SpringBoot廿SpringBoot中整合Shiro實現(xiàn)權(quán)限管理

1、SpringBoot廿三、SpringBoot 中整合 Shiro 實現(xiàn)權(quán)限管理2020-07-12 16:53:31之前在SSM項目中使用過shiro,發(fā)現(xiàn)shiro的權(quán)限管理做的真不錯，但是在SSM 項目中的配置太繁雜了，于是這次在SpringBoot中使用了 shiro,下面一起看看 吧一、簡介Apache Shiro是一個強大且易用的Java安全框架，執(zhí)行身份驗證、授權(quán)、密碼和會 話管理。使用Shiro的易于理解的API,您可以快速、輕松地獲得任何應(yīng)用程序，從 最小的移動應(yīng)用程序到最大的網(wǎng)絡(luò)和企業(yè)應(yīng)用程序。三個核心組件：1、Subject即“當(dāng)前操作用戶”。但是，在Shiro中，Sub

2、ject這一概念并不僅僅指人，也可以是 第三方進程、后臺帳戶（DaemonAccount）或其他類似事物。它僅僅意味著當(dāng)前 跟軟件交互的東西。Subject代表了當(dāng)前用戶的安全操作，SecurityManager則管 理所有用戶的安全操作。2、SecurityManager它是Shiro框架的核心，典型的Facade模式，Shiro通過SecurityManager來管理 內(nèi)部組件實例，并通過它來提供安全管理的各種服務(wù)。3、RealmRealm充當(dāng)了 Shiro與應(yīng)用安全數(shù)據(jù)間的“橋梁”或者“連接器”。也就是說，當(dāng)對用 戶執(zhí)行認證（登錄）和授權(quán)（訪問控制）驗證時，Shiro會從應(yīng)用配置的Rea

3、lm中 查找用戶及其權(quán)限信息。從這個意義上講，Realm實質(zhì)上是一個安全相關(guān)的DA0： 它封裝了數(shù)據(jù)源的連接細節(jié)，并在需要時將相關(guān)數(shù)據(jù)提供給Shiro。當(dāng)配置Shiro 時，你必須至少指定一個Realm,用于認證和（或）授權(quán)。配置多個Realm是可 以的，但是至少需要一個。Shiro內(nèi)置了可以連接大量安全數(shù)據(jù)源（乂名日錄）的 Realm,如LDAP、關(guān)系數(shù)據(jù)庫（JDBC）、類似INI的文本配置資源以及屬性文件 等。如果缺省的Realm不能滿足需求，你還可以插入代表自定義數(shù)據(jù)源的自己的 Realm實現(xiàn)。二、整合 shiro4引入maven依賴 ! - web 支持org sp”ingframew

4、ork bootspTing-boot-starter-weborg sp”ingframework bootspringboot-starter-thymeleafv/antifactldorg apache shiroartifacin g1.24com.githubtheborakompanioni/groupldthymeleaf-extras-shirxx/a”tifactld2.00我使用的SpringBoot版本是2.3.1,其它依賴自己看著引入吧2、創(chuàng)建shiro配置文件關(guān)于shiro的配置信息，我們都放在ShiroConfig.java文件中import at polluxt

5、hymeleaf shiro dialect ShiroDialect;import org apache shiro authc credentialHashedCredentialsMatcher;import org apache shiromgt SecurityManage”;import org.apache.shiro.spring.LifecycleBeanPostProcesso”;import org.apache.shiro.spring.securityinterceptor.AuthorizationAttrib uteSourceAdvisor;import org

6、.apache.shino.spring.web.ShinoFiltenFactoryBean;import org apache shirowebmgt DefaultWebSecurityManager;import ong springframework aop framework autoproxy DefaultAdvisorAutoPr oxyCreator;import org springframework contextannotation Bean;import org springframework contextannotationConfiguration;impor

7、t org springframework context annotation DependsOn;import java.util.LinkedHashMap;import java.util.Map;* shiro配置類*/Configurationpublic class ShiroConfig /*注入這個是是為了在thymeleaf中使用shiro的口定義tag。*/Bean(name = shiroDialect) public ShiroDialect shiroDialect() return new ShiroDialect();/*地址過濾器* param securit

8、yManage”* return*/Beanpublic ShiroFilterFactoryBean shiroFilterFactonyBean(SecurityManage r securityManage”) ShiroFilterFactonyBean shiroFilterFactoryBean = new ShiroFilten FactoryBean();/ 設(shè)置 securityManagershiroFi It erFac toryBea n. set SecurityMa/設(shè)置登錄u shiroFiIterFactoryBean.setLoginUrl(/login);/

9、設(shè)置主頁url shiroFiIterFactonyBean.setSuccessUrlC/)；/設(shè)置未授權(quán)的urlshiroF ilt erFac tonyBea n. set Unau 七110廣匚20111廣.(/11 nauthonized);Map filterChainDefinitionMap = new LinkedHashMa P()；/開放登錄接口filterChainDefinitionMap.put(/doLogin， anon);/開放靜態(tài)資源文件 filterChainDefinitionMap.put(/css/anon); filterChainDefiniti

10、onMap.put(/img/*M， anon); filterChainDefinitionMap.put(/js/* anon); filterChainDefinitionMap.put(,/layui/*, anon);/其余url全部攔截，必須放在最后 filterChainDefinitionMap.put(，7* authc); shiroFiIterFactoryBean.setFilterChainDefinitionMap(fiIterChainD efinitionMap);return shiroFilterFactoyBean;* 口定義安全管理策略*/Beanpub

11、lic SecurityManager securityManager() DefaultWebSecurityManage” securityManager = new DefaultWebSecur ityManager();/*設(shè)置自定義的relam*/securityManager.setRealm(loginRelam(); return securityManagen;/*登錄驗證*/Beanpublic LoginRelam loginRelam() return new LoginRelam();*以下是為了能夠使用RequiresPermission()等標(biāo)簽*/Beanpu

12、blic DefauItAdvisorAutoProxyCreator advisorAut0卩廠0乂(031：0() DefauItAdvisorAutoProxyCreator advisorAutoProxyCreato” = new De faultAdvisorAu 七0卩0%?！?81：0廣();advisorAutoProxyCreaton.setProxyTargetClass(tnue); return advisorAutoProxyCreator;Beanpublic static LifecycleBeanPostProcesso” lifecycleBeanPostP

13、rocesso” ()return new LifecycleBeanPostProcessoO;Beanpublic AuthorizationAttribu七0$011“。6人1/150廣 authorizationAttributeSo urceAdvisor() AuthorizationAttributeSourceAdviso” authorizationAttributeSounc eAdvisor = new AuthorizationAttributeSourceAdvisor();authorizationAttributeSourceAdviso”.setSecurity

14、Manager(security Manager();return authorizationAttributeSouTceAdvisor;上面開放靜態(tài)資源文件，其它博客說的是*filterChainDefinitionMap. put (/stat Hanonu);*，但我發(fā)現(xiàn)，我們在html文件中引入靜態(tài)文件時，請求路徑根 本沒有經(jīng)過static, thymeleaf 口動默認配置*static/*下面就是靜態(tài)資源文件, 所以，我們開放靜態(tài)資源文件需要指定響應(yīng)的目錄路徑2、登錄驗證管理關(guān)于登錄驗證的一些邏輯，以及賦權(quán)等操作，我們都放在LoginRelamJava文件中import com

15、baomidoumybatisplus core conditions query QueryWrapper; import com zyxx sbm entityUserlnfo;import comzyxxsbm.serviceRolePenmissionService;import com zyxx sbm service UserlnfoService;import com zyxx sbm service UserRoleService;import org.apache.shino.authc*;import org apache shiro authc credentialCre

16、dentialsMatcher;import org.apache.shino.authz.Authorizationlnfo;import org apache shiro authzSimpleAuthonizationlnfo;import org apache shiro realmAuthorizingRealm;import org apache shiro subject PrincipalCollection;import org apache shiro util ByteSource;import org springframework beans factony anno

17、tation Autowired;import java.util.Set;*登錄授權(quán)*/public class LoginRelam extends AuthorizingRealm Autowiredprivate UserlnfoService userlnfoService;Autowiredprivate UserRoleService userRoleService;Autowired private RolePermissionService rolePermissionService;*身份認證* param authenticationToken* return* thro

18、ws AuthenticationException*/Overrideprotected Authenticationinfo doGetAuthenticationlnfo(AuthenticationToken authenticationToken) throws AuthenticationException /獲取基用戶名和密碼的令牌：實際上這個authcToken是從LoginContr oiler 里面 currentuser. login(token)傳過來的UsernamePasswodToken token 二(Use”namePasswordToken) authent

19、ic ationToken;根據(jù)用戶名查找到用戶信息QueryWrapper queryWrapper = new QueryWrapper(); queryWrappereq(account tokengetUsername();Userinfo userInfo = userlnfoServicegetOneCqueryWrapper);/沒找到帳號if (null 二二 userInfo) throw new UnknownAccountException();/校驗用戶狀態(tài)if (I.equals(userinfo.getStatus() throw new DisabledAccou

20、ntException();/認證緩存信息return new SimpleAuthenticationlnfo(userlnfo, userlnfo.getPassw ord() ByteSourceUtilbytes(userinfo.getAccount(), getName();/*角色授權(quán)* param principalCollection* return*/Overrideprotected Authorizationlnfo doGetAuthorizationlnfo(PrincipalCollect ion pnincipalCollection) Userinfo aut

21、horizingUse” = (Userlnfo) principalCollection.getP” imaryPrincipal();if (null != authorizingUsen) /權(quán)限信息對象info,用來存放査出的用戶的所有的角色(role)及權(quán)限(permission)SimpleAuthorizationInfo simpleAuthordzationlnfo = new Simpl eAuthorizationlnfo();獲得用戶角色列表Set roleSigns = userRoleService.listUsenRoleByUserl d(authonizing

22、User getld();SimpleAuthorizationInfo.addRoles(roleSigns);/獲得權(quán)限列表Set permissionSigns = rolePermissionService.listRol ePermissionByUserId(authorizingUsengetld();simpleAuthorizationInfo.addStringPermissions(permissionSign s)；retu“n simpleAuthorizationlnfo;return null;/*自定義加密規(guī)則* param credentialsMatche”

23、*/Overridepublic void setCredentialsMatcher(C“edentialsMatchen credentialsMat cher) /自定義認證加密方式CustomCredentialsMatche” customCedentialsMatche = new CustomC redentialsMatche“()；/設(shè)置自定義認證加密方式super setCnede ntialsMa;以上就是登錄時，需要指明shiro對用戶的一些驗證、授權(quán)等操作，還有自定義密 碼驗證規(guī)則，在笫3步會講到，獲取角色列表，權(quán)限列表，需要獲取到角色與權(quán) 限的標(biāo)識，每一個角色，每一

24、個權(quán)限都有唯一的標(biāo)識，裝入Set中3、自定義密碼驗證規(guī)則密碼的驗證規(guī)則，我們放在了 CustomCredentialsMatcher.java文件中import org apache shiro authc Authenticationlnfo;import ong apache shiroauthc AuthenticationToken;import org.apache.shiro.authc.UsernamePasswordToken;import ong apache shiro authc credentialSimpleCredentialsMatcher;import orga

25、pacheshirocryptohashSimpleHash;/* ClassName CustomOedentialsMatcher*自定義密碼加密規(guī)則* Author Lizhou* Date 2020-07-10 16:24:24* /public class CustomCredentialsMatcher extends SimpleCredentialsMatcherOverridepublic boolean doCredentialsMatch(AuthenticationToken authcToken? A uthenticationlnfo info) UsernameP

26、asswordToken token = (UsernamePasswordToken) authcToke n；加密類型，密碼，鹽值，迭代次數(shù)Object tokenCredentials = new SimpleHash(md5J token.getPasswo “d() token.getUsername(力 6).toHex();/數(shù)據(jù)庫存儲密碼Object accountCnedentials = getCredentials(info);/將密碼加密與系統(tǒng)加密后的密碼校驗，內(nèi)容一致就返回true,不一致就返回 falsereturn equals(tokenCredentials,

27、 accountCredentials);我們采用的密碼加密方式為MD5加密，加密6次，使用登錄賬戶作為加密密碼的 鹽進行加密4、密碼加密工具上面我們自定義了密碼加密規(guī)則，我們創(chuàng)建一個密碼加密的工具類PasswordUtils.java 文件import org apache shiro crypto hashMd5Hash;/*密碼加密的處理工具類*/public class Passwordlltils /*迭代次數(shù)*/private static final int ITERATIONS = 6;private PasswordUtils() throw new AssertionErr

28、or();/*字符串加密函數(shù)MD5實現(xiàn)* param password 密碼* param loginName 用戶名* return*/public static String getPassword(String passwords String loginName)return new Md5Hash(password? loginName ITERATIONS).toString();上面，我們已經(jīng)配置了 shiro的一系列操作，從登錄驗證、密碼驗證規(guī)則、用戶授 權(quán)等等，下面我們就開始登錄，登錄的操作，放在了 Logincontroller.java文件中 import com zyx

29、x commonconsts SystemConst;import com mon enums StatusEnums; import com mon kaptcha.KaptchaUtil;import com mon shiroSingletonLoginUtils;import mon utilsPasswordlltiIs;import com mon utils ResponseResult;import com zyxx.sbm entityUserinfo;import comzyxx.sbm.servicePermissionInfoSenvice;import io.swag

30、ger.annotationsApi;import io.swagger.annotationsApilmplicitParam;import io.swagger.annotationsApilmplicitParams;import io swagger annotations ApiOperation;import org.apache.shiro.SecurityUtiIs;import org.apache.shiro.authc*;import org.apache.shiro.subjectSubject;import ong springframework beans fact

31、o“y annotation Autowired; import org springframework stereotype Controller;import org springframework web.bind annotation GetMapping; import ong springframework web bindannotation PostMapping; import org springframework web.bind annotation ResponseBody;import javaxservlethttpHttpServletRequest; impo

32、rt javax servlet http HttpServletResponse;/* ClassName LoginController* Description* Author Lizhou* Date 2020-07-02 10:54:54 Api(tags二“后臺管理端一登錄”)Controllerpublic class LoginController Autowiredprivate PermissionlnfoService permissionInfoService;ApiOperation（value =請求登錄頁面notes =請求登錄頁面）GetMapping(logi

33、n)public String init() return login;ApiOperation(value =請求主頁面notes =請求主頁面)GetMapping(*7 )public String index() return index;ApiOperation(value =登錄驗證,notes =登錄驗證)ApiImplicitParams(ApiImplicitParam(name = account value =賬號J require d = true),ApiImplic it Param (n ame = password value =密 fi 馬requir ed

34、= true)ApiImplicitParam(name = resCode value =驗證碼篤 requi red = true),ApiImplicitParam(name = rememberMe1, value =記住登錄，r equired = true)PostMapping( l,doLoginH)ResponseBodypublic ResponseResult doLogin(Strying account. String password, Stri ng resCode Boolean rememberMe HttpServletRequest request Htt

35、pServlet Response response) throws Exception /驗證碼if (!Kaptchallti 1validate(resCode，request) retunn ResponseResultgetlnstance()error(StatusEnumsKAPTCH_ERROR);/驗證帳號和密碼Subject subject 二 SecurityUtils.getSubject();UsernamePasswordToken token 二 new UsernamePasswordToken(account, password);/記住登錄狀態(tài)token s

36、etRememberMe(rememberMe);Wy /執(zhí)行登錄subject login(token);/將用戶保存至j session中Userinfo userInfo = (UserInfo) subjectgetPrincipal(); request.getSession().setAttribute(SystemConst.SYSTEM_USER_S ESSION, userinfo);retunn ResponseResultgetInstance()success(); catch (UnknownAccountException e) return ResponseResult .getInstance().error(賬戶不存在11); catch (DisabledAccountException e) return ResponseResult .getInstance().error(賬戶已被凍結(jié)”)； catch (IncorrectCredentialsException e) return R