Shiro
简介
入门
Shiro架构
认证
授权
Realm
入门程序
maven
<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.7.0</version></dependency>
ShiroTest.java
@Testpublic void test() {//创建安全管理器对象DefaultSecurityManager securityManager = new DefaultSecurityManager();//为安全管理器设置realmsecurityManager.setRealm(new IniRealm("classpath:shiro.ini"));//为SecurityUtils设置安全管理器SecurityUtils.setSecurityManager(securityManager);//获得subject主体Subject currentUser = SecurityUtils.getSubject();//创建令牌UsernamePasswordToken token = new UsernamePasswordToken("xiaochen", "123456");//用户使用令牌登入try {currentUser.login(token);System.out.println(currentUser.isAuthenticated() ? "认证成功" : "认证失败");} catch (UnknownAccountException uae) {System.out.println("用户不存在");} catch (IncorrectCredentialsException ice) {System.out.println("密码错误");} catch (LockedAccountException lae) {System.out.println("用户被锁定");}}
shiro.ini
#用户信息[users]xiaochen = 123456zhangsan = 123456lisi = 123456
自定义认证
CustomerRealm.java
public class CustomerRealm extends AuthorizingRealm {//授权protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {return null;}//认证protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {String principal = String.valueOf(token.getPrincipal());//TODO 从数据库获得用户名if("xiaochen".equals(principal)){return new SimpleAuthenticationInfo(principal,token.getCredentials() , this.getName());}return null;}}
设置Realm
securityManager.setRealm(new CustomerRealm());
自定义授权
CustomerRealm.java
//授权protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {System.out.println("该用户主身份: " + principals.getPrimaryPrincipal());//TODO 从数据库查询角色信息赋值给用户SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();simpleAuthorizationInfo.addRole("user");simpleAuthorizationInfo.addStringPermission("user:*:01");simpleAuthorizationInfo.addStringPermission("product:create:*");return simpleAuthorizationInfo;}
自定义加密
test.java ```java //创建安全管理器对象 DefaultSecurityManager securityManager = new DefaultSecurityManager(); //设置自定义realm CustomerRealm realm = new CustomerRealm(); //创建凭证匹配器 HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(); //设置算法 matcher.setHashAlgorithmName(“md5”); //散列次数 matcher.setHashIterations(1024); realm.setCredentialsMatcher(matcher);
securityManager.setRealm(realm);
- CustomerRealm.java```java//认证protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {String principal = String.valueOf(token.getPrincipal());if ("xiaochen".equals(principal)) {//用户名,,md5+salt后的密码,salt,realm名称return new SimpleAuthenticationInfo(principal, new Md5Hash("123456", "x0*7ps", 1024).toHex(), ByteSource.Util.bytes("x0*7ps"), this.getName());}return null;}
MD5
//使用md5Md5Hash md5Hash = new Md5Hash("123");System.out.println(md5Hash.toHex());//使用md5 + saltMd5Hash md5Hash1 = new Md5Hash("123","x0*7ps");System.out.println(md5Hash1.toHex());//使用md5 + salt + hash散列Md5Hash md5Hash2 = new Md5Hash("123","x0*7ps",1024);System.out.println(md5Hash2.toHex());
异常
Subject subject = SecurityUtils.getSubject();try {subject.login(new UsernamePasswordToken(userName,password));return "redirect:/index";}catch (UnknownAccountException e){model.addAttribute("message","用户不存在");}catch (IncorrectCredentialsException e) {model.addAttribute("message","密码错误");}
整合SpringBoot
maven
<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring-boot-starter</artifactId><version>1.7.0</version></dependency>
ShiroConfig
@Configurationpublic class ShiroConfig {//创建ShiroFilter 截拦所有请求@Beanpublic ShiroFilterFactoryBean shiroFilterFactoryBean(@Autowired DefaultWebSecurityManager defaultWebSecurityManager){ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();//为Filter配置安全管理器shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);//配置截拦资源HashMap<String, String> map = new HashMap<String, String>();map.put("/user/login","anon"); //login设置为公共资源map.put("/user/register","anon");map.put("/register","anon");map.put("/user/getImage","anon");map.put("/**","authc"); //截拦所有资源shiroFilterFactoryBean.setFilterChainDefinitionMap(map);//默认认证界面shiroFilterFactoryBean.setLoginUrl("/login");return shiroFilterFactoryBean;}//创建安全管理器@Beanpublic DefaultWebSecurityManager defaultWebSecurityManager(@Autowired Realm realm){DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();defaultWebSecurityManager.setRealm(realm);return defaultWebSecurityManager;}@Beanpublic Realm realm(){CustomerRealm realm = new CustomerRealm();HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();//设置算法matcher.setHashAlgorithmName("md5");//散列次数matcher.setHashIterations(1024);realm.setCredentialsMatcher(matcher);//开启缓存管理realm.setCacheManager(new EhCacheManager()); //设置缓存管理器realm.setCachingEnabled(true); //开启缓存realm.setAuthenticationCachingEnabled(true); //开启认证缓存realm.setAuthenticationCacheName("authenticationCache"); //缓存名realm.setAuthorizationCachingEnabled(true); //开启授权缓存realm.setAuthorizationCacheName("authorizationCache"); //缓存名return realm;}}
CustomerRealm
public class CustomerRealm extends AuthorizingRealm {@Autowiredprivate UserService userService;@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {//主身份(用户名)String principal = String.valueOf(principals.getPrimaryPrincipal());//根据主身份获取角色List<Role> roles = userService.findUserWithRole(principal).getRoles();if(!roles.isEmpty()){SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();for(Role r : roles){simpleAuthorizationInfo.addRole(r.getRoleName());System.out.println(r.getRoleName());List<Perms> perms = userService.findPermsByRoleId(r.getId());if(!perms.isEmpty()){for(Perms p : perms){simpleAuthorizationInfo.addStringPermission(p.getPermsName());System.out.println(p.getPermsName());}}}//simpleAuthorizationInfo.addStringPermission("user:*:*");return simpleAuthorizationInfo;}return null;}@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {String username = String.valueOf(token.getPrincipal());QueryWrapper<User> queryWrapper = new QueryWrapper<User>();queryWrapper.eq("user_name", username);User user = userService.getOne(queryWrapper);if (user != null) {return new SimpleAuthenticationInfo(username, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), this.getName());}return null;}}
常见过滤器
| 配置缩写 | 对应的过滤器 | 功能 | | —- | —- | —- | | anon | AnonymousFilter | 指定url可以匿名访问 | | authc | FormAuthenticationFilter | 指定url需要form表单登录,默认会从请求中获取
username、password,rememberMe等参数并尝试登录,如果登录不了就会跳转到loginUrl配置的路径。我们也可以用这个过滤器做默认的登录逻辑,但是一般都是我们自己在控制器写登录逻辑的,自己写的话出错返回的信息都可以定制嘛。 | | authcBasic | BasicHttpAuthenticationFilter | 指定url需要basic登录 | | logout | LogoutFilter | 登出过滤器,配置指定url就可以实现退出功能,非常方便 | | noSessionCreation | NoSessionCreationFilter | 禁止创建会话 | | perms | PermissionsAuthorizationFilter | 需要指定权限才能访问 | | port | PortFilter | 需要指定端口才能访问 | | rest | HttpMethodPermissionFilter | 将http请求方法转化成相应的动词来构造一个权限字符串,这个感觉意义不大,有兴趣自己看源码的注释 | | roles | RolesAuthorizationFilter | 需要指定角色才能访问 | | ssl | SslFilter | 需要https请求才能访问 | | user | UserFilter | 需要已登录或“记住我”的用户才能访问 |
页面授权
使用jsp
引入标签库
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
验证认证情况
user
- 用户通过认证或通过记住我登录
- guest
- 用户没有身份认证
- authenticated
- 用户通过身份认证
验证权限和角色
- hasRole
- 含有角色XX
- hasAnyRoles
- 至少含有其中一个角色
- hasPermission
- 对某个操作具有权限
- lacksPermission
- 用户没有相应权限
lacksRole
principal
maven
<dependency><groupId>com.github.theborakompanioni</groupId><artifactId>thymeleaf-extras-shiro</artifactId><version>2.0.0</version></dependency>
xmlns
xmlns:shiro="http://www.pollix.at/thymeleaf/shiro"
shirpconfig加入shiro方言配置
@Beanpublic ShiroDialect shiroDialect(){return new ShiroDialect();}
使用 ```html
Please login
Welcome back John! Not John? Click here to login.
Hello, , how are you today?
Update your contact informationHello,
Please login in order to update your credit card information.
Sorry, you are not allowed to developer the system.
You are a developer and a admin.
You are a admin, vip, or developer.
Sorry, you are not allowed to delete user accounts.
You can see or add users.
You can see or delete users.
Create a new User
<a name="badff791"></a>### 方法授权<a name="a4V5d"></a>#### 代码授权<a name="y9yhR"></a>#### [注解授权](https://wiki.jikexueyuan.com/project/shiro/jsp-label.html)- @RequiresRoles({"admin","user"})- 主体需要同时拥有角色admin和user- 否则抛出异常**AuthorizationException**- @RequiresPermissions("user:update:01")- 主体需要对应的操作权限- 否则抛出异常**AuthorizationException**<a name="abUzX"></a>### CacheManager<a name="BRbmJ"></a>#### 结合echache- maven```xml<dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-ehcache</artifactId><version>1.7.0</version></dependency>
- ShiroConfig.java
//开启缓存管理realm.setCacheManager(new EhCacheManager()); //设置缓存管理器realm.setCachingEnabled(true); //开启缓存realm.setAuthenticationCachingEnabled(true); //开启认证缓存realm.setAuthenticationCacheName("authenticationCache"); //缓存名realm.setAuthorizationCachingEnabled(true); //开启授权缓存realm.setAuthorizationCacheName("authorizationCache"); //缓存名
结合Redis
视频多Realm
参考
https://blog.csdn.net/visket2008/article/details/78539334
https://blog.csdn.net/cckevincyh/article/details/79629022
https://blog.csdn.net/xiangwanpeng/article/details/54802509
https://blog.csdn.net/cckevincyh/article/details/79629824ModularRealmAuthorizer
https://wiki.jikexueyuan.com/project/shiro/right.html
数据库设计
实例
加密算法
MD5
- MD5算法不可逆
- 相同的内容加密后结果一致
生成内容始终为16进制32为字符串
若有收获,就点个赞吧
0 人点赞
