Spring Boot 整合 Shiro
虽然,直接用Spring Security和SpringBoot 进行“全家桶式”的合做是最好不过的,但现实老是欺负咱们这些没办法决定架构类型的娃子。java
Apache Shiro 也有其特殊之处滴。若需了解,能够转战到[Apache Shiro 简介]web
1. 添加Shiro依赖
shiro的版本,看我的喜爱哈,本文的版本为:spring
<shiro.version>1.3.2</shiro.version>
复制代码
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-aspectj</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-quartz</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>${shiro.version}</version>
</dependency>
复制代码
2. shiroRealm
受权认证具体实现之地。经过继承 AuthorizingRealm 进而实现,对登陆时的帐号密码校验功能apache
@Slf4j
public class ShiroRealm extends AuthorizingRealm {
@Autowired
private ShiroPermissionRepository shiroPermissionRepository;
/** * 受权 * * @param principalCollection 主要信息 * @return 受权信息 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
if (log.isInfoEnabled()){
log.info("Authorization begin");
}
String name= (String) principalCollection.getPrimaryPrincipal();
List<String> role = shiroPermissionRepository.queryRoleByName(name);
if (role.isEmpty()){
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.addRoles(role);
return simpleAuthorizationInfo;
}
return null;
}
/** * 认证 * * @param authenticationToken 认证token * @return 认证结果 * @throws AuthenticationException 认证异常 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
if (log.isInfoEnabled()){
log.info("Authentication begin");
}
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
Object principal =token.getPrincipal();
Object credentials = token.getCredentials();
//校验用户名
checkBlank(principal,"用户名不能为空");
//校验密码
checkBlank(credentials,"密码不能为空");
//校验姓名
String username = (String) principal;
UserPO userPO = shiroPermissionRepository.findAllByName(username);
if (userPO == null){
throw new AccountException("用户名错误");
}
//校验密码
String password = (String) credentials;
if (!StringUtils.equals(password,userPO.getPassword())){
throw new AccountException("密码错误");
}
return new SimpleAuthenticationInfo(principal, password, getName());
}
private void checkBlank(Object obj,String message){
if (obj instanceof String){
if (StringUtils.isBlank((String) obj)){
throw new AccountException(message);
}
}else if (obj == null){
throw new AccountException(message);
}
}
}
复制代码
3. 配置ShiroConfig
将ShiroConfig、SecurityManager、ShiroFilterFactoryBean交给Spring管理.c#
- ShiroRealm: 则上述所描述的ShiroRealm
- SecurityManager: 管理 全部用户 的安全操做
- ShiroFilterFactoryBean: 配置Shiro的过滤器
@Configuration
public class ShiroConfig {
private final static String AUTHC_STR = "authc";
private final static String ANON_STR = "anon";
/** * 验证受权、认证 * * @return shiroRealm 受权认证 */
@Bean
public ShiroRealm shiroRealm(){
return new ShiroRealm();
}
/** * session manager * * @param shiroRealm 受权认证 * @return 安全管理 */
@Bean
@ConditionalOnClass(ShiroRealm.class)
public SecurityManager securityManager(ShiroRealm shiroRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setRealm(shiroRealm);
return securityManager;
}
/** * Filter工厂,设置对应的过滤条件和跳转条件 * * @param securityManager session 管理 * @return shiro 过滤工厂 */
@Bean
@ConditionalOnClass(value = {SecurityManager.class})
public ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
shiroFilterFactoryBean.setSecurityManager(securityManager);
shiroFilterFactoryBean.setFilters(filterMap);
//URI过滤
Map<String,String> map = Maps.newLinkedHashMap();
//可过滤的接口路径
//全部API路径进行校验
map.put("/api/**",AUTHC_STR);
shiroFilterFactoryBean.setFilterChainDefinitionMap(map);
return shiroFilterFactoryBean;
}
}
复制代码
3.1 Shiro 过滤器小插曲
shiro和security也有类似之处,都有本身的 filter chain。翻一番Shiro的源码,追溯一下。发下如下:后端
3.1.1 ShiroFilterFactoryBean——createFilterChainManager
protected FilterChainManager createFilterChainManager() {
DefaultFilterChainManager manager = new DefaultFilterChainManager();
Map<String, Filter> defaultFilters = manager.getFilters();
//apply global settings if necessary:
for (Filter filter : defaultFilters.values()) {
applyGlobalPropertiesIfNecessary(filter);
}
//Apply the acquired and/or configured filters:
Map<String, Filter> filters = getFilters();
if (!CollectionUtils.isEmpty(filters)) {
for (Map.Entry<String, Filter> entry : filters.entrySet()) {
String name = entry.getKey();
Filter filter = entry.getValue();
applyGlobalPropertiesIfNecessary(filter);
if (filter instanceof Nameable) {
((Nameable) filter).setName(name);
}
//'init' argument is false, since Spring-configured filters should be initialized
//in Spring (i.e. 'init-method=blah') or implement InitializingBean:
manager.addFilter(name, filter, false);
}
}
//build up the chains:
Map<String, String> chains = getFilterChainDefinitionMap();
if (!CollectionUtils.isEmpty(chains)) {
for (Map.Entry<String, String> entry : chains.entrySet()) {
String url = entry.getKey();
String chainDefinition = entry.getValue();
manager.createChain(url, chainDefinition);
}
}
return manager;
}
复制代码
从源码能够发现,shiro的过滤器链,添加顺序是:api
- defaultFilters: shiro默认的过滤器链
- filters: 我们自定义的过滤器链
- chains:明确指定要过滤的
3.1.2 DefaultFilterChainManager —— addDefaultFilters
这里咱看看DefaultFilterChainManager 到底添加了那些默认过滤器链,能够看到主要的是:DefaultFilter数组
protected void addDefaultFilters(boolean init) {
for (DefaultFilter defaultFilter : DefaultFilter.values()) {
addFilter(defaultFilter.name(), defaultFilter.newInstance(), init, false);
}
}
复制代码
3.1.3 DefaultFilter
anon(AnonymousFilter.class),
authc(FormAuthenticationFilter.class),
authcBasic(BasicHttpAuthenticationFilter.class),
logout(LogoutFilter.class),
noSessionCreation(NoSessionCreationFilter.class),
perms(PermissionsAuthorizationFilter.class),
port(PortFilter.class),
rest(HttpMethodPermissionFilter.class),
roles(RolesAuthorizationFilter.class),
ssl(SslFilter.class),
user(UserFilter.class);
复制代码
4. 测它
因为设置对全局接口进行校验,所以,预期结果就是不可以访问啦安全
map.put("/api/**",AUTHC_STR);
复制代码
4.1 IDAL
@RestController
@RequestMapping( SYSTEM_API +"shiro")
public class ShiroIdal {
@Resource
private IShiroService iShiroService;
@GetMapping
public HttpEntity obtain(@RequestParam String name){
return iShiroService.obtainUserByName(name);
}
}
复制代码
4.2 service
@Slf4j
@Service
public class ShiroServiceImpl implements IShiroService {
@Resource
private ShiroPermissionRepository shiroPermissionRepository;
public HttpEntity obtainUserByName(String name) {
UserPO userPO = shiroPermissionRepository.findAllByName(name);
return HttpResponseSupport.success(userPO);
}
}
复制代码
4.3 被劫持的状况
若没 login.jsp,则会直接报错,我的以为太不和谐了,毕竟如今都是先后端分离的。session
4.4 设置容许访问
在URI过滤Map加入如下:
map.put("/api/shiro",ANON_STR);
复制代码
注意: 要在“全局Api劫持”前添加。并且不要使用“HashMap”,为何?
4.4.1 HashMap
在说为何前,先了解HashMap这货是什么原理先。
for (Entry<String, String> entry : hashMap.entrySet()) {
MessageFormat.format("{0}={1}",entry.getKey(),entry.getValue());
}
复制代码
HashMap散列图是按“有利于随机查找的散列(hash)的顺序”。并不是按输入顺序。遍历时只能所有输出,而没有顺序。甚至能够rehash()从新散列,来得到更利于随机存取的内部顺序。
这会影响shiro哪里呢?
Map<String, String> chains = getFilterChainDefinitionMap();
if (!CollectionUtils.isEmpty(chains)) {
for (Map.Entry<String, String> entry : chains.entrySet()) {
String url = entry.getKey();
String chainDefinition = entry.getValue();
manager.createChain(url, chainDefinition);
}
}
复制代码
ShiroFilterFactoryBean 中,在构建shiro的filter chain时,会对咱们配置的FilterChainDefinitionMap 进行一次遍历,而且将其添加到DefaultFilterChainManager中。
设想如下,若“全局API劫持”在最前面,那么只要在/api/*裆下的,都早早被劫持了。轮获得配置的 anon 么?若因为HashMap的散列排序致使“全局API劫持”在最前面,emmmm,那玩锤子。
4.4.2 LinkedHashMap
所以,建议使用LinkedHashMap,为啥子?撸源码
static class Entry<K,V> extends HashMap.Node<K,V> {
Entry<K,V> before, after;
Entry(int hash, K key, V value, Node<K,V> next) {
super(hash, key, value, next);
}
}
transient LinkedHashMap.Entry<K,V> head;
transient LinkedHashMap.Entry<K,V> tail;
复制代码
内部类中多了两个Entry,一个记录前方entry,一个记录后方entry,这样的双向链表结构保证了插入顺序的有序。
LinkedHashMap底层是数组加单项链表加双向链表 。
- 数组加单向链表就是HashMap的结构,记录数据用,
- 双向链表,存储插入顺序用。
有点跑偏了,这些大伙确定都知道滴了......
相关文章
- 1. Spring Boot 整合 Shiro
- 2. Spring Boot整合Shiro
- 3. Spring整合Shiro
- 4. Spring Boot整合Shiro.md
- 5. Spring Boot:整合Shiro权限框架
- 6. Java后端避坑——Spring Boot整合Shiro
- 7. Spring Boot整合Apache Shiro小节
- 8. Spring Boot整合Spring Security
- 9. shiro与spring整合
- 10. shiro整合mybatis
- 更多相关文章...
- • MyBatis与Spring的整合实例 - MyBatis教程
- • Spring整合Redis详细步骤 - Redis教程
- • Spring Cloud 微服务实战(三) - 服务注册与发现
- • IntelliJ IDEA中SpringBoot properties文件不能自动提示问题解决
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 外部其他进程嵌入到qt FindWindow获得窗口句柄 报错无法链接的外部符号 [email protected] 无法被([email protected]@[email protected]@@引用
- 2. UVa 11524 - InCircle
- 3. The Monocycle(bfs)
- 4. VEC-C滑窗
- 5. 堆排序的应用-TOPK问题
- 6. 实例演示ElasticSearch索引查询term,match,match_phase,query_string之间的区别
- 7. 数学基础知识 集合
- 8. amazeUI 复择框问题解决
- 9. 背包问题理解
- 10. 算数平均-几何平均不等式的证明,从麦克劳林到柯西
欢迎关注本站公众号,获取更多信息
