文章目錄
一、Shiro入門
1、簡介
ApacheShiro是一個功能強大且易於使用的Java安全框架,提供了認證,授權,加密,和會話管理。
Shiro有三大核心組件:
1)、Subject
即當前用戶,在權限管理的應用程序裏往往需要知道誰能夠操作什麼,誰擁有操作該程序的權利,shiro中則需要通過Subject來提供基礎的當前用戶信息,Subject 不僅僅代表某個用戶,與當前應用交互的任何用戶都是Subject,如網絡爬蟲等。所有的Subject都要綁定到SecurityManager上,與Subject的交互實際上是被轉換爲與SecurityManager的交互。
2)、SecurityManager
即所有Subject的管理者 ,這是Shiro框架的核心組件,可以把他看做是一個Shiro框架的全局管理組件,用於調度各種Shiro框架的服務。作用類似於SpringMVC中的DispatcherServlet, 用於攔截所有請求並進行處理。
3)、Realm
Realm是用戶的信息認證器和用戶的權限認證器,我們需要自己來實現Realm來自定義的管理我們自己系統內部的權限規則。
SecurityManager要驗證用戶,需要從Realm中獲取用戶。可以把Realm看做是數據源。
2、靜態權限測試
1)、創建maven工程
2)、引入依賴包
<!--shiro核心包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<!--日誌包-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.6.1</version>
</dependency>
3)、log4j日誌配置文件
log4j.rootLogger=INFO,stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n
4)、編寫shiro的ini配置文件
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu.html
配置文件中包含兩個部分,用戶[users]和角色[roles]
用戶配置的格式是:
用戶名=密碼,角色1,角色…角色n
角色配置的格式是:
角色名=權限1,權限2… .權限n
5)、測試代碼
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加載配置文件,創建SecurityManager工廠對象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
//2、解析配置文件,並返回一些securityManager實例
SecurityManager securityManager = factory.getInstance();
//3、將securityManager綁定給SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,獲取當前操作用戶,只要程序和shiro有交互就存在Subject對象,和登錄無關
Subject subject = SecurityUtils.getSubject();
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());//判斷當前用戶是否已通過身份驗證(已登錄)
//創建token對象
UsernamePasswordToken token = new UsernamePasswordToken("user1", "666666");
try {
//進行登錄驗證
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密碼不正確!");;
}catch (UnknownAccountException e){
System.out.println("賬號不正確!");
}
System.out.println("登錄");
System.out.println("用戶是否擁有admin權限:"+subject.hasRole("admin"));
System.out.println("用戶是否擁用index.html訪問權限:"+subject.isPermitted("index.html"));
subject.logout();//退出登錄,登錄狀態都由SecurityManager管
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());
}
}
運行結果:
二、Shiro+MySQL動態權限驗證
1、數據庫設計
在實際開發中,用戶名密碼、角色、權限需要存在數據庫中動態管理。
一個簡單的Shiro+MySQL的項目需要三張表:
用戶表shiro_user:
建表sql:
CREATE TABLE shiro_user (
id int PRIMARY KEY AUTO_INCREMENT,
user_name varchar(50) NOT NULL,
password varchar(50)
);
插入數據:
insert into shiro_user(user_name,password) values("admin","123456");
insert into shiro_user(user_name,password) values("test","666666");
insert into shiro_user(user_name,password) values("user1","666666");
insert into shiro_user(user_name,password) values("user2","666666");
用戶角色表shiro_user_role:
建表sql
CREATE TABLE shiro_user_role (
user_name varchar(50) NOT NULL,
role_name varchar(50) NOT NULL
);
插入數據:
insert into shiro_user_role(user_name,role_name) values("admin","admin");
insert into shiro_user_role(user_name,role_name) values("test","test");
insert into shiro_user_role(user_name,role_name) values("user1","role1");
insert into shiro_user_role(user_name,role_name) values("user2","role2");
角色權限表shiro_role_permission:
建表sql
CREATE TABLE shiro_role_permission (
role_name varchar(50) NOT NULL,
perm_name varchar(50) NOT NULL
);
插入數據:
insert into shiro_role_permission(role_name,perm_name) values("admin","*");
insert into shiro_role_permission(role_name,perm_name) values("test","inde.html");
insert into shiro_role_permission(role_name,perm_name) values("role1","user.html");
2、項目工程搭建
在上面的工程進行增加修改
增加數據庫依賴包
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.24</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.3.11.RELEASE</version>
</dependency>
配置文件在使用jdbc數據源的時候,不需要指定user和roles,而是在配置文件中指定數據庫連接信息和要執行的sql語句。
在resources文件夾下創建配置文件shiro-mysql.ini:
[main]
dataSource=org.springframework.jdbc.datasource.DriverManagerDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://127.0.0.1:3306/數據庫名
dataSource.username=用戶名
#如果數據庫沒有密碼,就不要寫這行
dataSource.password=你的密碼
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
#是否檢查權限
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource=$dataSource
#重寫sql語句
#根據用戶名查詢出密碼
jdbcRealm.authenticationQuery = select PASSWORD from SHIRO_USER where USER_NAME = ?
#根據用戶名查詢出角色
jdbcRealm.userRolesQuery = select ROLE_NAME from SHIRO_USER_ROLE where USER_NAME = ?
#根據角色名查詢出權限
jdbcRealm.permissionsQuery = select PERM_NAME from SHIRO_ROLE_PERMISSION WHERE ROLE_NAME = ?
securityManager.realms=$jdbcRealm
注意:
sq|語句,每次只查詢一個shiro要求查詢的字段,如果寫select *就會報錯了。
ini配置文件要求必須是key=value的形式,如果沒有設置數據庫的密碼,就不要寫對應的配置。只寫"dataSource.password="等號右面沒有值會報錯。
測試代碼除了讀取文件其他和上面一樣:
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加載配置文件,創建SecurityManager工廠對象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini");
//2、解析配置文件,並返回一些securityManager實例
SecurityManager securityManager = factory.getInstance();
//3、將securityManager綁定給SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,獲取當前操作用戶,只要程序和shiro有交互就存在Subject對象,和登錄無關
Subject subject = SecurityUtils.getSubject();
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());//判斷當前用戶是否已通過身份驗證(已登錄)
//創建token對象
UsernamePasswordToken token = new UsernamePasswordToken("test", "666666");
try {
//進行登錄驗證
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密碼不正確!");;
}catch (UnknownAccountException e){
System.out.println("賬號不正確!");
}
System.out.println("登錄");
System.out.println("用戶是否擁有admin權限:"+subject.hasRole("admin"));
System.out.println("用戶是否擁用index.html訪問權限:"+subject.isPermitted("index.html"));
subject.logout();//退出登錄,登錄狀態都由SecurityManager管
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());
}
}
測試結果:
三、自定義Realm
創建自定義Realm類MyRealm繼承AuthorizingRealm重寫方法
package com.booy.shiro;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class MyRealm extends AuthorizingRealm {
//授權,authorizationInfo聚合授權信息,PrincipalCollection是身份信息集合
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println(principalCollection.getPrimaryPrincipal());
//根據主鍵查詢用戶權限,獲取相應的角色和權限
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
//賦予角色
authorizationInfo.addRole("admin");
//賦予權限
authorizationInfo.addStringPermission("index.html");
return authorizationInfo;
}
//AuthenticationInfo有值表示登錄成功
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
System.out.println(token.getUsername());
if("admin".equals(token.getUsername())){
//唯一標誌,真實密碼,數據源名,shiro會根據返回的SimpleAuthenticationInfo對象進行比較
return new SimpleAuthenticationInfo("admin","123456",getName());
}else{
throw new UnknownAccountException();//用戶名不存在
}
}
//返回Realm名,在shiro可以有多個Realm
@Override
public String getName() {
return "MyRealm";
}
//token類型判斷
@Override
public boolean supports(AuthenticationToken authenticationToken) {
return authenticationToken instanceof UsernamePasswordToken;
}
}
ini配置文件
MyRealm=com.booy.shiro.MyRealm
securityManager.realms=$MyRealm
測試代碼和上面相同
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
public class ShiroTest {
public static void main(String[] args) {
//1、加載配置文件,創建SecurityManager工廠對象
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-mysql.ini");
//2、解析配置文件,並返回一些securityManager實例
SecurityManager securityManager = factory.getInstance();
//3、將securityManager綁定給SecurityUtils
SecurityUtils.setSecurityManager(securityManager);
//安全操作,獲取當前操作用戶,只要程序和shiro有交互就存在Subject對象,和登錄無關
Subject subject = SecurityUtils.getSubject();
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());//判斷當前用戶是否已通過身份驗證(已登錄)
//創建token對象
UsernamePasswordToken token = new UsernamePasswordToken("admin", "123456");
try {
//進行登錄驗證
subject.login(token);
} catch (IncorrectCredentialsException e) {
System.out.println("密碼不正確!");;
}catch (UnknownAccountException e){
System.out.println("賬號不正確!");
}
System.out.println("登錄");
System.out.println("用戶是否擁有admin權限:"+subject.hasRole("admin"));
System.out.println("用戶是否擁用index.html訪問權限:"+subject.isPermitted("index.html"));
//subject.logout();//退出登錄,登錄狀態都由SecurityManager管
System.out.println("當前用戶是否登錄:"+subject.isAuthenticated());
}
}
運行結果:
四、Web中使用Shiro
1、Servlet使用Shiro
引入jar包
<!--shiro核心包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<!--shiroweb類庫-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
<!--servlet-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
</dependency>
<!--日誌包-->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.6.1</version>
</dependency>
web.xml中配置shiro
<context-param>
<param-name>shiroEnvironmentClass</param-name>
<param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value>
</context-param>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:shiro.ini</param-value>
</context-param>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
使用ini當數據源
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu.html
[urls]
;固定過濾器,anon不進行任何驗證,authc登錄後才能訪問
/login.html=anon
/index.html=authc
/role.html=authc,roles[admin]
/menu/**=authc,roles[admin],perms[menu:*]
創建servlet
登錄頁:
@WebServlet(urlPatterns = "/login.html")
public class LoginServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter("username");
String password = request.getParameter("password");
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
} catch (AuthenticationException e) {
System.out.println("登錄失敗!");
request.setAttribute("error","登錄失敗!");
//服務器端跳轉轉發,服務器內部才能訪問到WEB-INF下的資源
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request,response);
return;
}
response.sendRedirect("/index.html");
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request,response);
}
首頁:
@WebServlet(urlPatterns = "/index.html")
public class IndexServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request,response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request,response);
}
菜單頁和角色頁也和首頁一樣直接返回一個頁面
WEB-INF下創建四個jsp頁面
登錄頁login.jsp:
<body>
<h1>登錄頁</h1>
<form action="/login.html" method="post">
用戶名:<input type="text" name="username"><br>
密碼:<input type="password" name="password"><br>
<input type="submit" value="登錄">
</form>
</body>
首頁index.jsp:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>這是主頁</title>
</head>
<body>
<h1>這是主頁</h1>
<shiro:hasRole name="admin">
<a href="/role.html">角色管理</a><br>
</shiro:hasRole>
<a href="/menu/user.html">菜單管理</a>
</body>
</html>
菜單頁和角色頁任意內容
2、SpringMVC使用Shiro
1)、創建maven工程
2)、引入jar包
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.22.RELEASE</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
ini配置文件
[users]
root=123456,admin
test=666666,role1,role2
user1=666666,role1
user2=666666,role2
[roles]
admin=*
role1=user.html,index.html
role2=user.html,menu:*
springMVC-servlet.xml配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.2.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd">
<!--shiro配置-->
<bean id="iniRealm" class="org.apache.shiro.realm.text.IniRealm">
<constructor-arg name="resourcePath" value="classpath:shiro.ini"/>
</bean>
<bean id="securityManger" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="iniRealm" />
</bean>
<!-- 啓動註解,註冊服務-->
<mvc:annotation-driven/>
<!-- 啓動自動掃描 -->
<!-- 制定掃包規則 ,掃描controller包下面的類-->
<context:component-scan base-package="controller">
<!-- 掃描使用@Controller註解的JAVA 類 -->
<context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
</context:component-scan>
<!--視圖解析器-->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManger"/>
<!--去登錄的地址-->
<property name="loginUrl" value="gologin.html"/>
<!--登錄成功的跳轉地址-->
<property name="successUrl" value="/index.html"/>
<!--驗證失敗的跳轉地址-->
<property name="unauthorizedUrl" value="/error.html"/>
<!--定義過濾的規則,直接在寫在ini文件中只能是靜態的-->
<property name="filterChainDefinitions">
<value>
/login.html=anon
/index.html=authc
/role.html=authc,roles[admin]
/menu/**=authc,roles[admin],perms[menu:*]
</value>
</property>
</bean>
</beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<!--將歡迎頁設置成 index.html-->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<!--配置 DispatcherServlet -->
<servlet>
<servlet-name>springMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>springMVC</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<!--解決亂碼-->
<filter>
<filter-name>EncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<!--配置shiro的核心攔截器-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
</web-app>
controller代碼
package controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpServletRequest;
@Controller
public class LoginController {
@RequestMapping("/gologin.html")
public String gologin(){
return "login";
}
@RequestMapping("/index.html")
public String index(){
return "index";
}
@RequestMapping("/role.html")
public String role(){
return "role";
}
@RequestMapping("/menu/user.html")
public String user(){
return "user";
}
@RequestMapping("/login.html")
public String login(String username, String password, HttpServletRequest request) {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
request.setAttribute("error","登錄失敗!");
return "login";
}
return "redirect:/index.html";
}
}
jsp頁面
登錄頁
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>登錄頁</title>
</head>
<body>
<h1>登錄頁</h1>
<form action="/login.html" method="post">
用戶名:<input type="text" name="username"><br>
密碼:<input type="password" name="password"><br>
<input type="submit" value="登錄">
</form>
</body>
</html>
主頁:
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>這是主頁</title>
</head>
<body>
<h1>這是主頁</h1>
<shiro:hasRole name="admin">
<a href="/role.html">角色管理</a><br>
</shiro:hasRole>
<a href="/menu/user.html">菜單管理</a>
</body>
</html>
菜單和角色任意內容
再配置tomcat運行測試
1、沒有登錄的情況下訪問index.html跳轉到login.html登錄頁
2、登錄後只能訪問權限內的頁面
3、admin可以看到全部菜單,非admin看不到角色管理菜單
五、攔截器
參考地址:https://www.w3cschool.cn/shiro/oibf1ifh.html
1、改寫攔截器
/menu/**=authc,roles[admin,role2],perms[menu:*]
以上roles[admin]和perms[menu:*]默認需要同時滿足才能訪問,如果需要只滿足任意條件可訪問,需要自定義攔截器繼承AuthorizationFilter重寫isAccessAllowed方法
任意角色或任意權限只要滿足條件可訪問,角色和權限需要單獨自定義重寫攔截器規則,若某一角色滿足條件,將當前狀態記錄進session裏,在權限攔截器若果獲取到session值則直接放行,若沒有再進行權限驗證,實際項目中一般只判斷角色即可。
角色攔截器:
public class MyRoleFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] roles = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
for(String role:roles){
if(subject.hasRole(role)){
session.setAttribute("Allowed",true);
return true;
}
}
return false;
}
}
權限攔截器:
public class MyPermFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] perms = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
if(session.getAttribute("Allowed")!=null){
return true;
}
for(String perm:perms){
if(subject.isPermitted(perm)){
return true;
}
}
System.out.println(Arrays.toString(perms));
return false;
}
}
springMVC-servlet.xml生效filter配置
<!--自定義filter生效-->
<property name="filters">
<map>
<entry key="roles">
<bean class="filter.MyRoleFilter"/>
</entry>
<entry key="perms">
<bean class="filter.MyPermFilter"/>
</entry>
</map>
</property>
2、註解細粒度攔截
如需要攔截某個頁面的按鈕功能等
1)、@RequiresPermissions註解攔截,表示是否能點此按鈕
@RequiresPermissions("menu:edit")
@RequestMapping("/menu/list.html")
public String list(){
return "user";
}
修改menu的角色權限menu:*改爲其他權限,如:
menu:add
2)、在springMVC-servlet中加入配置文件開啓shiro註解
<!--啓用註解權限驗證-->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManger"/>
</bean>
<!--註解權限驗證要寫在mvc自容器中-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"></bean>
再登錄點擊會出現如下異常
頁面信息很不友好,可以自己定義頁面
自定義AuthExceptionHandler
@ControllerAdvice
public class AuthExceptionHandler {
//異常增強,Controller有異常才增強,不是所有異常都會增強
@ExceptionHandler({UnauthorizedException.class})//驗證不通過時,異常增強
@ResponseStatus(HttpStatus.UNAUTHORIZED)
public ModelAndView processUnauthenticatedException(NativeWebRequest request, UnauthorizedException e){
ModelAndView mv = new ModelAndView();
//拿到異常並返回異常頁面
mv.addObject("exception",e.getMessage());
mv.setViewName("error");
return mv;
}
}
添加error.jsp頁面
<body>
${exception}
</body>
設置filter包ControllerAdvice註解被掃描到
<context:component-scan base-package="controller,filter">
<!-- 掃描使用@Controller註解的JAVA 類 -->
<context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
<context:include-filter type="annotation" expression="org.springframework.web.bind.annotation.ControllerAdvice"/>
</context:component-scan>
再登錄訪問就是自定義的信息
六、動態驗證規則
將靜態規則動態化
重寫ShiroFilterFactoryBean中的setFilterChainDefinitions方法
package filter;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
@Override
public void setFilterChainDefinitions(String definitions) {
Ini ini = new Ini();
ini.load(definitions);
//設置針對url的過濾器
Ini.Section section = ini.getSection("urls");
if(CollectionUtils.isEmpty(section)){
section = ini.getSection("");
}
///如設置:menu/**=authc,roles[admin],每個url對應的權限可以從數據庫中查出來
section.put("/menu/**","roles[admin]");
this.setFilterChainDefinitionMap(section);
}
}
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
修改爲:
<bean id="shiroFilter" class="filter.MyShiroFilterFactoryBean">
注意:在controller中驗證失敗,走的是切面,在filter裏驗證失敗走的是直接是url
七、緩存
如securityManager實現了SessionsSecurityManager,其會自動判斷SessionManager是否實現了CacheManagerAware接口,如果實現了會把CacheManager設置給它。然後sessionManager會判斷相應的sessionDAO(如繼承自CachingSessionDAO)是否實現了CacheManagerAware,如果實現了會把CacheManager設置給它;帶緩存的SessionDAO會先查緩存,如果找不到才查數據庫。
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"/>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="MyShiroRealm"/>
<property name="cacheManager" ref="cacheManager"/>
</bean>
八、Shiro改造springboot權限管理項目
改造案例爲前面的後臺管理系統權限管理
原項目結構:
註釋掉Interceptor兩個類
引入依賴包
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
1、Shiro實現項目登錄改造
1)、自定義Realm
創建MyRealm繼承AuthorizingRealm
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.UserDAO;
import com.booy.ssm.exam.pojo.User;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component//把類交給Spring管理,可被掃描
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserDAO userDAO;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken;
User user = userDAO.getUserByAccount(token.getUsername());
//用戶不存在
if(user==null){
return null;
}
return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName());
}
}
2)、登錄功能改造
註釋掉service登錄功能
// User dologin(String account,String password);
SystemController代碼改造
登錄功能改造前
@RequestMapping("dologin.html")
public String dologin(String account, String password, Model model, HttpSession session){
User user = userService.dologin(account, password);
if(user==null){
model.addAttribute("message","用戶名或密碼錯誤!");
return "login";
}
session.setAttribute(ExamConstants.SESSION_USER,user);
return "redirect:index.html";
}
登錄功能改造後
//用戶登錄
@RequestMapping("dologin.html")
public String dologin(String account, String password, Model model, HttpSession session){
Subject subject = SecurityUtils.getSubject();
User user = userDAO.getUserByAccount(account);
UsernamePasswordToken token = new UsernamePasswordToken(account, MD5Utils.getLoginMD5(user.getSalt(), password));
try {
subject.login(token);
} catch (AuthenticationException e) {
e.printStackTrace();
model.addAttribute("message","用戶名或密碼錯誤!");
return "login";
}
return "redirect:index.html";
}
和session相關的改造
登錄退出改造
//用戶註銷
@RequestMapping("logout.html")
public String logout(HttpSession session){
//session.invalidate();
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "login";
}
菜單樹改造
User user =(User) session.getAttribute(ExamConstants.SESSION_USER);
List<Menu> menuList = menuService.getUserMenuList(user.getId());
修改爲
// User user =(User) session.getAttribute(ExamConstants.SESSION_USER);
Subject subject = SecurityUtils.getSubject();
List<Menu> menuList = menuService.getUserMenuList((int)subject.getPrincipal());
3)、創建配置類
package com.booy.ssm.exam;
import com.booy.ssm.exam.shiro.MyRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration//定義配置類
public class ShiroConfig {
//配置securityManager
@Bean
public DefaultWebSecurityManager securityManager(MyRealm realm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm);
return securityManager;
}
//設置shiroFilter
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/login.html");//登錄頁
shiroFilterFactoryBean.setSuccessUrl("/index.html");//登錄成功
shiroFilterFactoryBean.setUnauthorizedUrl("/error.html");//驗證失敗
return shiroFilterFactoryBean;
}
}
運行程序,打開http://localhost:8080/login.html測試登錄成功
2、改造角色權限功能
1)、增加查詢方法
根據菜單id查詢角色的sql方法
//根據菜單查角色
List<String> getRoleIdsByMenuId(Integer menuId);
2)、重寫ShiroFilterFactoryBean
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.MenuDAO;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.pojo.Menu;
import org.apache.shiro.config.Ini;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.util.CollectionUtils;
import org.springframework.util.StringUtils;
import java.util.List;
public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
private PremissionDAO premissionDAO;
private MenuDAO menuDAO;
@Override
public void setFilterChainDefinitions(String definitions) {
Ini ini = new Ini();
ini.load(definitions);
//設置針對url的過濾器
Ini.Section section = ini.getSection("urls");
if(CollectionUtils.isEmpty(section)){
section = ini.getSection("");
}
//數據庫查詢動態的角色權限
//獲取所有菜單
List<Menu> menus = menuDAO.getAllMenu();
for (Menu menu:menus){
//有url的目錄進行角色綁定
if(!StringUtils.isEmpty(menu.getUrl())){
List<String> roleIds = premissionDAO.getRoleIdsByMenuId(menu.getId());
if(roleIds!=null&&roleIds.size()>0){
section.put(menu.getUrl(),"roles"+roleIds);
}
}
}
// section.put("/menu/**","roles[admin]");
this.setFilterChainDefinitionMap(section);
}
//set方法注入PremissionDAO和MenuDAO
public void setPremissionDAO(PremissionDAO premissionDAO) {
this.premissionDAO = premissionDAO;
}
public void setMenuDAO(MenuDAO menuDAO) {
this.menuDAO = menuDAO;
}
}
3)、配置類
package com.booy.ssm.exam;
import com.booy.ssm.exam.dao.MenuDAO;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.shiro.MyFilter;
import com.booy.ssm.exam.shiro.MyRealm;
import com.booy.ssm.exam.shiro.MyShiroFilterFactoryBean;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.Filter;
import java.util.HashMap;
@Configuration//定義配置類
public class ShiroConfig {
//配置securityManager
@Bean
public DefaultWebSecurityManager securityManager(MyRealm realm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(realm);
securityManager.setCacheManager(cacheManager());//開啓緩存
return securityManager;
}
//設置shiroFilter
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager, PremissionDAO premissionDAO, MenuDAO menuDAO){
MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setLoginUrl("/login.html");//登錄頁
shiroFilterFactoryBean.setSuccessUrl("/index.html");//登錄成功
shiroFilterFactoryBean.setUnauthorizedUrl("/error.html");//驗證失敗
shiroFilterFactoryBean.setPremissionDAO(premissionDAO);
shiroFilterFactoryBean.setMenuDAO(menuDAO);
HashMap<String, Filter> map = new HashMap<>();
map.put("roles",new MyFilter());
shiroFilterFactoryBean.setFilters(map);
//配置靜態權限路徑
shiroFilterFactoryBean.setFilterChainDefinitions(
"/login.html=anon\n" +
"/dologin.html=anon\n" +
"/error.html=anon\n");
return shiroFilterFactoryBean;
}
//配置緩存
@Bean
public MemoryConstrainedCacheManager cacheManager(){
return new MemoryConstrainedCacheManager();
}
//讓權限註解生效
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager){
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
4)、完善MyRealm
doGetAuthorizationInfo方法
package com.booy.ssm.exam.shiro;
import com.booy.ssm.exam.dao.PremissionDAO;
import com.booy.ssm.exam.dao.UserDAO;
import com.booy.ssm.exam.pojo.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.List;
@Component//把類交給Spring管理,可被掃描
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserDAO userDAO;
@Autowired
private PremissionDAO permissionDAO;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Subject subject = SecurityUtils.getSubject();
List<Integer> roleIds = permissionDAO.getRoleByUserId((int) subject.getPrincipal());
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
if(roleIds!=null){
for(Integer roleId:roleIds){
simpleAuthorizationInfo.addRole(roleId.toString());
}
}
return simpleAuthorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token =(UsernamePasswordToken)authenticationToken;
User user = userDAO.getUserByAccount(token.getUsername());
//用戶不存在
if(user==null){
return null;
}
return new SimpleAuthenticationInfo(user.getId(),user.getPassword(),getName());
}
}
5)、自定義MyFilter
繼承AuthorizationFilter,實現擁有任意角色可訪問相應的權限
package com.booy.ssm.exam.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
public class MyFilter extends AuthorizationFilter {
@Override
protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object mappedValue) throws Exception {
String[] roles = (String[]) mappedValue;
Subject subject = SecurityUtils.getSubject();
for(String role:roles){
if(subject.hasRole(role)){
return true;
}
}
return false;
}
}