springboot整合shiro应用
一、Shiro是Apache下的一个开源项目,咱们称之为Apache Shiro。它是一个很易用与Java项目的的安全框架,提供了认证、受权、加密、会话管理,与spring Security 同样都是作一个权限的安全框架,可是与Spring Security 相比,在于 Shiro 使用了比较简单易懂易于使用的受权方式。shiro属于轻量级框架,相对于security简单的多,也没有security那么复杂。因此我这里也是简单介绍一下shiro的使用。mysql
二、很是简单;其基本功能点以下图所示:web
Authentication:身份认证/登陆,验证用户是否是拥有相应的身份;spring
Authorization:受权,即权限验证,验证某个已认证的用户是否拥有某个权限;即判断用户是否能作事情,常见的如:验证某个用户是否拥有某个角色。或者细粒度的验证某个用户对某个资源是否具备某个权限;sql
Session Manager:会话管理,即用户登陆后就是一次会话,在没有退出以前,它的全部信息都在会话中;会话能够是普通JavaSE环境的,也能够是如Web环境的;数据库
Cryptography:加密,保护数据的安全性,如密码加密存储到数据库,而不是明文存储;apache
Web Support:Web支持,能够很是容易的集成到Web环境;缓存
Caching:缓存,好比用户登陆后,其用户信息、拥有的角色/权限没必要每次去查,这样能够提升效率;安全
Concurrency:shiro支持多线程应用的并发验证,即如在一个线程中开启另外一个线程,能把权限自动传播过去;springboot
Testing:提供测试支持;多线程
Run As:容许一个用户伪装为另外一个用户(若是他们容许)的身份进行访问;
Remember Me:记住我,这个是很是常见的功能,即一次登陆后,下次再来的话不用登陆了。
记住一点,Shiro不会去维护用户、维护权限;这些须要咱们本身去设计/提供;而后经过相应的接口注入给Shiro便可。
三、这里我就简单介绍一下springboot和shiro整合与基本使用。
1)目录结构
2)须要的基础包:pom.xml
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.troy</groupId> <artifactId>springshiro</artifactId> <version>1.0-SNAPSHOT</version> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>1.5.6.RELEASE</version> </parent> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> <version>1.5.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> <version>1.5.6.RELEASE</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-autoconfigure</artifactId> <version>1.5.6.RELEASE</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-Java</artifactId> <version>5.1.9</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.3.2</version> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>1.1.4</version> </dependency> </dependencies> </project>
3)基本配置application.yml
server: port: 8082 spring: datasource: driver-class-name: com.mysql.jdbc.Driver url: jdbc:mysql://localhost:3306/spring_shiro?useUnicode=true&characterEncoding=UTF-8 username: root password: root type: com.alibaba.druid.pool.DruidDataSource jpa: show-sql: true hibernate: ddl-auto: update http: encoding: charset: utf-8 enabled: true
4)这里咱们基本须要3个实体,用户,角色和权限
(1)角色:User.class
@Entity public class User { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; @Column(unique = true) private String name; private Integer password; @OneToMany(cascade = CascadeType.ALL,mappedBy = "user") private List<Role> roles; public Long getId() { return id; } public void setId(Long id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; } public List<Role> getRoles() { return roles; } public void setRoles(List<Role> roles) { this.roles = roles; } public Integer getPassword() { return password; } public void setPassword(Integer password) { this.password = password; } }
注:这里我只考虑一个用户对多个角色,不考虑多对多的关系
(2)角色:Role.class
@Entity public class Role { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; private String roleName; @ManyToOne(fetch = FetchType.EAGER) private User user; @OneToMany(cascade = CascadeType.ALL,mappedBy = "role") private List<Permission> permissions; public Long getId() { return id; } public void setId(Long id) { this.id = id; } public String getRoleName() { return roleName; } public void setRoleName(String roleName) { this.roleName = roleName; } public User getUser() { return user; } public void setUser(User user) { this.user = user; } public List<Permission> getPermissions() { return permissions; } public void setPermissions(List<Permission> permissions) { this.permissions = permissions; } }
(3)权限:Permission.class
@Entity public class Permission { @Id @GeneratedValue(strategy = GenerationType.AUTO) private Long id; private String permission; @ManyToOne(fetch = FetchType.EAGER) private Role role; public Long getId() { return id; } public void setId(Long id) { this.id = id; } public String getPermission() { return permission; } public void setPermission(String permission) { this.permission = permission; } public Role getRole() { return role; } public void setRole(Role role) { this.role = role; } }
5)而后就是配置对应的验证,以及过滤条件
(1)验证,以及权限的添加MyShiroRealm.class
//实现AuthorizingRealm接口用户用户认证 public class MyShiroRealm extends AuthorizingRealm{ //用于用户查询 @Autowired private ILoginService loginService; //角色权限和对应权限添加 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { //获取登陆用户名 String name= (String) principalCollection.getPrimaryPrincipal(); //查询用户名称 User user = loginService.findByName(name); //添加角色和权限 SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(); for (Role role:user.getRoles()) { //添加角色 simpleAuthorizationInfo.addRole(role.getRoleName()); for (Permission permission:role.getPermissions()) { //添加权限 simpleAuthorizationInfo.addStringPermission(permission.getPermission()); } } return simpleAuthorizationInfo; } //用户认证 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { //加这一步的目的是在Post请求的时候会先进认证,而后在到请求 if (authenticationToken.getPrincipal() == null) { return null; } //获取用户信息 String name = authenticationToken.getPrincipal().toString(); User user = loginService.findByName(name); if (user == null) { //这里返回后会报出对应异常 return null; } else { //这里验证authenticationToken和simpleAuthenticationInfo的信息 SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(name, user.getPassword().toString(), getName()); return simpleAuthenticationInfo; } } }
(2)过滤配置:ShiroConfiguration.class
@Configuration public class ShiroConfiguration { //将本身的验证方式加入容器 @Bean public MyShiroRealm myShiroRealm() { MyShiroRealm myShiroRealm = new MyShiroRealm(); return myShiroRealm; } //权限管理,配置主要是Realm的管理认证 @Bean public SecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(myShiroRealm()); return securityManager; } //Filter工厂,设置对应的过滤条件和跳转条件 @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); Map<String,String> map = new HashMap<String, String>(); //登出 map.put("/logout","logout"); //对全部用户认证 map.put("/**","authc"); //登陆 shiroFilterFactoryBean.setLoginUrl("/login"); //首页 shiroFilterFactoryBean.setSuccessUrl("/index"); //错误页面,认证不经过跳转 shiroFilterFactoryBean.setUnauthorizedUrl("/error"); shiroFilterFactoryBean.setFilterChainDefinitionMap(map); return shiroFilterFactoryBean; } //加入注解的使用,不加入这个注解不生效 @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(securityManager); return authorizationAttributeSourceAdvisor; } }
6)接下来就是数据访问层、业务层、以及控制层
(1)数据层:BaseRepository.class,UserRepository.class,RoleRepository.class
@NoRepositoryBean public interface BaseRepository<T,I extends Serializable> extends PagingAndSortingRepository<T,I>,JpaSpecificationExecutor<T>{ }
public interface UserRepository extends BaseRepository<User,Long>{ User findByName(String name); }
public interface RoleRepository extends BaseRepository<Role,Long> { }
(2)业务层:LoginServiceImpl.class
@Service @Transactional public class LoginServiceImpl implements ILoginService { @Autowired private UserRepository userRepository; @Autowired private RoleRepository roleRepository; //添加用户 @Override public User addUser(Map<String, Object> map) { User user = new User(); user.setName(map.get("username").toString()); user.setPassword(Integer.valueOf(map.get("password").toString())); userRepository.save(user); return user; } //添加角色 @Override public Role addRole(Map<String, Object> map) { User user = userRepository.findOne(Long.valueOf(map.get("userId").toString())); Role role = new Role(); role.setRoleName(map.get("roleName").toString()); role.setUser(user); Permission permission1 = new Permission(); permission1.setPermission("create"); permission1.setRole(role); Permission permission2 = new Permission(); permission2.setPermission("update"); permission2.setRole(role); List<Permission> permissions = new ArrayList<Permission>(); permissions.add(permission1); permissions.add(permission2); role.setPermissions(permissions); roleRepository.save(role); return role; } //查询用户经过用户名 @Override public User findByName(String name) { return userRepository.findByName(name); } }
(3)控制层:LoginResource.class
@RestController public class LoginResource { @Autowired private ILoginService loginService; //退出的时候是get请求,主要是用于退出 @RequestMapping(value = "/login",method = RequestMethod.GET) public String login(){ return "login"; } //post登陆 @RequestMapping(value = "/login",method = RequestMethod.POST) public String login(@RequestBody Map map){ //添加用户认证信息 Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken( map.get("username").toString(), map.get("password").toString()); //进行验证,这里能够捕获异常,而后返回对应信息 subject.login(usernamePasswordToken); return "login"; } @RequestMapping(value = "/index") public String index(){ return "index"; } //登出 @RequestMapping(value = "/logout") public String logout(){ return "logout"; } //错误页面展现 @RequestMapping(value = "/error",method = RequestMethod.POST) public String error(){ return "error ok!"; } //数据初始化 @RequestMapping(value = "/addUser") public String addUser(@RequestBody Map<String,Object> map){ User user = loginService.addUser(map); return "addUser is ok! \n" + user; } //角色初始化 @RequestMapping(value = "/addRole") public String addRole(@RequestBody Map<String,Object> map){ Role role = loginService.addRole(map); return "addRole is ok! \n" + role; } //注解的使用 @RequiresRoles("admin") @RequiresPermissions("create") @RequestMapping(value = "/create") public String create(){ return "Create success!"; } }
注:这里对于注解的使用,在最后一个很重要!
7)shiro的使用基本上就是这样子了,主要是权限的控制,其余的主要是作跳转和切换使用
8)最后配上数据库信息:结合控制层观看
user:
role:
permission:
相关文章
- 1. springboot整合shiro
- 2. Springboot 整合 shiro
- 3. Springboot整合Shiro
- 4. SpringBoot 整合shiro
- 5. springboot+shiro整合
- 6. SpringBoot整合Shiro
- 7. springboot+shiro 整合与基本应用
- 8. shiro + springBoot 整合 JWT
- 9. springboot 整合apache shiro
- 10. shiro+jwt+springboot整合
- 更多相关文章...
- • Maven Web 应用 - Maven教程
- • XML 应用程序 - XML 教程
- • TiDB 在摩拜单车在线数据业务的应用和实践
- • SpringBoot中properties文件不能自动提示解决方法
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
