Subject:主体,可以看到主体可以是任何可以与应用交互的“用户”;
SecurityManager:相当于SpringMVC中的DispatcherServlet或者Struts2中的FilterDispatcher;是Shiro的心脏;所有具体的交互都通过SecurityManager进行控制;它管理着所有Subject、且负责进行认证和授权、及会话、缓存的管理。
Authenticator:认证器,负责主体认证的,这是一个扩展点,如果用户觉得Shiro默认的不好,可以自定义实现;其需要认证策略(Authentication Strategy),即什么情况下算用户认证通过了;
Authrizer:授权器,或者访问控制器,用来决定主体是否有权限进行相应的操作;即控制着用户能访问应用中的哪些功能;
Realm:可以有1个或多个Realm,可以认为是安全实体数据源,即用于获取安全实体的;可以是JDBC实现,也可以是LDAP实现,或者内存实现等等;由用户提供;注意:Shiro不知道你的用户/权限存储在哪及以何种格式存储;所以我们一般在应用中都需要实现自己的Realm;
SessionManager:如果写过Servlet就应该知道Session的概念,Session呢需要有人去管理它的生命周期,这个组件就是SessionManager;而Shiro并不仅仅可以用在Web环境,也可以用在如普通的JavaSE环境、EJB等环境;所有呢,Shiro就抽象了一个自己的Session来管理主体与应用之间交互的数据;这样的话,比如我们在Web环境用,刚开始是一台Web服务器;接着又上了台EJB服务器;这时想把两台服务器的会话数据放到一个地方,这个时候就可以实现自己的分布式会话(如把数据放到Memcached服务器);
SessionDAO:DAO大家都用过,数据访问对象,用于会话的CRUD,比如我们想把Session保存到数据库,那么可以实现自己的SessionDAO,通过如JDBC写到数据库;比如想把Session放到Memcached中,可以实现自己的Memcached SessionDAO;另外SessionDAO中可以使用Cache进行缓存,以提高性能;
CacheManager:缓存控制器,来管理如用户、角色、权限等的缓存的;因为这些数据基本上很少去改变,放到缓存中后可以提高访问的性能
Cryptography:密码模块,Shiro提高了一些常见的加密组件用于如密码加密/解密的。
登录成功后,要存入subject,不然后续一点击菜单就会弹出
//登录成功时 controller中
// 根据获取的用户名和密码封装成Token
UsernamePasswordToken token = new UsernamePasswordToken(
account, systemAdmin.getSaPwd());
// 是否记住用户
token.setRememberMe(false);
token.setHost(request.getRemoteHost());
// 获取当前的subject
Subject subject = SecurityUtils.getSubject();
subject.login(token);
spring-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- 自定义的Realm -->
<bean id="shiroRealm" class="com.komlin.component.shiro.ShiroRealm"></bean>
<!-- Ehcache缓存管理器 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager" >
<property name="cacheManagerConfigFile" value="classpath:/spring/ehcache-shiro.xml"></property>
</bean>
<!-- Shiro默认会使用Servlet容器的Session,可通过sessionMode属性来指定使用Shiro原生Session -->
<!-- 即<property name="sessionMode" value="native"/>,详细说明见官方文档 -->
<!-- 这里主要是设置自定义的单Realm应用,若有多个Realm,可使用'realms'属性代替 -->
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="shiroRealm"></property>
<property name="cacheManager" ref="cacheManager"></property>
</bean>
<!-- Shiro主过滤器本身功能十分强大,其强大之处就在于它支持任何基于URL路径表达式的、自定义的过滤器的执行 -->
<!-- Web应用中,Shiro可控制的Web请求必须经过Shiro主过滤器的拦截,Shiro对基于Spring的Web应用提供了完美的支持 -->
<bean id="shiroFilter" class="com.komlin.component.shiro.ShiroPermissionFactory">
<!-- shiro的安全接口,必须配置的属性 -->
<property name="securityManager" ref="securityManager"></property>
<!-- 登录时的链接 -->
<property name="loginUrl" value="/"></property>
<!-- <property name="successUrl" value="/member/main"></property> -->
<!-- 用户访问未对其授权的资源时,所显示的连接 -->
<property name="unauthorizedUrl" value="/403.jsp"></property>
<!-- /error.jsp -->
<!-- Shiro连接约束配置,即过滤链的定义 -->
<!-- 此处可配合我的这篇文章来理解各个过滤连的作用http://blog.csdn.net/jadyer/article/details/12172839 -->
<!-- 下面value值的第一个'/'代表的路径是相对于HttpServletRequest.getContextPath()的值来的 -->
<!-- anon:它对应的过滤器里面是空的,什么都没做,这里.do和.jsp后面的*表示参数,比方说login.jsp?main这种 -->
<!-- authc:该过滤器下的页面必须验证后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter -->
<property name="filters">
<map>
<entry key="role">
<bean class="com.komlin.component.shiro.RoleAuthorizationFilter"/>
</entry>
<!-- <entry key="authc">
<bean
class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter" />
</entry> -->
</map>
</property>
<property name="filterChainDefinitions">
<value>
/system/login.do = anon
</value>
</property>
</bean>
<!-- 权限资源配置 -->
<!-- 保证实现了shiro内部Lifecycle函数的bean的执行 (生命周期) -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
</beans>
ehcache-shiro.xml<ehcache updateCheck="false" name="shiroCache">
<!-- name:Cache的唯一标识 maxElementsInMemory:内存中最大缓存对象数 maxElementsOnDisk:磁盘中最大缓存对象数,若是0表示无穷大
eternal:Element是否永久有效,一但设置了,timeout将不起作用 overflowToDisk:配置此属性,当内存中Element数量达到maxElementsInMemory时,Ehcache将会Element写到磁盘中
timeToIdleSeconds:设置Element在失效前的允许闲置时间。仅当element不是永久有效时使用,可选属性,默认值是0,也就是可闲置时间无穷大
timeToLiveSeconds:设置Element在失效前允许存活时间。最大时间介于创建时间和失效时间之间。仅当element不是永久有效时使用,默认是0.,也就是element存活时间无穷大
diskPersistent:是否缓存虚拟机重启期数据 diskExpiryThreadIntervalSeconds:磁盘失效线程运行时间间隔,默认是120秒
diskSpoolBufferSizeMB:这个参数设置DiskStore(磁盘缓存)的缓存区大小。默认是30MB。每个Cache都应该有自己的一个缓冲区
memoryStoreEvictionPolicy:当达到maxElementsInMemory限制时,Ehcache将会根据指定的策略去清理内存。默认策略是LRU(最近最少使用)。你可以设置为FIFO(先进先出)或是LFU(较少使用) -->
<defaultCache maxElementsInMemory="10000" eternal="false"
timeToIdleSeconds="600" timeToLiveSeconds="600" overflowToDisk="false"
diskPersistent="false" diskExpiryThreadIntervalSeconds="600"/>
</ehcache>
整理权限
package com.komlin.component.shiro;
/**
* Created by zql on 2017/7/3.
*/
public interface IFilterChainDefinitionsService {
void reloadFilterChains();
}
package com.komlin.component.shiro;
import com.komlin.modular.system.model.entity.TbSystemMenu;
import com.komlin.modular.system.model.service.RolePermService;
import com.komlin.modular.system.model.service.TbSystemMenuService;
import org.apache.log4j.Logger;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.*;
@Service
public class FilterChainDefinitionsServiceImpl implements
IFilterChainDefinitionsService {
private static Logger logger = Logger.getLogger(FilterChainDefinitionsServiceImpl.class);
@Autowired
private ShiroPermissionFactory permissFactory;
@Autowired
private RolePermService userPermService;
@Autowired
private TbSystemMenuService menuService;
@Override
public void reloadFilterChains() {
// TODO Auto-generated method stub
synchronized (permissFactory) { // 强制同步,控制线程安全
AbstractShiroFilter shiroFilter = null;
try {
shiroFilter = (AbstractShiroFilter) permissFactory.getObject();
PathMatchingFilterChainResolver resolver = (PathMatchingFilterChainResolver) shiroFilter
.getFilterChainResolver();
// 过滤管理器
DefaultFilterChainManager manager = (DefaultFilterChainManager) resolver
.getFilterChainManager();
// 清除权限配置
manager.getFilterChains().clear();
permissFactory.getFilterChainDefinitionMap().clear();
// 重新设置权限
permissFactory
.setFilterChainDefinitions(ShiroPermissionFactory.definition);// 传入配置中的filterchains
Map<String, String> chains = permissFactory
.getFilterChainDefinitionMap();
// 重新生成过滤链
if (!CollectionUtils.isEmpty(chains)) {
for (String key : chains.keySet()) {
String val = chains.get(key);
manager.createChain(key, val);
}
// manager.createChain("/system/top.do", "roles[admin]");
// manager.createChain("/system/left.do", "roles[123]");
}
List<Map<String, Object>> myChainsList = userPermService
.getShiroPerm();
Map<String, Set<String>> myChains = new HashMap<String, Set<String>>();
if (myChainsList != null) {
// 超级管理员权限
List<TbSystemMenu> menuList = menuService.getShiroMenu();
for (TbSystemMenu sm : menuList) {
Set<String> set = new HashSet<String>();
set.add("admin");
myChains.put(sm.getSmUrl(), set);
}
// 整理权限信息
for (Map<String, Object> map : myChainsList) {
String url = map.get("url").toString();
String role = map.get("role").toString();
if (myChains.get(url) == null) {
Set<String> set = new HashSet<String>();
set.add(role);
myChains.put(url, set);
} else {
Set<String> set = myChains.get(url);
set.add(role);
}
}
// 写入权限信息
for (String key : myChains.keySet()) {
Set<String> roleSet = myChains.get(key);
String role = "";
if (roleSet.size() > 0) {
for (String r : roleSet)
role += r + ",";
role = role.substring(0, role.length() - 1);
logger.debug("/" + key + ",role[" + role + "]");
manager.createChain("/" + key, "role[" + role + "]");
}
}
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
角色过滤器
package com.komlin.component.shiro;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
/**
* 重写角色权限过滤器,是当前请求只需满足一个角色即可访问
*
* @author Asan
*
*/
public class RoleAuthorizationFilter extends RolesAuthorizationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object mappedValue) throws IOException {
final Subject subject = getSubject(request, response);
final String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) {
// no roles specified, so nothing to check - allow access.
return true;
}
for (String roleName : rolesArray) {
if (subject.hasRole(roleName)) {
return true;
}
}
return false;
}
}
package com.komlin.component.shiro;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import java.util.HashMap;
import java.util.Map;
/**
* Created by zql on 2017/7/3.
*/
public class ShiroPermissionFactory extends ShiroFilterFactoryBean {
/** 记录配置中的过滤链 */
public static String definition = "";
/**
* 初始化设置过滤链
*/
@Override
public void setFilterChainDefinitions(String definitions) {
definition = definitions;// 记录配置的静态过滤链
Map<String, String> otherChains = new HashMap<String, String>();
// 加载配置默认的过滤链
Ini ini = new Ini();
ini.load(definitions);
Ini.Section section = ini
.getSection(IniFilterChainResolverFactory.URLS);
if (CollectionUtils.isEmpty(section)) {
section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
}
// 加上数据库中过滤链
section.putAll(otherChains);
setFilterChainDefinitionMap(section);
}
}
登录验证与授权
package com.komlin.component.shiro; import com.komlin.component.utils.SpringContextUtils; import com.komlin.modular.system.model.entity.TbSystemAdmin; import com.komlin.modular.system.model.service.RolePermService; import com.komlin.modular.system.model.service.TbSystemAdminService; import com.komlin.modular.system.model.service.UserRoleService; import org.apache.commons.lang.builder.ReflectionToStringBuilder; import org.apache.commons.lang.builder.ToStringStyle; import org.apache.log4j.Logger; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.session.Session; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.Subject; import java.util.ArrayList; import java.util.List; /** * Created by zql on 2017/7/3. */ public class ShiroRealm extends AuthorizingRealm { private static Logger logger = Logger.getLogger(ShiroRealm.class); private static TbSystemAdminService userService = null; private static UserRoleService userRoleService = null; private static RolePermService userPermService = null; private void initService() { if (userService == null) { userService = (TbSystemAdminService) SpringContextUtils .getBean("systemAdminService"); } if (userRoleService == null) { userRoleService = (UserRoleService) SpringContextUtils .getBean("roleService"); } if (userPermService == null) { userPermService = (RolePermService) SpringContextUtils .getBean("permService"); } } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) { initService(); SimpleAuthorizationInfo info = null; // TODO Auto-generated method stub // 获取当前登录的用户名 String username = (String) super.getAvailablePrincipal(arg0); // 根据用户名从数据库中获取用户信息 TbSystemAdmin user = userService.getUserByAccount(username); List<String> roleList = new ArrayList<String>(); List<String> permList = new ArrayList<String>(); logger.info("对当前用户:[" + username + "]进行授权!"); if (null != user) { if ("sa".equals(user.getSaRole())) { roleList.add("admin"); } else { roleList.add(user.getSaRole()); } info = new SimpleAuthorizationInfo(); info.addRoles(roleList); info.addStringPermissions(permList); } else { throw new AuthorizationException(); } // 若该方法什么都不做直接返回null的话,就会导致任何用户访问/admin/listUser.jsp时都会自动跳转到unauthorizedUrl指定的地址 return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken arg0) throws AuthenticationException { initService(); UsernamePasswordToken token = (UsernamePasswordToken) arg0; logger.info("验证当前Subject时获取到token为" + ReflectionToStringBuilder.toString(token, ToStringStyle.MULTI_LINE_STYLE)); TbSystemAdmin user = userService.getUserByAccount(token.getUsername()); if (user != null) { AuthenticationInfo info = new SimpleAuthenticationInfo( user.getSaAccount(), user.getSaPwd(), getName()); this.setSession("user", user); return info; } return null; } /** * 将一些数据放到ShiroSession中,以便于其它地方使用 * 比如Controller,使用时直接用HttpSession.getAttribute(key)就可以取到 * @see */ private void setSession(Object key, Object value) { Subject currSubject = SecurityUtils.getSubject(); if (currSubject != null) { Session session = currSubject.getSession(); if (session != null) { logger.info("Session默认超时时间为[" + session.getTimeout() + "]毫秒"); session.setAttribute(key, value); } } } }
点击子菜单,会进下面这个来判断有木有权限
package com.komlin.component.shiro;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* Created by zql on 2017/7/3.
*/
public class SimpleFormAuthenticationFilter extends FormAuthenticationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object mappedValue) {
final Subject subject = getSubject(request, response);
final String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) {
// no roles specified, so nothing to check - allow access.
return true;
}
for (String roleName : rolesArray) {
if (subject.hasRole(roleName))
return true;
}
return false;
}
}
mapper.xml
<select id="getShiroPerm" resultType="java.util.HashMap">
select ur_id role ,sm_url url from tb_role_perm inner join tb_system_menu where
rp_sm_id = sm_id
</select>
<select id="getShiroMenu" resultMap="BaseResultMap">
select
<include refid="Base_Column_List" />
from tb_system_menu where sm_type =1 order by sm_order
</select>