版权声明:@Shaw https://blog.csdn.net/qq_41356363/article/details/82627269
- 用户表如下
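-- User table for the Shiro login demo.
-- `password` stores the hex digest of the password, not the password itself.
-- NOTE(review): varchar(32) fits exactly one 32-character MD5 hex digest; the column
-- has to be widened before moving to a stronger password-hashing scheme.
-- NOTE(review): the index on `username` is not UNIQUE, so duplicate usernames are
-- possible while users are looked up by name; consider a UNIQUE KEY.
-- The statement is terminated with ';' so the inserts that follow it in a script
-- are parsed as separate statements.
CREATE TABLE `shiro_user` (
  `user_id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(32) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`user_id`),
  KEY `username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;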
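-- Sample accounts. The stored values are MD5 digests (a one-way hash, not encryption);
-- the plaintext password of both accounts is 111.
-- NOTE(review): both rows carry the same digest, while the realm shown later on this
-- page salts the hash with the username. A per-user salt gives different digests for
-- the same password, so verify these sample values against the configured matcher.
-- String literals use single quotes so the statements also work under ANSI_QUOTES.
insert into shiro_user(username,password) values('Alice','84df234b30ed5ff9753f4a3b044ca11c');
insert into shiro_user(username,password) values('Jack','84df234b30ed5ff9753f4a3b044ca11c');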
- 此次测试只使用两个页面:login.html、success.html
login页面
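<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8"/>
    <title>Title</title>
    <!-- jQuery is served from /static/**, which must be reachable before login. -->
    <script src="/static/js/jquery-3.3.1.js"></script>
</head>
<body>
<!--
  Login form. The script below serializes the fields and POSTs them to /enter.
  The password field uses type="password" so the value is masked on screen.
  The credentials travel as plain form data, so serve this page and /enter over HTTPS.
-->
<form>
    用户名:<input type="text" name="name"/><br>
    密码:<input type="password" name="password"/><br>
    <input type="button" value="提交"/>
</form>
<script>
    $("input:button").click(function () {
        $.ajax({
            url: "/enter",
            type: "post",
            data: $("form").serialize(),
            success: function (result) {
                if (result.status == 'SUCCESS') {
                    // The backend confirmed the login: move on to the protected page.
                    window.location.href = '/success';
                } else {
                    alert("重新登录");
                }
            },
            // A failed request (network error, HTTP error status) also asks the user to retry
            // instead of failing silently.
            error: function () {
                alert("重新登录");
            }
        });
    });
</script>
</body>
</html>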
success页面就只提示验证成功
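<!DOCTYPE html>
<!-- lang matches the Chinese page content. -->
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<!-- Static confirmation page; it contains no access check of its own. -->
<h1>验证成功</h1>
</body>
</html>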
- Controller层主要接口如下
/**
 * Handles requests for the page shown after a successful login.
 *
 * <p>The handler performs no authentication check itself; any protection has to come
 * from the URL filter configuration.
 *
 * @return the string {@code "success"} (presumably resolved as a view name by the
 *         MVC view resolver; confirm against the view configuration)
 */
@RequestMapping("/success")
public String success() {
    final String viewName = "success";
    return viewName;
}
/**
 * Authenticates the submitted username and password through Shiro.
 *
 * <p>Every exception raised while logging out or logging in is answered with the same
 * generic failure message, so the response does not reveal which part of the
 * credentials was wrong.
 *
 * <p>NOTE(review): the caught exception is dropped without being logged and the login
 * state is printed to stdout; a logger would leave a usable record of failed logins.
 *
 * @param user  carries the submitted name and password (presumably bound from the
 *              form fields {@code name} and {@code password})
 * @param model not used by this method
 * @return {@code DataMsg.success("登录成功")} when the login succeeds, otherwise
 *         {@code DataMsg.error("登录失败")}
 */
@RequestMapping(value = "/enter", method = RequestMethod.POST)
@ResponseBody
public DataMsg login(User user, Model model) {
    final Subject currentSubject = SecurityUtils.getSubject();
    final UsernamePasswordToken credentials =
            new UsernamePasswordToken(user.getName(), user.getPassword());
    try {
        // Log out first so the new attempt does not run on top of an earlier identity.
        currentSubject.logout();
        // login() throws when the credentials are rejected.
        currentSubject.login(credentials);
        System.out.println("登录状态" + currentSubject.isAuthenticated());
    } catch (Exception e) {
        return DataMsg.error("登录失败");
    }
    return DataMsg.success("登录成功");
}
如果只是这样,那么我们的success页面也相当于可以随便访问,这里我们使用shiro给它加上访问控制
<!-- Core Shiro web filter: binds the security manager and the URL-to-filter rules. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- loginUrl: where the authc filter redirects requests that are not authenticated. -->
<property name="loginUrl" value="/"/>
<!-- unauthorizedUrl: used by authorization filters (roles/perms) when a logged-in subject lacks access; no such filter appears in the chain below. -->
<property name="unauthorizedUrl" value="/"/>
<property name="successUrl" value="/success"/>
<property name="filterChainDefinitions">
<value>
<!-- Rules are matched top to bottom and the first match wins, so the catch-all rule stays last. -->
/toPage = anon
<!-- The login request itself is not intercepted. -->
/enter = anon
<!-- Static resources are not intercepted. -->
/static/** = anon
<!-- Every other URL requires an authenticated user. -->
/** = authc
<!-- NOTE(review): the commented-out rule below is a leftover alternative to the authc rule; using it instead would leave every URL open. -->
<!--/** = anon-->
</value>
</property>
</bean>
<!-- Shiro security manager: wires in the realm and the rememberMe manager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="realm"/>
<property name="rememberMeManager" ref="cookieRememberMe"/>
</bean>
<!-- Credentials matcher: hashes the submitted password with MD5 (one iteration) before comparing it with the stored digest.
     NOTE(review): a single fast MD5 pass is not adequate for password storage. Prefer a slow, salted password hash,
     for example a much higher hashIterations with SHA-256, or a dedicated scheme such as bcrypt/Argon2 where the Shiro
     version in use supports it. Changing this requires re-hashing the stored passwords and widening the password column. -->
<bean id="matcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="1"/>
</bean>
<!-- Custom realm (com.shaw.realm.ShiroRealm); the matcher bean is injected to verify submitted passwords. -->
<bean id="realm" class="com.shaw.realm.ShiroRealm">
<property name="credentialsMatcher" ref="matcher"/>
</bean>
<!-- rememberMe support: keeps the remembered identity in a cookie.
     NOTE(review): no cipherKey is set here, so the manager falls back to the library default; old Shiro releases
     used a fixed built-in key for this cookie. Confirm the Shiro version in use and configure a unique,
     randomly generated cipherKey that is kept out of source control. -->
<bean id="cookieRememberMe" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<property name="cookie" ref="cookie"></property>
</bean>
<!-- rememberMe cookie: named "rememberMe", maxAge of 960000 seconds (about 11 days), httpOnly so page scripts cannot read it.
     NOTE(review): the secure flag is not set; set the cookie's secure property to true when the site is served over HTTPS. -->
<bean id="cookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe"></constructor-arg>
<property name="maxAge" value="960000"></property>
<property name="httpOnly" value="true"/>
</bean>
这里关于realm认证我只贴出用户部分
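/**
 * Shiro realm that authenticates users looked up through {@link UserService}.
 *
 * <p>Only the authentication half is implemented in this excerpt; the authorization
 * callback returns {@code null}.
 */
public class ShiroRealm extends AuthorizingRealm {
    // The logger category is this realm, not the Shiro base class.
    private static final Logger logger = LoggerFactory.getLogger(ShiroRealm.class);

    @Autowired
    private UserService userService;

    /**
     * Supplies the roles and permissions of an authenticated subject.
     *
     * <p>Not implemented here: no authorization data is returned.
     *
     * @param principals the identity of the subject being authorized
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    /**
     * Loads the stored account for a login attempt; login requests from the front end
     * are verified through this method.
     *
     * <p>The returned info carries the stored password digest and a salt, and the
     * realm's credentials matcher compares it with the submitted password.
     *
     * <p>NOTE(review): the salt is the submitted username, which is predictable; a
     * random per-user salt stored with the account is the stronger choice.
     *
     * @param token the submitted login token
     * @return the stored account data, or {@code null} when the token has no principal,
     *         no user with that name exists, or building the info fails (Shiro reports
     *         a {@code null} result as an unknown account)
     * @throws AuthenticationException declared by the overridden method; not thrown directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        Object principal = token.getPrincipal();
        if (principal == null) {
            // No username was submitted: there is no account to look up.
            return null;
        }
        String name = principal.toString();
        User user = userService.findUserByName(name);
        if (user == null) {
            // Unknown account: decided explicitly instead of through a NullPointerException.
            // The submitted name is not written to the log because it is untrusted input.
            logger.warn("shiro: no account found for the submitted username");
            return null;
        }
        try {
            SimpleAuthenticationInfo info =
                    new SimpleAuthenticationInfo(user.getName(), user.getPassword(), "customRealm");
            // Salt applied by the MD5 credentials matcher.
            info.setCredentialsSalt(ByteSource.Util.bytes(name));
            return info;
        } catch (RuntimeException e) {
            // Keep the cause in the log and fail closed.
            logger.error("------------shiro验证出错---------------", e);
            return null;
        }
    }
}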
这里尝试一下
然后我们尝试在不登录的情况下访问success页面
可以看到,没有登录的状态下访问会被重定向到登录界面,这就是之前shiroFilter设置的(注:未登录请求的跳转实际由authc过滤器按loginUrl处理;unauthorizedUrl用于已登录但权限不足的情况,本例中两者都配置为"/",所以效果相同)
<property name="unauthorizedUrl" value="/"/>
我们再尝试登录
然后登录成功!
SQL语句也正常查询,此次Shiro测试成功!!!
总结:今天讲的只是shiro的冰山一角,shiro还可以做角色授权等等。我遇到的问题是之前一直没有加 /static/** = anon 对静态资源放行,导致jquery一直加载报错
代码已经上传GitHub:https://github.com/Shaw325/Shiro