spring整合shiro
- 我使用的是Gradle,spring整合shiro需要的依賴
//安全限制框架shiro
'org.apache.shiro:shiro-web:1.2.4',
'org.apache.shiro:shiro-core:1.2.4',
'org.apache.shiro:shiro-spring:1.2.4',
'org.apache.shiro:shiro-ehcache:1.2.4',
- web.xml中的配置:
<!-- 配置Shiro過濾器,先讓Shiro過濾系統接收到的請求 -->
<!-- 這裏filter-name必須對應applicationContext.xml中定義的<bean id="shiroFilter"/> -->
<!-- 使用[/*]匹配所有請求,保證所有的可控請求都經過Shiro的過濾 -->
<!-- 通常會將此filter-mapping放置到最前面(即其他filter-mapping前面),以保證它是過濾器鏈中第一個起作用的 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- 該值缺省爲false,表示生命週期由SpringApplicationContext管理,設置爲true則表示由ServletContainer管理 -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- 編寫自己的UserRealm類繼承自Realm,主要實現認證和授權的管理操作
package com.jay.demo.shiro;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.jay.demo.bean.Permission;
import com.jay.demo.bean.Role;
import com.jay.demo.bean.User;
import com.jay.demo.service.UserService;
public class UserRealm extends AuthorizingRealm{
@Autowired
private UserService userService;
/**
* 授權操作
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// String username = (String) getAvailablePrincipal(principals);
String username = (String) principals.getPrimaryPrincipal();
Set<Role> roleSet = userService.findUserByUsername(username).getRoleSet();
//角色名的集合
Set<String> roles = new HashSet<String>();
//權限名的集合
Set<String> permissions = new HashSet<String>();
Iterator<Role> it = roleSet.iterator();
while(it.hasNext()){
roles.add(it.next().getName());
for(Permission per:it.next().getPermissionSet()){
permissions.add(per.getName());
}
}
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roles);
authorizationInfo.addStringPermissions(permissions);
return authorizationInfo;
}
/**
* 身份驗證操作
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
User user = userService.findUserByUsername(username);
if(user==null){
//木有找到用戶
throw new UnknownAccountException("沒有找到該賬號");
}
/* if(Boolean.TRUE.equals(user.getLocked())) {
throw new LockedAccountException(); //帳號鎖定
} */
/**
* 交給AuthenticatingRealm使用CredentialsMatcher進行密碼匹配,如果覺得人家的不好可以在此判斷或自定義實現
*/
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName());
return info;
}
@Override
public String getName() {
return getClass().getName();
}
}
- spring-shiro.xml配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<description>Shiro 配置</description>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/500.jsp"/>
<property name="successUrl" value="/500.jsp"/>
<property name="unauthorizedUrl" value="/500.jsp"/>
<property name="filterChainDefinitions">
<value>
<!--anno 不攔截-->
<!--authc 攔截-->
/login.jsp* = anon
/login.do* = anon
/index.jsp*= anon
/error/noperms.jsp*= anon
/*.jsp* = authc
/*.do* = authc
</value>
</property>
</bean>
<!--添加securityManager定義 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--設置自定義realm -->
<property name="realm" ref="monitorRealm"/>
</bean>
<!--配置ehcache-->
<bean id = "cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
<!-- 保證實現了Shiro內部lifecycle函數的bean執行-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!--自定義Realm 繼承自AuthorizingRealm -->
<bean id="monitorRealm" class="com.tutechan.service.MonitorRealm"></bean>
<!-- securityManager -->
<!--<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager" />
<property name="arguments" ref="securityManager" />
</bean>-->
<!--如果使用Shiro相關的註解,需要在springmvc-servlet.xml中配置一下信息-->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
- Shiro權限管理的過濾器解釋
默認過濾器(10個)
anon -- org.apache.shiro.web.filter.authc.AnonymousFilter
authc -- org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic -- org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms -- org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port -- org.apache.shiro.web.filter.authz.PortFilter
rest -- org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles -- org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl -- org.apache.shiro.web.filter.authz.SslFilter
user -- org.apache.shiro.web.filter.authc.UserFilter
logout -- org.apache.shiro.web.filter.authc.LogoutFilter| 過濾器名字 | 例子 | 解釋 |
|---|---|---|
| anon | /admins/**=anon | 沒有參數,表示可以匿名使用 |
| authc | /admins/user/**=authc | 表示需要認證(登錄)才能使用,沒有參數 |
| roles | /admins/user/**=roles[admin] | 參數可以寫多個,多個時必須加上引號,並且參數之間用逗號分割,當有多個參數時,例如admins/user/**=roles[“admin,guest”],每個參數通過纔算通過,相當於hasAllRoles()方法。 |
| perms | /admins/user/*=perms[user:add:] | 參數可以寫多個,多個時必須加上引號,並且參數之間用逗號分割,例如/admins/user/*=perms[“user:add:,user:modify:*”],當有多個參數時必須每個參數都通過才通過,想當於isPermitedAll()方法。 |
| rest | /admins/user/**=rest[user] | 根據請求的方法,相當於/admins/user/**=perms[user:method] ,其中method爲post,get,delete等。 |
| port | /admins/user/**=port[8081] | 當請求的url的端口不是8081是跳轉到 |
| schemal | //serverName:8081?queryStrin | 其中schmal是協議http或https等, |
| serverName | 是你訪問的host,8081是url配置裏port的端口 | queryString是你訪問的url裏的?後面的參數。 |
| authcBasic | /admins/user/**=authcBasic | 有參數表示httpBasic認證 |
| ssl | /admins/user/**=ssl | 沒有參數,表示安全的url請求,協議爲https |
| user | /admins/user/**=user | 沒有參數表示必須存在用戶,當登入操作時不做檢查 |
- 關於shiro標籤的使用
| 標籤 | 釋義 |
|---|---|
| < shiro:authenticated> | 登錄之後 |
| < shiro:notAuthenticated> | 不在登錄狀態時 |
| < shiro:guest> | 用戶在沒有RememberMe時 |
| < shiro:user> | 用戶在RememberMe時 |
| < shiro:hasAnyRoles name=”abc,123” > | 在有abc或者123角色時 |
| < shiro:hasRole name=”abc”> | 擁有角色abc |
| < shiro:lacksRole name=”abc”> | 沒有角色abc |
| < shiro:hasPermission name=”abc”> | 擁有權限abc |
| < shiro:lacksPermission name=”abc”> | 沒有權限abc |
| < shiro:principal> | 顯示用戶登錄名 |
從零開始學shiro
- 1 shiro.ini
[users]
benny=123456
- 2 TestShiroController
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static void main(String[] args) {
//讀取配置文件,初始化SecurityManger工廠
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
//獲取secirutimanager實例
SecurityManager securityManager = factory.getInstance();
//把SecurityManager實例綁定到SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//得到當前用戶
Subject currentUser = SecurityUtils.getSubject();
//創建token令牌,用戶名/密碼
UsernamePasswordToken token = new UsernamePasswordToken("benny", "1234");
try {
currentUser.login(token);
LOGGER.info("登錄成功");
} catch (AuthenticationException e) {
e.printStackTrace();
LOGGER.info("登錄成功");
}
}
}
- 3 打印結果
2016-01-30 11:11:05 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-30 11:11:05 [main] INFO com.ttc.controller.TestShiroController(35) - 登錄成功從零開始學shiro第二部
上述的內容在實際中,基本不會用,因爲用戶名在實際生產中都是存在數據庫中的,下面我們來學習jdbcRealm(此單詞是域的意思).
- 1:配置jdbc_realm.ini
[main]
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
//配置的是alibab的數據庫連接池druid
dataSource=com.alibaba.druid.pool.DruidDataSource
//driverClassName
dataSource.driverClassName=com.mysql.jdbc.Driver
//url
dataSource.url=jdbc:mysql://localhost:3306/blog
dataSource.username=root
dataSource.password=1314
jdbcRealm.dataSource=$dataSource
securityManager.realm=$jdbcRealm配置c3p0數據庫連接池
[main]
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
//配置c3p0數據庫連接池與druid不同的是參數不同
dataSource=com.mychange.v2.c3p0.ComboPooledDataSource
//driverClass
dataSource.driverClass=com.mysql.jdbc.Driver
//jdbcUrl
dataSource.jdbcUrl=jdbc:mysql://localhost:3306/blog
//user
dataSource.user=root
dataSource.password=1314
jdbcRealm.dataSource=$dataSource
securityManager.realm=$jdbcRealm建立數據庫
- 1:新建數據庫(名字任意取)
- 2:新建用戶表(名字必須爲users)
- 3:新建字段用戶名和密碼(用戶名:username,密碼:password)
測試的Controller
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static void main(String[] args) {
//讀取配置文件,初始化SecurityManger工廠
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:jdbc_realm.ini");
//獲取secirutimanager實例
SecurityManager securityManager = factory.getInstance();
//把SecurityManager實例綁定到SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//得到當前用戶
Subject currentUser = SecurityUtils.getSubject();
//創建token令牌,用戶名/密碼
UsernamePasswordToken token = new UsernamePasswordToken("benny", "1234");
try {
currentUser.login(token);
LOGGER.info("登錄成功");
} catch (AuthenticationException e) {
e.printStackTrace();
LOGGER.info("登錄成功");
}
//退出當前用戶
benny.logout();
}
}打印結果
2016-01-30 23:52:27 [main] INFO org.apache.shiro.realm.AuthorizingRealm(248) - No cache or cacheManager properties have been set. Authorization cache cannot be obtained.
2016-01-30 23:52:27 [main] INFO org.apache.shiro.config.IniSecurityManagerFactory(112) - Realms have been explicitly set on the SecurityManager instance - auto-setting of realms will not occur.
2016-01-30 23:52:27 [main] INFO com.alibaba.druid.pool.DruidDataSource(669) - {dataSource-1} inited
2016-01-30 23:52:28 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-30 23:52:28 [main] INFO com.ttc.controller.TestShiroController(31) - 登錄成功
Disconnected from the target VM, address: '127.0.0.1:50480', transport: 'socket'從零開始shiro——授權
- 1:權限認證,
也就是訪問控制,即在應用中控制能訪問哪些資源。
在權限認證中,最核心的三個要素是,權限,角色,用戶。
權限:及操作資源的權利,比如訪問某個頁面,以及對某個模塊的數據的添加,修改,刪除,查看的權利,url的請求。
角色:權限的集合,一個角色可以有很多權限。
用戶,在shiro中,代表訪問系統的用戶,即subject。
- 2:授權
- (1):編程式授權
- 基於角色的訪問控制
ShiroUtil:封裝成一個工具類,方便調用。
package com.ttc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* @author by benny on 2016/1/31.
* @version 1.0
* @description
*/
public final class ShiroUtil {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
public static Subject login(String iniPath, String username, String password) {
Factory<SecurityManager> factory = new IniSecurityManagerFactory(iniPath);
SecurityManager instance = factory.getInstance();
SecurityUtils.setSecurityManager(instance);
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
subject.login(token);
LOGGER.info("登錄成功");
} catch (AuthenticationException e) {
e.printStackTrace();
}
return subject;
}
}shiro_role.ini
//注意:此處是[users]
[users]
benny=1234,role1,role2,role3
jack=1234,role1測試的Controller
package com.ttc.controller;
import org.apache.shiro.subject.Subject;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Arrays;
/**
* @author by benny on 2016/1/30.
* @version 1.0
* @description
*/
public class TestShiroController {
public static final Logger LOGGER = LoggerFactory.getLogger(TestShiroController.class);
@Test
public void testShiroRole() {
//獲得登錄用戶
Subject benny = ShiroUtil.login("shiro_role.ini", "benny", "1234");
//判斷用戶是否有role1的權限
LOGGER.info(benny.hasRole("role1") ? "有role1的權限" : "沒有role1的權限");
//數組的形式判斷是否有此權限
boolean results[] = benny.hasRoles(Arrays.asList("role1", "role2"));
LOGGER.info(results[0] ? "有role1的權限" : "沒有role1的權限");
LOGGER.info(results[1] ? "有role2的權限" : "沒有role2的權限");
//判斷用戶是否有此權限
LOGGER.info(benny.hasAllRoles(Arrays.asList("role1", "role2")) ? "有role1和role2的權限" : "沒有role1和role2的權限");
//checkRole沒有返回值,如果沒有此權限直接拋出異常
benny.checkRole("role1");
benny.checkRoles(Arrays.asList("role1", "role2"));
//或者
benny.checkRoles("role1", "role2");
//退出當前用戶
benny.logout();
}
}
- 基於權限的訪問控制
shiro_permitted.ini
[users]
benny=1234,role1,role2
jack =1234,role3
[roles]
role1=user:select,user:update
role2=user:insert
role3=user:delete測試方法:
/**
* 判斷用戶是否有此權限
*/
@Test
public void TestIsPermitted(){
Subject benny = ShiroUtil.login("shiro_permitted.ini", "benny", "1234");
//判斷用戶是否有select的權限
LOGGER.info(benny.isPermitted("user:select")?"有select權限":"沒有select的權限");
//判斷用戶是否有以下所有的權限
boolean[] permitted = benny.isPermitted("user:select", "user:update", "user:delete");
LOGGER.info(permitted[0]?"有select的權限":"沒有select的權限");
LOGGER.info(permitted[1]?"有update的權限":"沒有update的權限");
LOGGER.info(permitted[2]?"有delete的權限":"沒有delete的權限");
//判斷用戶是否有所有權限
LOGGER.info(benny.isPermittedAll("user:select", "user:update","user:delete")?"擁有權限":"沒有權限");
//檢查用戶是否有所有權限,有則通過,沒有拋出異常
benny.checkPermission("user:select");
//檢查用戶是否有所有權限
benny.checkPermissions("user:select", "user:update", "user:delete");
//退出當前用戶
benny.logout();
}打印結果:
2016-01-31 10:51:52 JRebel: 2016-01-31 10:51:53 JRebel: Monitoring Log4j configuration in 'file:/E:/hellofdssd/ttc-blog/ttc-core/build/resources/main/log4j.properties'.2016-01-31 10:51:53 [main] INFO org.apache.shiro.session.mgt.AbstractValidatingSessionManager(230) - Enabling session validation scheduler...
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(29) - 登錄成功
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(51) - 有select權限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(55) - 有select的權限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(56) - 有update的權限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(57) - 沒有delete的權限
2016-01-31 10:51:53 [main] INFO com.ttc.controller.TestShiroController(60) - 沒有權限
- (2):註解式授權
(3):jsp標籤授權
3:授權流程