ApacheShiro是一个功能强大且易于使用的Java安全框架,提供了认证,授权,加密,和会话管理。
Shiro有三大核心组件:
1)、Subject 即当前用户,在权限管理的应用程序里往往需要知道谁能够操作什么,谁拥有操作该程序的权利,shiro中则需要通过Subject来提供基础的当前用户信息,Subject 不仅仅代表某个用户,与当前应用交互的任何用户都是Subject,如网络爬虫等。所有的Subject都要绑定到SecurityManager上,与Subject的交互实际上是被转换为与SecurityManager的交互。
2)、SecurityManager 即所有Subject的管理者 ,这是Shiro框架的核心组件,可以把他看做是一个Shiro框架的全局管理组件,用于调度各种Shiro框架的服务。作用类似于SpringMVC中的DispatcherServlet, 用于拦截所有请求并进行处理。
3)、Realm Realm是用户的信息认证器和用户的权限认证器,我们需要自己来实现Realm来自定义的管理我们自己系统内部的权限规则。 SecurityManager要验证用户,需要从Realm中获取用户。可以把Realm看做是数据源。
1)、创建maven工程 2)、引入依赖包
<!--shiro核心包--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.4.0</version> </dependency> <!--日志包--> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> <version>1.6.1</version> </dependency>3)、log4j日志配置文件
log4j.rootLogger=INFO,stdout log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n4)、编写shiro的ini配置文件
[users] root=123456,admin test=666666,role1,role2 user1=666666,role1 user2=666666,role2 [roles] admin=* role1=user.html,index.html role2=user.html,menu.html配置文件中包含两个部分,用户[users]和角色[roles] 用户配置的格式是: 用户名=密码,角色1,角色…角色n
角色配置的格式是: 角色名=权限1,权限2… .权限n
5)、测试代码
import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.subject.Subject; import org.apache.shiro.util.Factory; public class ShiroTest { public static void main(String[] args) { //1、加载配置文件,创建SecurityManager工厂对象 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini"); //2、解析配置文件,并返回一些securityManager实例 SecurityManager securityManager = factory.getInstance(); //3、将securityManager绑定给SecurityUtils SecurityUtils.setSecurityManager(securityManager); //安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关 Subject subject = SecurityUtils.getSubject(); System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录) //创建token对象 UsernamePasswordToken token = new UsernamePasswordToken("user1", "666666"); try { //进行登录验证 subject.login(token); } catch (IncorrectCredentialsException e) { System.out.println("密码不正确!");; }catch (UnknownAccountException e){ System.out.println("账号不正确!"); } System.out.println("登录"); System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin")); System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html")); subject.logout();//退出登录,登录状态都由SecurityManager管 System.out.println("当前用户是否登录:"+subject.isAuthenticated()); } }运行结果:
在实际开发中,用户名密码、角色、权限需要存在数据库中动态管理。 一个简单的Shiro+MySQL的项目需要三张表: 用户表shiro_user: 建表sql:
CREATE TABLE shiro_user ( id int PRIMARY KEY AUTO_INCREMENT, user_name varchar(50) NOT NULL, password varchar(50) );插入数据:
insert into shiro_user(user_name,password) values("admin","123456"); insert into shiro_user(user_name,password) values("test","666666"); insert into shiro_user(user_name,password) values("user1","666666"); insert into shiro_user(user_name,password) values("user2","666666");用户角色表shiro_user_role: 建表sql
CREATE TABLE shiro_user_role ( user_name varchar(50) NOT NULL, role_name varchar(50) NOT NULL );插入数据:
insert into shiro_user_role(user_name,role_name) values("admin","admin"); insert into shiro_user_role(user_name,role_name) values("test","test"); insert into shiro_user_role(user_name,role_name) values("user1","role1"); insert into shiro_user_role(user_name,role_name) values("user2","role2");角色权限表shiro_role_permission: 建表sql
CREATE TABLE shiro_role_permission ( role_name varchar(50) NOT NULL, perm_name varchar(50) NOT NULL );插入数据:
insert into shiro_role_permission(role_name,perm_name) values("admin","*"); insert into shiro_role_permission(role_name,perm_name) values("test","inde.html"); insert into shiro_role_permission(role_name,perm_name) values("role1","user.html");在上面的工程进行增加修改 增加数据库依赖包
<dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>5.1.24</version> </dependency> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-jdbc</artifactId> <version>4.3.11.RELEASE</version> </dependency>配置文件在使用jdbc数据源的时候,不需要指定user和roles,而是在配置文件中指定数据库连接信息和要执行的sql语句。 在resources文件夹下创建配置文件shiro-mysql.ini:
[main] dataSource=org.springframework.jdbc.datasource.DriverManagerDataSource dataSource.driverClassName=com.mysql.jdbc.Driver dataSource.url=jdbc:mysql://127.0.0.1:3306/数据库名 dataSource.username=用户名 #如果数据库没有密码,就不要写这行 dataSource.password=你的密码 jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm #是否检查权限 jdbcRealm.permissionsLookupEnabled = true jdbcRealm.dataSource=$dataSource #重写sql语句 #根据用户名查询出密码 jdbcRealm.authenticationQuery = select PASSWORD from SHIRO_USER where USER_NAME = ? #根据用户名查询出角色 jdbcRealm.userRolesQuery = select ROLE_NAME from SHIRO_USER_ROLE where USER_NAME = ? #根据角色名查询出权限 jdbcRealm.permissionsQuery = select PERM_NAME from SHIRO_ROLE_PERMISSION WHERE ROLE_NAME = ? securityManager.realms=$jdbcRealm注意: sq|语句,每次只查询一个shiro要求查询的字段,如果写select *就会报错了。 ini配置文件要求必须是key=value的形式,如果没有设置数据库的密码,就不要写对应的配置。只写"dataSource.password="等号右面没有值会报错。
测试代码除了读取文件其他和上面一样:
import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.subject.Subject; import org.apache.shiro.util.Factory; public class ShiroTest { public static void main(String[] args) { //1、加载配置文件,创建SecurityManager工厂对象 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini"); //2、解析配置文件,并返回一些securityManager实例 SecurityManager securityManager = factory.getInstance(); //3、将securityManager绑定给SecurityUtils SecurityUtils.setSecurityManager(securityManager); //安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关 Subject subject = SecurityUtils.getSubject(); System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录) //创建token对象 UsernamePasswordToken token = new UsernamePasswordToken("test", "666666"); try { //进行登录验证 subject.login(token); } catch (IncorrectCredentialsException e) { System.out.println("密码不正确!");; }catch (UnknownAccountException e){ System.out.println("账号不正确!"); } System.out.println("登录"); System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin")); System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html")); subject.logout();//退出登录,登录状态都由SecurityManager管 System.out.println("当前用户是否登录:"+subject.isAuthenticated()); } }测试结果:
创建自定义Realm类MyRealm继承AuthorizingRealm重写方法
package com.booy.shiro; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; public class MyRealm extends AuthorizingRealm { //授权,authorizationInfo聚合授权信息,PrincipalCollection是身份信息集合 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { System.out.println(principalCollection.getPrimaryPrincipal()); //根据主键查询用户权限,获取相应的角色和权限 SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); //赋予角色 authorizationInfo.addRole("admin"); //赋予权限 authorizationInfo.addStringPermission("index.html"); return authorizationInfo; } //AuthenticationInfo有值表示登录成功 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken; System.out.println(token.getUsername()); if("admin".equals(token.getUsername())){ //唯一标志,真实密码,数据源名,shiro会根据返回的SimpleAuthenticationInfo对象进行比较 return new SimpleAuthenticationInfo("admin","123456",getName()); }else{ throw new UnknownAccountException();//用户名不存在 } } //返回Realm名,在shiro可以有多个Realm @Override public String getName() { return "MyRealm"; } //token类型判断 @Override public boolean supports(AuthenticationToken authenticationToken) { return authenticationToken instanceof UsernamePasswordToken; } }ini配置文件
MyRealm=com.booy.shiro.MyRealm securityManager.realms=$MyRealm测试代码和上面相同
import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.subject.Subject; import org.apache.shiro.util.Factory; public class ShiroTest { public static void main(String[] args) { //1、加载配置文件,创建SecurityManager工厂对象 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini"); //2、解析配置文件,并返回一些securityManager实例 SecurityManager securityManager = factory.getInstance(); //3、将securityManager绑定给SecurityUtils SecurityUtils.setSecurityManager(securityManager); //安全操作,获取当前操作用户,只要程序和shiro有交互就存在Subject对象,和登录无关 Subject subject = SecurityUtils.getSubject(); System.out.println("当前用户是否登录:"+subject.isAuthenticated());//判断当前用户是否已通过身份验证(已登录) //创建token对象 UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456"); try { //进行登录验证 subject.login(token); } catch (IncorrectCredentialsException e) { System.out.println("密码不正确!");; }catch (UnknownAccountException e){ System.out.println("账号不正确!"); } System.out.println("登录"); System.out.println("用户是否拥有admin权限:"+subject.hasRole("admin")); System.out.println("用户是否拥用index.html访问权限:"+subject.isPermitted("index.html")); //subject.logout();//退出登录,登录状态都由SecurityManager管 System.out.println("当前用户是否登录:"+subject.isAuthenticated()); } }运行结果:
引入jar包
<!--shiro核心包--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.3</version> </dependency> <!--shiroweb类库--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.3</version> </dependency> <!--servlet--> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.0.1</version> </dependency> <!--日志包--> <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId> <version>1.6.1</version> </dependency>web.xml中配置shiro
<context-param> <param-name>shiroEnvironmentClass</param-name> <param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value> </context-param> <context-param> <param-name>shiroConfigLocations</param-name> <param-value>classpath:shiro.ini</param-value> </context-param> <listener> <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class> </listener> <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping>使用ini当数据源
[users] root=123456,admin test=666666,role1,role2 user1=666666,role1 user2=666666,role2 [roles] admin=* role1=user.html,index.html role2=user.html,menu.html [urls] ;固定过滤器,anon不进行任何验证,authc登录后才能访问 /login.html=anon /index.html=authc /role.html=authc,roles[admin] /menu/**=authc,roles[admin],perms[menu:*]创建servlet 登录页:
@WebServlet(urlPatterns = "/login.html") public class LoginServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String username = request.getParameter("username"); String password = request.getParameter("password"); Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(username,password); try { subject.login(token); } catch (AuthenticationException e) { System.out.println("登录失败!"); request.setAttribute("error","登录失败!"); //服务器端跳转转发,服务器内部才能访问到WEB-INF下的资源 request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request,response); return; } response.sendRedirect("/index.html"); } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request,response); }首页:
@WebServlet(urlPatterns = "/index.html") public class IndexServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request,response); } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { doPost(request,response); }菜单页和角色页也和首页一样直接返回一个页面 WEB-INF下创建四个jsp页面 登录页login.jsp:
<body> <h1>登录页</h1> <form action="/login.html" method="post"> 用户名:<input type="text" name="username"><br> 密码:<input type="password" name="password"><br> <input type="submit" value="登录"> </form> </body>首页index.jsp:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <title>这是主页</title> </head> <body> <h1>这是主页</h1> <shiro:hasRole name="admin"> <a href="/role.html">角色管理</a><br> </shiro:hasRole> <a href="/menu/user.html">菜单管理</a> </body> </html>菜单页和角色页任意内容
1)、创建maven工程 2)、引入jar包
<dependency> <groupId>org.springframework</groupId> <artifactId>spring-webmvc</artifactId> <version>4.3.22.RELEASE</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.4.0</version> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.1.0</version> </dependency>ini配置文件
[users] root=123456,admin test=666666,role1,role2 user1=666666,role1 user2=666666,role2 [roles] admin=* role1=user.html,index.html role2=user.html,menu:*springMVC-servlet.xml配置文件
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.2.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd"> <!--shiro配置--> <bean id="iniRealm" class="org.apache.shiro.realm.text.IniRealm"> <constructor-arg name="resourcePath" value="classpath:shiro.ini"/> </bean> <bean id="securityManger" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="iniRealm" /> </bean> <!-- 启动注解,注册服务--> <mvc:annotation-driven/> <!-- 启动自动扫描 --> <!-- 制定扫包规则 ,扫描controller包下面的类--> <context:component-scan base-package="controller"> <!-- 扫描使用@Controller注解的JAVA 类 --> <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/> </context:component-scan> <!--视图解析器--> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/"></property> <property name="suffix" value=".jsp"></property> </bean> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManger"/> <!--去登录的地址--> <property name="loginUrl" value="gologin.html"/> <!--登录成功的跳转地址--> <property name="successUrl" value="/index.html"/> <!--验证失败的跳转地址--> <property name="unauthorizedUrl" value="/error.html"/> <!--定义过滤的规则,直接在写在ini文件中只能是静态的--> <property name="filterChainDefinitions"> <value> /login.html=anon /index.html=authc /role.html=authc,roles[admin] /menu/**=authc,roles[admin],perms[menu:*] </value> </property> </bean> </beans>web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> <!--将欢迎页设置成 index.html--> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <!--配置 DispatcherServlet --> <servlet> <servlet-name>springMVC</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>springMVC</servlet-name> <url-pattern>*.html</url-pattern> </servlet-mapping> <!--解决乱码--> <filter> <filter-name>EncodingFilter</filter-name> <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> </filter> <filter-mapping> <filter-name>EncodingFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> <!--配置shiro的核心拦截器--> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> </web-app>controller代码
package controller; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpServletRequest; @Controller public class LoginController { @RequestMapping("/gologin.html") public String gologin(){ return "login"; } @RequestMapping("/index.html") public String index(){ return "index"; } @RequestMapping("/role.html") public String role(){ return "role"; } @RequestMapping("/menu/user.html") public String user(){ return "user"; } @RequestMapping("/login.html") public String login(String username, String password, HttpServletRequest request) { Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(username,password); try { subject.login(token); } catch (AuthenticationException e) { e.printStackTrace(); request.setAttribute("error","登录失败!"); return "login"; } return "redirect:/index.html"; } }jsp页面 登录页
<%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <title>登录页</title> </head> <body> <h1>登录页</h1> <form action="/login.html" method="post"> 用户名:<input type="text" name="username"><br> 密码:<input type="password" name="password"><br> <input type="submit" value="登录"> </form> </body> </html>主页:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %> <%@ page contentType="text/html;charset=UTF-8" language="java" %> <html> <head> <title>这是主页</title> </head> <body> <h1>这是主页</h1> <shiro:hasRole name="admin"> <a href="/role.html">角色管理</a><br> </shiro:hasRole> <a href="/menu/user.html">菜单管理</a> </body> </html>菜单和角色任意内容 再配置tomcat运行测试 1、没有登录的情况下访问index.html跳转到login.html登录页 2、登录后只能访问权限内的页面 3、admin可以看到全部菜单,非admin看不到角色管理菜单
参考地址:https://www.w3cschool.cn/shiro/oibf1ifh.html
以上roles[admin]和perms[menu:*]默认需要同时满足才能访问,如果需要只满足任意条件可访问,需要自定义拦截器继承AuthorizationFilter重写isAccessAllowed方法 任意角色或任意权限只要满足条件可访问,角色和权限需要单独自定义重写拦截器规则,若某一角色满足条件,将当前状态记录进session里,在权限拦截器若果获取到session值则直接放行,若没有再进行权限验证,实际项目中一般只判断角色即可。 角色拦截器:
public class MyRoleFilter extends AuthorizationFilter { @Override protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception { String[] roles = (String[]) mappedValue; Subject subject = SecurityUtils.getSubject(); Session session = subject.getSession(); for(String role:roles){ if(subject.hasRole(role)){ session.setAttribute("Allowed",true); return true; } } return false; } }权限拦截器:
public class MyPermFilter extends AuthorizationFilter { @Override protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception { String[] perms = (String[]) mappedValue; Subject subject = SecurityUtils.getSubject(); Session session = subject.getSession(); if(session.getAttribute("Allowed")!=null){ return true; } for(String perm:perms){ if(subject.isPermitted(perm)){ return true; } } System.out.println(Arrays.toString(perms)); return false; } }springMVC-servlet.xml生效filter配置
<!--自定义filter生效--> <property name="filters"> <map> <entry key="roles"> <bean class="filter.MyRoleFilter"/> </entry> <entry key="perms"> <bean class="filter.MyPermFilter"/> </entry> </map> </property>如需要拦截某个页面的按钮功能等
1)、@RequiresPermissions注解拦截,表示是否能点此按钮
@RequiresPermissions("menu:edit") @RequestMapping("/menu/list.html") public String list(){ return "user"; }修改menu的角色权限menu:*改为其他权限,如:
menu:add2)、在springMVC-servlet中加入配置文件开启shiro注解
<!--启用注解权限验证--> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManger"/> </bean> <!--注解权限验证要写在mvc自容器中--> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"></bean>再登录点击会出现如下异常 页面信息很不友好,可以自己定义页面 自定义AuthExceptionHandler
@ControllerAdvice public class AuthExceptionHandler { //异常增强,Controller有异常才增强,不是所有异常都会增强 @ExceptionHandler({UnauthorizedException.class})//验证不通过时,异常增强 @ResponseStatus(HttpStatus.UNAUTHORIZED) public ModelAndView processUnauthenticatedException(NativeWebRequest request, UnauthorizedException e){ ModelAndView mv = new ModelAndView(); //拿到异常并返回异常页面 mv.addObject("exception",e.getMessage()); mv.setViewName("error"); return mv; } }添加error.jsp页面
<body> ${exception} </body>设置filter包ControllerAdvice注解被扫描到
<context:component-scan base-package="controller,filter"> <!-- 扫描使用@Controller注解的JAVA 类 --> <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/> <context:include-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/> </context:component-scan>再登录访问就是自定义的信息
将静态规则动态化 重写ShiroFilterFactoryBean中的setFilterChainDefinitions方法
package filter; import org.apache.shiro.config.Ini; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.util.CollectionUtils; public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean { @Override public void setFilterChainDefinitions(String definitions) { Ini ini = new Ini(); ini.load(definitions); //设置针对url的过滤器 Ini.Section section = ini.getSection("urls"); if(CollectionUtils.isEmpty(section)){ section = ini.getSection(""); } ///如设置:menu/**=authc,roles[admin],每个url对应的权限可以从数据库中查出来 section.put("/menu/**","roles[admin]"); this.setFilterChainDefinitionMap(section); } } <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">修改为:
<bean id="shiroFilter" class="filter.MyShiroFilterFactoryBean">注意:在controller中验证失败,走的是切面,在filter里验证失败走的是直接是url
如securityManager实现了SessionsSecurityManager,其会自动判断SessionManager是否实现了CacheManagerAware接口,如果实现了会把CacheManager设置给它。然后sessionManager会判断相应的sessionDAO(如继承自CachingSessionDAO)是否实现了CacheManagerAware,如果实现了会把CacheManager设置给它;带缓存的SessionDAO会先查缓存,如果找不到才查数据库。
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"/> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="MyShiroRealm"/> <property name="cacheManager" ref="cacheManager"/> </bean>改造案例为前面的后台管理系统权限管理 原项目结构: 注释掉Interceptor两个类 引入依赖包
<groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.4.0</version>创建MyRealm继承AuthorizingRealm
package com.booy.ssm.exam.shiro; import com.booy.ssm.exam.dao.UserDAO; import com.booy.ssm.exam.pojo.User; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; @Component//把类交给Spring管理,可被扫描 public class MyRealm extends AuthorizingRealm { @Autowired private UserDAO userDAO; @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { return null; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken; User user = userDAO.getUserByAccount(token.getUsername()); //用户不存在 if(user==null){ return null; } return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName()); } }注释掉service登录功能
// User dologin(String account,String password);SystemController代码改造 登录功能改造前
@RequestMapping("dologin.html") public String dologin(String account, String password, Model model, HttpSession session){ User user = userService.dologin(account, password); if(user==null){ model.addAttribute("message","用户名或密码错误!"); return "login"; } session.setAttribute(ExamConstants.SESSION_USER,user); return "redirect:index.html"; }登录功能改造后
//用户登录 @RequestMapping("dologin.html") public String dologin(String account, String password, Model model, HttpSession session){ Subject subject = SecurityUtils.getSubject(); User user = userDAO.getUserByAccount(account); UsernamePasswordToken token = new UsernamePasswordToken(account, MD5Utils.getLoginMD5(user.getSalt(), password)); try { subject.login(token); } catch (AuthenticationException e) { e.printStackTrace(); model.addAttribute("message","用户名或密码错误!"); return "login"; } return "redirect:index.html"; }和session相关的改造 登录退出改造
//用户注销 @RequestMapping("logout.html") public String logout(HttpSession session){ //session.invalidate(); Subject subject = SecurityUtils.getSubject(); subject.logout(); return "login"; }菜单树改造
User user =(User) session.getAttribute(ExamConstants.SESSION_USER); List<Menu> menuList = menuService.getUserMenuList(user.getId());修改为
// User user =(User) session.getAttribute(ExamConstants.SESSION_USER); Subject subject = SecurityUtils.getSubject(); List<Menu> menuList = menuService.getUserMenuList((int)subject.getPrincipal());运行程序,打开http://localhost:8080/login.html测试登录成功
根据菜单id查询角色的sql方法
//根据菜单查角色 List<String> getRoleIdsByMenuId(Integer menuId);doGetAuthorizationInfo方法
package com.booy.ssm.exam.shiro; import com.booy.ssm.exam.dao.PremissionDAO; import com.booy.ssm.exam.dao.UserDAO; import com.booy.ssm.exam.pojo.User; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.Subject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import java.util.List; @Component//把类交给Spring管理,可被扫描 public class MyRealm extends AuthorizingRealm { @Autowired private UserDAO userDAO; @Autowired private PremissionDAO permissionDAO; @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { Subject subject = SecurityUtils.getSubject(); List<Integer> roleIds = permissionDAO.getRoleByUserId((int) subject.getPrincipal()); SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(); if(roleIds!=null){ for(Integer roleId:roleIds){ simpleAuthorizationInfo.addRole(roleId.toString()); } } return simpleAuthorizationInfo; } @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken; User user = userDAO.getUserByAccount(token.getUsername()); //用户不存在 if(user==null){ return null; } return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName()); } }继承AuthorizationFilter,实现拥有任意角色可访问相应的权限
package com.booy.ssm.exam.shiro; import org.apache.shiro.SecurityUtils; import org.apache.shiro.subject.Subject; import org.apache.shiro.web.filter.authz.AuthorizationFilter; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; public class MyFilter extends AuthorizationFilter { @Override protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception { String[] roles = (String[]) mappedValue; Subject subject = SecurityUtils.getSubject(); for(String role:roles){ if(subject.hasRole(role)){ return true; } } return false; } }