SSM+shiro框架入门学习
1、subject, securityManager。
2、用户,角色,资源,权限。
根据需要,设计角色与权限。
3、shiroFilter拦截请求,对请求进行访问控制。
4、三个文件,一个config,一个realm,一个controller。
config配置过滤器和角色、权限。
Map<String,String> map = new HashMap<String, String>();
//登出
map.put("/logout","logout");
map.put("/doLogin", "anon");
realm进行授权和认证。
授权:
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection)
认证:
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException
controller触发请求。
5、如果没有做身份验证,则将请求跳转到指定页面。
如果登录成功,则跳转到首页。
如果权限不足,则跳转到错误页面。
//没有认证强制跳转登录
shiroFilterFactoryBean.setLoginUrl("/login");
//认证成功,首页
shiroFilterFactoryBean.setSuccessUrl("/index");
//角色/权限不足,错误页面,认证不通过跳转
shiroFilterFactoryBean.setUnauthorizedUrl("/error");
6、
map.put("/logout","logout");
map.put("/doLogin", "anon");
anon 不需要身份认证
authc 需要认证
logout 退出登录
roles 需要指定角色
perms 需要权限
9、常见报错:config无法创建bean
解决:在realm文件中用@Autowired创建实例
7、控制器请求添加权限、角色限制
//需要user角色,和create权限,才能请求成功/create。
@RequiresRoles("user")
@RequiresPermissions("create")
@RequestMapping(value = "/create")
public String create(){
return "Create success!";
}
10、md5加盐哈希加密,
需要config配置一个适配器bean,并传入realm,realm认证的时候传入四个参数。
8、代码示例
package com.example.jsls.config;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.SessionManager;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
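@Configuration
public class ShiroConfig {

    /** Global session timeout and validation interval, in milliseconds (one hour). */
    private static final long ONE_HOUR_MILLIS = 3600000L;

    /**
     * Registers the application's own realm as a Spring bean so that its
     * {@code @Autowired} fields (the user mapper) are populated by the container.
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        return new MyShiroRealm();
    }

    /**
     * Central Shiro security manager, wired with the realm, the session manager and the cache manager.
     *
     * @param cacheManager   the cache used for authorization/session data
     * @param sessionManager the web session manager defined below
     * @return the configured {@link DefaultWebSecurityManager}
     */
    @Bean
    public org.apache.shiro.mgt.SecurityManager securityManager(CacheManager cacheManager, SessionManager sessionManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setSessionManager(sessionManager);
        // Inside a @Configuration class, calling the @Bean method returns the container-managed singleton.
        securityManager.setRealm(myShiroRealm());
        securityManager.setCacheManager(cacheManager);
        return securityManager;
    }

    /**
     * Shiro filter factory: declares which filter chain applies to which URL pattern and where to
     * redirect on missing authentication, successful login and insufficient authorization.
     *
     * @param securityManager the security manager created above
     * @return the filter factory bean consumed by Spring's servlet filter registration
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // Shiro picks the FIRST pattern that matches a request, in iteration order, so the map must
        // preserve insertion order. A HashMap would make the effective chain order unpredictable once
        // overlapping patterns (e.g. a "/**" catch-all) are added.
        Map<String, String> filterChain = new LinkedHashMap<>();
        // 登出: the built-in logout filter ends the session here; the controller's /logout is not reached.
        filterChain.put("/logout", "logout");
        // NOTE(review): the controller handles POST /login, not /doLogin; confirm which path the login
        // form actually submits to before relying on this "anon" entry.
        filterChain.put("/doLogin", "anon");
        // 对所有用户认证 -- left disabled as in the original. Without a trailing "/**" catch-all, any
        // path not listed above runs with no Shiro filter at all; only the @RequiresRoles /
        // @RequiresPermissions annotations on the controller methods then enforce access.
        // filterChain.put("/**", "authc");
        // 没有认证强制跳转登录
        shiroFilterFactoryBean.setLoginUrl("/login");
        // 认证成功,首页
        shiroFilterFactoryBean.setSuccessUrl("/index");
        // 角色/权限不足,错误页面,认证不通过跳转
        shiroFilterFactoryBean.setUnauthorizedUrl("/error");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChain);
        return shiroFilterFactoryBean;
    }

    /**
     * Enables the {@code @RequiresRoles} / {@code @RequiresPermissions} annotations on controller
     * methods; without this advisor the annotations are silently ignored.
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

    /** Ehcache-backed cache manager shared by the security manager and the session DAO. */
    @Bean
    public CacheManager cacheManager() {
        return new EhCacheManager();
    }

    /** Cache-backed session store. */
    @Bean
    public SessionDAO sessionDAO() {
        return new EnterpriseCacheSessionDAO();
    }

    /**
     * Web session manager with a one-hour idle timeout; expired sessions are swept at the same interval.
     *
     * @param sessionDAO where sessions are persisted
     * @return the configured {@link DefaultWebSessionManager}
     */
    @Bean
    public SessionManager sessionManager(SessionDAO sessionDAO) {
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionDAO(sessionDAO);
        manager.setGlobalSessionTimeout(ONE_HOUR_MILLIS);
        manager.setSessionValidationInterval(ONE_HOUR_MILLIS);
        return manager;
    }
}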
package com.example.jsls.config;
import com.example.jsls.entity.User;
import com.example.jsls.mapper.UserMapper;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
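public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    private UserMapper userMapper;

    /**
     * Builds the roles and permissions of an already-authenticated user.
     * Users with {@code user_rank >= 1} get the {@code user} role plus the
     * {@code create} and {@code detail} permissions; everyone else gets nothing.
     *
     * @param principalCollection principals stored at login; the primary one is the username
     * @return the (possibly empty) authorization info, never {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // 获取登录用户名 -- the primary principal is the username set in doGetAuthenticationInfo.
        String name = (String) principalCollection.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        User user = userMapper.getUserInfo(name);
        // A record that vanished since login yields no roles instead of a NullPointerException.
        if (user != null && user.getUser_rank() >= 1) {
            // 添加角色
            info.addRole("user");
            // 添加权限
            info.addStringPermission("create");
            info.addStringPermission("detail");
        }
        return info;
    }

    /**
     * Looks up the account for the submitted username and hands its stored credential to Shiro.
     * The realm's {@code CredentialsMatcher} (the default {@code SimpleCredentialsMatcher} unless
     * one is configured) compares it with the submitted password and raises
     * {@code IncorrectCredentialsException} on mismatch -- the exception the login controller
     * already catches. Returning the stored credential, rather than the submitted one, is also
     * what lets a hashed/salted matcher (item 10 of the notes) be plugged in later.
     *
     * @param authenticationToken the username/password token from {@code subject.login}
     * @return authentication info carrying the username and the stored credential
     * @throws UnknownAccountException if the username is blank or no such account exists
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        String username = (String) authenticationToken.getPrincipal();
        // Reject a blank username before hitting the database.
        if (StringUtils.isEmpty(username)) {
            throw new UnknownAccountException("账号不正确");
        }
        User user = userMapper.getUserInfo(username);
        // The original dereferenced the record unconditionally and NPE'd on an unknown user.
        if (user == null) {
            throw new UnknownAccountException("账号不正确");
        }
        // NOTE(review): getUser_password() is currently compared as-is, i.e. the stored value is the
        // plaintext password; configure a HashedCredentialsMatcher once passwords are hashed+salted.
        return new SimpleAuthenticationInfo(username, user.getUser_password(), getName());
    }
}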
package com.example.jsls.controller;
import com.example.jsls.biz.bizImp.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
@RestController
public class LoginController {

    /** GET /login: the page Shiro redirects to when a protected request is not authenticated. */
    @GetMapping("/login")
    public String login() {
        return "need login ss";
    }

    /**
     * POST /login: authenticates the submitted username/password through Shiro's {@code Subject}.
     * Each failure type gets its own message; note that this tells the caller whether the account
     * exists, which is convenient while learning but worth collapsing into one message in production.
     *
     * @param username submitted account name
     * @param password submitted password
     * @return a short status message
     */
    @PostMapping("/login")
    @ResponseBody
    public String doLogin(String username, String password) {
        // 依靠shiro的subject 来实现登陆的逻辑
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            currentUser.login(token);
        } catch (AuthenticationException ae) {
            return describeFailure(ae);
        }
        if (!currentUser.isAuthenticated()) {
            token.clear();
            return "登陆失败";
        }
        return "登陆成功";
    }

    /** Maps a Shiro authentication failure to the message shown to the caller, most specific type first. */
    private static String describeFailure(AuthenticationException ae) {
        if (ae instanceof UnknownAccountException) {
            return "未知账户";
        }
        if (ae instanceof IncorrectCredentialsException) {
            return "密码不正确";
        }
        if (ae instanceof LockedAccountException) {
            return "账户已锁定";
        }
        if (ae instanceof ExcessiveAttemptsException) {
            return "用户名或密码错误次数过多";
        }
        return "用户名或密码不正确!";
    }

    /** Landing page after a successful login (the filter factory's success URL). */
    @RequestMapping(value = "/index")
    public String index() {
        return "index";
    }

    /**
     * 登出 -- ShiroConfig maps /logout to Shiro's built-in logout filter, so the session is ended
     * there and this method is normally not reached.
     */
    @RequestMapping(value = "/logout")
    public String logout() {
        return "logout";
    }

    /** 错误页面展示 -- the unauthorized URL configured in ShiroConfig. */
    @GetMapping("/error")
    public String error() {
        return "error ok!";
    }

    /** Requires the {@code user} role and the {@code create} permission (enforced by the Shiro advisor). */
    @RequiresRoles("user")
    @RequiresPermissions("create")
    @RequestMapping(value = "/create")
    public String create() {
        return "Create success!";
    }

    /** Requires the {@code detail} permission. */
    @RequiresPermissions("detail")
    @RequestMapping(value = "/detail")
    public String detail() {
        return "uid";
    }
}