SpringBoot + Shiro实战:实现Web应用的用户登录认证、Cookie自动登录和注销

一、后端

1.1 Shiro依赖

pom.xml


	org.apache.shiro
	shiro-spring
	1.4.0-RC2


1.2 登录实体类

用于存放登录的用户名、密码,并且回显员工姓名的实体类:
Employee.java

package com.jake.bpmmanager.pojo;

import lombok.Data;

@Data
public class Employee {

    private String account;

    private String password;

    private String familyName;

    private String firstName;
}

1.3 Shiro域

Realm:域,Shiro 从从 Realm 获取安全数据(如用户、角色、权限),就是说 SecurityManager 要验证用户身份,那么它需要从 Realm 获取相应的用户进行比较以确定用户身份是否合法;也需要从 Realm 得到用户相应的角色 / 权限进行验证用户是否能进行操作;可以把 Realm 看成 DataSource,即安全数据源。
BPMShiroRealm.java

package com.jake.bpmmanager.realm;

import com.jake.bpmmanager.pojo.Employee;
import com.jake.bpmmanager.service.EmployeeService;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;

public class BPMShiroRealm extends SimpleAccountRealm {

    @Autowired
    private EmployeeService employeeService;

    @Autowired
    private RedisTemplate redisTemplate;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String account = token.getPrincipal().toString();
        Employee emp = employeeService.getEmployeeByAccount(account);
        String empName = emp.getFamilyName() + emp.getFirstName();
        redisTemplate.opsForValue().set(account, empName);
        String password = emp.getPassword();
        if (password == null) {
            return null;
        }

        return new SimpleAuthenticationInfo(account, password, getName());

    }
}

1.4 Shiro配置

Shiro的核心配置类
ShiroConfig.java

package com.jake.bpmmanager.config;

import com.jake.bpmmanager.realm.BPMShiroRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.web.filter.authc.LogoutFilter;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig {

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

        shiroFilterFactoryBean.setSecurityManager(securityManager);
        shiroFilterFactoryBean.setLoginUrl("/login.html");
        shiroFilterFactoryBean.setSuccessUrl("/index.html");

        Map filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/css/**", "anon");
        filterChainDefinitionMap.put("/authentication", "anon"); // 认证接口,最好位于根路径下。
        filterChainDefinitionMap.put("/logout", "logout"); // Shiro自带的注销接口
        filterChainDefinitionMap.put("/**", "user"); // 已经登录后,所有接口都能被当前用户访问。
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        Map filterMap = new HashMap<>();
        filterMap.put("logout", logoutFilter());
        shiroFilterFactoryBean.setFilters(filterMap);

        return shiroFilterFactoryBean;
    }

    private LogoutFilter logoutFilter() {
        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setRedirectUrl("/login.html");
        return  logoutFilter;
    }

    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(BPMShiroRealm());
        securityManager.setRememberMeManager(cookieRememberMeManager());
        return securityManager;
    }

    @Bean
    public Realm BPMShiroRealm() {
        return new BPMShiroRealm();
    }

    @Bean
    public CookieRememberMeManager cookieRememberMeManager() {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCookie(rememberMeCookie());
        return cookieRememberMeManager;
    }

    @Bean
    public SimpleCookie rememberMeCookie() {
        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
        simpleCookie.setMaxAge(3600);
        return simpleCookie;
    }

}

1.5 登录接口

authentication:用户名密码+是否自动登录的校验接口
visitor:index.html的访客姓名回显接口
LoginController.java

package com.jake.bpmmanager.controller;

import com.jake.bpmmanager.constant.URL;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@RestController
public class LoginController {

    @Autowired
    private RedisTemplate redisTemplate;

    @GetMapping("authentication")
    public void authenticate(String account, String password, String rememberMe,
                             HttpServletResponse response) {
        Boolean isRemembered = StringUtils.isNotEmpty(rememberMe);
        UsernamePasswordToken token = new UsernamePasswordToken(account, password, isRemembered);
        Subject subject = SecurityUtils.getSubject();
        URL url = new URL();
        try {
            subject.login(token);
            url.setRedirectURL("");
        } catch (AuthenticationException e) {
            e.printStackTrace();
            url.setRedirectURL(URL.LOGIN_PAGE);
        } finally {
            try {
                response.sendRedirect(url.getRedirectURL());
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

    }

    @GetMapping("visitor")
    public String getEmployeeName() {
        Subject currentSubject = SecurityUtils.getSubject();
        if (currentSubject == null || currentSubject.getPrincipal() == null) {
            return "ERROR";
        }
        return redisTemplate.opsForValue().get(currentSubject.getPrincipal().toString());
    }

}

二、前端

2.1 登录页面

login.html




    
    BPM后台管理系统登录页面
    


    
    

后台管理系统


记住我:

2.2 注销

注:注销和用户名回显的HTML均包含在首页index.html中

注销

2.3 用户名回显

HTML部分:

欢迎

JS部分:

/**
 * 获取登录者姓名
 */
$.ajax({
	method: 'GET',
	cache: false,
	url: rootPath + "/visitor",
	success: function (name) {
		$('#visitor').html('' + name + '');
	}
});

你可能感兴趣的:(Spring,Boot,Shiro,JQuery)