Shiro框架学习笔记(一)

最新推荐文章于 2022-08-24 03:24:01 发布
最新推荐文章于 2022-08-24 03:24:01 发布
阅读量1.1k 收藏
点赞数
分类专栏: 后端框架
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weweeeeeeee/article/details/80321793
版权
#Shiro框架学习笔记(一)

#############################################################################
###一、sessionValidationScheduler的使session失效执行流程(SessionManeger)###
#############################################################################
1.ExecutorServiceSessionValidationScheduler
    
    public void run() {
        if (log.isDebugEnabled()) {
            log.debug("Executing session validation...");
        }

        long startTime = System.currentTimeMillis();
        
        //(1)调用AbstractValidatingSessionManager.validateSessions()方法
        this.sessionManager.validateSessions();
        
        long stopTime = System.currentTimeMillis();
        if (log.isDebugEnabled()) {
            log.debug("Session validation completed successfully in " + (stopTime - startTime) + " milliseconds.");
        }

    }

2.AbstractValidatingSessionManager.validateSessions()方法

    public void validateSessions() {
        if (log.isInfoEnabled()) {
            log.info("Validating all active sessions...");
        }

        int invalidCount = 0;
        Collection<Session> activeSessions = this.getActiveSessions();
        if (activeSessions != null && !activeSessions.isEmpty()) {
            Iterator i$ = activeSessions.iterator();

            while(i$.hasNext()) {
                Session s = (Session)i$.next();

                try {
                    SessionKey key = new DefaultSessionKey(s.getId());
                    
                    //(2)调用validate()方法
                    this.validate(s, key);
                    
                } catch (InvalidSessionException var8) {
                    if (log.isDebugEnabled()) {
                        boolean expired = var8 instanceof ExpiredSessionException;
                        String msg = "Invalidated session with id [" + s.getId() + "]" + (expired ? " (expired)" : " (stopped)");
                        log.debug(msg);
                    }

                    ++invalidCount;
                }
            }
        }

        if (log.isInfoEnabled()) {
            String msg = "Finished session validation.";
            if (invalidCount > 0) {
                msg = msg + "  [" + invalidCount + "] sessions were stopped.";
            } else {
                msg = msg + "  No sessions were stopped.";
            }

            log.info(msg);
        }

    }

3.AbstractValidatingSessionManager.validate()方法
    
    3.1 AbstractValidatingSessionManager
        
        protected void validate(Session session, SessionKey key) throws InvalidSessionException {
            try {
                //(3)调用dpValidate()方法,如何session失效抛出InvalidSessionException异常
                this.doValidate(session);
            } catch (ExpiredSessionException var4) {
                this.onExpiration(session, var4, key);
                throw var4;
            } catch (InvalidSessionException var5) {
                //(4)捕获InvalidSessionExceptiony异常,调用onInvalidation()方法
                this.onInvalidation(session, var5, key);
                throw var5;
            }
        }
    
    3.2 AbstractValidatingSessionManager
        
        protected void doValidate(Session session) throws InvalidSessionException {
            if (session instanceof ValidatingSession) {
                //调用ValidatingSession.validate()方法
                ((ValidatingSession)session).validate();
            
            } else {
                String msg = "The " + this.getClass().getName() + " implementation only supports validating " + "Session implementations of the " + ValidatingSession.class.getName() + " interface.  " + "Please either implement this interface in your session implementation or override the " + AbstractValidatingSessionManager.class.getName() + ".doValidate(Session) method to perform validation.";
                throw new IllegalStateException(msg);
            }
        }
    
    3.3 SimpleSession
        
        public void validate() throws InvalidSessionException {
            if (this.isStopped()) {
                String msg = "Session with id [" + this.getId() + "] has been " + "explicitly stopped.  No further interaction under this session is " + "allowed.";
                throw new StoppedSessionException(msg);
            } else if (this.isTimedOut()) {
                this.expire();
                Date lastAccessTime = this.getLastAccessTime();
                long timeout = this.getTimeout();
                Serializable sessionId = this.getId();
                DateFormat df = DateFormat.getInstance();
                String msg = "Session with id [" + sessionId + "] has expired. " + "Last access time: " + df.format(lastAccessTime) + ".  Current time: " + df.format(new Date()) + ".  Session timeout is set to " + timeout / 1000L + " seconds (" + timeout / 60000L + " minutes)";
                if (log.isTraceEnabled()) {
                    log.trace(msg);
                }
                //抛出ExpiredSessionException异常(实现了InvalidSessionException)
                throw new ExpiredSessionException(msg);
            }
        }
    
4.AbstractValidatingSessionManager.onInvalidation()方法
    
    protected void onInvalidation(Session s, InvalidSessionException ise, SessionKey key) {
        if (ise instanceof ExpiredSessionException) {
            this.onExpiration(s, (ExpiredSessionException)ise, key);
        } else {
            log.trace("Session with id [{}] is invalid.", s.getId());

            try {
                //(5)调用onStop()方法
                this.onStop(s);
                //(6)调用notifyStop()方法
                this.notifyStop(s);
            } finally {
                //(7)最终调用afterStopped()方法
                this.afterStopped(s);
            }

        }
    }


##################################################################
###二、Shiro简单实现登录校验与权限验证的流程(SecurityManager)###
##################################################################

ApplicationCode-->  Subject  -->      SecurityManager  -->  Realm
                (The current user)    (manages all Subject) (access your sercurity data)

                
1.LoginController

    @RequestMapping(value = "/login",method = RequestMethod.POST)
    @ResponseBody
    public ResultVo<Map<String,Object>> doLogin(User user, HttpServletRequest request){


        Map<String,Object> map=new HashMap<>();

        if (StringUtils.isEmpty(user.getUsername())){
            return ResultVoUtil.failed("请输入用户名!");
        }
        if (StringUtils.isEmpty(user.getPassword())){
            return ResultVoUtil.failed("请输入密码!");
        }

        //使用Shiro进行登录校验 SecurityUtils.getSubject().login(token);
        try {
            //(1)获取认证对象
            Subject subject = SecurityUtils.getSubject();
            //(2)实例化Token对象
            UsernamePasswordToken token=new UsernamePasswordToken(user.getUsername(),user.getPassword());
            //(3)进行登录认证
            subject.login(token);(进入UserRealm的doGetAuthenticationInfo)
        }catch (Exception e){
        
            return ResultVoUtil.failed("账号密码有误!");
        }

        map.put("url",request.getContextPath()+"/index");
        return ResultVoUtil.success(map);
    }
    
    
2.UserRealm

    public class UserRealm extends AuthorizingRealm {

        @Autowired
        UserService userService;
        @Autowired
        RoleService roleService;
        @Autowired
        PermissionService permissionService;

        /**
         * 授权信息,用于进行权限认证
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            //(1) 获得签名, 可做进一步查询
            User user= (User) principalCollection.getPrimaryPrincipal();
            //(2)创建SimpleAuthenticationInfo对象
            SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
            //(3)查询角色、权限信息
            Set<String> roles = roleService.findRolesByUser(user);
            info.setRoles(roles);

            Set<String> permissions = permissionService.findPermissionsByUser(user);
            info.addStringPermissions(permissions);
            return info;
        }

        /**
         *  认证信息,主要针对用户登录,
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            //(1)获取登录的token
            UsernamePasswordToken token= (UsernamePasswordToken) authenticationToken;
            //(2)获取username和password,调用登录
            String username=token.getUsername();
            String password=new String(token.getPassword());

            User user=new User();
            user.setUsername(username);
            user.setPassword(password);

            User login = userService.login(user);

            //(3)登录失败
            if (null==login){
                throw new AccountException("账号或密码不正确!");
            }
            if (user.getStatus()==0){
                throw new DisabledAccountException("帐号已经禁止登录!");
            }

            //(4)登录成功
            user.setUpdatetime(new Date());
            userService.updateUser(user);

            return new SimpleAuthenticationInfo(user,user.getPassword(),user.getUsername());
        }
    }

3.配置文件

    <!-- (二)SecurityManager -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="userRealm"/>
        <property name="sessionManager" ref="sessionManager"/>
        <property name="rememberMeManager" ref="rememberMeManager"/>
        <property name="cacheManager" ref="customShiroCacheManager"/>
    </bean>
    <!-- ShiroCacheManager -->    <!-- 用于缓存AuthenticationInfo -->
    <bean id="customShiroCacheManager" class="com.brillilab.ssmdemo.common.shiro.cache.impl.CustomShiroCacheManager">
        <property name="shiroCacheManager" ref="jedisShiroCacheManager"/>
    </bean>
    <!-- shiro 缓存实现,对ShiroCacheManager,我是采用redis的实现 -->
    <bean id="jedisShiroCacheManager" class="com.brillilab.ssmdemo.common.shiro.cache.impl.JedisShiroCacheManager">
        <property name="jedisManager" ref="jedisManager"/>
    </bean>

    <!-- 授权 认证 -->
    <bean id="userRealm" class="com.brillilab.ssmdemo.common.shiro.realms.UserRealm" >
        <property name="cacheManager" ref="customShiroCacheManager"/>
        <property name="cachingEnabled" value="false"/>
        <property name="authenticationCachingEnabled" value="true"/>
        <property name="authenticationCacheName" value="authenticationCache"/>
        <property name="authorizationCachingEnabled" value="true"/>
        <property name="authorizationCacheName" value="authorizationCache"/>
    </bean>

    
    
#############################################################
###三、Shiro简单实现登录拦截和权限拦截(使用自定义拦截器)###
#############################################################

(一)自定义拦截器的配置

    <!-- (五)shiro权限过滤器 -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login" />
        <property name="successUrl" value="/index" />
        <property name="unauthorizedUrl" value="/login" />
        <!-- 过滤器映射 -->
        <property name="filterChainDefinitions" >
            <value>
                /common/** = anon
                /login = anon
                /index = anon
                /user/insert = login,permission
                /user/delete = login,permission
            </value>
        </property>
        <property name="filters">
            <util:map>
                <entry key="login" value-ref="login"></entry>
                <entry key="role" value-ref="role"></entry>
            </util:map>
        </property>
    </bean>
    <!-- 自定义拦截器 -->
    <bean id="login" class="com.brillilab.ssmdemo.common.shiro.filter.LoginFilter"/>
    <bean id="role" class="com.brillilab.ssmdemo.common.shiro.filter.RoleFilter"/>
    <bean id="permission" class="com.brillilab.ssmdemo.common.shiro.filter.PermissionFilter"/>
    
(一)登录拦截

1.LoginFilter

    public class LoginFilter extends AccessControlFilter {
        /**
         * 写如何能通过该拦截器的逻辑
         */
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object o) throws Exception {
            //(1)获取认证信息
            User token = (User)SecurityUtils.getSubject().getPrincipal();
            //(2)登录请求直接放行
            if(null != token || isLoginRequest(request, response)){
                return true;
            }

            //(3)非登录请求,重定向到登录页面
            ResultVo result = ResultVoUtil.failed("当前用户没有登录!");
            WebUtil.jsonOut(response,result);

            return false;
        }

        /**
         * isAccessAllowed返回值为fales时经过该方法
         */
        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            //保存Request和Response 到登录后的链接
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }
    }


(二)权限拦截

2.RoleFilter

    public class RoleFilter extends AccessControlFilter {
        /**
         * 写如何能通过该拦截器的逻辑
         */
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object value) throws Exception {
            //(1)获取认证实体
            Subject subject = getSubject(request, response);
            //(2)进行角色校验(角色为"1"能通过)
            if (subject.hasAllRoles(Arrays.asList("1"))){
                return true;
            }
            //(3)未通过角色校验重定向回登录页面
            ((HttpServletResponse)response).sendRedirect(request.getServletContext().getContextPath()+"/login");
            return false;
        }

        /**
         * isAccessAllowed返回值为fales时经过该方法
         */
        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            //(3)未通过角色校验重定向回登录页面
            //((HttpServletResponse)response).sendRedirect(request.getServletContext().getContextPath()+"/login");
            Subject subject = getSubject(request, response);
            if (subject.getPrincipal()==null){
                //未登录重定向登录页面
                saveRequest(request);
                WebUtils.issueRedirect(request,response,((HttpServletRequest)request).getContextPath()+"/login");
            }else {
                //已登录重定向未授权错误页面
                WebUtils.issueRedirect(request,response,((HttpServletRequest)request).getContextPath()+"/error/unauthorizerror");
            }
            return false;
        }
    }

3.PermissionFilter

    public class PermissionFilter extends AccessControlFilter {
        
        /**
         * 写如何能通过该拦截器的逻辑
         */    
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object o) throws Exception {
            //(1)获取认证实体
            Subject subject = getSubject(request,response);
            //(2)进行权限校验
                //①获取请求url
            HttpServletRequest httpRequest=(HttpServletRequest)request;
            String url = httpRequest.getRequestURI();
            String contextPath = httpRequest.getContextPath();
            if (url!=null && url.startsWith(contextPath)){
                url = url.replaceFirst(contextPath,"");
            }
                //②权限校验
            if (subject.isPermitted(url)){
                return true;
            }
            return false;
        }

        /**
         * isAccessAllowed返回值为fales时经过该方法
         */
        @Override
        protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
            //(3)未通过权限校验的逻辑
            Subject subject = getSubject(request, response);
            if (subject.getPrincipal()==null){
                //未登录重定向登录页面
                saveRequest(request);
                WebUtils.issueRedirect(request,response,((HttpServletRequest)request).getContextPath()+"/login");
            }else {
                //已登录重定向未授权错误页面
                WebUtil.jsonOut(response,ResultVoUtil.failed("用户未被授权该操作"));
            }
            return false;
        }
    }


#############################################################
###四、Shiro页面内容的授权显示                            ###
#############################################################
1.<shiro:guest>标签中的类容在游客访问时显示
    
    <!-- shiro标签测试 -->
    <shiro:guest>
    <li class="nav-item">
        <a class="nav-link" href="/login">Login</a>
    </li
    </shiro:guest>
    
2.<shiro:hasRole name="1">标签中的内容在用户登录情况下,角色包含name属性值时显示
    
    <shiro:hasRole name="1">
    <li class="nav-item">
        <a class="nav-link" href="#">管理员</a>
    </li
    </shiro:hasRole>
    
3.<shiro:hasPermission name="/user/insert">标签中的类容在用户登录情况下,权限包含name属性值时显示
    
    <shiro:hasPermission name="/user/insert">
    <li class="nav-item">
        <a class="nav-link" href="#">能够添加用户</a>
    </li
    </shiro:hasPermission>
Wu_Menghao
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
shiro安全框架扩展教程--异常退出没有清除缓存信息处理方案
shadowsick的专栏
12-11 3万+
自从之前研究了security3一段时间,发现也不咋滴,后来转行去玩玩shiro,感觉还是挺不错的,小巧灵活;然后遇到个大家都应该遇到过的问题就是当用户退出或者异常关闭浏览器的时候不会自动清除缓存授权信息,当然shiro是有个玩意会自动扫描过期的会话,但是它只会清除会话信息不会清除cache里面的信息,看了网上的答案都是不靠谱的,最好还是自己看源码吧,下面看我的解决方案 <bean id="
Invalid argument to native writeImage Finished invalidation session. No sessions were stopped.
墨落青衫
06-30 9079
异常信息 Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@6bef3b3] 18:35:48.398 [schedule-pool-2] INFO c.r.f.s.w.s.OnlineWebSessionManager - [validateSessions,159] - Finished invalidation session. No sessions were sto
shiro安全框架异常退出没有清除缓存信息处理方案
zyujie的专栏
09-11 6197
最近项目遇到问题,shiro框异常退出没有清除缓存信息,服务器重启后,又拿旧的缓存session来登录,造成后台报错。 这里转载网友的文章,记录一下解决方法。大体就是重写sessionManager类,做一个清除操作。 配置默认会话管理器: 全局的会话信息设置成15秒,检测扫描信息间隔30秒,第三个参数就是是否开启扫描 重写管理器类的一个方法 packa
Shiro使用Redis作为缓存(解决Shiro频繁访问Redis)(十一)
Doge的技术小屋
11-10 1693
原文:https://blog.csdn.net/qq_34021712/article/details/80791219 之前写过一篇博客,使用的一个开源项目,实现了redis作为缓存 缓存用户的权限 和 session信息,还有两个功能没有修改,一个是用户并发登录限制,一个是用户密码错误次数.本篇中几个类 也是使用的开源项目中的类,只不过是拿出来了,redis单独做的配置,方便进行优化。 整合过程 1.首先是整合Redis Redis客户端使用的是RedisTemplate,自己写了一个序列化工具继承R
Shiro学习(10)Session管理
m0_67403073的博客
08-24 2570
但是如在web环境中,如果用户不主动退出是不知道会话是否过期的,因此需要定期的检测会话是否过期,Shiro提供了会话验证调度器SessionValidationScheduler来做这件事情。Shiro提供了完整的企业级会话管理功能,不依赖于底层容器(如web容器tomcat),不管JavaSE还是JavaEE环境都可以使用,提供了会话管理、会话事件监听、会话存储/持久化、容器无关的集群、失效/过期支持、对Web的透明支持、SSO单点登录的支持等特性。更新会话最后访问时间及销毁会话;
shiro学习笔记
04-03
Apache Shiro 是一个强大且易用的Java安全框架,提供了认证、授权、加密和会话管理功能,可以非常轻松地开发出足够安全的应用。Shiro 不仅可以用于Java Web 应用,也可以用于任何Java应用,如Java桌面应用或者...
shiro学习笔记.rar
10-06
学习笔记中的代码示例将引导你完成从零开始搭建一个具备用户认证和授权功能的Spring Boot项目,通过实际操作加深对Shiro的理解和应用。 总的来说,Apache Shiro是一个功能全面的Java安全框架,它简化了安全开发的...
shiro学习笔记0.0.0.0
12-21
尽管这份"shiro学习笔记0.0.0.0"可能内容不多,但通过它,你可以对 Shiro 有个初步的认识,为进一步深入学习打下基础。在实际项目中,根据需求选择合适的 Shiro 组件和配置,可以有效地提升应用的安全性。
shiro框架教案+笔记+sql脚本+项目案例
08-14
在这个压缩包中,包含了关于Shiro框架学习资料,包括教案、笔记、SQL脚本以及项目案例,这些都是深入理解和应用Shiro的重要资源。 首先,"shiro框架教案"部分可能涵盖了Shiro的基本概念、架构设计、核心组件如...
quartz包、QuartzSessionValidationScheduler错误
dgh112233的博客
04-23 2880
报错:an tempt to call the method org.quartz.Scheduler.getListenerManager(). but 它不存在。 就这种错误。 java.lang.InstantiationError: org.quartz.SimpleTrigger 遇到这种问题,基本就是本文所提到的了。 spring 3.0.1以下的使用 quartz 1点几版...
数据库系统概论试题与答案
06-24
数据库系统概论的试题,一共有五套试卷,并配有答案,
shiro管理多登录入口配置,手机端登录与网页端登录
qq_43425632的博客
12-20 5194
shiro管理多登录入口配置,手机端登录与网页端登录 1、2个Realm:分别为手机端、网页端的 /** * 自定义MobileRealm . */ public class MobileRealm extends AuthorizingRealm { @Override protected AuthorizationInfo doGetAuthorizationInfo(Principa...
java shiro 实现按钮级别控制_shiro权限控制的简单实现
weixin_34746715的博客
02-16 453
importjava.util.LinkedHashMap;importjava.util.LinkedList;importjava.util.Map;importorg.apache.shiro.authc.UsernamePasswordToken;importorg.apache.shiro.authc.credential.HashedCredentialsMatcher;importo...
shiro——session会话管理
热门推荐
dgh112233的博客
08-23 1万+
目录 1. 会话 1.1 Session 接口 1.2 SessionManager 会话管理 1.3 SessionListener 会话监听 2. 会话持久化 2.1 SessionDAO接口 2.2AbstractSessionDAO类 2.3 CachingSessionDAO 类 2.4 EnterpriseCacheSessionDAO 类 2.5 Memo...
ValidatingSessionManager接口
iteye_10899的博客
11-02 627
ValidatingSessionManager接口用来定义会话的校验,里面只有一个方法,先对其解析如下: void validateSessions();//校验会话信息
shiro和spring quartz 冲突
java的涟漪
05-22 5891
缘由:在使用shiro时,如果Quartz 为Quartz 2的版本,则抛出异常Java.lang.InstantiationError: org.quartz.SimpleTrigger。原因是默认的shiro-quartz1.2.3中的实现是针对quartz1.6版本的实现(详细源码请查看org.apache.shiro.session.mgt.quartz.QuartzSessionValid
客户端访问后台每次请求sessionId不同的两种不同处理方式
12-05 1万+
许多框架在封装的时候由于各种安全等原因,导致使用自身的封装请求时每次都是使用新的会话,导致每次的sessionid都不同。 解决方法: 1.如微信小程序 可以直接修改 header.cookie = ‘SESSION=’ + sessionId cookie里面的数据时可以考虑在后端校验成功后将当次的sessionid返回到页面,页面再修改cookie进行下一次请求,如果过期了,再调用后台登录方法...
shiro框架如何学习
最新发布
07-15
学习Shiro框架可以按照以下步骤进行: 1. 了解基础概念:首先,你需要了解Shiro的基本概念和术语,例如主体(Subject)、认证(Authentication)、授权(Authorization)、Realm等。可以阅读Shiro的官方文档或者...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值