,需要利用securityManagerUtils获取subject对象,封装前端传入的用户信息提交给securityManager进行认证
package com.cy.controller;
import com.cy.dao.SysUserDao;
import com.cy.entity.SysUser;
import com.cy.service.SysUserService;
import com.cy.vo.JsonResult;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author Administrator
*/
@Controller
@RequestMapping("/user/")
public class UserController {
@Autowired
private SysUserService sysUserService;
@RequestMapping("doLogin")
@ResponseBody
public JsonResult doLogin(String username,String password,Boolean isRememberMe){
//1.获取subject对象
Subject subject = SecurityUtils.getSubject();
//2.封装页面输入用户名密码
UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(username,password);
//记住我功能实现
if (isRememberMe){
usernamePasswordToken.setRememberMe(true);
}
//3.subject对象将token提交给securityManager
subject.login(usernamePasswordToken);
return new JsonResult("login ok");
}
}
5,权限控制,在菜单表中有设置的权限字段,在实现的userShiroRealm中设置权限对象,通过在springShiroConfig中注入realm交给securityManager进行权限认证
/**
* 获取授权对象
* 1.获取登录用户id
* 2.根据userId查询角色Id
* 3.根据roleId查询菜单Id
* 4.根据menuId查询菜单表
* 5.获取菜单权限
* 6.封装成授权对象并返回
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//1.获取当前登录用户
SysUser user = (SysUser) principals.getPrimaryPrincipal();
Integer userId = user.getId();
//数组将list转化为数组
Integer[] array = {};
//2.根据用户id查询角色id
List<Integer> roleIds = sysRoleDao.findRoleIdByUserId(userId);
if (roleIds == null || roleIds.size() <= 0){
throw new AuthorizationException();
}
//3.根据角色id查询菜单id
List<Integer> menuIds = sysRoleDao.findMenuIdByRoleIds(roleIds.toArray(array));
if (menuIds == null || menuIds.size() <= 0){
throw new AuthorizationException();
}
//4.根据菜单id查询权限
List<String> permissionList = sysMenuDao.findPermissionsByMenuIds(menuIds.toArray(array));
//5.将权限信息存到set中,不重复
Set<String> permissionSet = new HashSet<>();
for (String s : permissionList) {
if (!StringUtils.isEmpty(s)){
permissionSet.add(s);
}
}
//6.创建授权对象,添加权限并返回
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setStringPermissions(permissionSet);
return simpleAuthorizationInfo;
}
6.shiro框架可以进行记住我,会话管理等相关的功能扩展。
/**
* 生命周期管理器
* @return
*/
@Bean("lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor
newLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
*配置代理对象创建器
* @return
*/
@DependsOn("lifecycleBeanPostProcessor")
@Bean
public DefaultAdvisorAutoProxyCreator newDefaultAdvisorAutoProxyCreator() {
return new DefaultAdvisorAutoProxyCreator();
}
/**
* 配置advisor对象
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor
newAuthorizationAttributeSourceAdvisor(
@Autowired SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor=
new AuthorizationAttributeSourceAdvisor();
return advisor;
}
/**
* 配置缓存Bean对象
* @return
*/
@Bean
public CacheManager newCacheManager(){
return new MemoryConstrainedCacheManager();
}
/**
* 记住我功能实现
* @return
*/
public SimpleCookie newCookie() {
SimpleCookie c=new SimpleCookie("rememberMe");
c.setMaxAge(10*60);
return c;
}
public CookieRememberMeManager newRememberMeManager() {
CookieRememberMeManager cManager=
new CookieRememberMeManager();
cManager.setCookie(newCookie());
return cManager;
}
/**
* 会话管理器配置
* @return
*/
public DefaultWebSessionManager newSessionManager() {
DefaultWebSessionManager sManager=
new DefaultWebSessionManager();
sManager.setGlobalSessionTimeout(60*60*1000);
return sManager;
}
在后端可以设置异常全局管理类,用来处理shiro以及service层,和runtimeException异常,给用户比较好的使用体验
package com.cy.web;
import com.cy.common.ServiceException;
import com.cy.vo.JsonResult;
import org.apache.shiro.ShiroException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author Administrator
*/
@ControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler(ShiroException.class)
@ResponseBody
public JsonResult doHandlerShiroException(ShiroException e){
JsonResult jsonResult = new JsonResult();
jsonResult.setState(0);
if (e instanceof UnknownAccountException){
jsonResult.setMessage("账户不存在");
}else if (e instanceof LockedAccountException){
jsonResult.setMessage("账户被禁用");
}else if (e instanceof IncorrectCredentialsException){
jsonResult.setMessage("密码不正确");
}else if (e instanceof AuthorizationException){
jsonResult.setMessage("没有操作权限");
}
return jsonResult;
}
@ExceptionHandler(ServiceException.class)
@ResponseBody
public JsonResult doHandlerServiceException(ServiceException e){
//封装错误详细信息到控制台
e.printStackTrace();
return new JsonResult(e);
}
@ExceptionHandler(RuntimeException.class)
@ResponseBody
public JsonResult doHandlerRuntimeException(RuntimeException e){
//封装错误详细信息到控制台
e.printStackTrace();
return new JsonResult(e);
}
}
总结:shiro框架作为开源的安装框架,可以很好的实现项目的安全管理,增大项目的安全系数。当然spring框架中对springSecurity的支持可能更好些,在项目开发过程可以考量使用。