springboot+shiro

1.springboot整合shiro

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.1.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.qiao</groupId>
    <artifactId>hello-shiro</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>hello-shiro</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <!-- shiro thymeleaf整合 -->
        <dependency>
            <groupId>com.github.theborakompanioni</groupId>
            <artifactId>thymeleaf-extras-shiro</artifactId>
            <version>2.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <!-- 引入mysql驱动包 -->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.27</version>
        </dependency>
        <!-- 引入Druid依赖，阿里巴巴所提供的数据源 -->
        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.0.29</version>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.0</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.4.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>

        </plugins>

    </build>

</project>

其中shiro整合spring的依赖是

<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.4.1</version>
</dependency>

shiro和thymeleaf整合的依赖是

 <dependency>
     <groupId>com.github.theborakompanioni</groupId>
     <artifactId>thymeleaf-extras-shiro</artifactId>
     <version>2.0.0</version>
  </dependency>

2.shiro核心的API

　　1.Subject：主体，当前用户，与当前应用进行交互。所有Subject都要绑定到SercurityManager。

　　2.SecurityManager：安全管理器 ，管理所有的Subject，所有关于安全的操作都会与之交互。

　　3.Realm：域，Shiro从Realm获取授权，认证，安全管理器认证用户身份就需要从Realm获取用户进行比较。

　　使用Shiro需要自定义Realm继承AuthorizingRealm

　　覆写两个方法即可

　　

 　　AuthenticationInfo 用于认证

　　AuthorizationInfo 用于授权

3.使用shiro

配置ShiroConfig

@Configuration
public class ShiroConfig {
    //ShiroFilterFactoryBean 3.
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        //设置安全管理器
        bean.setSecurityManager(securityManager);
        //添加shiro的内置管理器
        /**
         * anon：无需认证即可访问
         * authc：必须认证才能访问
         * user：必须拥有 记住我 功能
         * perms：拥有对某个资源的权限才能访问
         * role：拥有某个角色权限才能访问
         * filter.put("/user/add", "authc");
         * filter.put("/user/update", "authc");
         */
        //拦截
        Map<String, String> filter = new LinkedHashMap<>();
        //授权 必须是user:add权限的才能访问
        filter.put("/user/add", "perms[user:add]");
        //授权 必须是user:add权限的才能访问
        filter.put("/user/update", "perms[user:update]");
        filter.put("/user/*", "authc");
        bean.setFilterChainDefinitionMap(filter);
        //设置登录的请求
        bean.setLoginUrl("/toLogin");
        //设置未授权请求页面
        bean.setUnauthorizedUrl("/unAuthor");
        return bean;
    }

    //DefaultWebSecurityManager 2.
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(UserRealm userRealm){
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        //关联UserRealm
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    //创建realm类，自定义
    @Bean
    public UserRealm userRealm(){
        return new UserRealm();
    }

    //整合shiroDialect 用于thymeleaf和shiro标签配合使用
    @Bean
    public ShiroDialect shiroDialect(){
        return new ShiroDialect();
    }
}

自定义UserRealm

public class UserRealm extends AuthorizingRealm {
    @Autowired
    UserService userService;
    //授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行授权==》doGetAuthorizationInfo");

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

        //拿到当前登录的这个对象
        Subject subject = SecurityUtils.getSubject();
        User currentUser = (User) subject.getPrincipal();
        //如果没有权限，权限为null，就返回null
        if (currentUser.getPerms() == null){
            return null;
        }
        //设置权限~从数据库查寻
        info.addStringPermission(currentUser.getPerms());
        return info;
    }
    //认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        System.out.println("执行认证==》AuthenticationInfo");
       //连接真实的数据库
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        User user = userService.queryUserByName(userToken.getUsername());
        //把登录用户塞进shiro的session shiro有自己独立的session~这也是为什么shiro可以脱离web使用
        Subject subject = SecurityUtils.getSubject();
        Session session = subject.getSession();
        session.setAttribute("loginUser", user);
        if(user == null){
            throw new UnknownAccountException();
        }
        //盐值
        String saltPassword = ShiroUtil.saltPassword(userToken.getPassword(), user.getSaltValue());
        // userToken.getPassword() 获取用户输入的密码
        if (!user.getPwd().equals(saltPassword)){
            throw new IncorrectCredentialsException();
        }
        //密码认证，由shiro做~ 为了防止密码泄露  第4个参数是realm名称
        return new SimpleAuthenticationInfo(user, userToken.getPassword(), ByteSource.Util.bytes(user.getSaltValue()), this.getName());
    }
}

需要密码加密，创建工具类ShiroUtil

public class ShiroUtil {
    public static String createSalt(){
        //生成32的随机盐值
        return UUID.randomUUID().toString().replaceAll("-", "");
    }
    /**
     * @param srcPwd    原始密码
     * @param saltValue 盐值
     */
    public static String saltPassword(Object srcPwd, String saltValue){
        return new SimpleHash("MD5", srcPwd, saltValue, 1024).toString();
    }
}

创建实体类User

@Data
@AllArgsConstructor
@NoArgsConstructor
public class User {
    private Integer id;
    private String name;
    private String pwd;
    private String perms;
    /**
     * 盐值
     */
    private String saltValue;

}

我这里使用的mybatis，创建UserMapper接口，直接使用注解写sql(不喜欢XML)

@Repository
@Mapper
public interface UserMapper {
    @Select("select * from mybatis.user where name = #{name}")
    public User queryUserByName(String name);
    @Insert("insert into mybatis.user(name,pwd,perms,saltValue) values(#{name},#{pwd},#{perms},#{saltValue})")
    public void insertUser(User user);
}

创建Service接口和实现类，用于获取数据

public interface UserService {
    public User queryUserByName(String name);
    public void insertUser(User user);
}

@Service
public class UserServiceImpl implements UserService {
    @Autowired
    UserMapper userMapper;
    @Override
    public User queryUserByName(String name) {
        return userMapper.queryUserByName(name);
    }

    @Override
    public void insertUser(User user) {
        userMapper.insertUser(user);
    }
}

创建一个简陋的主页、登录和注册页面

index.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
      xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro">
<head>
    <meta charset="UTF-8">
    <title>首页</title>
</head>
<body>
    <h1>首页</h1>
    <div th:if="${session.loginUser==null}">
        <a th:href="@{/toLogin}">登录</a>
    </div>
    <div th:if="${session.loginUser==null}">
        <a th:href="@{/toRegister}">注册</a>
    </div>
    <div th:if="${session.loginUser!=null}">
        <a th:href="@{/logout}">退出</a>
    </div>
    <p>hello,shiro</p>
    <div shiro:hasPermission="user:add">
        <a th:href="@{/user/add}">add</a>
    </div>
    <div shiro:hasPermission="user:update">
    <a th:href="@{/user/update}">update</a>
    </div>
</body>
</html>

   xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro" 在thymeleaf中使用shiro标签的命名空间

login.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>登录</title>
</head>
<body>
<p th:text="${msg}" style="color: red;"></p>
<form th:action="@{/login}" method="post">
    <p>用户名：<input type="text" name="username"></p>
    <p>密&emsp;码：<input type="text" name="password"></p>
    <input type="submit">
</form>
</body>
</html>

register.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>注册</title>
</head>
<body>
<h1>注册</h1>
<form th:action="@{/register}" method="post">
    <p>用户名：<input type="text" name="username"></p>
    <p>密&emsp;码：<input type="text" name="password"></p>
    <input type="submit">
</form>
</body>
</html>

yml配置文件

spring:
  datasource:
    username: root
    password: 123456
    #?serverTimezone=UTC解决时区的报错
    url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8
    driver-class-name: com.mysql.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource

    #Spring Boot 默认是不注入这些属性值的，需要自己绑定
    #druid 数据源专有配置
    initialSize: 5
    minIdle: 5
    maxActive: 20
    maxWait: 60000
    timeBetweenEvictionRunsMillis: 60000
    minEvictableIdleTimeMillis: 300000
    validationQuery: SELECT 1 FROM DUAL
    testWhileIdle: true
    testOnBorrow: false
    testOnReturn: false
    poolPreparedStatements: true

    #配置监控统计拦截的filters，stat:监控统计、log4j：日志记录、wall：防御sql注入
    #如果允许时报错  java.lang.ClassNotFoundException: org.apache.log4j.Priority
    #则导入 log4j 依赖即可，Maven 地址： https://mvnrepository.com/artifact/log4j/log4j
    filters: stat,wall,log4j
    maxPoolPreparedStatementPerConnectionSize: 20
    useGlobalDataSourceStat: true
    connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500

数据表

非原创，仅是在学习西部狂神-秦疆的课程的基础上加了撒盐加密的功能

附上参考代码，继续努力~ https://github.com/Sevenwsq/springboot-shiro.git