Subject:主體,可以看到主體可以是任何可以與應用交互的“用戶”;
SecurityManager:相當於SpringMVC中的DispatcherServlet或者Struts2中的FilterDispatcher;是Shiro的心臟;所有具體的交互都通過SecurityManager進行控制;它管理着所有Subject、且負責進行認證和授權、及會話、緩存的管理。
Authenticator:認證器,負責主體認證的,這是一個擴展點,如果用戶覺得Shiro默認的不好,可以自定義實現;其需要認證策略(Authentication Strategy),即什麼情況下算用戶認證通過了;
Authrizer:授權器,或者訪問控制器,用來決定主體是否有權限進行相應的操作;即控制着用戶能訪問應用中的哪些功能;
Realm:可以有1個或多個Realm,可以認爲是安全實體數據源,即用於獲取安全實體的;可以是JDBC實現,也可以是LDAP實現,或者內存實現等等;由用戶提供;注意:Shiro不知道你的用戶/權限存儲在哪及以何種格式存儲;所以我們一般在應用中都需要實現自己的Realm;
SessionManager:如果寫過Servlet就應該知道Session的概念,Session呢需要有人去管理它的生命週期,這個組件就是SessionManager;而Shiro並不僅僅可以用在Web環境,也可以用在如普通的JavaSE環境、EJB等環境;所有呢,Shiro就抽象了一個自己的Session來管理主體與應用之間交互的數據;這樣的話,比如我們在Web環境用,剛開始是一臺Web服務器;接着又上了臺EJB服務器;這時想把兩臺服務器的會話數據放到一個地方,這個時候就可以實現自己的分佈式會話(如把數據放到Memcached服務器);
SessionDAO:DAO大家都用過,數據訪問對象,用於會話的CRUD,比如我們想把Session保存到數據庫,那麼可以實現自己的SessionDAO,通過如JDBC寫到數據庫;比如想把Session放到Memcached中,可以實現自己的Memcached SessionDAO;另外SessionDAO中可以使用Cache進行緩存,以提高性能;
CacheManager:緩存控制器,來管理如用戶、角色、權限等的緩存的;因爲這些數據基本上很少去改變,放到緩存中後可以提高訪問的性能
Cryptography:密碼模塊,Shiro提高了一些常見的加密組件用於如密碼加密/解密的。
登錄成功後,要存入subject,不然後續一點擊菜單就會彈出
//登錄成功時 controller中
// 根據獲取的用戶名和密碼封裝成Token
UsernamePasswordToken token = new UsernamePasswordToken(
account, systemAdmin.getSaPwd());
// 是否記住用戶
token.setRememberMe(false);
token.setHost(request.getRemoteHost());
// 獲取當前的subject
Subject subject = SecurityUtils.getSubject();
subject.login(token);
spring-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- 自定義的Realm -->
<bean id="shiroRealm" class="com.komlin.component.shiro.ShiroRealm"></bean>
<!-- Ehcache緩存管理器 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager" >
<property name="cacheManagerConfigFile" value="classpath:/spring/ehcache-shiro.xml"></property>
</bean>
<!-- Shiro默認會使用Servlet容器的Session,可通過sessionMode屬性來指定使用Shiro原生Session -->
<!-- 即<property name="sessionMode" value="native"/>,詳細說明見官方文檔 -->
<!-- 這裏主要是設置自定義的單Realm應用,若有多個Realm,可使用'realms'屬性代替 -->
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="shiroRealm"></property>
<property name="cacheManager" ref="cacheManager"></property>
</bean>
<!-- Shiro主過濾器本身功能十分強大,其強大之處就在於它支持任何基於URL路徑表達式的、自定義的過濾器的執行 -->
<!-- Web應用中,Shiro可控制的Web請求必須經過Shiro主過濾器的攔截,Shiro對基於Spring的Web應用提供了完美的支持 -->
<bean id="shiroFilter" class="com.komlin.component.shiro.ShiroPermissionFactory">
<!-- shiro的安全接口,必須配置的屬性 -->
<property name="securityManager" ref="securityManager"></property>
<!-- 登錄時的鏈接 -->
<property name="loginUrl" value="/"></property>
<!-- <property name="successUrl" value="/member/main"></property> -->
<!-- 用戶訪問未對其授權的資源時,所顯示的連接 -->
<property name="unauthorizedUrl" value="/403.jsp"></property>
<!-- /error.jsp -->
<!-- Shiro連接約束配置,即過濾鏈的定義 -->
<!-- 此處可配合我的這篇文章來理解各個過濾連的作用http://blog.csdn.net/jadyer/article/details/12172839 -->
<!-- 下面value值的第一個'/'代表的路徑是相對於HttpServletRequest.getContextPath()的值來的 -->
<!-- anon:它對應的過濾器裏面是空的,什麼都沒做,這裏.do和.jsp後面的*表示參數,比方說login.jsp?main這種 -->
<!-- authc:該過濾器下的頁面必須驗證後才能訪問,它是Shiro內置的一個攔截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter -->
<property name="filters">
<map>
<entry key="role">
<bean class="com.komlin.component.shiro.RoleAuthorizationFilter"/>
</entry>
<!-- <entry key="authc">
<bean
class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter" />
</entry> -->
</map>
</property>
<property name="filterChainDefinitions">
<value>
/system/login.do = anon
</value>
</property>
</bean>
<!-- 權限資源配置 -->
<!-- 保證實現了shiro內部Lifecycle函數的bean的執行 (生命週期) -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
</beans>
ehcache-shiro.xml<ehcache updateCheck="false" name="shiroCache">
<!-- name:Cache的唯一標識 maxElementsInMemory:內存中最大緩存對象數 maxElementsOnDisk:磁盤中最大緩存對象數,若是0表示無窮大
eternal:Element是否永久有效,一但設置了,timeout將不起作用 overflowToDisk:配置此屬性,當內存中Element數量達到maxElementsInMemory時,Ehcache將會Element寫到磁盤中
timeToIdleSeconds:設置Element在失效前的允許閒置時間。僅當element不是永久有效時使用,可選屬性,默認值是0,也就是可閒置時間無窮大
timeToLiveSeconds:設置Element在失效前允許存活時間。最大時間介於創建時間和失效時間之間。僅當element不是永久有效時使用,默認是0.,也就是element存活時間無窮大
diskPersistent:是否緩存虛擬機重啓期數據 diskExpiryThreadIntervalSeconds:磁盤失效線程運行時間間隔,默認是120秒
diskSpoolBufferSizeMB:這個參數設置DiskStore(磁盤緩存)的緩存區大小。默認是30MB。每個Cache都應該有自己的一個緩衝區
memoryStoreEvictionPolicy:當達到maxElementsInMemory限制時,Ehcache將會根據指定的策略去清理內存。默認策略是LRU(最近最少使用)。你可以設置爲FIFO(先進先出)或是LFU(較少使用) -->
<defaultCache maxElementsInMemory="10000" eternal="false"
timeToIdleSeconds="600" timeToLiveSeconds="600" overflowToDisk="false"
diskPersistent="false" diskExpiryThreadIntervalSeconds="600"/>
</ehcache>
整理權限
package com.komlin.component.shiro;
/**
* Created by zql on 2017/7/3.
*/
public interface IFilterChainDefinitionsService {
void reloadFilterChains();
}
package com.komlin.component.shiro;
import com.komlin.modular.system.model.entity.TbSystemMenu;
import com.komlin.modular.system.model.service.RolePermService;
import com.komlin.modular.system.model.service.TbSystemMenuService;
import org.apache.log4j.Logger;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.servlet.AbstractShiroFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.*;
@Service
public class FilterChainDefinitionsServiceImpl implements
IFilterChainDefinitionsService {
private static Logger logger = Logger.getLogger(FilterChainDefinitionsServiceImpl.class);
@Autowired
private ShiroPermissionFactory permissFactory;
@Autowired
private RolePermService userPermService;
@Autowired
private TbSystemMenuService menuService;
@Override
public void reloadFilterChains() {
// TODO Auto-generated method stub
synchronized (permissFactory) { // 強制同步,控制線程安全
AbstractShiroFilter shiroFilter = null;
try {
shiroFilter = (AbstractShiroFilter) permissFactory.getObject();
PathMatchingFilterChainResolver resolver = (PathMatchingFilterChainResolver) shiroFilter
.getFilterChainResolver();
// 過濾管理器
DefaultFilterChainManager manager = (DefaultFilterChainManager) resolver
.getFilterChainManager();
// 清除權限配置
manager.getFilterChains().clear();
permissFactory.getFilterChainDefinitionMap().clear();
// 重新設置權限
permissFactory
.setFilterChainDefinitions(ShiroPermissionFactory.definition);// 傳入配置中的filterchains
Map<String, String> chains = permissFactory
.getFilterChainDefinitionMap();
// 重新生成過濾鏈
if (!CollectionUtils.isEmpty(chains)) {
for (String key : chains.keySet()) {
String val = chains.get(key);
manager.createChain(key, val);
}
// manager.createChain("/system/top.do", "roles[admin]");
// manager.createChain("/system/left.do", "roles[123]");
}
List<Map<String, Object>> myChainsList = userPermService
.getShiroPerm();
Map<String, Set<String>> myChains = new HashMap<String, Set<String>>();
if (myChainsList != null) {
// 超級管理員權限
List<TbSystemMenu> menuList = menuService.getShiroMenu();
for (TbSystemMenu sm : menuList) {
Set<String> set = new HashSet<String>();
set.add("admin");
myChains.put(sm.getSmUrl(), set);
}
// 整理權限信息
for (Map<String, Object> map : myChainsList) {
String url = map.get("url").toString();
String role = map.get("role").toString();
if (myChains.get(url) == null) {
Set<String> set = new HashSet<String>();
set.add(role);
myChains.put(url, set);
} else {
Set<String> set = myChains.get(url);
set.add(role);
}
}
// 寫入權限信息
for (String key : myChains.keySet()) {
Set<String> roleSet = myChains.get(key);
String role = "";
if (roleSet.size() > 0) {
for (String r : roleSet)
role += r + ",";
role = role.substring(0, role.length() - 1);
logger.debug("/" + key + ",role[" + role + "]");
manager.createChain("/" + key, "role[" + role + "]");
}
}
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
}
角色過濾器
package com.komlin.component.shiro;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.RolesAuthorizationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.IOException;
/**
* 重寫角色權限過濾器,是當前請求只需滿足一個角色即可訪問
*
* @author Asan
*
*/
public class RoleAuthorizationFilter extends RolesAuthorizationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object mappedValue) throws IOException {
final Subject subject = getSubject(request, response);
final String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) {
// no roles specified, so nothing to check - allow access.
return true;
}
for (String roleName : rolesArray) {
if (subject.hasRole(roleName)) {
return true;
}
}
return false;
}
}
package com.komlin.component.shiro;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
import org.apache.shiro.web.config.IniFilterChainResolverFactory;
import java.util.HashMap;
import java.util.Map;
/**
* Created by zql on 2017/7/3.
*/
public class ShiroPermissionFactory extends ShiroFilterFactoryBean {
/** 記錄配置中的過濾鏈 */
public static String definition = "";
/**
* 初始化設置過濾鏈
*/
@Override
public void setFilterChainDefinitions(String definitions) {
definition = definitions;// 記錄配置的靜態過濾鏈
Map<String, String> otherChains = new HashMap<String, String>();
// 加載配置默認的過濾鏈
Ini ini = new Ini();
ini.load(definitions);
Ini.Section section = ini
.getSection(IniFilterChainResolverFactory.URLS);
if (CollectionUtils.isEmpty(section)) {
section = ini.getSection(Ini.DEFAULT_SECTION_NAME);
}
// 加上數據庫中過濾鏈
section.putAll(otherChains);
setFilterChainDefinitionMap(section);
}
}
登錄驗證與授權
package com.komlin.component.shiro; import com.komlin.component.utils.SpringContextUtils; import com.komlin.modular.system.model.entity.TbSystemAdmin; import com.komlin.modular.system.model.service.RolePermService; import com.komlin.modular.system.model.service.TbSystemAdminService; import com.komlin.modular.system.model.service.UserRoleService; import org.apache.commons.lang.builder.ReflectionToStringBuilder; import org.apache.commons.lang.builder.ToStringStyle; import org.apache.log4j.Logger; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.session.Session; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.Subject; import java.util.ArrayList; import java.util.List; /** * Created by zql on 2017/7/3. */ public class ShiroRealm extends AuthorizingRealm { private static Logger logger = Logger.getLogger(ShiroRealm.class); private static TbSystemAdminService userService = null; private static UserRoleService userRoleService = null; private static RolePermService userPermService = null; private void initService() { if (userService == null) { userService = (TbSystemAdminService) SpringContextUtils .getBean("systemAdminService"); } if (userRoleService == null) { userRoleService = (UserRoleService) SpringContextUtils .getBean("roleService"); } if (userPermService == null) { userPermService = (RolePermService) SpringContextUtils .getBean("permService"); } } @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) { initService(); SimpleAuthorizationInfo info = null; // TODO Auto-generated method stub // 獲取當前登錄的用戶名 String username = (String) super.getAvailablePrincipal(arg0); // 根據用戶名從數據庫中獲取用戶信息 TbSystemAdmin user = userService.getUserByAccount(username); List<String> roleList = new ArrayList<String>(); List<String> permList = new ArrayList<String>(); logger.info("對當前用戶:[" + username + "]進行授權!"); if (null != user) { if ("sa".equals(user.getSaRole())) { roleList.add("admin"); } else { roleList.add(user.getSaRole()); } info = new SimpleAuthorizationInfo(); info.addRoles(roleList); info.addStringPermissions(permList); } else { throw new AuthorizationException(); } // 若該方法什麼都不做直接返回null的話,就會導致任何用戶訪問/admin/listUser.jsp時都會自動跳轉到unauthorizedUrl指定的地址 return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken arg0) throws AuthenticationException { initService(); UsernamePasswordToken token = (UsernamePasswordToken) arg0; logger.info("驗證當前Subject時獲取到token爲" + ReflectionToStringBuilder.toString(token, ToStringStyle.MULTI_LINE_STYLE)); TbSystemAdmin user = userService.getUserByAccount(token.getUsername()); if (user != null) { AuthenticationInfo info = new SimpleAuthenticationInfo( user.getSaAccount(), user.getSaPwd(), getName()); this.setSession("user", user); return info; } return null; } /** * 將一些數據放到ShiroSession中,以便於其它地方使用 * 比如Controller,使用時直接用HttpSession.getAttribute(key)就可以取到 * @see */ private void setSession(Object key, Object value) { Subject currSubject = SecurityUtils.getSubject(); if (currSubject != null) { Session session = currSubject.getSession(); if (session != null) { logger.info("Session默認超時時間爲[" + session.getTimeout() + "]毫秒"); session.setAttribute(key, value); } } } }
點擊子菜單,會進下面這個來判斷有木有權限
package com.komlin.component.shiro;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* Created by zql on 2017/7/3.
*/
public class SimpleFormAuthenticationFilter extends FormAuthenticationFilter {
@Override
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object mappedValue) {
final Subject subject = getSubject(request, response);
final String[] rolesArray = (String[]) mappedValue;
if (rolesArray == null || rolesArray.length == 0) {
// no roles specified, so nothing to check - allow access.
return true;
}
for (String roleName : rolesArray) {
if (subject.hasRole(roleName))
return true;
}
return false;
}
}
mapper.xml
<select id="getShiroPerm" resultType="java.util.HashMap">
select ur_id role ,sm_url url from tb_role_perm inner join tb_system_menu where
rp_sm_id = sm_id
</select>
<select id="getShiroMenu" resultMap="BaseResultMap">
select
<include refid="Base_Column_List" />
from tb_system_menu where sm_type =1 order by sm_order
</select>