Springboot 集成 shrio
1 緣起
因爲最近對 shiro 比較感興趣, 也在網上看了很多教程 , 感覺網上寫的 shiro 教程,要麼太簡單, 簡單到 你不知道 shiro 爲你做了什麼,也有些很複雜, 讓人一看就想睡覺。本文的目的是 通過儘可能少的代碼,讓你學習 shiro,並且將 shiro 整合到項目中。
2 所用到的技術
Jpa + Shiro + thymeleaf
3 開幹
3.1 導入依賴
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>net.sourceforge.nekohtml</groupId>
<artifactId>nekohtml</artifactId>
<version>1.9.22</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
3.2 配置 yml
spring:
datasource:
url: jdbc:mysql://localhost:3306/test
username: root
password: 123456
driver-class-name: com.mysql.jdbc.Driver
jpa:
database: mysql
show-sql: true
hibernate:
ddl-auto: update
naming:
strategy: org.hibernate.cfg.DefaultComponentSafeNamingStrategy
properties:
hibernate:
dialect: org.hibernate.dialect.MySQL5Dialect
thymeleaf:
cache: false
mode: LEGACYHTML5
3.3 HTML 頁面
多個 頁面
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
</head>
<body>
錯誤信息:<h4 th:text="${msg}"></h4>
<form action="login" method="post">
<p>賬號:<input type="text" name="username" value="admin"/></p>
<p>密碼:<input type="text" name="password" value="123456"/></p>
<p><input type="submit" value="登錄"/></p>
</form>
</body>
</html>
3.4 實體類 (通過jpa 自動生成表結構)
SysPermission
package org.study.entity;
import lombok.Data;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.*;
import java.util.List;
/**
* Created by jun on 2018/6/20.
*/
@Getter
@Setter
@Entity
public class SysPermission {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
/**
* 權限名稱
*/
private String name;
/**
* 資源類型,[menu|button]
*/
@Column(columnDefinition="enum('menu','button')")
private String resourceType;
/**
* 資源路徑
*/
private String url;
/**
* 權限字符串,menu例子:role:*,button例子:role:create,role:update,role:delete,role:view
*/
private String permission;
/**
* 父編號
*/
private Long parentId;
/**
* 父編號列表
*/
private String parentIds;
/**
* 是否可用
*/
private Boolean available = Boolean.FALSE;
@ManyToMany
@JoinTable(name="SysRolePermission",joinColumns={@JoinColumn(name="permissionId")},inverseJoinColumns={@JoinColumn(name="roleId")})
private List<SysRole> roles;
}
SysRole
package org.study.entity;
import lombok.Data;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.*;
import javax.persistence.Entity;
import java.util.List;
/**
* Created by jun on 2018/6/20.
*/
@Getter
@Setter
@Entity
public class SysRole {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer id;
/**
* 角色標識程序中判斷使用,如"admin",這個是唯一的:
*/
private String role;
/**
* 角色描述,UI界面顯示使用
*/
private String description;
/**
* 是否可用,如果不可用將不會添加給用戶
*/
private Boolean available = Boolean.FALSE;
//角色 -- 權限關係:多對多關係;
@ManyToMany(fetch= FetchType.EAGER)
@JoinTable(name="SysRolePermission",joinColumns={@JoinColumn(name="roleId")},inverseJoinColumns={@JoinColumn(name="permissionId")})
private List<SysPermission> permissions;
// 用戶 - 角色關係定義;
@ManyToMany
@JoinTable(name="SysUserRole",joinColumns={@JoinColumn(name="roleId")},inverseJoinColumns={@JoinColumn(name="uid")})
private List<SysUser> userInfos;// 一個角色對應多個用戶
public SysRole() {
}
}
SysUser
package org.study.entity;
import lombok.Getter;
import lombok.Setter;
import javax.persistence.*;
import java.util.List;
/**
* Created by jun on 2018/6/20.
*/
@Getter
@Setter
@Entity
public class SysUser {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Integer uid;
/**
* 帳號
*/
@Column(unique =true)
private String username;
/**
* 名稱(暱稱或者真實姓名,不同系統不同定義)
*/
private String name;
/**
* 密碼
*/
private String password;
/**
* 加密密碼的鹽
*/
private String salt;
/**
* 用戶狀態,0:創建未認證(比如沒有激活,沒有輸入驗證碼等等)--等待驗證的用戶 , 1:正常狀態,2:用戶被鎖定.
*/
private byte state;
@ManyToMany(fetch= FetchType.EAGER)//立即從數據庫中進行加載數據;
@JoinTable(name = "SysUserRole", joinColumns = { @JoinColumn(name = "uid") }, inverseJoinColumns ={@JoinColumn(name = "roleId") })
private List<SysRole> roleList;// 一個用戶具有多個角色
}
3.5 關於 shiro 的配置
CredenttiaMatcher
package org.study.config;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
/**
* 自定義密碼匹配器
*
* Created by jun on 2018/6/28.
*/
public class CredenttiaMatcher extends SimpleCredentialsMatcher {
/**
* 自定義 匹配規則
*
* token 包含用戶輸入的 用戶名 和密碼
*
* info 用戶認證時候傳入的信息 (SimpleAuthenticationInfo )
* @param token
* @param info
* @return
*/
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String password = new String(usernamePasswordToken.getPassword());
String dbPassword = (String) info.getCredentials();
return this.equals(password, dbPassword);
}
}
MyShiroRealm
package org.study.config;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.study.entity.SysPermission;
import org.study.entity.SysRole;
import org.study.entity.SysUser;
import org.study.service.SysUserService;
/**
* Created by jun on 2018/6/21.
*/
@Component
public class MyShiroRealm extends AuthorizingRealm {
@Autowired
SysUserService sysUserService;
/**
* 用戶授權,每次需要權限判斷的時候調用
*
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
System.out.println("權限配置-->MyShiroRealm.doGetAuthorizationInfo()");
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
SysUser sysUser = (SysUser) principals.getPrimaryPrincipal();
for (SysRole role : sysUser.getRoleList()) {
authorizationInfo.addRole(role.getRole());
for (SysPermission p : role.getPermissions()) {
authorizationInfo.addStringPermission(p.getPermission());
}
}
return authorizationInfo;
}
/**
* 用戶認證方法
*
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//獲取用戶的輸入的賬號.
String username = (String) token.getPrincipal();
System.out.println(token.getCredentials());
//通過username從數據庫中查找 User對象,如果找到,沒找到.
//實際項目中,這裏可以根據實際情況做緩存,如果不做,Shiro自己也是有時間間隔機制,2分鐘內不會重複執行該方法
SysUser sysUser = sysUserService.findByUsername(username);
System.out.println("----->>userInfo=" + username);
if (sysUser == null) {
return null;
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
sysUser,// 用戶
sysUser.getPassword(), //密碼
getName() //realm name
);
return authenticationInfo;
}
}
ShiroConfig
package org.study.config;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
/**
* Created by jun on 2018/6/21.
*/
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
System.out.println("ShiroConfiguration.shirFilter()");
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
//攔截器.
Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>();
// 配置不會被攔截的鏈接 順序判斷
filterChainDefinitionMap.put("/static/**", "anon");
//配置退出 過濾器,其中的具體的退出代碼Shiro已經替我們實現了
filterChainDefinitionMap.put("/logout", "logout");
//<!-- 過濾鏈定義,從上向下順序執行,一般將/**放在最爲下邊 -->:這是一個坑呢,一不小心代碼就不好使了;
//<!-- authc:所有url都必須認證通過纔可以訪問; anon:所有url都都可以匿名訪問-->
filterChainDefinitionMap.put("/**", "authc");
// 如果不設置默認會自動尋找Web工程根目錄下的"/login.jsp"頁面
shiroFilterFactoryBean.setLoginUrl("/login");
// 登錄成功後要跳轉的鏈接
shiroFilterFactoryBean.setSuccessUrl("/index");
//未授權界面;
shiroFilterFactoryBean.setUnauthorizedUrl("/403");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
/**
* 採用自定義密碼比對器
* @return
*/
@Bean
public MyShiroRealm myShiroRealm(){
MyShiroRealm myShiroRealm = new MyShiroRealm();
myShiroRealm.setCredentialsMatcher(new CredenttiaMatcher());
return myShiroRealm;
}
@Bean
public SecurityManager securityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(myShiroRealm());
return securityManager;
}
/**
* 開啓shiro aop註解支持.
* 使用代理方式;所以需要開啓代碼支持;
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
@Bean(name="simpleMappingExceptionResolver")
public SimpleMappingExceptionResolver createSimpleMappingExceptionResolver() {
SimpleMappingExceptionResolver r = new SimpleMappingExceptionResolver();
Properties mappings = new Properties();
mappings.setProperty("DatabaseException", "databaseError");//數據庫異常處理
mappings.setProperty("UnauthorizedException","403");
r.setExceptionMappings(mappings); // None by default
r.setDefaultErrorView("error"); // No default
r.setExceptionAttribute("ex"); // Default is "exception"
//r.setWarnLogCategory("example.MvcLogger"); // No default
return r;
}
}
3.6 Controller
HomeController
package org.study.controller;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.study.entity.SysUser;
import org.study.service.SysUserService;
import org.study.util.MD5Util;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
@Slf4j
@Controller
public class HomeController {
@Autowired
SysUserService sysUserService;
@RequestMapping({"/","/index"})
public String index(){
return"/index";
}
@RequestMapping("login")
public String login(HttpServletRequest request, Map<String, Object> map) throws Exception{
String username = request.getParameter("username");
String passwordInput = request.getParameter("password");
try {
if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(passwordInput)) {
SysUser user = sysUserService.findByUsername(username);
if (user != null) {
// TODO 這裏簡單的使用了 salt + md5
String encodePassword = MD5Util.encode(user.getSalt() + passwordInput);
AuthenticationToken token = new UsernamePasswordToken(username, encodePassword);
SecurityUtils.getSubject().login(token);
}
return "index";
}
} catch (Exception e) {
// TODO 這裏可以根據不同的異常 獲取不同的登錄失敗的原因
log.error("登錄失敗");
}
return "login";
}
@RequestMapping("403")
public String unauthorizedRole(){
System.out.println("------沒有權限-------");
return "403";
}
}
UserInfoController
package org.study.controller;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping("/userInfo")
public class UserInfoController {
/**
* 用戶查詢.
* @return
*/
@RequestMapping("/userList")
@RequiresPermissions("userInfo:view")//權限管理;
public String userInfo(){
return "userInfo";
}
/**
* 用戶添加;
* @return
*/
@RequestMapping("/userAdd")
@RequiresRoles("admin")
public String userInfoAdd(){
return "userInfoAdd";
}
/**
* 用戶刪除;
* @return
*/
@RequestMapping("/userDel")
@RequiresPermissions("userInfo:del")
public String userDel(){
return "userInfoDel";
}
}
3.7 餘下的內容
剩下的內容就比較簡單了,無非就是一些 dao service。。 這裏貼一個關鍵的
package org.study.dao;
import org.springframework.data.jpa.repository.JpaRepository;
import org.study.entity.SysUser;
/**
* Created by jun on 2018/6/21.
*/
public interface SysUserDao extends JpaRepository<SysUser, Integer> {
SysUser findByUsername(String userame);
}
4 結束
搞完收工,如果你喜歡博主的文章的話麻煩點一下關注,如果發現博主文章的錯誤的話 麻煩指出, 謝謝大家。