Shiro基本介绍
Apache Shiro是Java的一个安全框架。功能强大,使用简单的Java安全框架,它为开发人员提供一个直观而全面的认证,授权,加密及会话管理的解决方案。
ps:结合Springboot的话,shiro就不一定就那么简单了!
起步依赖
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.47</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- lombok依赖需要导入插件 -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
这边我无脑把所有依赖都加上了,主要是shiro-spring这个依赖。
在数据库里建表
CREATE TABLE `user` (
`id` int(45) NOT NULL COMMENT 'id',
`username` varchar(255) DEFAULT NULL COMMENT '用户名',
`password` varchar(255) DEFAULT NULL COMMENT '密码',
`perms` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT '权限',
PRIMARY KEY (`id`) USING BTREE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
配置文件application.yml
spring:
datasource:
url: jdbc:mysql://localhost:3306/leotemp?useUnicode=true&useSSL=false&characterEncodig=utf-8
username: root
password: 123456
driver-class-name: com.mysql.jdbc.Driver
type: com.alibaba.druid.pool.DruidDataSource
#参考来源: https://www.cnblogs.com/KuroNJQ/p/11171263.html
#配置druid数据源
druid:
#初始化大小
initialSize: 5
#最小值
minIdle: 5
#最大值
maxActive: 20
#最大等待时间,配置获取连接等待超时,时间单位都是毫秒ms
maxWait: 60000
#配置间隔多久才进行一次检测,检测需要关闭的空闲连接
timeBetweenEvictionRunsMillis: 60000
#配置一个连接在池中最小生存的时间
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
poolPreparedStatements: true
# 配置监控统计拦截的filters,去掉后监控界面sql无法统计,
#'wall'用于防火墙,SpringBoot中没有log4j,我改成了log4j2
filters: stat,wall,log4j2
#最大PSCache连接
maxPoolPreparedStatementPerConnectionSize: 20
useGlobalDataSourceStat: true
# 通过connectProperties属性来打开mergeSql功能;慢SQL记录
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
mybatis:
mapper-locations: classpath:mapper/*.xml
type-aliases-package: com.example.bean
实体类 User.java
下面三个注解是lombok的,如果你没有lombok插件要么重新安装,要么自己写getset方法和有参无参构造!
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
/**
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 23:32
*/
@Data
@NoArgsConstructor
@AllArgsConstructor
public class User
{
private int id;
private String username;
private String password;
private String perms;
}
没什么好说的,不解释
UserMapper.java
import org.springframework.stereotype.Repository;
/**
* @Repository注解,不加也行,但是引用mapper会报错!
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 23:34
*/
@Repository
public interface UserMapper
{
User queryUserByName(@Param("username") String name, @Param("password") String password);
}
没什么好说的,不解释
UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.mapper.UserMapper">
<select id="queryUserByName" parameterType="String" resultType="com.example.bean.User">
select * from user where username= #{username} and password= #{password}
</select>
</mapper>
没什么好说的,不解释
UserService.java
/**
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 23:40
*/
public interface UserService
{
User queryUserByName(String name,String password);
}
没什么好说的,不解释
UserServiceImpl.java
import com.example.bean.User;
import com.example.mapper.UserMapper;
import com.example.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
/**
* 去除idea @AutoWired下的黄线
* https://blog.csdn.net/ligh_sqh/article/details/79384839?utm_source=blogxgwz3?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-1
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 23:41
*/
@Service
public class UserServiceImpl implements UserService
{
@Autowired
private UserMapper userMapper;
@Override
public User queryUserByName(String name,String password)
{
return userMapper.queryUserByName(name,password);
}
}
没什么好说的,不解释
HelloController.java
控制页面跳转
package com.example.controller;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 21:40
*/
@Controller
@Slf4j
public class HelloController
{
@RequestMapping({
"/", "/index"})
public String toIndex(Model model)
{
model.addAttribute("msg", "hello");
return "index";
}
@RequestMapping("/user/add")
public String add()
{
return "/user/add";
}
@RequestMapping("/user/update")
public String update()
{
return "/user/update";
}
@RequestMapping("/toLogin")
public String toLogin()
{
return "login";
}
@RequestMapping("/login")
public String login(String username, String password)
{
//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登陆数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try
{
subject.login(token);
return "index";
} catch (UnknownAccountException e)
{
e.printStackTrace();
return "login";
}
}
@RequestMapping("/unAuthorized")
@ResponseBody
public String unAuthorized()
{
return "未经授权无法访问此页面!";
}
@RequestMapping("/logout")
public String logout(HttpServletResponse resp)
{
//得到当前 Subject
Subject currentSubject = SecurityUtils.getSubject();
//注销当前 Subject
currentSubject.logout();
resp.setStatus(302);
return "redirect:login";
}
}
这里面和shiro有关系的代码其实就是最后那点,其余的就是跳转页面用的。
//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登陆数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.login(token);
进入Subject.java
void login(AuthenticationToken token) throws AuthenticationException;
看UsernamePasswordToken.java
/**
* Constructs a new UsernamePasswordToken encapsulating the username and password submitted
* during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and
* a <tt>rememberMe</tt> default of <tt>false</tt>
* <p/>
* 译文:
* 构造一个新的UsernamePasswordToken,封装提交的用户名和密码
*在验证过程中,使用null {@link #getHost()主机}和
* a rememberMe默认false
* <p>This is a convenience constructor and maintains the password internally via a character
* array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a String
* in your code could have possible security implications as noted in the class JavaDoc.</p>
*
* @param username the username submitted for authentication
* @param password the password string submitted for authentication
*/
public UsernamePasswordToken(final String username, final String password) {
this(username, password != null ? password.toCharArray() : null, false, null);
}
UsernamePasswordToken的实现类HostAuthenticationToken, RememberMeAuthenticationToken都继承了AuthenticationToken
shiro配置
ShiroConfig.java
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
/**
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 21:51
*/
@Configuration
public class ShiroConfig
{
/**
* anon: 无需认证即可访问
* authc: 需要认证才可访问
* user: 点击“记住我”功能可访问
* perms: 拥有权限才可以访问
* role: 拥有某个角色权限才能访问
*/
@Bean
public UserRealm userRealm()
{
return new UserRealm();
}
@Bean
public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm)
{
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(userRealm);
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager)
{
//设置安全管理器
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
LinkedHashMap<String, String> map = new LinkedHashMap<>();
map.put("/user/add","perms[user:add]");
map.put("/user/update","perms[user:update]");
// map.put("/user/update","authc");
//设置登出
map.put("/logout","logout");
//设置授权
shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized");
shiroFilterFactoryBean.setLoginUrl("/toLogin");
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
}
shiro配置的三元素
- realm
- DefaultWebSecurityManager
- ShiroFilterFactoryBean
这三个配置元素是一个套着一个的,第二个套着第一个,第三个套着第二个
shiro的过滤器
使用LinkedHashMap,设置每个页面的权限;
anon: 无需认证即可访问
authc: 需要认证才可访问
user: 点击“记住我”功能可访问
perms: 拥有权限才可以访问
role: 拥有某个角色权限才能访问
anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数
roles(角色):例子/admins/user/=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/=roles[“admin,guest”],每个参数通过才算通过,相当于hasAllRoles()方法。
perms(权限):例子/admins/user/=perms[user:add:*],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/=perms[“user:add:,user:modify:”],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。
rest:例子/admins/user/=rest[user],根据请求的方法,相当于/admins/user/=perms[user:method] ,其中method为post,get,delete等。
port:例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。
authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证
ssl:例子/admins/user/**=ssl没有参数,表示安全的url请求,协议为https
user:例如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查
UserRealm.java
import com.example.bean.User;
import com.example.service.UserService;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
/**
* @author 朝花不迟暮
* @version 1.0
* @date 2020/6/15 21:55
*/
@Slf4j
public class UserRealm extends AuthorizingRealm
{
@Autowired
UserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection)
{
log.info("------------------>执行了授权");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// info.addStringPermission("user:add");
//获取当前登录用户的信息
Subject subject = SecurityUtils.getSubject();
User currentUser = (User) subject.getPrincipal();
info.addStringPermission(currentUser.getPerms());
return info;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException
{
log.info("------------------>执行了认证");
//token里有用户名和密码,因为强转成了UsernamePasswordToken
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
char[] password = token.getPassword();
String password1 = String.valueOf(password);
log.info("{password}---->"+password1);
User user = userService.queryUserByName(token.getUsername(),password1);
log.info("{user}---->"+user.toString());
if (user == null)
{
return null;
}
return new SimpleAuthenticationInfo(user, user.getPassword(), "");
}
}
Realm核心:
通过继承AuthorizingRealm重写其中的方法
一、认证:
token里有用户名和密码,因为强转成了UsernamePasswordToken,之前在控制层里存放了用户名和密码;
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
通过token里面的名字获取用户信息!
User user = userService.queryUserByName(token.getUsername());
把通过认证的用户信息返回!
return new SimpleAuthenticationInfo(user, user.getPassword(), "");
二、授权:
//获取当前登录用户的信息
Subject subject = SecurityUtils.getSubject();
User currentUser = (User) subject.getPrincipal();
通过SimpleAuthorizationInfo中addStringPermission方法,给当前用户添加权限。代码中是获取数据库中的权限!
前台模板
index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>首页</title>
</head>
<body>
<p th:text="${msg}"></p>
<hr>
<a th:href="@{/user/add}">add</a>|<a th:href="@{/user/update}">update</a>
</body>
</html>
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>登陆</title>
</head>
<body>
<h1>登陆</h1>
<form th:action="@{/login}">
<input type="text" name="username" placeholder="请输入用户名">
<input type="password" name="password" placeholder="请输入密码">
<input type="submit">
</form>
</body>
</html>
logout.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>logout</title>
</head>
<body>
<div th:fragment="myfooter">
<div class="footer">
<a th:href="@{/logout}">退出登录</a>
</div>
</div>
</body>
</html>
创建user文件夹里面再放两个HTML
add.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>add</title>
</head>
<body>
<p>add</p>
<hr/>
<div th:replace="logout :: myfooter"></div>
</body>
</html>
update.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>update</title>
</head>
<body>
<p>update</p>
<hr/>
<div th:replace="logout :: myfooter"></div>
</body>
</html>
最后在数据库里插入两个用户并配置权限
登陆首页
点击add,跳转到登录页面
使用root角色进入,而root正好有add页面的权限
成功,而再看看能不能进入update页面?
就会报没有权限的提示,这个是在配置类里面,有个未授权的跳转配置
shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized");
码云:https://gitee.com/thirtyleo/java_training_ground/tree/master/Character4
ps:对这篇博客做了一次改动
增加了logout登出功能;
修改了前端页面,增加了登出模块;
修改了用户认证方式,由原来的校验数据库名称改为校验用户名和密码;