Author：jeffrey

Date：2019-04-08

一、開發(fā)環(huán)境:

1、mysql - 5.72、navicat(mysql客戶端管理工具)3、idea 2017.24、jdk85、tomcat 8.56、springboot2.1.37、mybatis 38、shiro1.49、maven3.3.9

二、數(shù)據(jù)庫設計

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-CB46ByC1-1604249108144)(img/shiro01.png)]

三、創(chuàng)建springboot項目 3.1 添加組件

添加 web、lombok、thymeleaf、jdbc、mysql、mybatis等模塊；

3.2 pom.xml

<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.1.4.RELEASE</version> <relativePath/> <!-- lookup parent from repository --> </parent><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-jdbc</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-thymeleaf</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.0.1</version></dependency><!--配置shiro依賴包--><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.4.0</version></dependency><!--配置數(shù)據(jù)庫連接池依賴--><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.0.26</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.32</version></dependency><!--配置lombok插件--><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin></plugins></build>3.3 創(chuàng)建項目包結(jié)構(gòu)

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-NNuns5Pt-1604249108145)(img/shiro02.png)]

3.4 配置初始化文件application.yml

#配置服務端口號server: port: 8080#配置數(shù)據(jù)源spring: datasource: type: com.alibaba.druid.pool.DruidDataSource driver-class-name: com.mysql.jdbc.Driver url: jdbc:mysql://localhost:3306/my_shiro?useUnicode=true&characterEncoding=utf-8 username: root password: 59852369#配置mybatismybatis: mapper-locations: classpath:mapper/*.xml type-aliases-package: com.qf.domain.pojo四、程序設計開發(fā)4.1 實體類開發(fā)

​ SysUser.java

package com.qf.domain;import lombok.Data;import java.io.Serializable;import java.util.Date;/** * Created by 54110 on 2019-07-05. */@Datapublic class SysUser implements Serializable { private int userId;//用戶id private String loginName;//登錄名 private String password;// private Integer state; private Date createTime; private String realname;}

SysPermission.java

package com.qf.domain;import lombok.Data;import java.io.Serializable;/** * Created by 54110 on 2019-07-05. */@Datapublic class SysPermission implements Serializable { private int permId; private String permName;//權(quán)限名稱 private String permUrl;//權(quán)限操作地址（路徑） private String menuName;//菜單名 private String menuLevel;//菜單級別（11：一級；12：二級。。。） private String menuCode;//菜單編碼（每級兩位數(shù)字） private int ifValid; private String parentCode;}4.2 數(shù)據(jù)訪問層接口開發(fā)

SysUserMapper.java

package com.qf.mapper;import com.qf.domain.SysUser;import org.apache.ibatis.annotations.Mapper;/** * Created by 54110 on 2019-07-05. */@Mapperpublic interface SysUserMapper { public SysUser findUserByUsername(String username);}

SysPermissionMapper

package com.qf.mapper;import com.qf.domain.SysPermission;import org.apache.ibatis.annotations.Mapper;import java.util.List;/** * Created by 54110 on 2019-07-05. */@Mapperpublic interface SysPermissionMapper { //根據(jù)用戶登錄名查詢其所擁有的權(quán)限 public List<SysPermission> findPermissionsByLoginName(String loginName);}4.3 Mybatis映射開發(fā)

SysUsersMapper.xml

<?xml version='1.0' encoding='UTF-8' ?><!DOCTYPE mapper PUBLIC '-//mybatis.org//DTD Mapper 3.0//EN' 'http://mybatis.org/dtd/mybatis-3-mapper.dtd'><mapper namespace='com.qf.mapper.SysUserMapper'> <resultMap type='com.qf.domain.SysUser' id='userMap'> <id column='USERID' property='userid' /> <result column='LOGIN_NAME' property='loginName' /> <result column='PASSWORD' property='password' /> <result column='STATE' property='state' /> <result column='CREATE_TIME' property='createTime' /> <result column='REALNAME' property='realname' /> </resultMap> <sql id='tbusers_columns'> PASSWORD,LOGIN_NAME,CREATE_TIME,REALNAME,STATE </sql> <!--根據(jù)用戶名查詢對象 --> <select parameterType='string' resultMap='userMap'> SELECT <include refid='tbusers_columns'></include> FROM TB_SYS_USER US WHERE US.LOGIN_NAME = #{name} </select></mapper>

SysPermissionMapper.xml

<?xml version='1.0' encoding='UTF-8' ?><!DOCTYPE mapper PUBLIC '-//mybatis.org//DTD Mapper 3.0//EN' 'http://mybatis.org/dtd/mybatis-3-mapper.dtd'><mapper namespace='com.qf.mapper.SysPermissionMapper'> <resultMap type='com.qf.domain.SysPermission' id='permMap'> <id column='PERMISSION_ID' property='permId' /> <result column='PER_NAME' property='permName' /> <result column='MENU_URL' property='permUrl' /> <result column='MENU_NAME' property='menuName' /> <result column='MENU_TYPE' property='menuLevel' /> <result column='MENU_CODE' property='menuCode' /> <result column='PARENT_CODE' property='parentCode' /> <result column='IF_ViLID' property='ifValid' /> </resultMap> <select parameterType='string' resultMap='permMap'> SELECT p.* FROM TB_SYS_USER us , TB_USER_ROLE ur, TB_SYS_ROLE r, TB_ROLE_PERMISSION rp, TB_SYS_PERMISSION p WHERE us.USERID = ur.USER_ID AND ur.ROLE_ID = r.ROLE_ID AND r.ROLE_ID = rp.ROLE_ID AND rp.PERMISSION_ID = p.PERMISSION_ID AND trim(us.LOGIN_NAME) = #{loginName} ORDER BY p.MENU_CODE </select></mapper>4.4 業(yè)務層開發(fā)

SysUsersServiceImpl.java

package com.qf.service.impl;import com.qf.domain.SysUser;import com.qf.mapper.SysUserMapper;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service;/** * Created by 54110 on 2019-07-05. */@Servicepublic class SysUsersServiceImpl { @Autowired private SysUserMapper userMapper; public SysUser queryUserByLoginName(String loginName) { SysUser tbUsers = userMapper.findUserByUsername(loginName); return tbUsers; }}

​SysPermissionServiceImpl.java

package com.qf.service.impl;import com.qf.domain.SysPermission;import com.qf.mapper.SysPermissionMapper;import com.qf.service.SysPermissionService;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service;import java.util.List;/** * Created by 54110 on 2019-07-05. */@Servicepublic class SysPermissionServiceImpl implements SysPermissionService { @Autowired private SysPermissionMapper permMapper; @Override public List<SysPermission> queryPermissionsByLoginName(String loginName) { List<SysPermission> list = permMapper.findPermissionsByLoginName(loginName); return list; }}4.5 控制層接口開發(fā)

UserController.java

package com.qf.controller;import com.qf.service.SysUserService;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.bind.annotation.RequestParam;import java.util.Map;/** * Created by 54110 on 2019-07-05. */@Controllerpublic class UserController { @Autowired private SysUserService userService; // 登錄頁(view)展示 @RequestMapping('/login') public String showlogin(){ return 'login'; } /** * 登錄處理 * @param map 用戶登錄表單數(shù)據(jù) * @return 邏輯視圖 */ @RequestMapping(value='dealLogin' ,method= RequestMethod.POST) public String dealLogin(@RequestParam Map<String,Object> map){ System.out.println( map.values().toString()); try { Subject subject = SecurityUtils.getSubject();//從安全管理器中獲取主體對象 UsernamePasswordToken token = new UsernamePasswordToken();//構(gòu)建令牌對象 token.setUsername(map.get('name').toString());//賦身份信息 token.setPassword(map.get('password').toString().toCharArray());//賦憑證信息 subject.login(token);//使用主體的login方法判定用戶的權(quán)限 if(subject.isAuthenticated()){ // 已登陸 // 用戶信息及權(quán)限信息的存儲（session|| redis） return 'main'; } } catch (AuthenticationException e) { e.printStackTrace(); System.out.println('登錄失敗'); } return 'login'; } // 登錄且擁有user： @RequestMapping('/one') public String showCaseOne(){ return 'one'; } @RequestMapping('/two') public String showCaseTwo(){ return 'two'; } // 權(quán)限不足時，響應的頁面 @RequestMapping('/unauth') public String showPermission(){ return 'unauth'; } // 用戶注銷操作 @RequestMapping('/logout') public String logout(){ Subject subject = SecurityUtils.getSubject(); subject.logout();//登出 return 'redirect:login'; }}4.6 關(guān)于shiro的開發(fā)

a、自定義安全策略

MyShiroRealm.java

package com.qf.shiro;import com.qf.domain.SysPermission;import com.qf.domain.SysUser;import com.qf.service.SysPermissionService;import com.qf.service.SysUserService;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.subject.Subject;import org.springframework.beans.factory.annotation.Autowired;import java.util.Collection;import java.util.HashSet;import java.util.List;/** * Created by 54110 on 2019-07-05. */public class MyShiroRealm extends AuthorizingRealm { @Autowired private SysUserService sysUserServiceImpl; @Autowired private SysPermissionService sysPermissionServiceImpl; private String username; // 系統(tǒng)授權(quán) @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { Subject subject = SecurityUtils.getSubject();//獲取主體對象 String username =(String ) subject.getPrincipal();//獲取用戶身份信息 List<SysPermission> permissions = sysPermissionService.queryPermissionsByLoginName(username);//根據(jù)用戶名獲取用戶的權(quán)限信息// 權(quán)限去重 Collection<String > perms = new HashSet<>(); for (SysPermission perm: permissions ) { perms.add(perm.getPermName()); } SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(); simpleAuthorizationInfo.addStringPermissions(perms);//授權(quán) return simpleAuthorizationInfo; } //用戶認證 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String username = (String) token.getPrincipal();//獲取用戶信息 //根據(jù)用戶信息查詢數(shù)據(jù)庫獲取后端的用戶身份，轉(zhuǎn)交給securityManager判定 SysUser user1 = sysUserService.queryUserByLoginName(username);//從數(shù)據(jù)庫直接取 System.out.println(user1); if(user1!=null) { SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(user1.getLoginName(), user1.getPassword(), getName()); return simpleAuthenticationInfo; } return null; }}

b、自定義Shiro配置管理

ShiroConfig.java

package com.qf.config;import com.qf.shiro.MyShiroRealm;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import java.util.HashMap;import java.util.Map;/** * Created by 54110 on 2019-07-05. */@Configurationpublic class ShiroConfig { @Bean public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier('defaultWebSecurityManager') DefaultWebSecurityManager defaultWebSecurityManager){ ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager); Map<String ,String> map = new HashMap<>(); map.put('/main','authc'); //必須登錄才可訪問 map.put('/one','perms[user_edit]');//只有特定權(quán)限（“user_edit”）的用戶登錄后才可訪問 map.put('/two','perms[user_forbidden]');//只有特定權(quán)限（“user_forbidden”）的用戶登錄后才可訪問 shiroFilterFactoryBean.setLoginUrl('/login');//設置登錄頁（匿名） shiroFilterFactoryBean.setUnauthorizedUrl('/unauth');//權(quán)限不足的錯誤提示頁 shiroFilterFactoryBean.setFilterChainDefinitionMap(map);//裝配攔截策略 return shiroFilterFactoryBean; } // 配置安全管理器（注入Realm對象） @Bean(name='defaultWebSecurityManager') public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier('myShiroRealm') MyShiroRealm myShiroRealm){ DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager(); defaultWebSecurityManager.setRealm(myShiroRealm); return defaultWebSecurityManager; } @Bean(name='myShiroRealm') //使用該注解是的Realm對象由spring容器管理 public MyShiroRealm myShiroRealm(){ MyShiroRealm shiroRealm = new MyShiroRealm(); return shiroRealm; }}五、功能測試

​ 地址欄輸入http://localhost:8080/login

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-BdyHhsoT-1604249108147)(imgshiro03.png)]

​ 使用用戶：admin密碼：admin登錄，登錄成功后顯示頁面如下：

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-LdoaSOGM-1604249108149)(img/shiro04.png)]

​ 因為admin2用戶擁有case one功能的操作權(quán)限，所以當鼠標單擊case one鏈接時，顯示如下成功訪問頁面

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-Co1rUWJi-1604249108150)(img/shiro05.png)]

因為admin2沒有case two訪問權(quán)限，當用戶單擊case two時，會顯示無權(quán)限訪問的頁面：

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-geha4PCi-1604249108150)(img/shiro06.png)]

當單擊logout鏈接時，系統(tǒng)重回登錄頁。此時使用用戶test2密碼test2再次登錄。因test2用戶無case one權(quán)限，有case two權(quán)限，所以當test2用戶單擊case two時會顯示如下頁面：

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-AWZrOeGj-1604249108151)(img/shiro07.png)]

六、啟動shiro注解模式6.1、在ShiroConfig.java中注釋掉原先使用路徑過濾的權(quán)限攔截語句：

//只有特定權(quán)限（“user_edit”）的用戶登錄后才可訪問// map.put('/one','perms[user_edit]');//只有特定權(quán)限（“user_forbidden”）的用戶登錄后才可訪問// map.put('/two','perms[user_forbidden]');6.2、修改ShiroConfig.java類代碼添加如下內(nèi)容：

/** * 開啟Shiro注解(如@RequiresRoles,@RequiresPermissions), * 需借助SpringAOP掃描使用Shiro注解的類,并在必要時進行安全邏輯驗證 * 配置以下兩個bean(DefaultAdvisorAutoProxyCreator和AuthorizationAttributeSourceAdvisor) */ @Bean public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){ DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator(); advisorAutoProxyCreator.setProxyTargetClass(true); return advisorAutoProxyCreator; } /** * 開啟aop注解支持 */ @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager defaultWebSecurityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(defaultWebSecurityManager); return authorizationAttributeSourceAdvisor; }6.3、修改UserController.java控制器接口代碼：

// 登錄且擁有user： @RequiresPermissions(value={'user_edit'}) @RequestMapping('/one') public String showCaseOne(){ return 'one'; } @RequiresPermissions(value={'user_forbidden'}) @RequestMapping('/two') public String showCaseTwo(){ return 'two'; }6.4、測試

此事有權(quán)限訪問的也頁面正常，但未授權(quán)的頁面，無法進入提示頁，顯示如下：

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-pM9lRu2Z-1604249108152)(img/shiro08.png)]

​ 后臺亦拋出org.apache.shiro.authz.AuthorizationException異常：

[外鏈圖片轉(zhuǎn)存失敗,源站可能有防盜鏈機制,建議將圖片保存下來直接上傳(img-k8KTUuoi-1604249108152)(img/shiro09.png)]

6.5、此時使用aop攔截拋出的異常

package com.jeffrey.exception;import org.apache.shiro.authz.UnauthorizedException;import org.springframework.web.bind.annotation.ControllerAdvice;import org.springframework.web.bind.annotation.ExceptionHandler;import javax.servlet.http.HttpServletRequest;/** * Created by jeffrey on 2019/4/8. */@ControllerAdvicepublic class ExceptionController { @ExceptionHandler(value = UnauthorizedException.class)//處理訪問方法時權(quán)限不足問題 public String defaultErrorHandler(HttpServletRequest req, Exception e) { return 'unauth'; }}七、shiro密碼的MD5加密處理 7.1.密碼的加密

在數(shù)據(jù)表中存的密碼不應該是12345，而應該是12345加密之后的字符串，而且還要求這個加密算法是不可逆的，即由加密后的字符串不能反推回來原來的密碼，如果能反推回來那這個加密是沒有意義的。

著名的加密算法，比如 MD5，SHA1

7.2.MD5加密

1). 如何把一個字符串加密為MD5

2). 使用MD5加密算法后，前臺用戶輸入的字符串如何使用MD5加密，需要做的是將當前的Realm 的credentialsMatcher屬性，替換為Md5CredentialsMatcher 由于Md5CredentialsMatcher已經(jīng)過期了，推薦使用HashedCredentialsMatcher 并設置加密算法即可。

7.3.使用MD5加密

1). 修改ShiroConfig.java文件添加如下內(nèi)容；

/** * 密碼校驗規(guī)則HashedCredentialsMatcher * 這個類是為了對密碼進行編碼的 , * 防止密碼在數(shù)據(jù)庫里明碼保存 , 當然在登陸認證的時候 , * 這個類也負責對form里輸入的密碼進行編碼 * 處理認證匹配處理器：如果自定義需要實現(xiàn)繼承HashedCredentialsMatcher */ @Bean('hashedCredentialsMatcher') public HashedCredentialsMatcher hashedCredentialsMatcher() { HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher(); //指定加密方式為MD5 credentialsMatcher.setHashAlgorithmName('MD5'); //加密次數(shù) credentialsMatcher.setHashIterations(1024); credentialsMatcher.setStoredCredentialsHexEncoded(true); return credentialsMatcher; } @Bean('myShiroRealm') public MyShiroRealm myShiroRealm(@Qualifier('hashedCredentialsMatcher') HashedCredentialsMatcher matcher) { MyShiroRealm authRealm = new MyShiroRealm(); authRealm.setAuthorizationCachingEnabled(false); authRealm.setCredentialsMatcher(matcher); return authRealm; }

​ 2).修改MyRealm.java的認證邏輯如下：

//用戶認證 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String username = (String) token.getPrincipal();//獲取用戶信息 SysUser user1 = sysUserService.queryUserByLoginName(username);//從數(shù)據(jù)庫直接取 System.out.println(user1); if(user1!=null) { //當前realm對象的name String realmName = getName(); //鹽值 ByteSource credentialsSalt = ByteSource.Util.bytes(username); //封裝用戶信息，構(gòu)建AuthenticationInfo對象并返回 AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(username, user1.getPassword(), credentialsSalt, realmName); return authcInfo; } return null; }

​ 3). 通過 new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations); 我們可以得到'12345'經(jīng)過MD5 加密1024后的字符串；

package com.jeffrey;import org.apache.shiro.crypto.hash.SimpleHash;import org.apache.shiro.util.ByteSource;/** * Created by jeffrey on 2019/4/8. */public class MD5Salt { public static void main(String[] args){ String hashAlgorithName = 'MD5';//加密算法 String password = '12345';//登陸時的密碼 int hashIterations =1024;//加密次數(shù) ByteSource credentialsSalt = ByteSource.Util.bytes('admin2');//使用登錄名做為salt SimpleHash simpleHash = new SimpleHash(hashAlgorithName, password, credentialsSalt, hashIterations); System.out.println('ok '+simpleHash); }}

​ 使用密文替換數(shù)據(jù)庫中的明文密碼；

7.4 測試 略。。。。7.5 后記 為什么使用 MD5 鹽值加密: 希望即使兩個原始密碼相同，加密得到的兩個字符串也不同。

為什么使用 MD5 鹽值加密:希望即使兩個原始密碼相同，加密得到的兩個字符串也不同。如何做到:1). 在 doGetAuthenticationInfo 方法返回值創(chuàng)建 SimpleAuthenticationInfo 對象的時候, 需要使用SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName) 構(gòu)造器2). 使用 ByteSource.Util.bytes() 來計算鹽值.3). 鹽值需要唯一: 一般使用隨機字符串或 user id4). 使用 new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations); 來計算鹽值加密后的密碼的值.

到此這篇關(guān)于Springboot 整合shiro實現(xiàn)權(quán)限控制的文章就介紹到這了,更多相關(guān)Springboot權(quán)限控制內(nèi)容請搜索好吧啦網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持好吧啦網(wǎng)！