SpringBoot使用Shiro安全框架

其他 2020-04-23 17:10:47 阅读次数: 0

Shiro

Subject用户
SecurityManager管理所有用户
Realm连接数据

Maven使用到的jar包

     <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.21</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.16.18</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid-spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.1</version>
        </dependency>
        <!-- Shiro核心包 -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.3.2</version>
        </dependency>
<!--        Shrio整合SpringBoot-->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.4.1</version>
        </dependency>
        <dependency>
            <groupId>com.github.theborakompanioni</groupId>
            <artifactId>thymeleaf-extras-shiro</artifactId>
            <version>2.0.0</version>
        </dependency>
        <!-- slf4j的接口实现 -->
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
            <version>1.7.12</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-log4j12</artifactId>
            <version>1.7.12</version>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

application配置文件

properties

server.port=8088
mybatis.type-aliases-package=com.hzy.pojo #扫描有@mapper注解的包
mybatis.mapper-locations=classpath:mapper/*  #扫描xml文件

yml

spring:
  datasource:
    username: root
    password:
    #?serverTimezone=UTC解决时区的报错
    url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
    driver-class-name: com.mysql.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource

    #Spring Boot 默认是不注入这些属性值的,需要自己绑定
    #druid 数据源专有配置
    initialSize: 5
    minIdle: 5
    maxActive: 20
    maxWait: 60000
    timeBetweenEvictionRunsMillis: 60000
    minEvictableIdleTimeMillis: 300000
    validationQuery: SELECT 1 FROM DUAL
    testWhileIdle: true
    testOnBorrow: false
    testOnReturn: false
    poolPreparedStatements: true

    #配置监控统计拦截的filters,stat:监控统计、log4j:日志记录、wall:防御sql注入
    #如果允许时报错  java.lang.ClassNotFoundException: org.apache.log4j.Priority
    #则导入 log4j 依赖即可,Maven 地址: https://mvnrepository.com/artifact/log4j/log4j
    filters: stat,wall,log4j
    maxPoolPreparedStatementPerConnectionSize: 20
    useGlobalDataSourceStat: true
    connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500

controller层

    @RequestMapping("/login")
    public String login(String username,String password,Model model,Integer rememberme){
        //        获取当前的用户
        Subject subject= SecurityUtils.getSubject();
//        封装用户的登录数据
        UsernamePasswordToken token=new UsernamePasswordToken(username,password);
        if(rememberme != null && rememberme == 1) {
            token.setRememberMe(true);
        }
        try{
            subject.login(token);//执行的登录方法,如果没有异常就说明ok了
        }catch (UnknownAccountException e){
            model.addAttribute("msg","用户名不存在");
            return "login";
        }catch (IncorrectCredentialsException e){
            model.addAttribute("msg","密码错误");//密码错误
            return "login";
        }
        return "index";
    }
     @RequestMapping("/noauth")//没有权限
    @ResponseBody
    public String unauthorized(){
        return "未经授权无法访问!";
    }
    @RequestMapping("/logout")//登出
    public String logout(){
        Subject subject=SecurityUtils.getSubject();
        subject.logout();
        return "login";
    }

Shiro的配置Config

package com.hzy.config;

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig {
    //3.ShiroFilterFactoryBean
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
        ShiroFilterFactoryBean factoryBean=new ShiroFilterFactoryBean();
//        设置安全管理器
        factoryBean.setSecurityManager(securityManager);
//        添加shiro的内置过滤器
        /**
         * anno:无需认证就可以访问
         * authc:必须认证了才能访问
         * user:必须拥有记住我功能
         * perms:拥有对某个资源的权限
         * role:拥有某个角色权限才能访问
         * */
        Map<String,String> fiterMap=new LinkedHashMap<>();
//        登录拦截
//        fiterMap.put("/user/add","authc");
//        fiterMap.put("/user/update","authc");
//        授权(未授权跳转页面)
        fiterMap.put("/user/add","perms[user:add]");
        fiterMap.put("/user/update","perms[user:update]");
        factoryBean.setUnauthorizedUrl("/noauth");
//      拥有所有权限
        fiterMap.put("/user/*","perms[user:all]");
        factoryBean.setFilterChainDefinitionMap(fiterMap);
//        设置登录的请求
        factoryBean.setLoginUrl("/toLogin");
        return factoryBean;
    }
    //2.DafaultWebSecurityManager
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
        DefaultWebSecurityManager securityManager=new DefaultWebSecurityManager();
//        关联Realm
        securityManager.setRealm(userRealm);
        return securityManager;
    }
    //1.创建realmc对象,需要自定义类
    @Bean(name="userRealm")
    public UserRealm userRealm(){
        return new UserRealm();
    }
//    整合thymeleaf-extras-shiro
    @Bean
    public ShiroDialect getShiroDialect(){
        return new ShiroDialect();
    }
}

和userRealm关联的自定义类

package com.hzy.config;

import com.hzy.pojo.User;
import com.hzy.service.impl.UserServiceImpl;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
//这里用user.getAddress代表user.getPassword
//自定义的UserRealm  extends AuthorizingRealm
public class UserRealm extends AuthorizingRealm {
    @Autowired
    UserServiceImpl userService;
//    授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行了=>授权doGetAuthorizationInfo");
        SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();

//        拿到当前登录的这个对象
        Subject subject=SecurityUtils.getSubject();
        User currentUser=(User)subject.getPrincipal();
        info.addStringPermission(currentUser.getPerms());
        return info;
    }
//    认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.out.println("执行了=>认证doGetAuthenticationInfo");
//        用户名和密码   数据中取
        /**String name="root";
        String password="123456";*/
        UsernamePasswordToken userToken=(UsernamePasswordToken)token;
//        用户认证
        /**if(!userToken.getUsername().equals(name)){
            return null;//抛出异常
        }*/
//        连接数据库
        User user=userService.queryUserByName(userToken.getUsername());
//      MD5盐式加密注册的时候使用这时没有用到
        String algorithmName = "MD5";//加密算法
        Object source = user.getAddress();//要加密的密码
        Object salt = user.getName();//盐值,一般都是用户名或者userid,要保证唯一
        int hashIterations = 1024;//加密次数
        SimpleHash simpleHash = new SimpleHash(algorithmName,source,salt,hashIterations);
        System.out.println(simpleHash);
        
        if(user==null){
            return null;
        }
        Subject subject=SecurityUtils.getSubject();
        Session session=subject.getSession();
        session.setAttribute("loginUser",user.getName());
        //        密码认证,shiro帮我们做
        return new SimpleAuthenticationInfo(user,user.getAddress(),"");
    }
}

thymeleaf和shiro的整合

使用头
xmlns:th=“http://www.thymeleaf.org”
xmlns:shiro=“http://www.thymeleaf.org/thymeleaf-extras-shiro”

页面中使用

shiro:hasPermission=“user:all” //表示拥有该权限显示

程序员之窝
发布了21 篇原创文章 · 获赞 7 · 访问量 452
私信 关注

猜你喜欢

转载自blog.csdn.net/weixin_42998267/article/details/104237808
今日推荐
面壁智能发布 Eurux-8x22B 开源大模型 —— 堪称「理科状元」
开源日报 | 谷歌扶持鸿蒙上位;开源Rabbit R1;Docker加持的安卓手机;微软的焦虑和野心;海尔电器把开放平台关了
中国码农的“35岁魔咒”
蘭雅 CorelDRAW 插件 2024.5.1 国际劳动节版,免费下载
Arc Browser for Windows 1.0 正式 GA
90后程序员开发视频搬运软件、不到一年获利超 700 万,结局很刑!
周排行
【转】spring中对控制反转和依赖注入的理解
tms webcore 安装和使用
java程序员进阶相关书籍
SpringMVC接受请求参数、
如何保存训练好的机器学习模型
MyEclipse、Eclipse设置项目JDK的三个地方
商超行业微信小程序开发定制一般多少钱 (行业技术人员解读)
Markdown编辑器语言——30分钟入门到到精通
Linux系统下MongoDB的简单安装与基本操作
Power Strings
每日归档
更多
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022