shiro权限
使用url配置控制鉴权授权:
配置缩写 功能
anon 指定url可以匿名访问
authc 指定url需要form表单登录,注销不关闭浏览器也会清除session
authcBasic 指定url需要basic登录,注销不关闭浏览器就不清除session
logout 登出过滤器,配置指定url就可以实现退出功能
noSessionCreation 禁止创建会话
roles 需要指定角色才能访问
perms 需要指定权限才能访问
port 需要指定端口才能访问
rest 将http请求方法转化成相应的动词来构造一个权限字符串,意义不大
ssl 需要https请求才能访问
user 需要已登录或“记住我”的用户才能访问
如果使用thymeleaf模板渲染需要加入标签
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-VhCytnx5-1621867672512)(…/Typoraimage/1607063188497.png)]
导入依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.6.0</version>
</dependency>
<!-- thymeleaf整合shiro标签 -->
<!--https://mvnrepository.com/artifact/com.github.theborakompanioni/thymeleaf-extras-shiro->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
<!--redis-shiro-->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>3.3.1</version>
</dependency>
<!--@ConfigurationProperties导入配置yml文件的依赖-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
配置yml文件
server:
servlet:
context-path: /shiro
port: 2001
mybatis:
type-aliases-package: com.lhh.pojo
configuration:
auto-mapping-behavior: full
use-generated-keys: true
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
spring:
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql:///roles?serverTimezone=UTC
username: root
password: 123
jackson:
date-format: yyyy-MM-dd HH:mm
time-zone: GMT+8
#spring:
#静态文件请求匹配方式
mvc:
static-path-pattern: /**
resources:
static-locations: classpath:/templates/,classpath:/META-INF/resources/,classpath:/resources/,classpath:/static/,classpath:/public/
thymeleaf:
encoding: UTF-8
cache: false
redis: #配置redis 使用redis session
database: 0
host: 127.0.0.1
port: 6379
#password:
timeout: 60s
jedis:
pool:
max-active: 8
max-wait: -1
max-idle: 5
min-idle: -1
shiro: #把常用和直接放行的页面配置到yml文件
perms:
- url: /js/**
permission: anon
- url: /index
permission: anon
- url: /doRegist
permission: anon
- url: /doLogin
permission: anon
- url: /logout
permission: logout
- url: /**
permission: authc
获取yml文件里面的shiro配置,创建类
@EnableConfigurationProperties(ShiroProperties.class) //可有可无
@ConfigurationProperties(prefix = "shiro") //获取yml文件里面的shiro
@Component
@Data
public class ShiroProperties {
private List<Map<String,String>> perms; //要和yml文件中的shiro下面的perms一样,上面一样的
}
MD5配置类
public class MD5Pwd {
public static final String ALGORITHM_NAME = "MD5"; // 基础散列算法
public static final int HASH_ITERATIONS = 15; // 自定义散列次数
/**
* MD5加密
* @param username
* @param password
* @return
*/
public static String MD5Pwd(String username, String password) {
// salt盐值 username
ByteSource salt = ByteSource.Util.bytes(username);
String md5Pwd = new SimpleHash(ALGORITHM_NAME, password,
salt, HASH_ITERATIONS).toHex();
return md5Pwd;
}
/* public static void main(String[] args) {
//加密的字符串
String pwd = "123456";
//盐值,用于和密码混合起来用
ByteSource salt = ByteSource.Util.bytes("accp");
//通过SimpleHash来进行加密操作
SimpleHash hash = new SimpleHash(ALGORITHM_NAME, pwd, salt, HASH_ITERATIONS);
System.out.println("admin:" + MD5Pwd("admin", pwd));
//toString()就是调用toHex()
System.out.println("accp:" + hash.toString());
System.out.println(salt.toHex() + "\t" + ByteSource.Util.bytes("admin").toHex());
}*/
}
创建用户realm
package com.lhh.shiro;
import com.lhh.pojo.Users;
import com.lhh.service.UsersService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
/**
* 认证和授权
* Created by tym
*/
public class UsersRealm extends AuthorizingRealm {
@Autowired //调用业务逻辑层
private UsersService service;
/**
* 鉴权(认证)
* 控制器调用subject.login(token)将调用该方法
* @param authenticationToken
* @return
* @throws AuthenticationException
* 身份验证 验证账户和密码,并返回相关信息
*/
/*@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("进入鉴权:");
UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;
//调用service根据用户名查询数据库获得Users对象
Users user = service.findUsersByName(token.getUsername());
System.out.println("user:"+user);
if(user==null){
//抛出UnknownAccountException
return null;
}
return new SimpleAuthenticationInfo(user,user.getPassword(),"");
}*/
/**
* 授权
* @param principalCollection
* @return
* 权限获取 获取指定身份的权限,并返回相关信息
*/
/*@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("进入授权:"+service);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//获得当前登录用户
Subject subject = SecurityUtils.getSubject();
//
Object user = subject.getPrincipal();
//System.out.println("class:"+user.getClass());
//和上面一样,都是可以获取到查询到的用户
Users user2 = (Users)principalCollection.getPrimaryPrincipal();
System.out.println(user+"\t"+user2);
//info.addStringPermissions(new ArrayList<>());
info.addStringPermission(user2.getPermission());
info.addRole(user2.getRoles());
//获取用户的权限
System.out.println("permissions:"+user2.getPermission());
//获取用户的角色
System.out.println("roles:"+user2.getRoles());
return info;
}*/
/**
* 加密认证,
执行步骤,先进行鉴权,同时把明文密码进行MD5加密与数据库比较,在进行授权
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
System.out.println("登录鉴权:");
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
//调用service根据用户名查询数据库获得Users对象
Users user = service.findUsersByName(token.getUsername());
if (user == null) {
//抛出UnknownAccountException
return null;
}
//第三个参数:盐值(这个盐是 username)解释:根据这个盐值进行随机加密
ByteSource salt = ByteSource.Util.bytes(user.getUsername());
//第四个参数:获取这个Realm的信息
String name = this.getName();
// salt-->aGg= com.lhh.shiro.UsersRealm_0
System.out.println("salt-->"+salt + "\t" + name);
return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), salt, name);
}
/**
* 授权
*
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("授权:" + service);
//创建授权
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//获得当前登录用户
Subject subject = SecurityUtils.getSubject();
String username = (String) subject.getPrincipal();
Users user = service.findUsersByName(username);
info.addRole(user.getRoles()); //添加角色
info.addStringPermission(user.getPermission()); //添加权限
System.out.println("permissions:" + user.getPermission());
System.out.println("roles:" + user.getRoles());
return info;
}
/**
* 自定义清空缓存方法
*/
public void clearCached(){
//清空缓存
//super.clearCachedAuthenticationInfo(SecurityUtils.getSubject().getPrincipals());
super.clearCachedAuthorizationInfo(SecurityUtils.getSubject().getPrincipals());
//super.clearCache(SecurityUtils.getSubject().getPrincipals());
}
}
创建shiro权限配置
package com.lhh.shiro;
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.crazycake.shiro.RedisCacheManager;
import org.crazycake.shiro.RedisManager;
import org.crazycake.shiro.RedisSessionDAO;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.annotation.Resource;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
/**
* Created by tym
*/
@Configuration
public class ShiroConfig {
//注入配置文件的类
@Resource
private ShiroProperties shiroProperties;
/**
* 创建ShiroFilterFactoryBean
*/
//@Bean
//public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
// 1.定义shiroFactoryBean
// ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
// 2.设置securityManager
// factory.setSecurityManager(securityManager);
// 3.LinkedHashMap是有序的,进行顺序拦截器配置,也就是前面匹配放过后不会执行后面拦截,不用HashMaps是因为他是无序的
//anon:无须认证 authc:必须认证 perms:授权 roles:角色
// Map<String, String> filterMap = new LinkedHashMap<>();
//放过静态资源,默认静态映射static,所以不要加
// filterMap.put("/**", "authc");
// filterMap.put("/js/**", "anon");//anon代表游客可以直接通过
// filterMap.put("/index", "anon");
// filterMap.put("/doRegist", "anon");
// filterMap.put("/unauth", "anon");
// filterMap.put("/doLogin", "anon");
// 4.配置logout过滤器
// filterMap.put("/logout", "logout");//登出过滤器,配置指定url就可以实现退出功能
// 5.除了上面的其他url必须通过认证才可以访问
// filterMap.put("/add","roles[admins]"); //登录用户的角色
//filterMap.put("/update","roles[manager]");
//filterMap.put("/update","perms [user:update]");//登录用户的权限
//filterMap.put("/**", "authc");
//注意顺序:这里的已经被上面拦截不能过去
//filterMap.put("/index","anon");
// 6.设置默认登录的url
// factory.setLoginUrl("/login");
// 7.设置未授权界面
// factory.setUnauthorizedUrl("/unauth");
// 8.设置shiroFilterFactoryBean的FilterChainDefinitionMap
// factory.setFilterChainDefinitionMap(filterMap);
// return factory;
// }
/**
* 创建ShiroFilterFactoryBean
*/
@Bean //已启动就读取配置文件
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
factory.setSecurityManager(securityManager);
/**
* 为什么使用LinkedHashMap 是因为有序的,而不使用HashMap是因为他是无序的
*
*/
Map<String, String> filterMap = new LinkedHashMap<>();
//获取配置文件
List<Map<String, String>> perms = shiroProperties.getPerms();
//将List<Map<String,Obejct>> 转换为LinkedHashMap
perms.forEach(m -> {
System.out.println(m);
//使用url作为键,使用permission作为值
filterMap.put(m.get("url"), m.get("permission"));
});
System.out.println("map2:" + filterMap);
//追加设置
factory.setLoginUrl("/login"); //设置默认登录页面
factory.setUnauthorizedUrl("/unauth"); //设置默认的未授权页面
factory.setFilterChainDefinitionMap(filterMap);
return factory;
}
/**
* 创建DefaultWebSecurityManager
*/
@Bean
public DefaultWebSecurityManager securityManager(Realm usersRealm) {
DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
// 将自定义的realm交给SecurityManager管理
sm.setRealm(usersRealm);
// 自定义缓存实现 使用redis
sm.setCacheManager(cacheManager());
// 自定义session管理 使用redis
sm.setSessionManager(sessionManager());
return sm;
}
/**
* 创建Realm
*
*/
@Bean
public UsersRealm usersRealm(HashedCredentialsMatcher hcm) {
//创建realm自己创建,这里使用
UsersRealm realm = new UsersRealm();
realm.setCachingEnabled(true);
realm.setAuthorizationCachingEnabled(true);
//设置加密
realm.setCredentialsMatcher(hcm);
return realm;
}
@Bean //密码加密配置
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hcm = new HashedCredentialsMatcher();
hcm.setHashAlgorithmName(MD5Pwd.ALGORITHM_NAME); // 散列算法
hcm.setHashIterations(MD5Pwd.HASH_ITERATIONS); // 散列次数
return hcm;
}
/**
* 用于thymeleaf和shiro标签整合
* 没有标签不起作用
*
* @return
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
/**
* redisManager
*/
public RedisManager redisManager() {
RedisManager redisManager = new RedisManager();
//单位秒,默认2000,设置缓存时间
// redisManager.setTimeout(500);
return redisManager;
}
/**
* cacheManager
*/
public RedisCacheManager cacheManager() {
RedisCacheManager redisCacheManager = new RedisCacheManager();
redisCacheManager.setRedisManager(redisManager());
//设置redis中的缓存时间
redisCacheManager.setExpire(300);
return redisCacheManager;
}
/**
* redisSessionDAO
* 跟会话有关系
*/
public RedisSessionDAO redisSessionDAO() {
RedisSessionDAO redisSessionDAO = new RedisSessionDAO();
redisSessionDAO.setRedisManager(redisManager());
return redisSessionDAO;
}
/**
* sessionManager
*/
public DefaultWebSessionManager sessionManager() {
DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setSessionDAO(redisSessionDAO());
//设置redis session的时间 ,如果设置这个那么在redis界面展示的就是-1,这的值没有效果
// sessionManager.setGlobalSessionTimeout(500);
return sessionManager;
}
}
Controller 权限的控制是配置文件和注解一起使用
package com.lhh.controller;
import com.lhh.pojo.Users;
import com.lhh.service.UsersService;
import com.lhh.shiro.MD5Pwd;
import com.lhh.shiro.UsersRealm;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.mgt.RealmSecurityManager;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;
@Controller
public class UsersController {
@Autowired
private UsersService service;
@RequestMapping("/index")
public String index() {
System.out.println("index:");
return "index";
}
@RequestMapping("/login")
public String login() {
System.out.println("login:");
return "login";
}
/**
* 登陆方法
* @param user
* @param model
* @return
*/
@RequestMapping("/doLogin")
public String doLogin(Users user, Model model) {
System.out.println("doLogin:");
/**
* 通常我们会将Subject对象理解为一个用户,同样的它也有可能是一个三方程序,
* 它是一个抽象的概念,可以理解为任何与系统交互的“东西”都是Subject
*/
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword());
try {
//登录
subject.login(token);
return "success";
} catch (UnknownAccountException e) {
//用户不存在
model.addAttribute("msg", "用户不存在");
return "login";
} catch (IncorrectCredentialsException e) {
//密码不正确
model.addAttribute("msg", "密码不正确");
return "login";
}
}
@PostMapping("/doRegist") //注册方法
public String doRegist(Users user) {
user.setPassword(MD5Pwd.MD5Pwd(user.getUsername(), user.getPassword()));
if (service.saveUsers(user))
return "login";
return "index";
}
/**
* 角色和权限同时满足
*
* @return
*/
@RequestMapping("/add")
@RequiresRoles("admins") //代表需要角色
@RequiresPermissions({"user:add"}) //代表需要权限
public String add() {
System.out.println("add:");
return "add";
}
@RequestMapping("/update")
@RequiresRoles("manager")//代表需要角色
@RequiresPermissions("user:update")//代表需要权限
//@RequiresPermissions({"user:update","user:add"}) //同时拥有,既要有角色还需要拥有权限必须同时存在
public String update() {
System.out.println("update:");
return "update";
}
@RequestMapping("/unauth")
public String unauth() {
System.out.println("unauth:");
return "unauth";
}
@ExceptionHandler(UnauthorizedException.class)
public String handleShiroException(Exception ex) {
return "unauth";
}
/**
* 清空缓存
* @return
*/
@ResponseBody
@GetMapping("/clear")
public String clear(){
RealmSecurityManager rsm = (RealmSecurityManager)SecurityUtils.getSecurityManager();
UsersRealm realm = (UsersRealm)rsm.getRealms().iterator().next();
realm.clearCached();
return "success";
}
}
问题:只传用户名为什么但是数据库存储的是使用MD5加密的密码,但是也会进验证
1.首先我们在shiro权限配置文件里面进行加密配置,设置使用方法加密,在HashedCredentialsMatcher
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Z1dlRq8b-1621867672515)(…/Typoraimage/1607070469614.png)]
进行配置
2.在创建自定义realm的时候进行配置
.class)
public String handleShiroException(Exception ex) {
return “unauth”;
}
/**
* 清空缓存
* @return
*/
@ResponseBody
@GetMapping("/clear")
public String clear(){
RealmSecurityManager rsm = (RealmSecurityManager)SecurityUtils.getSecurityManager();
UsersRealm realm = (UsersRealm)rsm.getRealms().iterator().next();
realm.clearCached();
return "success";
}
}
### 问题:只传用户名为什么但是数据库存储的是使用MD5加密的密码,但是也会进验证
1.首先我们在shiro权限配置文件里面进行加密配置,设置使用方法加密,在HashedCredentialsMatcher
[外链图片转存中...(img-Z1dlRq8b-1621867672515)]
进行配置
2.在创建自定义realm的时候进行配置
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-XhQvQT3Y-1621867672516)(../Typoraimage/1607070445265.png)]
扫一扫
278
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
