springboot+shiro(学习demo的搭建)

springboot+shiro(java安全框架学习使用)

1、认识Shiro

Apache Shiro提供了一个强大而灵活的安全框架,可以为任何应用提供安全保障。用于认证和访问授权:满足对用户、角色、权限(操作权限)、资源(url),即用户分配角色,角色定义权限,访问授权时支持角色或者权限,并且支持多级的权限定义。
Shiro主要有三个核心组件:Subject、SecurityManager、Realms。
以下摘自:https://blog.csdn.net/qq_32786139/article/details/82658197
1、 Subject:即“当前操作用户”。但是,在Shiro中,Subject这一概念并不仅仅指人,也可以是第三方进程、后台帐户(Daemon Account)或其他类似事物。它仅仅意味着“当前跟软件交互的东西”。但考虑到大多数目的和用途,你可以把它认为是Shiro的“用户”概念。
  Subject代表了当前用户的安全操作,SecurityManager则管理所有用户的安全操作。
2、 SecurityManager:它是Shiro框架的核心,典型的Facade模式,Shiro通过SecurityManager来管理内部组件实例,并通过它来提供安全管理的各种服务。
3、 Realm: Realm充当了Shiro与应用安全数据间的“桥梁”或者“连接器”。也就是说,当对用户执行认证(登录)和授权(访问控制)验证时,Shiro会从应用配置的Realm中查找用户及其权限信息。
  从这个意义上讲,Realm实质上是一个安全相关的DAO:它封装了数据源的连接细节,并在需要时将相关数据提供给Shiro。当配置Shiro时,你必须至少指定一个Realm,用于认证和(或)授权。配置多个Realm是可以的,但是至少需要一个。
  Shiro内置了可以连接大量安全数据源(又名目录)的Realm,如LDAP、关系数据库(JDBC)、类似INI的文本配置资源以及属性文件等。如果缺省的Realm不能满足需求,你还可以插入代表自定义数据源的自己的Realm实现。

2、开始demo项目搭建

2.1、创建项目

创建一个普通的springboot-web的项目,取名为springboot-shiro-demo
可以先不用选择依赖,然后把各个模块的包建好备用。
springboot+shiro(学习demo的搭建)_第1张图片

2.2、配置pom.xml文件

其中需要注意的mysql的依赖包,如果出错了,就把runtime
这个去掉,pom文件如下:



    4.0.0
    
        org.springframework.boot
        spring-boot-starter-parent
        2.1.6.RELEASE
         
    
    com.springboot.shiro
    demo
    0.0.1-SNAPSHOT
    demo
    Demo project for Spring Boot

    
        UTF-8
        UTF-8
        1.8
    

    
        
            org.springframework.boot
            spring-boot-starter-freemarker
        
        
            org.springframework.boot
            spring-boot-starter-jdbc
        
        
            org.springframework.boot
            spring-boot-starter-web
        
        
            org.mybatis.spring.boot
            mybatis-spring-boot-starter
            1.3.2
        

        
            mysql
            mysql-connector-java
        
        
            org.springframework.boot
            spring-boot-starter-test
            test
        

        
        
            com.alibaba
            druid
            1.1.10
        

        
        
            org.apache.shiro
            shiro-spring
            1.3.2
        

        
        
            log4j
            log4j
            1.2.17
        
        
            org.springframework.boot
            spring-boot-devtools
            true
        

    

    
        
            
                org.springframework.boot
                spring-boot-maven-plugin
            
        
    


2.3、配置application.yml文件

主要是设置数据库连接池和mvc的静态资源路径等,注意application.yml文件的编码格式和中文中文注释,实在不行就不要中文注释了。还有一定要注意这个文件的缩进,不能使用空格代替TAB,并且有严格的缩进要求(要对齐)。
application.yml文件如下:

spring:
  datasource:
    url: jdbc:mysql://10.10.38.54:3306/tao_dev?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
    username: root
    password: 123456
    driver-class-name: com.mysql.cj.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource
    initialSize: 5
    minInle: 5
    maxActive: 20
    maxWait: 60000
    timeBetweenEvictionRunsMillis: 60000
    minEvictableIdleTimeMillis: 300000
    validationQuery: SELECT 1 FROM DUAL
    testOnBorrow: false
    testOnReturn: false
    testWhileIdle: true
    poolPreparedStatements: false
    filters: stat,wall,log4j
  freemarker:
    suffix: .html
    charset: utf-8
  mvc:
    static-path-pattern: /static/**
mybatis:
    mapper-locations: classpath:mappers/*.xml
    type-aliases-package: com.springboot.shiro.demo.pojo

2.4、建表

在数据库中建五张表:shiro_user(用户表)、shiro_role(角色表)、shiro_permission(权限表)、shiro_user_role(用户角色关联表)、shiro_role_permission(角色资源关联表)。表结构和具体关联信息如下:
springboot+shiro(学习demo的搭建)_第2张图片
建完表之后给各个表填入基础数据:

INSERT INTO `shiro_user` VALUES ('1', 'hutao', 'f7c3aea7e18076502c9e29fc4d4d16f9');
INSERT INTO `shiro_user` VALUES ('2', 'vip', '01ffb6fc48048d105ba5061f8df5a35e');

其他的表手动填一下,就不用运行sql语句了:
shiro_role表:
springboot+shiro(学习demo的搭建)_第3张图片

shiro_user_role表:
springboot+shiro(学习demo的搭建)_第4张图片
shiro_permission表:
springboot+shiro(学习demo的搭建)_第5张图片
shiro_role_permission表:

springboot+shiro(学习demo的搭建)_第6张图片

2.5、各个类

整个项目的文件目录如下:
springboot+shiro(学习demo的搭建)_第7张图片

2.5.1、三个实体类

package com.springboot.shiro.demo.pojo;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

/**
 * @Name:
 * @Description: 用户实体类
 * @Author:[email protected]
 * @Date:2019/7/19 10:17
 */
public class UserBean implements Serializable {
    private String id;
    private String name;
    private String password;
    private Set roles = new HashSet<>();

    public Set getRoles() {
        return roles;
    }

    public void setRoles(Set roles) {
        this.roles = roles;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }
}

package com.springboot.shiro.demo.pojo;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

/**
 * @Name: 角色实体类
 * @Description:
 * @Author:[email protected]
 * @Date:2019/7/19 10:17
 */
public class RoleBean implements Serializable {
    private String id;
    private String name;
    private Set permissions = new HashSet<>();

    public Set getPermissions() {
        return permissions;
    }

    public void setPermissions(Set permissions) {
        this.permissions = permissions;
    }

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }


}

package com.springboot.shiro.demo.pojo;

import java.io.Serializable;

/**
 * @Name:  权限实体类
 * @Description:
 * @Author:[email protected]
 * @Date:2019/7/19 10:17
 */
public class PermissionBean implements Serializable {
    private String id;
    private String name;
    private String url;

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getUrl() {
        return url;
    }

    public void setUrl(String url) {
        this.url = url;
    }
}

2.5.2、mapper和xml文件

package com.springboot.shiro.demo.mapper;

import com.springboot.shiro.demo.pojo.UserBean;

/**
 * @Name:
 * @Description:
 * @Author:[email protected]
 * @Date:2019/7/19 10:17
 */
public interface UserMapper {

    //查询用户信息
    UserBean findByName(String name);

    //查询用户信息、角色、权限
    UserBean findById(String id);
}





    
        
        
        
        
            
            
            
                
                
                
            
    
    

    

    


注意:xml文件中报错不影响运行。

2.5.3、两个config

package com.springboot.shiro.demo.config;

import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.support.http.StatViewServlet;
import com.alibaba.druid.support.http.WebStatFilter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.sql.DataSource;
import java.util.HashMap;
import java.util.Map;

/**
 * @Name:
 * @Description:
 * @Author:[email protected]
 * @Date:2019/7/19 10:15
 */

@Configuration
public class DruidConfig {
    @ConfigurationProperties(prefix="spring.datasource")
    @Bean(destroyMethod = "close", initMethod = "init")
    public DataSource druid(){
        return new DruidDataSource();
    }
    /**
     * 配置监控服务器
     */
    @Bean
    public ServletRegistrationBean statViewServlet(){
        ServletRegistrationBean bean = new ServletRegistrationBean(new StatViewServlet(),"/druid/*");
        Map initParams = new HashMap<>();
        //druid后台管理员
        initParams.put("loginUsername","admin");
        initParams.put("loginPassword","123456");
        //是否能够重置数据
        initParams.put("resetEnable","false");

        bean.setInitParameters(initParams);
        return bean;
    }

    /**
     * 配置web监控的过滤器
     */
    @Bean
    public FilterRegistrationBean webStatFilter(){
        FilterRegistrationBean bean = new FilterRegistrationBean(new WebStatFilter());
        //添加过滤规则
        bean.addUrlPatterns("/*");
        Map initParams = new HashMap<>();
        //忽略过滤格式
        initParams.put("exclusions","*.js,*.css,*.icon,*.png,*.jpg,/druid/*");
        bean.setInitParameters(initParams);
        return  bean;
    }

}

package com.springboot.shiro.demo.config;

import com.springboot.shiro.demo.realm.UserRealm;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * @Name:
 * @Description: shiro配置类
 * @Author:[email protected]
 * @Date:2019/7/19 10:16
 */

@Configuration
public class ShiroConfig {
    @Bean("hashedCredentialsMatcher")
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        HashedCredentialsMatcher credentialsMatcher =
                new HashedCredentialsMatcher();
        //指定加密方式为MD5
        credentialsMatcher.setHashAlgorithmName("MD5");
        //加密次数
        credentialsMatcher.setHashIterations(1024);
        credentialsMatcher.setStoredCredentialsHexEncoded(true);
        return credentialsMatcher;
    }

    @Bean("userRealm")
    public UserRealm userRealm(@Qualifier("hashedCredentialsMatcher")
                                       HashedCredentialsMatcher matcher) {

        UserRealm userRealm = new UserRealm();
        userRealm.setCredentialsMatcher(matcher);
        return userRealm;
    }

    @Bean
    public ShiroFilterFactoryBean shirFilter(@Qualifier("securityManager")
                                                     DefaultWebSecurityManager securityManager) {

        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        // 设置 SecurityManager
        bean.setSecurityManager(securityManager);
        // 设置登录成功跳转Url
        bean.setSuccessUrl("/main");
        // 设置登录跳转Url
        bean.setLoginUrl("/toLogin");
        // 设置未授权提示Url
        bean.setUnauthorizedUrl("/error/unAuth");

        /**
         * anon:匿名用户可访问
         * authc:认证用户可访问
         * user:使用rememberMe可访问
         * perms:对应权限可访问
         * role:对应角色权限可访问
         **/
        Map filterMap = new LinkedHashMap<>();
        filterMap.put("/login","anon");
        filterMap.put("/user/index","authc");
        filterMap.put("/vip/index","roles[vip]");
        filterMap.put("/druid/**", "anon");
        filterMap.put("/static/**","anon");

        filterMap.put("/**","authc");
        filterMap.put("/logout", "logout");

        bean.setFilterChainDefinitionMap(filterMap);
        return bean;
    }

    /**
     * 注入 securityManager
     */
    @Bean(name="securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(
            HashedCredentialsMatcher hashedCredentialsMatcher) {

        DefaultWebSecurityManager securityManager =
                new DefaultWebSecurityManager();
        // 关联realm.
        securityManager.setRealm(userRealm(hashedCredentialsMatcher));
        return securityManager;
    }
}

2.5.4、realm

package com.springboot.shiro.demo.realm;

import com.springboot.shiro.demo.pojo.PermissionBean;
import com.springboot.shiro.demo.pojo.RoleBean;
import com.springboot.shiro.demo.pojo.UserBean;
import com.springboot.shiro.demo.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

/**
 * @Name:
 * @Description: 自定义Realm,实现授权与认证
 * @Author:[email protected]
 * @Date:2019/7/19 10:18
 */
public class UserRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;

    /**
     * 用户授权
     **/
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principalCollection) {

        System.out.println("===执行授权===");

        Subject subject = SecurityUtils.getSubject();
        UserBean user = (UserBean)subject.getPrincipal();
        if(user != null){
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // 角色与权限字符串集合
            Collection rolesCollection = new HashSet<>();
            Collection premissionCollection = new HashSet<>();
            // 读取并赋值用户角色与权限
            Set roles = user.getRoles();
            for(RoleBean role : roles){
                rolesCollection.add(role.getName());
                Set permissions = role.getPermissions();
                for (PermissionBean permission : permissions){
                    premissionCollection.add(permission.getUrl());
                }
                info.addStringPermissions(premissionCollection);
            }
            info.addRoles(rolesCollection);
            return info;
        }
        return null;
    }

    /**
     * 用户认证
     **/
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authenticationToken) throws AuthenticationException {

        System.out.println("===执行认证===");

        UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
        UserBean bean = userService.findByName(token.getUsername());

        if(bean == null){
            throw new UnknownAccountException();
        }

        ByteSource credentialsSalt = ByteSource.Util.bytes(bean.getName());

        return new SimpleAuthenticationInfo(bean, bean.getPassword(),
                credentialsSalt, getName());
    }

    // 模拟Shiro用户加密,假设用户密码为123456
    public static void main(String[] args){
        // 用户名
        String username = "hutao";
        // 用户密码
        String password = "123456";
        // 加密方式
        String hashAlgorithName = "MD5";
        // 加密次数
        int hashIterations = 1024;
        ByteSource credentialsSalt = ByteSource.Util.bytes(username);
        Object obj = new SimpleHash(hashAlgorithName, password,
                credentialsSalt, hashIterations);
        System.out.println(obj);
    }
}

2.5.5、service层

接口类:

package com.springboot.shiro.demo.service;

import com.springboot.shiro.demo.pojo.UserBean;

/**
 * @Name:
 * @Description: UserService抽象接口
 * @Author:[email protected]
 * @Date:2019/7/19 10:18
 */
public interface UserService {
    UserBean findByName(String name);
}

接口实现类:

package com.springboot.shiro.demo.service.impl;

import com.springboot.shiro.demo.mapper.UserMapper;
import com.springboot.shiro.demo.pojo.UserBean;
import com.springboot.shiro.demo.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

/**
 * @Name:
 * @Description: Userservice实现类
 * @Author:[email protected]
 * @Date:2019/7/19 10:19
 */
@Service
public class UserServiceImpl implements UserService {
    @Autowired
    private UserMapper userMapper;

    @Override
    public UserBean findByName(String name) {
        // 查询用户是否存在
        UserBean bean = userMapper.findByName(name);
        if (bean != null) {
            // 查询用户信息、角色、权限
            bean = userMapper.findById(bean.getId());
        }
        return bean;
    }
}

2.5.6、controller层

MainController:

package com.springboot.shiro.demo.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * @Name:
 * @Description: 用户登录、登出、错误页面跳转控制器
 * @Author:[email protected]
 * @Date:2019/7/19 10:16
 */
@Controller
public class MainController {
    @RequestMapping("/main")
    public String index(HttpServletRequest request, HttpServletResponse response){
        response.setHeader("root", request.getContextPath());
        return "index";
    }

    @RequestMapping("/toLogin")
    public String toLogin(HttpServletRequest request, HttpServletResponse response){
        response.setHeader("root", request.getContextPath());
        return "login";
    }

    @RequestMapping("/login")
    public String login(HttpServletRequest request, HttpServletResponse response){
        response.setHeader("root", request.getContextPath());
        String userName = request.getParameter("username");
        String password = request.getParameter("password");

        // 1.获取Subject
        Subject subject = SecurityUtils.getSubject();
        // 2.封装用户数据
        UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
        // 3.执行登录方法
        try{
            subject.login(token);
            return "redirect:/main";
        } catch (UnknownAccountException e){
            e.printStackTrace();
            request.setAttribute("msg","用户名不存在!");
        } catch (IncorrectCredentialsException e){
            request.setAttribute("msg","密码错误!");
        }

        return "login";
    }

    @RequestMapping("/logout")
    public String logout(){
        Subject subject = SecurityUtils.getSubject();
        if (subject != null) {
            subject.logout();
        }
        return "redirect:/main";
    }

    @RequestMapping("/error/unAuth")
    public String unAuth(){
        return "/error/unAuth";
    }
}

UserController:

package com.springboot.shiro.demo.controller;

import com.springboot.shiro.demo.pojo.UserBean;
import org.apache.shiro.SecurityUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import javax.servlet.http.HttpServletRequest;

/**
 * @Name:
 * @Description: 用户页面跳转
 * @Author:[email protected]
 * @Date:2019/7/19 10:16
 */
@Controller
public class UserController {
    /**
     * 个人中心,需要认证可访问
     */
    @RequestMapping("/user/index")
    public String add(HttpServletRequest request){
        UserBean bean = (UserBean) SecurityUtils.getSubject().getPrincipal();
        request.setAttribute("userName", bean.getName());
        return "/user/index";
    }

    /**
     * 会员中心,需认证且角色为vip可访问
     */
    @RequestMapping("/vip/index")
    public String update(){
        return "/vip/index";
    }
}

2.5.7、项目页面

1、login.html:




    
    登录


用户登录


用户名
密码
${msg!}

index.html 首页:




    首页


    

首页


/user/index.html 用户中心:




    用户中心


    

用户中心


欢迎${userName!},这里是用户中心

/vip/index.html 会员中心:




    会员中心


    

会员中心


欢迎来到会员中心

/error/unAuth.html 未授权展示页面:




    未授权提示


    

您还不是会员,没有权限访问这个页面!

3、运行结果

普通用户身份:
springboot+shiro(学习demo的搭建)_第8张图片输入账号密码后,进入页面:
springboot+shiro(学习demo的搭建)_第9张图片
点击个人中心:
springboot+shiro(学习demo的搭建)_第10张图片
若是点击会员中心:
springboot+shiro(学习demo的搭建)_第11张图片
会员身份登录:
因为会员拥有最高权限,所以可以访问所有页面:
springboot+shiro(学习demo的搭建)_第12张图片
springboot+shiro(学习demo的搭建)_第13张图片

4、说明

本次demo学习全是借鉴 https://blog.csdn.net/qq_34802416/article/details/84959457
这篇文章来进行的,通过自己亲手搭建了一遍这个简单的demo,更加容易的学习到了springboot+shiro的整合以及shiro的工作原理。

你可能感兴趣的:(java学习之路)