Shiro基本介紹
Apache Shiro是Java的一個安全框架。功能強大,使用簡單的Java安全框架,它爲開發人員提供一個直觀而全面的認證,授權,加密及會話管理的解決方案。
ps:結合Springboot的話,shiro就不一定就那麼簡單了!
起步依賴
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.47</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.10</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- lombok依賴需要導入插件 -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
這邊我無腦把所有依賴都加上了,主要是shiro-spring這個依賴。
在數據庫裏建表
CREATE TABLE `user` (
`id` int(45) NOT NULL COMMENT 'id',
`username` varchar(255) DEFAULT NULL COMMENT '用戶名',
`password` varchar(255) DEFAULT NULL COMMENT '密碼',
`perms` varchar(255) CHARACTER SET utf8 DEFAULT NULL COMMENT '權限',
PRIMARY KEY (`id`) USING BTREE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
配置文件application.yml
spring:
datasource:
url: jdbc:mysql://localhost:3306/leotemp?useUnicode=true&useSSL=false&characterEncodig=utf-8
username: root
password: 123456
driver-class-name: com.mysql.jdbc.Driver
type: com.alibaba.druid.pool.DruidDataSource
#參考來源: https://www.cnblogs.com/KuroNJQ/p/11171263.html
#配置druid數據源
druid:
#初始化大小
initialSize: 5
#最小值
minIdle: 5
#最大值
maxActive: 20
#最大等待時間,配置獲取連接等待超時,時間單位都是毫秒ms
maxWait: 60000
#配置間隔多久才進行一次檢測,檢測需要關閉的空閒連接
timeBetweenEvictionRunsMillis: 60000
#配置一個連接在池中最小生存的時間
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
poolPreparedStatements: true
# 配置監控統計攔截的filters,去掉後監控界面sql無法統計,
#'wall'用於防火牆,SpringBoot中沒有log4j,我改成了log4j2
filters: stat,wall,log4j2
#最大PSCache連接
maxPoolPreparedStatementPerConnectionSize: 20
useGlobalDataSourceStat: true
# 通過connectProperties屬性來打開mergeSql功能;慢SQL記錄
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
mybatis:
mapper-locations: classpath:mapper/*.xml
type-aliases-package: com.example.bean
實體類 User.java
下面三個註解是lombok的,如果你沒有lombok插件要麼重新安裝,要麼自己寫getset方法和有參無參構造!
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
/**
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 23:32
*/
@Data
@NoArgsConstructor
@AllArgsConstructor
public class User
{
private int id;
private String username;
private String password;
private String perms;
}
沒什麼好說的,不解釋
UserMapper.java
import org.springframework.stereotype.Repository;
/**
* @Repository註解,不加也行,但是引用mapper會報錯!
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 23:34
*/
@Repository
public interface UserMapper
{
User queryUserByName(@Param("username") String name, @Param("password") String password);
}
沒什麼好說的,不解釋
UserMapper.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper
PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.mapper.UserMapper">
<select id="queryUserByName" parameterType="String" resultType="com.example.bean.User">
select * from user where username= #{username} and password= #{password}
</select>
</mapper>
沒什麼好說的,不解釋
UserService.java
/**
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 23:40
*/
public interface UserService
{
User queryUserByName(String name,String password);
}
沒什麼好說的,不解釋
UserServiceImpl.java
import com.example.bean.User;
import com.example.mapper.UserMapper;
import com.example.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
/**
* 去除idea @AutoWired下的黃線
* https://blog.csdn.net/ligh_sqh/article/details/79384839?utm_source=blogxgwz3?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-1
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 23:41
*/
@Service
public class UserServiceImpl implements UserService
{
@Autowired
private UserMapper userMapper;
@Override
public User queryUserByName(String name,String password)
{
return userMapper.queryUserByName(name,password);
}
}
沒什麼好說的,不解釋
HelloController.java
控制頁面跳轉
package com.example.controller;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 21:40
*/
@Controller
@Slf4j
public class HelloController
{
@RequestMapping({"/", "/index"})
public String toIndex(Model model)
{
model.addAttribute("msg", "hello");
return "index";
}
@RequestMapping("/user/add")
public String add()
{
return "/user/add";
}
@RequestMapping("/user/update")
public String update()
{
return "/user/update";
}
@RequestMapping("/toLogin")
public String toLogin()
{
return "login";
}
@RequestMapping("/login")
public String login(String username, String password)
{
//獲取當前用戶
Subject subject = SecurityUtils.getSubject();
//封裝用戶的登陸數據
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try
{
subject.login(token);
return "index";
} catch (UnknownAccountException e)
{
e.printStackTrace();
return "login";
}
}
@RequestMapping("/unAuthorized")
@ResponseBody
public String unAuthorized()
{
return "未經授權無法訪問此頁面!";
}
@RequestMapping("/logout")
public String logout(HttpServletResponse resp)
{
//得到當前 Subject
Subject currentSubject = SecurityUtils.getSubject();
//註銷當前 Subject
currentSubject.logout();
resp.setStatus(302);
return "redirect:login";
}
}
這裏面和shiro有關係的代碼其實就是最後那點,其餘的就是跳轉頁面用的。
//獲取當前用戶
Subject subject = SecurityUtils.getSubject();
//封裝用戶的登陸數據
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
subject.login(token);
進入Subject.java
void login(AuthenticationToken token) throws AuthenticationException;
看UsernamePasswordToken.java
/**
* Constructs a new UsernamePasswordToken encapsulating the username and password submitted
* during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and
* a <tt>rememberMe</tt> default of <tt>false</tt>
* <p/>
* 譯文:
* 構造一個新的UsernamePasswordToken,封裝提交的用戶名和密碼
*在驗證過程中,使用null {@link #getHost()主機}和
* a rememberMe默認false
* <p>This is a convenience constructor and maintains the password internally via a character
* array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a String
* in your code could have possible security implications as noted in the class JavaDoc.</p>
*
* @param username the username submitted for authentication
* @param password the password string submitted for authentication
*/
public UsernamePasswordToken(final String username, final String password) {
this(username, password != null ? password.toCharArray() : null, false, null);
}
UsernamePasswordToken的實現類HostAuthenticationToken, RememberMeAuthenticationToken都繼承了AuthenticationToken
shiro配置
ShiroConfig.java
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
/**
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 21:51
*/
@Configuration
public class ShiroConfig
{
/**
* anon: 無需認證即可訪問
* authc: 需要認證纔可訪問
* user: 點擊“記住我”功能可訪問
* perms: 擁有權限纔可以訪問
* role: 擁有某個角色權限才能訪問
*/
@Bean
public UserRealm userRealm()
{
return new UserRealm();
}
@Bean
public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm)
{
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(userRealm);
return manager;
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager)
{
//設置安全管理器
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
LinkedHashMap<String, String> map = new LinkedHashMap<>();
map.put("/user/add","perms[user:add]");
map.put("/user/update","perms[user:update]");
// map.put("/user/update","authc");
//設置登出
map.put("/logout","logout");
//設置授權
shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized");
shiroFilterFactoryBean.setLoginUrl("/toLogin");
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
}
shiro配置的三元素
- realm
- DefaultWebSecurityManager
- ShiroFilterFactoryBean
這三個配置元素是一個套着一個的,第二個套着第一個,第三個套着第二個
shiro的過濾器
使用LinkedHashMap,設置每個頁面的權限;
anon: 無需認證即可訪問
authc: 需要認證纔可訪問
user: 點擊“記住我”功能可訪問
perms: 擁有權限纔可以訪問
role: 擁有某個角色權限才能訪問
anon:例子/admins/**=anon 沒有參數,表示可以匿名使用。
authc:例如/admins/user/**=authc表示需要認證(登錄)才能使用,沒有參數
roles(角色):例子/admins/user/=roles[admin],參數可以寫多個,多個時必須加上引號,並且參數之間用逗號分割,當有多個參數時,例如admins/user/=roles[“admin,guest”],每個參數通過纔算通過,相當於hasAllRoles()方法。
perms(權限):例子/admins/user/=perms[user:add:*],參數可以寫多個,多個時必須加上引號,並且參數之間用逗號分割,例如/admins/user/=perms[“user:add:,user:modify:”],當有多個參數時必須每個參數都通過才通過,想當於isPermitedAll()方法。
rest:例子/admins/user/=rest[user],根據請求的方法,相當於/admins/user/=perms[user:method] ,其中method爲post,get,delete等。
port:例子/admins/user/**=port[8081],當請求的url的端口不是8081是跳轉到schemal://serverName:8081?queryString,其中schmal是協議http或https等,serverName是你訪問的host,8081是url配置裏port的端口,queryString是你訪問的url裏的?後面的參數。
authcBasic:例如/admins/user/**=authcBasic沒有參數表示httpBasic認證
ssl:例子/admins/user/**=ssl沒有參數,表示安全的url請求,協議爲https
user:例如/admins/user/**=user沒有參數表示必須存在用戶,當登入操作時不做檢查
UserRealm.java
import com.example.bean.User;
import com.example.service.UserService;
import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
/**
* @author 朝花不遲暮
* @version 1.0
* @date 2020/6/15 21:55
*/
@Slf4j
public class UserRealm extends AuthorizingRealm
{
@Autowired
UserService userService;
//授權
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection)
{
log.info("------------------>執行了授權");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// info.addStringPermission("user:add");
//獲取當前登錄用戶的信息
Subject subject = SecurityUtils.getSubject();
User currentUser = (User) subject.getPrincipal();
info.addStringPermission(currentUser.getPerms());
return info;
}
//認證
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException
{
log.info("------------------>執行了認證");
//token裏有用戶名和密碼,因爲強轉成了UsernamePasswordToken
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
char[] password = token.getPassword();
String password1 = String.valueOf(password);
log.info("{password}---->"+password1);
User user = userService.queryUserByName(token.getUsername(),password1);
log.info("{user}---->"+user.toString());
if (user == null)
{
return null;
}
return new SimpleAuthenticationInfo(user, user.getPassword(), "");
}
}
Realm核心:
通過繼承AuthorizingRealm重寫其中的方法
一、認證:
token裏有用戶名和密碼,因爲強轉成了UsernamePasswordToken,之前在控制層裏存放了用戶名和密碼;
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
通過token裏面的名字獲取用戶信息!
User user = userService.queryUserByName(token.getUsername());
把通過認證的用戶信息返回!
return new SimpleAuthenticationInfo(user, user.getPassword(), "");
二、授權:
//獲取當前登錄用戶的信息
Subject subject = SecurityUtils.getSubject();
User currentUser = (User) subject.getPrincipal();
通過SimpleAuthorizationInfo中addStringPermission方法,給當前用戶添加權限。代碼中是獲取數據庫中的權限!
前臺模板
index.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>首頁</title>
</head>
<body>
<p th:text="${msg}"></p>
<hr>
<a th:href="@{/user/add}">add</a>|<a th:href="@{/user/update}">update</a>
</body>
</html>
login.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>登陸</title>
</head>
<body>
<h1>登陸</h1>
<form th:action="@{/login}">
<input type="text" name="username" placeholder="請輸入用戶名">
<input type="password" name="password" placeholder="請輸入密碼">
<input type="submit">
</form>
</body>
</html>
logout.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>logout</title>
</head>
<body>
<div th:fragment="myfooter">
<div class="footer">
<a th:href="@{/logout}">退出登錄</a>
</div>
</div>
</body>
</html>
創建user文件夾裏面再放兩個HTML
add.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>add</title>
</head>
<body>
<p>add</p>
<hr/>
<div th:replace="logout :: myfooter"></div>
</body>
</html>
update.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>update</title>
</head>
<body>
<p>update</p>
<hr/>
<div th:replace="logout :: myfooter"></div>
</body>
</html>
最後在數據庫裏插入兩個用戶並配置權限
登陸首頁
點擊add,跳轉到登錄頁面
使用root角色進入,而root正好有add頁面的權限
成功,而再看看能不能進入update頁面?
就會報沒有權限的提示,這個是在配置類裏面,有個未授權的跳轉配置
shiroFilterFactoryBean.setUnauthorizedUrl("/unAuthorized");
碼雲:https://gitee.com/thirtyleo/java_training_ground/tree/master/Character4
ps:對這篇博客做了一次改動
增加了logout登出功能;
修改了前端頁面,增加了登出模塊;
修改了用戶認證方式,由原來的校驗數據庫名稱改爲校驗用戶名和密碼;