該整合項目完全參照 狂神說java 的《springboot整合shiro框架》教學視頻完成,如有不懂的地方可以查看該教學視頻。
目錄:
1.該整合項目所需的依賴
<dependencies> <!-- subject 用戶 securityManager 管理所有用戶 realm 連接數據 --> <!--連接數據庫的依賴--> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>8.0.15</version> </dependency> <dependency> <groupId>log4j</groupId> <artifactId>log4j</artifactId> <version>1.2.17</version> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>1.1.13</version> </dependency> <!--引入mybatis,這是mybatis官方提供的適配springboot的,而不是springboot自己的--> <dependency> <groupId>org.mybatis.spring.boot</groupId> <artifactId>mybatis-spring-boot-starter</artifactId> <version>2.1.2</version> </dependency> <!--不想書寫setter、getter方法,導入此依賴--> <dependency> <groupId>org.projectlombok</groupId> <artifactId>lombok</artifactId> <version>1.16.22</version> </dependency> <!--shiro整合spring的包--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.4.2</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> <exclusions> <exclusion> <groupId>org.junit.vintage</groupId> <artifactId>junit-vintage-engine</artifactId> </exclusion> </exclusions> </dependency> <!--導入thymeleaf依賴--> <dependency> <groupId>org.thymeleaf</groupId> <artifactId>thymeleaf-spring5</artifactId> <version>3.0.11.RELEASE</version> </dependency> <dependency> <groupId>org.thymeleaf.extras</groupId> <artifactId>thymeleaf-extras-java8time</artifactId> <version>3.0.4.RELEASE</version> </dependency> <!--shiro-thymeleaf整合--> <dependency> <groupId>com.github.theborakompanioni</groupId> <artifactId>thymeleaf-extras-shiro</artifactId> <version>2.0.0</version> </dependency> </dependencies> <repositories> <repository> <id>aliyun-repos</id> <url>http://maven.aliyun.com/nexus/content/groups/public/</url> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>aliyun-plugin</id> <url>http://maven.aliyun.com/nexus/content/groups/public/</url> <snapshots> <enabled>false</enabled> </snapshots> </pluginRepository> </pluginRepositories> <build> <plugins> <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> </plugin> </plugins> </build> </project>
2. application.yml設置連接數據庫的相關配置
spring: datasource: username: root password: 123456 #?serverTimezone=UTC解決時區的報錯 url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8 driver-class-name: com.mysql.cj.jdbc.Driver type: com.alibaba.druid.pool.DruidDataSource #Spring Boot 默認是不注入這些屬性值的,需要自己綁定 #druid 數據源專有配置 initialSize: 5 minIdle: 5 maxActive: 20 maxWait: 60000 timeBetweenEvictionRunsMillis: 60000 minEvictableIdleTimeMillis: 300000 validationQuery: SELECT 1 FROM DUAL testWhileIdle: true testOnBorrow: false testOnReturn: false poolPreparedStatements: true #配置監控統計攔截的filters,stat:監控統計、log4j:日志記錄、wall:防御sql注入 #如果允許時報錯 java.lang.ClassNotFoundException: org.apache.log4j.Priority #則導入 log4j 依賴即可,Maven 地址:https://mvnrepository.com/artifact/log4j/log4j filters: stat,wall,log4j maxPoolPreparedStatementPerConnectionSize: 20 useGlobalDataSourceStat: true connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
3.index.html
<!DOCTYPE html> <html lang="en" xmlns:th="http://www.w3.org/1999/xhtml?" xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro" > <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h1>首頁</h1> <div th:if="${session.loginUser==null}"> <a th:href="@{/toLogin}">登錄</a> </div> <p th:text="${msg}"></p> <hr> <div shiro:hasPermission="user:add"> <a th:href="@{/user/add}">add</a> </div> <div shiro:hasPermission="user:update"> <a th:href="@{/user/update}">update</a> </div> <a th:href="@{/logout}">注銷</a> </body> </html>
4.add.html和update.html
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h1>add</h1> </body> </html> ------------------------------------------------- <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h1>update</h1> </body> </html>
5.login.html
<!DOCTYPE html> <html lang="en" xmlns:th="http://www.w3.org/1999/xhtml?"> <head> <meta charset="UTF-8"> <title>Title</title> </head> <body> <h1>登錄</h1> <hr> <p th:text="${msg}" style="color:red;"></p> <form th:action="@{/login}"> 用戶名:<input type="text" name="username"><br> 密碼:<input type="password" name="password"> <br> <input type="submit" name="提交"> </form> </body> </html>
6.MyController.java
@Controller public class MyController { @RequestMapping({"/","/index"}) public String toIndex(Model model){ model.addAttribute("msg","hello,shiro!"); return "index"; } @RequestMapping("/user/add") public String add(){ return "user/add"; } @RequestMapping("/user/update") public String update(){ return "user/update"; } @RequestMapping("/toLogin") public String toLogin(){ return "login"; } @RequestMapping("/login") public String login(String username,String password,Model model){ //獲取當前用戶 Subject subject = SecurityUtils.getSubject(); //封裝用戶的登錄數據 UsernamePasswordToken token = new UsernamePasswordToken(username, password); try{ subject.login(token); //執行登錄的方法,如果沒有異常就說明ok了 return "index"; }catch (UnknownAccountException e){ //用戶名不存在 model.addAttribute("msg","用戶名不存在!"); return "login"; }catch (IncorrectCredentialsException e){ model.addAttribute("msg","密碼錯誤!"); return "login"; } } @RequestMapping("/noauth") @ResponseBody public String unauthorized(){ return "未授權無法訪問此頁面"; } @RequestMapping("/logout") public String logout(){ //獲取當前用戶 Subject subject = SecurityUtils.getSubject(); System.out.println(subject.getSession().getAttribute("loginUser")); subject.logout(); // session 會銷毀,在SessionListener監聽session銷毀,清理權限緩存 System.out.println(subject.getSession().getAttribute("loginUser")); System.out.println("執行了退出"); return "login"; } }
7.ShiroConfig.java
@Configuration public class ShiroConfig { //ShiroFilterFactoryBean (第三步:連接到前端) @Bean public ShiroFilterFactoryBean getShiroFilterBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager){ ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); //設置安全管理器 bean.setSecurityManager(defaultWebSecurityManager); //添加shiro的內置過濾器 /* anon: 無需認證即可訪問 authc: 必須認證才能用 user: 必須擁有 “記住我” 功能才能用 perms: 擁有對某個資源的權限才能用 role: 擁有某個角色權限才能訪問 */ Map<String,String> filterMap = new LinkedHashMap<>(); //攔截 filterMap.put("/user/add","authc"); filterMap.put("/user/update","authc"); //也可使用通配符* //filterMap.put("/user/*","authc"); //授權,正常情況下沒有授權會跳轉到未授權頁面 filterMap.put("/user/add","perms[user:add]"); filterMap.put("/user/update","perms[user:update]"); bean.setFilterChainDefinitionMap(filterMap); //若訪問時用戶未認證,則跳轉至登錄頁面 bean.setLoginUrl("/toLogin"); //若訪問時用戶未被授權,則跳轉至未授權頁面 bean.setUnauthorizedUrl("/noauth"); return bean; } //DefaultWebSecurityManager (第二步:管理realm對象) @Bean(name="securityManager") //@Bean注解后便被spring托管,不加name屬性,默認name值為方法名,這里就加一下吧 public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){ DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); //關聯UserRealm securityManager.setRealm(userRealm); return securityManager; } //創建realm對象,需要自定義類 (第一步:創建realm對象) @Bean(name="userRealm") //@Bean注解后便被spring托管,不加name屬性,默認name值為方法名,這里就加一下吧 public UserRealm userRealm(){ return new UserRealm(); } //整合ShiroDialect:用來整合shiro thymeleaf @Bean public ShiroDialect getShiroDialect(){ return new ShiroDialect(); } }
8.UserRealm.java
//自定義UserRealm extends AuthorizingRealm public class UserRealm extends AuthorizingRealm { @Autowired UserService userService; //授權 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { System.out.println("執行了授權"); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); //info.addStringPermission("user:add"); //拿到當前登錄的對象 Subject subject = SecurityUtils.getSubject(); User currentUser = (User) subject.getPrincipal(); //拿到user對象 info.addStringPermission(currentUser.getPerms()); return info; } //認證 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { System.out.println("執行了認證"); UsernamePasswordToken userToken = (UsernamePasswordToken) token; /* //用戶名、密碼 模擬從數據庫中獲取 String name = "root"; String password = "1111"; if (!userToken.getUsername().equals(name)){ return null; //拋出異常 UnknownAccountException } //密碼認證,shiro做~ return new SimpleAuthenticationInfo("",password,""); */ //連接真實數據庫 User user = userService.queryUserByName(userToken.getUsername()); if (user==null){ //沒有這個人 return null; //拋出異常 UnknownAccountException } Subject currentSubject = SecurityUtils.getSubject(); Session session = currentSubject.getSession(); session.setAttribute("loginUser",user); //可以加密: MD5加密 MD5鹽值加密 //密碼認證,shiro做~ return new SimpleAuthenticationInfo(user,user.getPwd(),""); } }
9.UserMapper.java
@Repository @Mapper public interface UserMapper { public User queryUserByName(String name); }
10.UserMapper.xml
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd"> <mapper namespace="com.ztx.mapper.UserMapper"> <select id="queryUserByName" parameterType="String" resultType="User"> select * from mybatis.user where name=#{name} </select> </mapper>
11.User.java
@Data @AllArgsConstructor @NoArgsConstructor public class User { private int id; private String name; private String pwd; private String perms; }
12.UserService.java和UserServiceImpl.java
public interface UserService { public User queryUserByName(String name); } ----------------------------------------------------- @Service public class UserServiceImpl implements UserService{ @Autowired UserMapper userMapper; @Override public User queryUserByName(String name) { return userMapper.queryUserByName(name); } }
13.數據庫中的user表
個人對該項目執行流程進行了梳理,如有錯誤,請指正:
1.ShiroConf.java中設置好攔截器,規定哪些頁面需要用戶具備何種要求才可訪問,同時還設置當用戶不滿足要求時應該跳轉至什么頁面。對應本項目的代碼:
2.用戶在未認證下,會跳轉到登陸頁面login.html。輸入用戶名密碼,提交執行controller中的login()方法,該方法內將用戶信息封裝成token對象,傳入subject.login()方法內進行登錄驗證。對應項目代碼:
3.執行登錄驗證時會跳轉到UserRealm類,首先執行認證(doGetAuthenticationInfo):連接數據庫判斷是否有此人,若沒有則返回結果null,若有,則將數據庫中的用戶信息存儲在subject的session中。接着進行密碼驗證,若驗證失敗,則將登錄不通過返回失敗認證信息,反之,返回成功的認證信息,並執行用戶授權(doGetAuthorizationInfo)操作,返回授權信息。對應項目代碼:
認證:
授權:
4.本項目中登錄成功后跳轉到index.html時依舊會再次執行授權操作,因為前端頁面需要一個判斷展示功能,代碼如下:
故控制台信息會是這樣:(出現兩次授權)
5.之后進入add.html或update.html時,因為會被攔截,所以都要進行授權驗證,而此時認證將不會在執行。