Shiro框架

1、Shiro简介

1.1、什么是Shiro?

  • Apache Shiro是一个Java的安全(权限)框架。
  • Shiro可以非常容易的开发出足够好的应用,其不仅可以用在JavaSE环境,也可以用在JavaEE环境。
  • Shiro可以完成,认证,授权,加密,会话管理,Web集成,缓存等。
  • 下载地址:http://shiro.apache.org/

SpringBoot整合Shiro框架 - 图1

1.2、有哪些功能?

SpringBoot整合Shiro框架 - 图2

  • Authentication:身份认证、登录,验证用户是不是拥有相应的身份;

  • Authorization:授权,即权限验证,验证某个已认证的用户是否拥有某个权限,即判断用户能否进行什么操作,如:验证某个用户是否拥有某个角色,或者细粒度的验证某个用户对某个资源是否具有某个权限!

  • Session Manager:会话管理,即用户登录后就是第一次会话,在没有退出之前,它的所有信息都在会话中;
    会话可以是普通的JavaSE环境,也可以是Web环境;

  • Cryptography:加密,保护数据的安全性,如密码加密存储到数据库中,而不是明文存储;

  • Web Support:Web支持,可以非常容易的集成到Web环境

  • Caching:缓存,比如用户登录后,其用户信息,拥有的角色、权限不必每次去查,这样可以提高效率

  • Concurrency:Shiro支持多线程应用的并发验证,即,如在一个线程中开启另一个线程,能把权限自动的传播过去

  • Testing:提供测试支持;

  • RunAs:允许一个用户假装为另一个用户(如果他们允许)的身份进行访问;

  • Remember Me:记住我,这个是非常常见的功能,即一次登录后,下次再来的话不用登录了

1.3、Shiro架构(外部)

  1. 从外部来看Shiro,即从应用程序角度来观察如何使用shiro完成工作

SpringBoot整合Shiro框架 - 图3

  • subject:应用代码直接交互的对象是Subject,也就是说Shiro的对外API核心就是Subject,Subject代表了当前的用户,这个用户不一定是一个具体的人,与当前应用交互的任何东西都是Subject,如网络爬虫,机器人等,与Subject的所有交互都会委托给SecurityManager;Subject其实是一个门面,SecurityManageer才是实际的执行者

  • SecurityManager:安全管理器,即所有与安全有关的操作都会与SercurityManager交互,并且它管理着所有的Subject,可以看出它是Shiro的核心,它负责与Shiro的其他组件进行交互,它相当于SpringMVC的DispatcherServlet的角色

  • Realm:Shiro从Realm获取安全数据(如用户,角色,权限),就是说SecurityManager要验证用户身份,那么它需要从Realm获取相应的用户进行比较,来确定用户的身份是否合法;也需要从Realm得到用户相应的角色、权限,进行验证用户的操作是否能够进行,可以把Realm看成DataSource;

1.4、Shiro架构(内部)

SpringBoot整合Shiro框架 - 图4

  • Subject:任何可以与应用交互的用户;
  • Security Manager:相当于SpringMVC中的DispatcherServlet;是Shiro的心脏,所有具体的交互都通过
    Security Manager进行控制,它管理者所有的Subject,且负责进行认证,授权,会话,及缓存的管理。
  • Authenticator:负责Subject认证,是一个扩展点,可以自定义实现;可以使用认证策略(AuthenticationStrategy),即什么情况下算用户认证通过了;
  • Authorizer:授权器,即访问控制器,用来决定主体是否有权限进行相应的操作;即控制着用户能访问应用中的那些功能;
  • Realm:可以有一个或者多个的realm,可以认为是安全实体数据源,即用于获取安全实体的,可以用JDBC实现,也可以是内存实现等等,由用户提供;所以一般在应用中都需要实现自己的realm
  • SessionManager:管理Session生命周期的组件,而Shiro并不仅仅可以用在Web环境,也可以用在普通的JavaSE环境中
  • CacheManager:缓存控制器,来管理如用户,角色,权限等缓存的;因为这些数据基本上很少改变,放到缓存中后可以提高访问的性能;
  • Cryptography:密码模块,Shiro提高了一些常见的加密组件用于密码加密,解密等

2、HelloWorld

2.2、快速实战

查看官网文档:http://shiro.apache.org/tutorial.html

官方的quickstart:https://github.com/apache/shiro/tree/master/samples/quickstart/

  1. 创建一个maven父工程,用于学习Shiro,删掉不必要的东西

  2. 创建一个普通的Maven子工程:shiro-01-helloworld

  3. 根据官方文档,我们来导入Shiro的依赖

    1. <dependencies>
    2.  <dependency>
    3.      <groupId>org.apache.shiro</groupId>
    4.      <artifactId>shiro-core</artifactId>
    5.      <version>1.4.1</version>
    6.  </dependency>
    7.  <dependency>
    8.      <groupId>org.slf4j</groupId>
    9.      <artifactId>slf4j-simple</artifactId>
    10.      <version>1.7.21</version>
    11.  </dependency>
    12.  <dependency>
    13.      <groupId>org.slf4j</groupId>
    14.      <artifactId>jcl-over-slf4j</artifactId>
    15.      <version>1.7.21</version>
    16.  </dependency>
    17.  <dependency>
    18.      <groupId>log4j</groupId>
    19.      <artifactId>log4j</artifactId>
    20.      <version>1.2.17</version>
    21.  </dependency>
    22. </dependencies>
  1. 配置文件
    shiro.ini ```ini [users] root = secret, admin guest = guest, guest presidentskroob = 12345, president darkhelmet = ludicrousspeed, darklord, schwartz lonestarr = vespa, goodguy, schwartz

——————————————————————————————————————-

Roles with assigned permissions

roleName = perm1, perm2, …, permN

——————————————————————————————————————-

[roles] admin = schwartz = lightsaber: goodguy = winnebago:drive:eagle5

  2. <br />log4j.properties
  3. ```properties
  4. log4j.rootLogger=INFO, stdout
  6. log4j.appender.stdout=org.apache.log4j.ConsoleAppender
  7. log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
  8. log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
  10. # General Apache libraries
  11. log4j.logger.org.apache=WARN
  13. # Spring
  14. log4j.logger.org.springframework=WARN
  16. # Default Shiro logging
  17. log4j.logger.org.apache.shiro=INFO
  19. # Disable verbose logging
  20. log4j.logger.org.apache.shiro.util.ThreadContext=WARN
  21. log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN

  1. Quickstart ```java import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.session.Session; import org.apache.shiro.subject.Subject; import org.apache.shiro.util.Factory; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /*

    • Simple Quickstart application showing how to use Shiro’s API. *

    • @since 0.9 RC2 */ public class Quickstart {

      //使用log来输出 private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);

  1. public static void main(String[] args) {
  3.     // The easiest way to create a Shiro SecurityManager with configured
  4.     // realms, users, roles and permissions is to use the simple INI config.
  5.     // We'll do that by using a factory that can ingest a .ini file and
  6.     // return a SecurityManager instance:
  7.     //创建带有配置的Shiro SecurityManager的最简单方法
  8.     //领域,用户,角色和权限是使用简单的INI配置。
  9.     //我们将使用可提取.ini文件的工厂来完成此操作,
  10.     //返回一个SecurityManager实例:
  12.     // Use the shiro.ini file at the root of the classpath
  13.     // (file: and url: prefixes load from files and urls respectively):
  14.     //在类路径的根目录下使用shiro.ini文件
  15.     //(file:和url:前缀分别从文件和url加载):
  16.     Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
  17.     SecurityManager securityManager = factory.getInstance();
  19.     // for this simple example quickstart, make the SecurityManager
  20.     // accessible as a JVM singleton.  Most applications wouldn't do this
  21.     // and instead rely on their container configuration or web.xml for
  22.     // webapps.  That is outside the scope of this simple quickstart, so
  23.     // we'll just do the bare minimum so you can continue to get a feel
  24.     // for things.
  25.     //对于这个简单的示例快速入门,请使SecurityManager
  26.     //作为JVM 单例 访问。大多数应用程序都不会这样做
  27.     //,而是依靠其容器配置或web.xml进行
  28.     // webapps。这超出了此简单快速入门的范围,因此
  29.     //我们只做最低限度的工作,所以您可以继续感受一下
  30.     // 为了这些事。
  31.     SecurityUtils.setSecurityManager(securityManager);
  33.     // Now that a simple Shiro environment is set up, let's see what you can do:
  37.     //获取当前正在用户对象Subject:
  38.     Subject currentUser = SecurityUtils.getSubject();
  40.     //通过当前用户获取Session
  41.     Session session = currentUser.getSession();
  42.     session.setAttribute("someKey", "aValue");
  43.     String value = (String) session.getAttribute("someKey");
  44.     if (value.equals("aValue")) {
  45.         log.info("Subject===>session [" + value + "]");
  46.     }
  48.     // 判断当前用户是否被认证
  49.     if (!currentUser.isAuthenticated()) {
  50.         // token 令牌     没有获取,随机
  51.         UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
  52.         // 设置记住我
  53.         token.setRememberMe(true);
  54.         try {
  55.             // 执行了登陆操作
  56.             currentUser.login(token);
  57.         } catch (UnknownAccountException uae) {
  58.             // 未知账号
  59.             log.info("There is no user with username of " + token.getPrincipal());
  60.         } catch (IncorrectCredentialsException ice) {
  61.             // 密码错误
  62.             log.info("Password for account " + token.getPrincipal() + " was incorrect!");
  63.         } catch (LockedAccountException lae) {
  64.             // 账号锁定
  65.             log.info("The account for username " + token.getPrincipal() + " is locked.  " +
  66.                     "Please contact your administrator to unlock it.");
  67.         }
  68.         // ... catch more exceptions here (maybe custom ones specific to your application?
  69.         catch (AuthenticationException ae) {
  70.             // 认证异常
  71.             //unexpected condition?  error?
  72.         }
  73.     }
  75.     //say who they are:
  76.     //print their identifying principal (in this case, a username):
  77.     // 获取当前用户认证码,可以存储信息
  78.     log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
  80.     //test a role:
  81.     // 测试角色
  82.     if (currentUser.hasRole("schwartz")) {
  83.         log.info("May the Schwartz be with you!");
  84.     } else {
  85.         log.info("Hello, mere mortal.");
  86.     }
  88.     //test a typed permission (not instance-level)
  89.     // 测试输入的权限 粗粒度权限
  90.     if (currentUser.isPermitted("lightsaber:wield")) {
  91.         log.info("You may use a lightsaber ring.  Use it wisely.");
  92.     } else {
  93.         log.info("Sorry, lightsaber rings are for schwartz masters only.");
  94.     }
  96.     //a (very powerful) Instance Level permission:
  97.     // 细粒度权限
  98.     if (currentUser.isPermitted("winnebago:drive:eagle5")) {
  99.         log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +
  100.                 "Here are the keys - have fun!");
  101.     } else {
  102.         log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
  103.     }
  105.     // 注销
  106.     //all done - log out!
  107.     currentUser.logout();
  109.     System.exit(0);
  110. }

}

  4. ```java
  5.  //获取当前正在用户对象Subject:
  6. Subject currentUser = SecurityUtils.getSubject();
  8. //通过当前用户获取Session
  9. Session session = currentUser.getSession();
  11.  //用户认证
  12. currentUser.isAuthenticated();
  14. //获取当前用户认证码,(可以存储信息)
  15. currentUser.getPrincipal();
  17. //用户——>角色
  18. currentUser.hasRole("schwartz");
  20. //角色权限
  21. currentUser.isPermitted("lightsaber:wield");
  24. //注销
  25. currentUser.logout();

3、SpringBoot整合Shiro

3.1、环境搭建

1、导入依赖

  1. <!--shiro整合spring-->
  2.  <dependency>
  3.      <groupId>org.apache.shiro</groupId>
  4.      <artifactId>shiro-spring</artifactId>
  5.      <version>1.4.1</version>
  6. </dependency>
  7. <!--thymeleaf模板-->
  8. <dependency>
  9.     <groupId>org.thymeleaf</groupId>
  10.     <artifactId>thymeleaf-spring5</artifactId>
  11. </dependency>
  12. <dependency>
  13.     <groupId>org.thymeleaf.extras</groupId>
  14.     <artifactId>thymeleaf-extras-java8time</artifactId>
  15. </dependency>

2、编写Config配置类

  1. //自定义Realm
  2. public class UserRealm extends AuthorizingRealm {
  4.     //授权
  5.     @Override
  6.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
  7.         System.out.println("==执行了授权==");
  8.         return null;
  9.     }
  11.     //认证
  12.     @Override
  13.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
  14.         System.out.println("==执行了认证==");
  15.         return null;
  16.     }
  17. }
  1. @Configuration
  2. public class ShiroConfig {
  4.     //ShiroFilterFactoryBean:3
  5.     @Bean
  6.     public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
  7.         ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
  8.         //设置安全管理器
  9.         bean.setSecurityManager(defaultWebSecurityManager);
  10.         return bean;
  11.     }
  13.     //DefaultWebSecurityManager:2
  14.     @Bean(name = "securityManager")
  15.     public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) {
  16.         DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
  17.         //关联Realm
  18.         securityManager.setRealm(userRealm());
  19.         return securityManager;
  20.     }
  22.     //创建realm对象, 需要自定义类:1
  23.     @Bean
  24.     public UserRealm userRealm() {
  25.         return new UserRealm();
  26.     }
  27. }
  1. 页面跳转
  1. @Controller
  2. public class MyController {
  4.     @RequestMapping({"/","index"})
  5.     public String index(Model model) {
  6.         model.addAttribute("msg","hello,Shiro");
  7.         return "index";
  8.     }
  10.      @RequestMapping("/user/add")
  11.     public String add() {
  12.         return "user/add";
  13.     }
  15.     @RequestMapping("/user/update")
  16.     public String update() {
  17.         return "user/update";
  18.     }
  19. }

3.2、登录拦截

增加配置

  1. //添加shiro的内置过滤器
  2. /*
  3.     anon:无需认证就可以访问
  4.     authc:必须认证了才能让问
  5.     user:必须拥有记住我功能才能用
  6.     perms:拥有对某个资源的权限才能访问
  7.     role:拥有某个角色权限才能访问
  8. */
  9. /*
  10.     filterMap.put("/user/add","authc");
  11.     filterMap.put("/user/update","authc");
  12. */
  14. //登录拦截
  15. Map<String, String> filterMap = new LinkedHashMap<>();
  16. filterMap.put("/user/*","authc");
  17. bean.setFilterChainDefinitionMap(filterMap);
  19. //设置登录请求
  20. bean.setLoginUrl("/toLogin");

跳转

  1. @RequestMapping("/toLogin")
  2. public String toLogin() {
  3.     return "login";
  4. }

3.3、用户认证

增加用户判断

  1. @RequestMapping("/login")
  2. public String login(String username, String password, Model model) {
  3.     //获取当前用户
  4.     Subject subject = SecurityUtils.getSubject();
  5.     //封装用户登录数据
  6.     UsernamePasswordToken token = new UsernamePasswordToken(username, password);
  8.     try {
  9.         //执行登录方法
  10.         subject.login(token);
  11.         return "index";
  12.     } catch (UnknownAccountException e) {
  13.         //用户名不存在
  14.         model.addAttribute("msg","用户名错误");
  15.         return "login";
  16.     } catch (IncorrectCredentialsException e) {
  17.         //密码不正确
  18.         model.addAttribute("msg","密码错误");
  19.         return "login";
  20.     }
  21. }

给UserRealm增加新的配置

  1. //认证
  2. @Override
  3. protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  4.     System.out.println("==执行了认证==");
  6.     //用户名,密码 数据中取
  7.     String name="root";
  8.     String password="root";
  10.     UsernamePasswordToken userToken = (UsernamePasswordToken) token;
  12.     if (!userToken.getUsername().equals(name)) {
  13.         //抛出异常  UnknownAccountException
  14.         return null;
  15.     }
  17.     //密码认证Shiro做
  18.     return new SimpleAuthenticationInfo("",password,"");
  19. }

3.4、整合Mybatis

导入依赖

  1. <dependency>
  2.     <groupId>org.projectlombok</groupId>
  3.     <artifactId>lombok</artifactId>
  4.     <version>1.16.10</version>
  5. </dependency>
  6. <!--
  7.     Subject用户
  8.     SecurityManager 管理所有用户
  9.     Realm连接数据
  10.  -->
  11. <!--连接mysql-->
  12. <dependency>
  13.     <groupId>mysql</groupId>
  14.     <artifactId>mysql-connector-java</artifactId>
  15. </dependency>
  16. <!--druid-->
  17. <dependency>
  18.     <groupId>com.alibaba</groupId>
  19.     <artifactId>druid</artifactId>
  20.     <version>1.1.12</version>
  21. </dependency>
  22. <!--mybatis-->
  23. <dependency>
  24.     <groupId>org.mybatis.spring.boot</groupId>
  25.     <artifactId>mybatis-spring-boot-starter</artifactId>
  26.     <version>2.1.0</version>
  27. </dependency>
  28. <!--log4j-->
  29. <dependency>
  30.     <groupId>log4j</groupId>
  31.     <artifactId>log4j</artifactId>
  32.     <version>1.2.17</version>
  33. </dependency>

配置application.yml 数据库和mybatis

  1. spring:
  2.   datasource:
  3.     username: root
  4.     password: 123456
  5.     #?serverTimezone=UTC解决时区的报错
  6.     url: jdbc:mysql://localhost:3306/mybatisK?useUnicode=true&characterEncoding=utf-8
  7.     driver-class-name: com.mysql.cj.jdbc.Driver
  8.     type: com.alibaba.druid.pool.DruidDataSource
  10.     #Spring Boot 默认是不注入这些属性值的,需要自己绑定
  11.     #druid 数据源专有配置
  12.     initialSize: 5
  13.     minIdle: 5
  14.     maxActive: 20
  15.     maxWait: 60000
  16.     timeBetweenEvictionRunsMillis: 60000
  17.     minEvictableIdleTimeMillis: 300000
  18.     validationQuery: SELECT 1 FROM DUAL
  19.     testWhileIdle: true
  20.     testOnBorrow: false
  21.     testOnReturn: false
  22.     poolPreparedStatements: true
  24.     #配置监控统计拦截的filters,stat:监控统计、log4j:日志记录、wall:防御sql注入
  25.     #如果允许时报错  java.lang.ClassNotFoundException: org.apache.log4j.Priority
  26.     #则导入 log4j 依赖即可,Maven 地址:https://mvnrepository.com/artifact/log4j/log4j
  27.     filters: stat,wall,log4j
  28.     maxPoolPreparedStatementPerConnectionSize: 20
  29.     useGlobalDataSourceStat: true
  30.     connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
  32. # 整合 mybatis
  33. mybatis:
  34.   type-aliases-package: cn.dafran.pojo
  35.   mapper-locations: classpath:mapper/*.xml
  37. #  #缓存
  38. #  thymeleaf:
  39. #    cache: false
  40. #
  41. #  #我们的配置文件的真实位置
  42. #  messages:
  43. #    basename: i18n.login
  44. #
  45. #  mvc:
  46. #    #时间日期格式化
  47. #    date-format: yyyy-MM-dd
  48. #    #是否开启默认图标
  49. #    favicon:
  50. #      enabled: false
  51. #
  52. #

修改UserRealm配置

  1. @Autowired
  2. UserServiceImpl userService;
  5. //认证
  6. @Override
  7. protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  8.     System.out.println("==执行了认证==");
  10.     UsernamePasswordToken userToken = (UsernamePasswordToken) token;
  11.     //连接真实数据库
  12.     User user = userService.queryUserByName(userToken.getUsername());
  14.     if (user == null) {
  15.         return null;
  16.     }
  18.     //密码认证Shiro做
  19.     return new SimpleAuthenticationInfo("",user.getPwd(),"");
  20. }

编写pojo、dao、service

3.5、请求授权实现

增加权限配置

ShiroConfig

  1. public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
  2.     //授权,正常的情况下,没有授权会跳转到未授权页面
  3.     filterMap.put("/user/add","perms[user:add]");
  4.     filterMap.put("/user/update","perms[user:update]");
  6.     filterMap.put("/user/*","authc");
  7.     bean.setFilterChainDefinitionMap(filterMap);
  9.     //设置登录请求
  10.     bean.setLoginUrl("/toLogin");
  12.     //设置未授权页面
  13.     bean.setUnauthorizedUrl("/noauth");
  14. }

Controller增加

  1. @RequestMapping("/noauth")
  2. @ResponseBody
  3. public String unauthorized() {
  4.     return "未经授权无法访问";
  5. }

修改Realm

  1. public class UserRealm extends AuthorizingRealm {
  3.     @Autowired
  4.     UserServiceImpl userService;
  5.     //授权
  6.     @Override
  7.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
  8.         System.out.println("==执行了授权==");
  10.         //SimpleAuthenticationInfo
  11.         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
  12.         //增加权限
  13.         /*info.addStringPermission("user:add");*/
  15.         Subject subject = SecurityUtils.getSubject();
  16.         User currentUser = (User) subject.getPrincipal();   //拿到user对象
  18.         //设置当前用户对象
  19.         info.addStringPermission(currentUser.getPerms());
  21.         return info;
  22.     }
  24.     //认证
  25.     @Override
  26.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  27.         System.out.println("==执行了认证==");
  28.         UsernamePasswordToken userToken = (UsernamePasswordToken) token;
  29.         //连接真实数据库
  30.         User user = userService.queryUserByName(userToken.getUsername());
  31.         if (user == null) {
  32.             return null;
  33.         }
  34.         return new SimpleAuthenticationInfo(user,user.getPwd(),"");
  35.     }
  36. }

3.6、整合Thymelafe

导入依赖

  1. <!--shiro整合thymeleaf-->
  2. <dependency>
  3.     <groupId>com.github.theborakompanioni</groupId>
  4.     <artifactId>thymeleaf-extras-shiro</artifactId>
  5.     <version>2.0.0</version>
  6. </dependency>

ShiroConfig 增加配置

  1. //整合ShiroDialect:用来整合 shiro thymeleaf
  2. @Bean
  3. public ShiroDialect getShiroDialect() {
  4.     return new ShiroDialect();
  5. }

验证session

  1. //认证
  2. @Override
  3. protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  4.     System.out.println("==执行了认证==");
  5.     UsernamePasswordToken userToken = (UsernamePasswordToken) token;
  6.     //连接真实数据库
  7.     User user = userService.queryUserByName(userToken.getUsername());
  8.     if (user == null) {
  9.         return null;
  10.     }
  11.     /*//加密方式
  12.     String hashAlgorithmName = "MD5";
  13.     ByteSource credential = ByteSource.Util.bytes(user.getPwd());
  14.     String realpwd=user.getPwd();
  15.     //密码认证Shiro做*/
  17.     /*判断是否有用户*/
  18.     Subject currentSubject = SecurityUtils.getSubject();
  19.     Session session = currentSubject.getSession();
  20.     session.setAttribute("loginUser",user);
  22.     return new SimpleAuthenticationInfo(user,user.getPwd(),"");
  23. }

修改页面

  1. <div shiro:hasPermission="user:add">
  2.     <a th:href="@{/user/add}">add</a>|
  3. </div>
  4. <div shiro:hasPermission="user:update">
  5.     <a th:href="@{/user/update}">update</a>
  6. </div>
  1. <div th:if="${session.loginUser==null}">
  2.     <a th:href="@{/toLogin}">登录</a>
  3. </div>