目录
1.添加依赖
2.建立缓存文件
3. shiro配置类
4.授权认证类
5.登录的Controller类
6.shiro使用举例
简介:Shiro是apache旗下一个开源安全框架,它将软件系统的安全认证相关的功能抽取出来,实现用户身份认证、权限授权、加密、会话管理等功能,组成了一个通用的安全认证框架。
1.添加依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<!-- 兼容于thymeleaf的shiro -->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>
2.建立缓存文件
ehcache-shiro.xml (只需创建无需更改内容),放在如图位置
<ehcache updateCheck="false" name="cacheManagerConfigFile">
<!--
name:缓存名称。
maxElementsInMemory:缓存最大个数。
eternal:对象是否永久有效,一但设置了,timeout将不起作用。
timeToIdleSeconds:设置对象在失效前的允许闲置时间(单位:秒)。仅当eternal=false对象不是永久有效时使用,可选属性,默认值是0,也就是可闲置时间无穷大。
timeToLiveSeconds:设置对象在失效前允许存活时间(单位:秒)。最大时间介于创建时间和失效时间之间。仅当eternal=false对象不是永久有效时使用,默认是0.,也就是对象存活时间无穷大。
overflowToDisk:当内存中对象数量达到maxElementsInMemory时,Ehcache将会对象写到磁盘中。
diskSpoolBufferSizeMB:这个参数设置DiskStore(磁盘缓存)的缓存区大小。默认是30MB。每个Cache都应该有自己的一个缓冲区。
maxElementsOnDisk:硬盘最大缓存个数。
diskPersistent:是否缓存虚拟机重启期数据 Whether the disk store persists between restarts of the Virtual Machine. The default value is false.
diskExpiryThreadIntervalSeconds:磁盘失效线程运行时间间隔,默认是120秒。
memoryStoreEvictionPolicy:当达到maxElementsInMemory限制时,Ehcache将会根据指定的策略去清理内存。默认策略是LRU(最近最少使用)。你可以设置为FIFO(先进先出)或是LFU(较少使用)。
clearOnFlush:内存数量最大时是否清除。
-->
<defaultCache maxElementsInMemory="10000" eternal="false"
timeToIdleSeconds="120" timeToLiveSeconds="120" overflowToDisk="false"
diskPersistent="false" diskExpiryThreadIntervalSeconds="120"
memoryStoreEvictionPolicy="LRU"/>
<!-- 登录记录程序锁定1分钟 -->
<cache name="shiro-activeSessionCache" eternal="false"
maxElementsInMemory="10000" overflowToDisk="false" timeToIdleSeconds="0"
timeToLiveSeconds="0" statistics="true"/>
</ehcache>
3. shiro配置类
ShiroConfig.java中可以对资源地址的访问进行限制,在shirFilter方法中进行put操作即可实现,其他方法无需修改。
import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 必须设置 SecurityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
// 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
//访问的是后端url地址为 /login的接口,/未登录页面,会跳转到登录页面
shiroFilterFactoryBean.setLoginUrl("/login");
// 登录成功后要跳转的链接
shiroFilterFactoryBean.setSuccessUrl("/index");
// 未授权界面;,基于AOP拦截,都会到登录页面
shiroFilterFactoryBean.setUnauthorizedUrl("/login");
// 拦截器.
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
// 配置不会被拦截的链接 顺序判断,anon放开,不会拦截,authc会拦截
filterChainDefinitionMap.put("/assets/**", "anon");
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/images/**", "anon");
filterChainDefinitionMap.put("/fonts/**", "anon");
filterChainDefinitionMap.put("/login", "anon");
filterChainDefinitionMap.put("/userLogin", "anon");
filterChainDefinitionMap.put("/registerUser", "anon");
filterChainDefinitionMap.put("/register", "anon");
filterChainDefinitionMap.put("/**", "authc");
System.out.println("Shiro拦截器工厂类注入成功");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return shiroFilterFactoryBean;
}
/**
* 缓存
* @return
*/
@Bean
public EhCacheManager getEhCacheCache() {
EhCacheManager em = new EhCacheManager();
em.setCacheManagerConfigFile("classpath:ehcache-shiro.xml");
return em;
}
/**
* 代理
* @return
*/
@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator();
daap.setProxyTargetClass(true);
return daap;
}
@Bean
public DefaultWebSessionManager getDefaultWebSessionManager() {
DefaultWebSessionManager defaultWebSessionManager = new DefaultWebSessionManager();
defaultWebSessionManager.setSessionDAO(getMemorySessionDAO());
defaultWebSessionManager.setGlobalSessionTimeout(1 * 60 * 60 * 1000);
defaultWebSessionManager.setSessionValidationSchedulerEnabled(true);
defaultWebSessionManager.setSessionIdCookieEnabled(true);
defaultWebSessionManager.setSessionIdCookie(getSimpleCookie());
return defaultWebSessionManager;
}
@Bean
public MemorySessionDAO getMemorySessionDAO() {
MemorySessionDAO memorySessionDAO = new MemorySessionDAO();
memorySessionDAO.setSessionIdGenerator(javaUuidSessionIdGenerator());
return memorySessionDAO;
}
@Bean
public JavaUuidSessionIdGenerator javaUuidSessionIdGenerator() {
return new JavaUuidSessionIdGenerator();
}
/**
* cookie对象
* @return
*/
@Bean
public SimpleCookie getSimpleCookie() {
SimpleCookie simpleCookie = new SimpleCookie();
simpleCookie.setName("security.session.id");
//<!-- 记住我cookie生效时间30天 ,单位秒;-->
simpleCookie.setMaxAge(259200);
simpleCookie.setPath("/");
return simpleCookie;
}
/**
* cookie管理对象;
* @return
*/
/*@Bean
public CookieRememberMeManager rememberMeManager(){
System.out.println("ShiroConfiguration.rememberMeManager()");
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCookie(getSimpleCookie());
return cookieRememberMeManager;
}*/
@Bean
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
* 注入 securityManager
*/
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(
ShiroRealm shiroRealm) {
DefaultWebSecurityManager dwsm = new DefaultWebSecurityManager();
// 关联realm.
dwsm.setRealm(shiroRealm);
//用户授权/认证信息Cache,采用EhCache缓存
dwsm.setCacheManager(getEhCacheCache());
dwsm.setSessionManager(getDefaultWebSessionManager());
//注入记住我管理器;
/* dwsm.setRememberMeManager(rememberMeManager());*/
return dwsm;
}
@Bean
public ShiroRealm shiroRealm(EhCacheManager cacheManager) {
ShiroRealm shiroRealm = new ShiroRealm();
shiroRealm.setCacheManager(cacheManager);
return shiroRealm;
}
//开启shiro注解支持
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(ShiroRealm shiroRealm){
AuthorizationAttributeSourceAdvisor aasa =new AuthorizationAttributeSourceAdvisor();
aasa.setSecurityManager(getDefaultWebSecurityManager(shiroRealm));
return aasa;
}
/**
* 配置前台页面thymeleaf页面的标签
* @return
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
}
4.授权认证类
ShiroRealm.java 中,可以对对角色给予自定义授权和登录验证,权限命名由个人决定。
import com.management.novel.common.service.LoginService;
import com.management.novel.pojo.User;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;
import org.springframework.beans.factory.annotation.Autowired;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
public class ShiroRealm extends AuthorizingRealm {
@Autowired
private SessionDAO sessionDAO;
@Autowired
private LoginService loginService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection auth) {
//授权
String userCode = (String)auth.getPrimaryPrincipal();
System.out.println("进入到授权Realm中:"+userCode);
List<String> roleList=new ArrayList<String>();
List<String> permissionList=new ArrayList<String>();
int role_level=loginService.getUserByUserCode(userCode).getUserRole();
//根据角色,自定义给予权限
if (role_level==1) {
roleList.add("STAFF");
permissionList.add("ADMIN:STAFF:NOVEL");
permissionList.add("ADMIN:STAFF:BILL");
}else if(role_level==2){
roleList.add("STAFF");
roleList.add("ADMIN");
permissionList.add("ADMIN:USER");
permissionList.add("ADMIN:NOVEL");
permissionList.add("ADMIN:BILL");
permissionList.add("ADMIN:STAFF:NOVEL");
permissionList.add("ADMIN:STAFF:BILL");
}
SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addRoles(roleList);
simpleAuthorizationInfo.addStringPermissions(permissionList);
return simpleAuthorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken auth) throws AuthenticationException {
//认证
String userCode = (String)auth.getPrincipal();
System.out.println("进入到认证Realm中:"+ userCode);
//在认证之前判断当前登录用户,只允许一个账号登录
Collection<Session> sessions = sessionDAO.getActiveSessions();
for (Session session : sessions){
String loginedUsername = String.valueOf(session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY));
if(userCode.equals(loginedUsername)){
session.setTimeout(0);
break;
}
}
//在数据库中查询用户,判断密码
User dbuser = loginService.getUserByUserCode(userCode);
//通过用户名在数据库中拿到,判断用户名和密码对不对
if(dbuser!=null ){
SimpleAuthenticationInfo authInfo = new SimpleAuthenticationInfo(userCode, dbuser.getPassWord(), "userRealm");
return authInfo;
}
return null;
}
}
5.登录的Controller类
使用shiro完成登录功能,登陆后会根据我们自己在ShiroRealm.java中定义的内容进行授权。
@RequestMapping("/userlogin")
public String userLogin(User user, Model model, HttpSession session){
User u = loginService.getUserByUserCode(user.getUserCode());
if(u==null){
model.addAttribute("userCode",user.getUserCode());
model.addAttribute("passWord",user.getPassWord());
model.addAttribute("message","用户名不存在");
return "login";
}
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken auth = new UsernamePasswordToken(user.getUserCode(), user.getPassWord());
try {
subject.login(auth);
session.setAttribute("userinfo",u);
if(u.getUserRole()==0) return "index";
if(u.getUserRole()==1) return "admin-index";
if(u.getUserRole()==2) return "admin-index";
}catch (Exception e){
model.addAttribute("userCode",user.getUserCode());
model.addAttribute("passWord",user.getPassWord());
model.addAttribute("message","用户名或密码有误");
}
return "login";
}
@RequestMapping("/loginOut")
public String loginOut(HttpSession session) {
// session.invalidate();
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "redirect:/login";
}
到此shiro框架整合成功,下面是使用方法。
6.shiro使用举例
前端界面需要在头部命名才可以使用shiro属性,对于无权限的用户在界面中相应的标签则不会加载。
<html lang="en" xmlns:th="http://www.thymeleaf.org" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<p shiro:hasRole="ADMIN">ADMIN角色</p>
<p shiro:hasRole="USER">USER角色</p>
<p shiro:hasRole="SUPERMANE">SUPERMAN角色</p>
<p shiro:hasPermission="ADMIN:USER:UPDATA">UPDATA权限</p>
<p shiro:hasPermission="ADMIN:USER:DELETE">DELETE权限</p>
<p shiro:hasPermission="ADMIN:USER:INSERT">INSERT权限</p>
<p shiro:hasPermission="ADMIN:USER:SELECT">SELECT权限</p>
后端接口shiro权限管理使用方法如下
@RequiresPermissions({"ADMIN:UPDATE"})
@PutMapping("/edit")
public String editBill(Bill bill){
billMapper.updateBill(bill);
System.out.println("成功修改为"+bill.toString());
return "bill";
}