Apache Shiro提供了一个强大而灵活的安全框架,可以为任何应用提供安全保障。用于认证和访问授权:满足对用户、角色、权限(操作权限)、资源(url),即用户分配角色,角色定义权限,访问授权时支持角色或者权限,并且支持多级的权限定义。
Shiro主要有三个核心组件:Subject、SecurityManager、Realms。
以下摘自:https://blog.csdn.net/qq_32786139/article/details/82658197
1、 Subject:即“当前操作用户”。但是,在Shiro中,Subject这一概念并不仅仅指人,也可以是第三方进程、后台帐户(Daemon Account)或其他类似事物。它仅仅意味着“当前跟软件交互的东西”。但考虑到大多数目的和用途,你可以把它认为是Shiro的“用户”概念。
Subject代表了当前用户的安全操作,SecurityManager则管理所有用户的安全操作。
2、 SecurityManager:它是Shiro框架的核心,典型的Facade模式,Shiro通过SecurityManager来管理内部组件实例,并通过它来提供安全管理的各种服务。
3、 Realm: Realm充当了Shiro与应用安全数据间的“桥梁”或者“连接器”。也就是说,当对用户执行认证(登录)和授权(访问控制)验证时,Shiro会从应用配置的Realm中查找用户及其权限信息。
从这个意义上讲,Realm实质上是一个安全相关的DAO:它封装了数据源的连接细节,并在需要时将相关数据提供给Shiro。当配置Shiro时,你必须至少指定一个Realm,用于认证和(或)授权。配置多个Realm是可以的,但是至少需要一个。
Shiro内置了可以连接大量安全数据源(又名目录)的Realm,如LDAP、关系数据库(JDBC)、类似INI的文本配置资源以及属性文件等。如果缺省的Realm不能满足需求,你还可以插入代表自定义数据源的自己的Realm实现。
创建一个普通的springboot-web的项目,取名为springboot-shiro-demo
可以先不用选择依赖,然后把各个模块的包建好备用。
其中需要注意的mysql的依赖包,如果出错了,就把runtime
这个去掉,pom文件如下:
4.0.0
org.springframework.boot
spring-boot-starter-parent
2.1.6.RELEASE
com.springboot.shiro
demo
0.0.1-SNAPSHOT
demo
Demo project for Spring Boot
UTF-8
UTF-8
1.8
org.springframework.boot
spring-boot-starter-freemarker
org.springframework.boot
spring-boot-starter-jdbc
org.springframework.boot
spring-boot-starter-web
org.mybatis.spring.boot
mybatis-spring-boot-starter
1.3.2
mysql
mysql-connector-java
org.springframework.boot
spring-boot-starter-test
test
com.alibaba
druid
1.1.10
org.apache.shiro
shiro-spring
1.3.2
log4j
log4j
1.2.17
org.springframework.boot
spring-boot-devtools
true
org.springframework.boot
spring-boot-maven-plugin
主要是设置数据库连接池和mvc的静态资源路径等,注意application.yml文件的编码格式和中文中文注释,实在不行就不要中文注释了。还有一定要注意这个文件的缩进,不能使用空格代替TAB,并且有严格的缩进要求(要对齐)。
application.yml文件如下:
spring:
datasource:
url: jdbc:mysql://10.10.38.54:3306/tao_dev?useUnicode=true&characterEncoding=UTF-8&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=UTC
username: root
password: 123456
driver-class-name: com.mysql.cj.jdbc.Driver
type: com.alibaba.druid.pool.DruidDataSource
initialSize: 5
minInle: 5
maxActive: 20
maxWait: 60000
timeBetweenEvictionRunsMillis: 60000
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testOnBorrow: false
testOnReturn: false
testWhileIdle: true
poolPreparedStatements: false
filters: stat,wall,log4j
freemarker:
suffix: .html
charset: utf-8
mvc:
static-path-pattern: /static/**
mybatis:
mapper-locations: classpath:mappers/*.xml
type-aliases-package: com.springboot.shiro.demo.pojo
在数据库中建五张表:shiro_user(用户表)、shiro_role(角色表)、shiro_permission(权限表)、shiro_user_role(用户角色关联表)、shiro_role_permission(角色资源关联表)。表结构和具体关联信息如下:
建完表之后给各个表填入基础数据:
INSERT INTO `shiro_user` VALUES ('1', 'hutao', 'f7c3aea7e18076502c9e29fc4d4d16f9');
INSERT INTO `shiro_user` VALUES ('2', 'vip', '01ffb6fc48048d105ba5061f8df5a35e');
其他的表手动填一下,就不用运行sql语句了:
shiro_role表:
shiro_user_role表:
shiro_permission表:
shiro_role_permission表:
package com.springboot.shiro.demo.pojo;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
/**
* @Name:
* @Description: 用户实体类
* @Author:[email protected]
* @Date:2019/7/19 10:17
*/
public class UserBean implements Serializable {
private String id;
private String name;
private String password;
private Set roles = new HashSet<>();
public Set getRoles() {
return roles;
}
public void setRoles(Set roles) {
this.roles = roles;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
}
package com.springboot.shiro.demo.pojo;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;
/**
* @Name: 角色实体类
* @Description:
* @Author:[email protected]
* @Date:2019/7/19 10:17
*/
public class RoleBean implements Serializable {
private String id;
private String name;
private Set permissions = new HashSet<>();
public Set getPermissions() {
return permissions;
}
public void setPermissions(Set permissions) {
this.permissions = permissions;
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
}
package com.springboot.shiro.demo.pojo;
import java.io.Serializable;
/**
* @Name: 权限实体类
* @Description:
* @Author:[email protected]
* @Date:2019/7/19 10:17
*/
public class PermissionBean implements Serializable {
private String id;
private String name;
private String url;
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getUrl() {
return url;
}
public void setUrl(String url) {
this.url = url;
}
}
package com.springboot.shiro.demo.mapper;
import com.springboot.shiro.demo.pojo.UserBean;
/**
* @Name:
* @Description:
* @Author:[email protected]
* @Date:2019/7/19 10:17
*/
public interface UserMapper {
//查询用户信息
UserBean findByName(String name);
//查询用户信息、角色、权限
UserBean findById(String id);
}
注意:xml文件中报错不影响运行。
package com.springboot.shiro.demo.config;
import com.alibaba.druid.pool.DruidDataSource;
import com.alibaba.druid.support.http.StatViewServlet;
import com.alibaba.druid.support.http.WebStatFilter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.sql.DataSource;
import java.util.HashMap;
import java.util.Map;
/**
* @Name:
* @Description:
* @Author:[email protected]
* @Date:2019/7/19 10:15
*/
@Configuration
public class DruidConfig {
@ConfigurationProperties(prefix="spring.datasource")
@Bean(destroyMethod = "close", initMethod = "init")
public DataSource druid(){
return new DruidDataSource();
}
/**
* 配置监控服务器
*/
@Bean
public ServletRegistrationBean statViewServlet(){
ServletRegistrationBean bean = new ServletRegistrationBean(new StatViewServlet(),"/druid/*");
Map initParams = new HashMap<>();
//druid后台管理员
initParams.put("loginUsername","admin");
initParams.put("loginPassword","123456");
//是否能够重置数据
initParams.put("resetEnable","false");
bean.setInitParameters(initParams);
return bean;
}
/**
* 配置web监控的过滤器
*/
@Bean
public FilterRegistrationBean webStatFilter(){
FilterRegistrationBean bean = new FilterRegistrationBean(new WebStatFilter());
//添加过滤规则
bean.addUrlPatterns("/*");
Map initParams = new HashMap<>();
//忽略过滤格式
initParams.put("exclusions","*.js,*.css,*.icon,*.png,*.jpg,/druid/*");
bean.setInitParameters(initParams);
return bean;
}
}
package com.springboot.shiro.demo.config;
import com.springboot.shiro.demo.realm.UserRealm;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* @Name:
* @Description: shiro配置类
* @Author:[email protected]
* @Date:2019/7/19 10:16
*/
@Configuration
public class ShiroConfig {
@Bean("hashedCredentialsMatcher")
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher credentialsMatcher =
new HashedCredentialsMatcher();
//指定加密方式为MD5
credentialsMatcher.setHashAlgorithmName("MD5");
//加密次数
credentialsMatcher.setHashIterations(1024);
credentialsMatcher.setStoredCredentialsHexEncoded(true);
return credentialsMatcher;
}
@Bean("userRealm")
public UserRealm userRealm(@Qualifier("hashedCredentialsMatcher")
HashedCredentialsMatcher matcher) {
UserRealm userRealm = new UserRealm();
userRealm.setCredentialsMatcher(matcher);
return userRealm;
}
@Bean
public ShiroFilterFactoryBean shirFilter(@Qualifier("securityManager")
DefaultWebSecurityManager securityManager) {
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
// 设置 SecurityManager
bean.setSecurityManager(securityManager);
// 设置登录成功跳转Url
bean.setSuccessUrl("/main");
// 设置登录跳转Url
bean.setLoginUrl("/toLogin");
// 设置未授权提示Url
bean.setUnauthorizedUrl("/error/unAuth");
/**
* anon:匿名用户可访问
* authc:认证用户可访问
* user:使用rememberMe可访问
* perms:对应权限可访问
* role:对应角色权限可访问
**/
Map filterMap = new LinkedHashMap<>();
filterMap.put("/login","anon");
filterMap.put("/user/index","authc");
filterMap.put("/vip/index","roles[vip]");
filterMap.put("/druid/**", "anon");
filterMap.put("/static/**","anon");
filterMap.put("/**","authc");
filterMap.put("/logout", "logout");
bean.setFilterChainDefinitionMap(filterMap);
return bean;
}
/**
* 注入 securityManager
*/
@Bean(name="securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(
HashedCredentialsMatcher hashedCredentialsMatcher) {
DefaultWebSecurityManager securityManager =
new DefaultWebSecurityManager();
// 关联realm.
securityManager.setRealm(userRealm(hashedCredentialsMatcher));
return securityManager;
}
}
package com.springboot.shiro.demo.realm;
import com.springboot.shiro.demo.pojo.PermissionBean;
import com.springboot.shiro.demo.pojo.RoleBean;
import com.springboot.shiro.demo.pojo.UserBean;
import com.springboot.shiro.demo.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
/**
* @Name:
* @Description: 自定义Realm,实现授权与认证
* @Author:[email protected]
* @Date:2019/7/19 10:18
*/
public class UserRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
/**
* 用户授权
**/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principalCollection) {
System.out.println("===执行授权===");
Subject subject = SecurityUtils.getSubject();
UserBean user = (UserBean)subject.getPrincipal();
if(user != null){
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 角色与权限字符串集合
Collection rolesCollection = new HashSet<>();
Collection premissionCollection = new HashSet<>();
// 读取并赋值用户角色与权限
Set roles = user.getRoles();
for(RoleBean role : roles){
rolesCollection.add(role.getName());
Set permissions = role.getPermissions();
for (PermissionBean permission : permissions){
premissionCollection.add(permission.getUrl());
}
info.addStringPermissions(premissionCollection);
}
info.addRoles(rolesCollection);
return info;
}
return null;
}
/**
* 用户认证
**/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("===执行认证===");
UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
UserBean bean = userService.findByName(token.getUsername());
if(bean == null){
throw new UnknownAccountException();
}
ByteSource credentialsSalt = ByteSource.Util.bytes(bean.getName());
return new SimpleAuthenticationInfo(bean, bean.getPassword(),
credentialsSalt, getName());
}
// 模拟Shiro用户加密,假设用户密码为123456
public static void main(String[] args){
// 用户名
String username = "hutao";
// 用户密码
String password = "123456";
// 加密方式
String hashAlgorithName = "MD5";
// 加密次数
int hashIterations = 1024;
ByteSource credentialsSalt = ByteSource.Util.bytes(username);
Object obj = new SimpleHash(hashAlgorithName, password,
credentialsSalt, hashIterations);
System.out.println(obj);
}
}
接口类:
package com.springboot.shiro.demo.service;
import com.springboot.shiro.demo.pojo.UserBean;
/**
* @Name:
* @Description: UserService抽象接口
* @Author:[email protected]
* @Date:2019/7/19 10:18
*/
public interface UserService {
UserBean findByName(String name);
}
接口实现类:
package com.springboot.shiro.demo.service.impl;
import com.springboot.shiro.demo.mapper.UserMapper;
import com.springboot.shiro.demo.pojo.UserBean;
import com.springboot.shiro.demo.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
/**
* @Name:
* @Description: Userservice实现类
* @Author:[email protected]
* @Date:2019/7/19 10:19
*/
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserMapper userMapper;
@Override
public UserBean findByName(String name) {
// 查询用户是否存在
UserBean bean = userMapper.findByName(name);
if (bean != null) {
// 查询用户信息、角色、权限
bean = userMapper.findById(bean.getId());
}
return bean;
}
}
MainController:
package com.springboot.shiro.demo.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* @Name:
* @Description: 用户登录、登出、错误页面跳转控制器
* @Author:[email protected]
* @Date:2019/7/19 10:16
*/
@Controller
public class MainController {
@RequestMapping("/main")
public String index(HttpServletRequest request, HttpServletResponse response){
response.setHeader("root", request.getContextPath());
return "index";
}
@RequestMapping("/toLogin")
public String toLogin(HttpServletRequest request, HttpServletResponse response){
response.setHeader("root", request.getContextPath());
return "login";
}
@RequestMapping("/login")
public String login(HttpServletRequest request, HttpServletResponse response){
response.setHeader("root", request.getContextPath());
String userName = request.getParameter("username");
String password = request.getParameter("password");
// 1.获取Subject
Subject subject = SecurityUtils.getSubject();
// 2.封装用户数据
UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
// 3.执行登录方法
try{
subject.login(token);
return "redirect:/main";
} catch (UnknownAccountException e){
e.printStackTrace();
request.setAttribute("msg","用户名不存在!");
} catch (IncorrectCredentialsException e){
request.setAttribute("msg","密码错误!");
}
return "login";
}
@RequestMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
if (subject != null) {
subject.logout();
}
return "redirect:/main";
}
@RequestMapping("/error/unAuth")
public String unAuth(){
return "/error/unAuth";
}
}
UserController:
package com.springboot.shiro.demo.controller;
import com.springboot.shiro.demo.pojo.UserBean;
import org.apache.shiro.SecurityUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
/**
* @Name:
* @Description: 用户页面跳转
* @Author:[email protected]
* @Date:2019/7/19 10:16
*/
@Controller
public class UserController {
/**
* 个人中心,需要认证可访问
*/
@RequestMapping("/user/index")
public String add(HttpServletRequest request){
UserBean bean = (UserBean) SecurityUtils.getSubject().getPrincipal();
request.setAttribute("userName", bean.getName());
return "/user/index";
}
/**
* 会员中心,需认证且角色为vip可访问
*/
@RequestMapping("/vip/index")
public String update(){
return "/vip/index";
}
}
1、login.html:
登录
用户登录
index.html 首页:
首页
首页
/user/index.html 用户中心:
用户中心
用户中心
欢迎${userName!},这里是用户中心
/vip/index.html 会员中心:
会员中心
会员中心
欢迎来到会员中心
/error/unAuth.html 未授权展示页面:
未授权提示
您还不是会员,没有权限访问这个页面!
普通用户身份:
输入账号密码后,进入页面:
点击个人中心:
若是点击会员中心:
会员身份登录:
因为会员拥有最高权限,所以可以访问所有页面:
本次demo学习全是借鉴 https://blog.csdn.net/qq_34802416/article/details/84959457
这篇文章来进行的,通过自己亲手搭建了一遍这个简单的demo,更加容易的学习到了springboot+shiro的整合以及shiro的工作原理。