shiro是目前主流的java安全框架,主要用来更便捷的认证,授权,加密,会话管理。废话不多说,下面是一个简单的案例,Soring boot整合shiro;
首先搭建一个spring boot框架,具体步骤请参考点击打开链接;
然后配置shiro依赖(顺便整合mybatis)
配置文件(application.xml)
#spring集成Mybatis环境
mybatis.type-aliases-package=com.huangjia.domain
#加载Mybatis配置文件
mybatis.mapper-locations = classpath:mapper/*Mapper.xml
#spring.datasource.type = com.alibaba.druid.pool.DruidDataSource
spring.datasource.driver-class-name= com.mysql.jdbc.Driver
spring.datasource.url = jdbc:mysql://localhost:3306/student?useUnicode=true&characterEncoding=utf-8
spring.datasource.username = root
spring.datasource.password = root
然后简历一个数据库表,主要字段为用户名密码及权限状态;
下面建包,把各个层建好
编写shiro配置类
ShiroConfig:
package com.huangjia.shiro;
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
* shiro配置类
* @author jianping.lu
*
*/
@Configuration
public class ShiroConfig {
//创建ShiroFilterFactoryBean
@Bean(name="shiroFilterFactoryBean")
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager")DefaultWebSecurityManager defaultWebSecurityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
//添加shiro内置过滤器
/*
* anon:表示可以匿名使用。
authc:表示需要认证(登录)才能使用,没有参数
roles:参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/**=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。
perms:参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。
rest:根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等。
port:当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。
authcBasic:没有参数表示httpBasic认证
ssl:表示安全的url请求,协议为https
user:当登入操作时不做检查
*/
Map fMap = new HashMap();
//拦截页面
fMap.put("/one", "authc");
fMap.put("/two", "authc");
//拦截未授权
fMap.put("/one", "perms[user:one]");
fMap.put("/two", "perms[user:two]");
//被拦截返回登录页面
shiroFilterFactoryBean.setLoginUrl("/login");
//授权拦截返回页面
shiroFilterFactoryBean.setUnauthorizedUrl("/permission");
shiroFilterFactoryBean.setFilterChainDefinitionMap(fMap);
return shiroFilterFactoryBean;
}
@Bean(name="defaultWebSecurityManager")
//创建DefaultWebSecurityManager
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm")UserRealm userRealm){
DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();
defaultWebSecurityManager.setRealm(userRealm);
return defaultWebSecurityManager;
}
//创建Realm
@Bean(name="userRealm")
public UserRealm getUserRealm(){
return new UserRealm();
}
}
UserRealm:
package com.huangjia.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import com.huangjia.domain.User;
import com.huangjia.service.UserService;
/**
* 自定义realm
* @author jianping.lu
*
*/
public class UserRealm extends AuthorizingRealm{
@Autowired
private UserService UserService;
//执行授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) {
// TODO Auto-generated method stub
System.out.println("授权");
//获取当前登录用户
Subject subject = SecurityUtils.getSubject();
User user = (User) subject.getPrincipal();
//给资源授权
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addStringPermission(user.getPerms());
return simpleAuthorizationInfo;
}
//执行认证逻辑
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) throws AuthenticationException {
// TODO Auto-generated method stub
System.out.println("认证");
//shiro判断逻辑
UsernamePasswordToken user = (UsernamePasswordToken) arg0;
User realUser = new User();
realUser.setName(user.getUsername());
realUser.setPassword(String.copyValueOf(user.getPassword()));
User newUser = UserService.findUser(realUser);
//System.out.println(user.getUsername());
if(newUser == null){
//用户名错误
//shiro会抛出UnknownAccountException异常
return null;
}
return new SimpleAuthenticationInfo(newUser,newUser.getPassword(),"");
}
}
编写所需功能模块
Controller:
package com.huangjia.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import com.huangjia.domain.User;
import com.huangjia.service.UserService;
@Controller
public class UserController {
@Autowired
private UserService UserService;
@RequestMapping("what")
public String why(){
return "sse";
}
@RequestMapping("one")
public String getOne(){
return "one";
}
@RequestMapping("two")
public String getTwo(){
return "two";
}
@RequestMapping("login")
public String login(){
return "login";
}
@RequestMapping("permission")
public String permission(){
return "permission";
}
@RequestMapping("toLogin")
public String toLogin(User user,Model model){
//System.out.println(newUser.getName()+newUser.getPassword());
//shiro用户认证
//获取subject
Subject subject = SecurityUtils.getSubject();
//封装用户数据
UsernamePasswordToken userToken = new UsernamePasswordToken(user.getName(),user.getPassword());
//执行登录方法,用捕捉异常去判断是否登录成功
try {
subject.login(userToken);
return "redirect:/what.do";
} catch (UnknownAccountException e) {
//用户名不存在
model.addAttribute("msg","用户名不存在");
return "login";
}catch (IncorrectCredentialsException e) {
//密码错误
model.addAttribute("msg","密码错误");
return "login";
}
}
}
Service(偷个懒,没有定义服务接口):
package com.huangjia.service;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.huangjia.domain.User;
import com.huangjia.mapper.UserMapper;
@Service
public class UserService {
@Autowired
private UserMapper userMapper;
public User findUser(User user){
return userMapper.findUser(user);
}
}
Dao:
package com.huangjia.mapper;
import java.util.List;
import org.apache.ibatis.annotations.Mapper;
import com.huangjia.domain.User;
@Mapper
public interface UserMapper {
public User findUser(User user);
}
Mapper.xml
下面写几个简单页面
login.html(登陆页面)
Insert title here
sse.html(功能选择)
Insert title here
one.html(功能一)
Insert title here
欢迎来到one
two.html
Insert title here
欢迎来到two
permission.html(权限拦截页面)
Insert title here
对不起,你没有该权限