1.创建一个maven的web工程
2.ssm整合到web工程中。
2.1pom依赖
<dependencies>
<!--spring-webmvc-->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.2.15.RELEASE</version>
</dependency>
<!--mybatis依赖-->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.5.6</version>
</dependency>
<!--mybatis和spring整合的依赖-->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>2.0.6</version>
</dependency>
<!--mysql驱动-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.28</version>
</dependency>
<!--druid连接池依赖-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.2.1</version>
</dependency>
<!--lombok依赖-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.24</version>
</dependency>
<!--jackson java对象转换为json对象 @ResponseBody-->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.13.2.2</version>
</dependency>
<!--servlet-api依赖-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework/spring-jdbc -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>5.2.12.RELEASE</version>
</dependency>
<!-- mybatis 代码生成器的依赖-->
<dependency>
<groupId>org.mybatis.generator</groupId>
<artifactId>mybatis-generator-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
</dependency>
<!-- 分页插件的依赖-->
<dependency>
<groupId>com.github.pagehelper</groupId>
<artifactId>pagehelper</artifactId>
<version>5.1.11</version>
</dependency>
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.9.0</version>
</dependency>
</dependencies>
2.2.spring配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- 包扫秒-->
<context:component-scan base-package="com.lzl"/>
<!-- 开启注释-->
<mvc:annotation-driven/>
<!--释放静态资源-->
<mvc:default-servlet-handler/>
<!--spring 配置-->
<!-- 数据源配置-->
<bean id="ds" class="com.alibaba.druid.pool.DruidDataSource" >
<!--驱动名称-->
<property name="driverClassName" value="com.mysql.cj.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost:3306/mydb?serverTimezone=Asia/Shanghai" />
<property name="username" value="root" />
<property name="password" value="lzl200038" />
<!--初始化连接池数量-->
<property name="initialSize" value="5" />
<!--至少的个数-->
<property name="minIdle" value="5" />
<!--最多的个数-->
<property name="maxActive" value="5"/>
<!--最长等待时间 单位毫秒-->
<property name="maxWait" value="3000"/>
</bean>
<!--sqlSessionFactory 整合mybatis-->
<bean id="sessionFactoryql" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="ds" />
<!--设置mybatis 映射文件的路径-->
<!--<property name="mapperLocations" value="classpath:mapper/*.xml" />-->
<property name="plugins" >
<array>
<bean class="com.github.pagehelper.PageInterceptor">
</bean>
</array>
</property>
</bean>
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<!--为com.lzl.dao包下的接口生成实现类-->
<property name="basePackage" value="com.lzl.dao" />
</bean>
<!--整合shiro的配置文件
1 SecurityManger-->
<bean id="securityManger" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="realm" />
</bean>
<!--创建自定义realm类对象-->
<bean id="realm" class="com.lzl.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!--创建密码匹配器-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"/>
<property name="hashIterations" value="1024"/>
</bean>
<!--shiro过滤工厂:设置过滤规则-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManger"/>
<property name="filterChainDefinitions">
<value>
/login=anon
/**=authc
/login.jsp=anon
</value>
</property>
<property name="filters">
<map>
<entry key="authc">
<bean class="com.lzl.filter.LoginFilter"/>
</entry>
</map>
</property>
</bean>
<!-- 启动Shrio的注解 -->
<bean id="lifecycleBeanPostProcessor"
class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManger" />
</bean>
</beans>
2.3web.xml文件
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<!--shiro过滤器的代理-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring.xml</param-value>
</init-param>
<!--当tomcat启动时创建DipatcherServlet 默认当访问controller路径时创建-->
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
3.整合shrio 注:上面的配置文件,依赖已经加进去了
(1)引入依赖
<!--shiro-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.9.0</version>
</dependency>
(2)修改spring配置文件
<!--整合shiro的配置内容-->
<!--①SecurityManager-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="realm"/>
</bean>
<!--创建自定义realm类对象-->
<bean id="realm" class="com.ykq.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!--创建密码匹配器-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"/>
<property name="hashIterations" value="1024"/>
</bean>
<!--shiro过滤工厂: 设置过滤的规则-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!--如果没有登录,跳转的路径-->
<property name="loginUrl" value="/login.jsp"/>
<!--没有权限,跳转的路径-->
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
/login=anon
/**=authc
</value>
</property>
</bean>
shiro中内置很多过滤器,而每个过滤都有相应的别名.
(3) 修改web.xml文件
<!--shiro过滤器的代理-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(4) 修改controller层
@PostMapping("/login")
public String login(String username,String password){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token=new UsernamePasswordToken(username,password);
try {
subject.login(token);
return "redirect:/success.jsp";
}catch (Exception e){
return "redirect:/login.jsp";
}
}
(5)重写real
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Override
//授权功能
//当你进行权限校验就会走该方法
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//根据用户查询该用户拥有那些权限
System.out.println(principalCollection);
User primaryPrincipal = (User) principalCollection.getPrimaryPrincipal();
List<String> list = userService.findPermissionUsername(primaryPrincipal.getUserid());
if (list!=null&&list.size()>0){
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermissions(list);
return info;
}
return null;
}
@Override
//认证功能
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//1.根据token获取账号
String username = (String) authenticationToken.getPrincipal();
User user = userService.findByUsername(username);
if (user!=null){
ByteSource source = ByteSource.Util.bytes(user.getSalt());
SimpleAuthenticationInfo info= new SimpleAuthenticationInfo(user,user.getUserpwd(),source,this.getName());
return info;
}
return null;
}
}
4.进入主页后,不同的用户可以看到不同的内容。
<%--
Created by IntelliJ IDEA.
User: 17162
Date: 2022/8/5
Time: 21:31
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h1><shiro:principal property="username"></shiro:principal>欢迎来到主页</h1>
<shiro:hasPermission name="user:query"><a href="/user/query">查询用户</a></shiro:hasPermission>
<shiro:hasPermission name="user:update"><a href="/user/update">修改用户</a></shiro:hasPermission>
<shiro:hasPermission name="user:delete"><a href="/user/delete">删除用户</a></shiro:hasPermission>
<shiro:hasPermission name="user:insert"><a href="/user/insert">添加用户</a></shiro:hasPermission>
<shiro:hasPermission name="user:export"><a href="/user/export">导出用户</a></shiro:hasPermission>
</body>
</html>
可以在jsp中获取当前登录者的账号
上面只是在网页中根据不同用户显示不同的菜单,这种方式只能防君子不能防小人。
拦截器---获取请求路径 然后根据你的路径判断当前用户是否具有该权限。
spring整合shiro时提供了一个注解:可以加载相应方法上。
@RestController
@RequestMapping("user")
public class UserController {
@GetMapping("query")
@RequiresPermissions(value = "user:query")
public String query(){
return "user:query";
}
@GetMapping("insert")
@RequiresPermissions(value = "user:insert")
public String isnert(){
return "user:insert";
}
@GetMapping("delete")
@RequiresPermissions(value = "user:delete")
public String delete(){
return "user:delete";
}
@GetMapping("select")
@RequiresPermissions(value = "user:select")
public String select(){
return "user:select";
}
@GetMapping("export")
@RequiresPermissions(value = "user:export")
public String export(){
return "user:export";
}
}
<!-- 启动Shrio的注解 -->
<bean id="lifecycleBeanPostProcessor"
class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
使用全局异常处理: