springboot整合常用组件和服务【9】springboot支持shiro

shiro是非常流行的安全管理框架,主要包括认证、授权、session管理、remember me、web支持、加密等。本文将以springboot为基础,介绍如何整合shiro框架及演示其中的基本功能。

1、环境约束

  • win10 64位操作系统
  • idea2018.1.5
  • maven-3.0.5
  • jdk-8u162-windows-x64

2、前提约束

  • 完成springboot创建web项目 https://www.jianshu.com/p/de979f53ad80
    注意:笔者创建项目的时候约束的包前缀是net.wanho.springboot.shiro,读者可以自行创建包名,只是要注意本文中的代码也要修改包名。

3、修改pom.xml

加入shiro依赖:

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.3.2</version>
        </dependency>

4、在src/main/resources/static文件夹创建所需静态页面

创建admin.html、index.html、login.html、loginerror.html、unauthorize.html。
里面的内容分别标记为 "admin", "index", "login", "loginerror", "unauthorize",为后面做实验提供前提。

5、在src/main/java中创建net.wanho.springboot.shiro.config.ShiroConfiguration.java

package net.wanho.springboot.shiro.config;

import net.wanho.shiro.MyShiroRealm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

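@Configuration
public class ShiroConfiguration {

    /**
     * Registers the custom realm as a Spring bean.
     * The realm created later in this tutorial lives in net.wanho.springboot.shiro.realm, so the
     * import at the top of this file must refer to that package.
     * @return the realm that performs authentication and authorization
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        return new MyShiroRealm();
    }

    /**
     * Builds the web SecurityManager backed by the custom realm.
     * @return the SecurityManager shared by the filter chain and the annotation advisor
     */
    @Bean
    public org.apache.shiro.mgt.SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(myShiroRealm());
        return securityManager;
    }

    /**
     * Defines the Shiro filter chain.
     * Shiro evaluates chain definitions in insertion order and the first matching pattern wins,
     * so the map must preserve order: with a HashMap the "/**" entry could be registered before
     * "/login", which would make login impossible.
     * @param securityManager the SecurityManager to attach to the filter
     * @return the configured ShiroFilterFactoryBean
     */
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(org.apache.shiro.mgt.SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // LinkedHashMap keeps the definitions in exactly the order written below.
        Map<String, String> chain = new LinkedHashMap<>();
        // Logout is handled by Shiro's logout filter, which ends the session and redirects.
        chain.put("/logout", "logout");
        // The login API must stay anonymous, otherwise nobody could ever authenticate.
        chain.put("/login", "anon");
        // Everything else requires a known user. "user" also accepts a remembered identity;
        // no rememberMe is configured here, so in practice a login is required. Use "authc"
        // if a fresh authentication must always be enforced.
        chain.put("/**", "user");
        // Page an anonymous request is sent to when it hits a protected URL.
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        // Page shown after a successful login.
        shiroFilterFactoryBean.setSuccessUrl("/index.html");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(chain);
        return shiroFilterFactoryBean;
    }


    /**
     * Enables Shiro's annotations (@RequiresRoles, @RequiresPermissions) by creating proxies for
     * beans matched by an advisor; works together with AuthorizationAttributeSourceAdvisor.
     * Declared static so it is created before the regular beans it must proxy.
     * @return the auto-proxy creator
     */
    @Bean
    public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
        return new DefaultAdvisorAutoProxyCreator();
    }

    /**
     * The advisor that evaluates Shiro's annotations on proxied beans; works together with
     * DefaultAdvisorAutoProxyCreator.
     * @param securityManager the SecurityManager used to resolve the current subject
     * @return the annotation advisor
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(org.apache.shiro.mgt.SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }

    /**
     * Maps Shiro exceptions to views so that a failure renders a page instead of an error response.
     * The bean must be exposed with the type SimpleMappingExceptionResolver.
     * Keys are fully qualified exception class names, values are view names; the resolver also
     * matches subclasses, so an UnauthorizedException raised by the annotation advisor is
     * handled by the AuthorizationException entry.
     * @return the exception-to-view resolver
     */
    @Bean
    public SimpleMappingExceptionResolver getSimpleMappingExceptionResolver() {
        SimpleMappingExceptionResolver resolver = new SimpleMappingExceptionResolver();
        Properties mappings = new Properties();
        // Authorization failed (missing role or permission)
        mappings.setProperty("org.apache.shiro.authz.AuthorizationException", "unauthorize.html");
        // Unknown account
        mappings.setProperty("org.apache.shiro.authc.UnknownAccountException", "loginerror.html");
        // Wrong password
        mappings.setProperty("org.apache.shiro.authc.CredentialsException", "loginerror.html");
        resolver.setExceptionMappings(mappings);
        return resolver;
    }
}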

6、在src/main/java中创建net.wanho.springboot.shiro.realm.MyShiroRealm.java

package net.wanho.springboot.shiro.realm;

import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

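public class MyShiroRealm extends AuthorizingRealm {

    // Demo account used by this tutorial; a real realm would look the user up in a user store.
    private static final String DEMO_ACCOUNT = "ali";
    // Demo password as UTF-8 bytes so it can be compared with a constant-time comparison.
    private static final byte[] DEMO_PASSWORD = "123456".getBytes(StandardCharsets.UTF_8);

    /**
     * Authorization: returns the roles and permissions of the logged-in subject.
     * Every authenticated subject gets the "admin" role and the "admin:delete" permission;
     * a real realm would derive these from the principal (e.g. the user name) via a database.
     * @param principalCollection the principals of the subject being authorized (unused here)
     * @return the roles and permissions granted to the subject
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.addRole("admin");
        authorizationInfo.addStringPermission("admin:delete");
        return authorizationInfo;
    }

    /**
     * Authentication: checks that the submitted account and password are correct.
     * A missing principal or a missing/unexpected credential type is reported with the same
     * exceptions as a wrong account/password instead of surfacing as a NullPointerException or
     * ClassCastException, so the exception-to-view mapping still applies.
     * @param authenticationToken the token carrying the submitted account and password
     * @return the authentication info for the account
     * @throws UnknownAccountException if the account is not the demo account
     * @throws CredentialsException if the password is missing or does not match
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        Object principal = authenticationToken.getPrincipal();
        if (principal == null || !DEMO_ACCOUNT.equals(principal.toString())) {
            throw new UnknownAccountException();
        }
        String name = principal.toString();

        Object credentials = authenticationToken.getCredentials();
        // UsernamePasswordToken supplies the password as char[]; anything else cannot be checked.
        if (!(credentials instanceof char[])) {
            throw new CredentialsException();
        }
        byte[] submitted = new String((char[]) credentials).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the time taken does not depend on how many bytes match.
        if (!MessageDigest.isEqual(submitted, DEMO_PASSWORD)) {
            throw new CredentialsException();
        }
        return new SimpleAuthenticationInfo(name, credentials, getName());
    }
}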

7、在src/main/java中创建net.wanho.springboot.shiro.controller.UserController.java

package net.wanho.springboot.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

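@Controller
public class UserController {

    /**
     * Login API: authenticates the submitted account through Shiro.
     * On failure Subject#login throws an AuthenticationException (UnknownAccountException or
     * CredentialsException), which the SimpleMappingExceptionResolver maps to loginerror.html.
     * With a plain @RequestMapping the endpoint accepts GET, which is why the tutorial's test URLs
     * carry the password in the query string (and therefore in server and proxy logs); a form POST
     * is the appropriate choice outside a demo.
     * @param username the submitted account name
     * @param password the submitted password
     * @return the index view carrying the authenticated user's name
     */
    @RequestMapping("/login")
    public ModelAndView login(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        // Authenticate first so that a failure propagates before any view is prepared.
        subject.login(new UsernamePasswordToken(username, password));
        ModelAndView modelAndView = new ModelAndView("index.html");
        // Expose the name that actually authenticated rather than a hard-coded value.
        modelAndView.addObject("name", username);
        return modelAndView;
    }


    /**
     * Authorization check: only subjects holding the "admin" role may call this API.
     * @return the literal "admin"
     */
    @RequestMapping("/admin")
    @RequiresRoles("admin")
    @ResponseBody
    public String admin() {
        return "admin";
    }

    /**
     * Control case for /admin: requires the "admin1" role, which the realm never grants.
     * @return the literal "admin"
     */
    @RequestMapping("/admin1")
    @RequiresRoles("admin1")
    @ResponseBody
    public String admin1() {
        return "admin";
    }


    /**
     * Authorization check: only subjects holding the "admin:delete" permission may call this API.
     * @return the literal "admin"
     */
    @RequestMapping("/admindel")
    @RequiresPermissions("admin:delete")
    @ResponseBody
    public String admindel() {
        return "admin";
    }

    /**
     * Control case for /admindel: requires "admin:delete1", which the realm never grants.
     * @return the literal "admin"
     */
    @RequestMapping("/admindel1")
    @RequiresPermissions("admin:delete1")
    @ResponseBody
    public String admindel1() {
        return "admin";
    }



    /**
     * Logout endpoint.
     * With the "/logout" -> "logout" entry in the Shiro filter chain, Shiro's logout filter ends
     * the session and redirects before this handler is reached, so nothing is done here.
     */
    @RequestMapping("/logout")
    @ResponseBody
    public void logout() {
        // Resources are released by Shiro's logout filter.
    }
}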

8、启动测试【注意,每一步的操作都以前面步骤为前提】。

  • 验证shiro对受保护api的非session过滤
    访问http://localhost:8080/asdfghj
    结果:跳转到login.html
    分析:此为shiro的过滤功能

        //登出
      map.put("/logout", "logout");
      //登录api为anon,而且只能是anon,要不然永远不可能登录成功
      map.put("/login", "anon");
      //对所有其他url访问都需要用户认证
      map.put("/**", "user");
    

这三句代码告诉我们,除了login api可以匿名,其他的api均需要登录。

  • 验证shiro登录以后,对受保护api的不过滤
    访问 http://localhost:8080/login?username=ali&password=123456,再访问http://localhost:8080/asdfghj
    结果:先跳转到index.html,再跳转到404
    分析:在已经登录的情况下,shiro将放行声明为"user"的api
  • 验证shiro登录之后的logout api
    访问 localhost:8080/logout
    结果:跳转到login.html
    分析:此为shiro的登出api
  • 验证登录之后的角色校验
    (1)访问 http://localhost:8080/login?username=ali&password=123456, 再访问http://localhost:8080/admin
    结果:先跳转到index.html,再跳转到admin.html
    分析:/admin api所要求的admin角色,myshirorealm当中是赋予了的,因此,可以访问该 /admin
    (2)访问http://localhost:8080/admin1
    结果:跳转到unauthorize.html
    分析:/admin1 api所要求的admin1角色,myshirorealm当中没有赋予,因此,不能访问该 /admin1
  • 验证登录之后的权限验证
    (1)访问 http://localhost:8080/admindel
    结果:跳转到admin.html
    分析:/admindel所要求的admin:delete权限,myshirorealm当中是赋予了的,因此,可以访问该 /admindel
    (2)访问 http://localhost:8080/admindel1
    结果:跳转到unauthorize.html
    分析:/admindel1 api所要求的admin:delete1权限,myshirorealm当中没有赋予,因此,不能访问该 /admindel1
  • 至此,我们搭建整合了spring与shiro,并做了基本的测试。


转载自blog.csdn.net/qq_41717874/article/details/89188042