一、概述
Shiro是一款主流的Java安全框架,不依赖任何容器,可以运行在JavaSE和JavaEE项目中。
它的作用是对访问系统的用户进行身份认证、授权、会话管理、加密等操作。
Shiro就是用来解决安全管理的系统化框架。
二、Shiro核心组件
核心组件
UsernamePasswordToken:shiro用来封装用户登录信息,使用用户的登录信息来创建令牌Token
SecurityManager:Shiro的核心部分,负责安全认证和授权
Subject:Shiro的一个抽象概念,包含了用户信息。
Realm:开发者自定义的模块,根据项目的需求,验证和授权的逻辑全部写在Realm中。
AuthenticationInfo:用户的角色信息集合,认证时使用。
AuthorzationInfo:角色的权限。
DefaultWebSecurityManager:安全管理器,开发者自定义的Realm需要注入到DefaultWebSecurityManager进行管理才能生效
ShiroFilterFactoryBean:过滤器工厂,shiro的基本运行机制是开发者定制规则,shiro去执行。具体的执行操作就是ShiroFilterFactoryBean创建的一个个Filter来完成。
三、SpringBoot整合Shiro
3.1 环境
pom.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
| <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.1</version>
<relativePath/>
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.12</version>
</dependency>
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus-boot-starter</artifactId>
<version>3.1.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</exclude>
</excludes>
</configuration>
</plugin>
</plugins>
</build>
</project>
|
3.2 自定义shiro
ShiroConfig
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| @Configuration
public class ShiroConfig {
@Bean
public AccountRealm accountRealm(){
return new AccountRealm();
}
@Bean
public DefaultWebSecurityManager securityManager(@Qualifier("accountRealm") AccountRealm accountRealm){
return new DefaultWebSecurityManager(accountRealm);
}
@Bean
public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
Map<String,String> map=new HashMap<>();
map.put("/main","authc");
map.put("/manager","perms[manager]");
map.put("/admin","roles[admin]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
shiroFilterFactoryBean.setLoginUrl("/login");
shiroFilterFactoryBean.setLoginUrl("/unauth");
return shiroFilterFactoryBean;
}
}
|
AccountController
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| @Controller
public class AccountController {
@GetMapping("/{url}")
public String redirect(@PathVariable("url") String url){
return url;
}
@PostMapping("/login")
public String login(String username, String password, Model model){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token=new UsernamePasswordToken(username,password);
try{
subject.login(token);
Account account=(Account)subject.getPrincipal();
subject.getSession().setAttribute("account",account);
return "index";
}catch (UnknownAccountException e){
e.printStackTrace();
model.addAttribute("msg","用户名错误");
return "login";
}catch(IncorrectCredentialsException e){
e.printStackTrace();
model.addAttribute("msg","密码错误");
return "login";
}
}
@GetMapping("/unauth")
@ResponseBody
public String unauth(){
return "未授权、无法访问";
}
@GetMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
subject.logout();
return "login";
}
}
|
Account
1
2
3
4
5
6
7
8
| @Data
public class Account {
private Integer id;
private String username;
private String password;
private String perms;
private String role;
}
|
AccountMapper
1
2
3
| @Mapper
public interface AccountMapper extends BaseMapper<Account> {
}
|
AccountRealm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| public class AccountRealm extends AuthorizingRealm {
@Autowired
private AccountService accountService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
Subject subject = SecurityUtils.getSubject();
Account account=(Account)subject.getPrincipal();
Set<String> roles=new HashSet<>();
roles.add(account.getRole());
SimpleAuthorizationInfo info =new SimpleAuthorizationInfo(roles);
info.addStringPermission(account.getPerms());
return info;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token=(UsernamePasswordToken)authenticationToken;
Account account = accountService.findByUsername(token.getUsername());
if(account!=null){
return new SimpleAuthenticationInfo(account,account.getPassword(),getName());
}
return null;
}
}
|
AccountServiceImpl
1
2
3
4
5
6
7
8
9
10
11
| @Service
public class AccountServiceImpl implements AccountService {
@Autowired
private AccountMapper accountMapper;
@Override
public Account findByUsername(String username) {
QueryWrapper queryWrapper=new QueryWrapper();
queryWrapper.eq("username",username);
return accountMapper.selectOne(queryWrapper);
}
}
|
3.3 编写认证和授权规则
认证过滤器
- anon:无需认证
- authc:必须认证
- authcBasic:需要通过HttpBasic认证
- user:不一定通过认证,只要曾经被Shiro记录即可。比如记住密码。
授权过滤器
- perms:必须拥有某个权限才能访问
- role:必须拥有某个角色才能访问
- port:请求的端口必须是指定值才可以
- rest:请求必须基于RESTful,post、put、get、delete
- ssl:必须是安全的url请求,协议https
创建三个页面,main.html、manager.html、admin.html
访问权限如下
- 必须登录才能访问main.html
- 当前用户必须拥有manager授权才能访问manager.html
- 当前用户必须拥有admin授权才能访问admin.html
