Shiro 整合 Web

文章目录

Shiro的Web流程

Shiro整合SSM

  • 准备SSM的配置
  • 准备经典五张表(见Shiro基本使用),完成测试
  • 准备Shiro的配置
    • 核心过滤器

      xml 复制代码
      <!--    配置Shiro整合web的过滤器-->
      <filter>
          <!--        默认情况下,请求到达这个过滤器,会去Spring容器中名字为filter-name的实例去处理-->
          <filter-name>shiroFilter</filter-name>
          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
          <filter-name>shiroFilter</filter-name>
          <url-pattern>/*</url-pattern>
      </filter-mapping>
    • 准备shiroFilter实例

      xml 复制代码
      <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
      	.....
      </bean>
    • 注入SecurityManager,登录页面路径,过滤器链

      java 复制代码
      <!--    构建realm-->
      <bean id="realm" class="com.xxx.realm.ShiroRealm" />
      
      <!--    构建securityManager-->
      <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
          <property name="realm" ref="realm"/>
      </bean>
      
      <!--    构建ShiroFilter实例-->
      <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
          <property name="securityManager" ref="securityManager"/>
          <property name="loginUrl" value="/login.html" />
          <property name="filterChainDefinitionMap">
              <map>
                  <entry key="/login.html" value="anon" />
                  <entry key="/user/**" value="anon" />
                  <entry key="/**" value="authc" />
              </map>
          </property>
      </bean>
    • 将ShiroRealm的模拟数据库操作,修改为与数据库交互(见Shiro基本使用

    • 编写登录功能,并测试效果

      java 复制代码
      @PostMapping("/login")
      public String login(String username,String password){
          // 执行Shiro的认证操作
          //1. 直接基于SecurityUtils获取subject主体,不需要手动的将SecurityManager和SecurityUtils手动整合,Spring已经奥丁
          Subject subject = SecurityUtils.getSubject();
      
          //2. 发起认证
          try {
              subject.login(new UsernamePasswordToken(username,password));
              return "SUCCESS";
          } catch (UnknownAccountException exception){
              return "username fail!!!";
          } catch (IncorrectCredentialsException exception){
              return "password fail!!!";
          } catch (AuthenticationException e) {
              return "donot know...!!!";
          }
      }

Shiro整合SpringBoot

  • 搭建SpringBoot工程

  • 配置Shiro整合SpringBoot内容

    java 复制代码
    @Configuration
    public class ShiroConfig {
    
        @Bean
        public DefaultWebSecurityManager securityManager(ShiroRealm realm){
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            securityManager.setRealm(realm);
            return securityManager;
        }
    
        @Bean
        public DefaultShiroFilterChainDefinition shiroFilterChainDefinition(){
            DefaultShiroFilterChainDefinition shiroFilterChainDefinition = new DefaultShiroFilterChainDefinition();
    
            Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
            filterChainDefinitionMap.put("/login.html","anon");
            filterChainDefinitionMap.put("/user/**","anon");
            filterChainDefinitionMap.put("/**","authc");
    
            shiroFilterChainDefinition.addPathDefinitions(filterChainDefinitionMap);
    
            return shiroFilterChainDefinition;
        }
    }

Shiro授权方式

过滤器链

java 复制代码
public enum DefaultFilter {
	// ....
    perms(PermissionsAuthorizationFilter.class),
    roles(RolesAuthorizationFilter.class),
	// ....
}
java 复制代码
filterChainDefinitionMap.put("/item/select","roles[超级管理员,运营]");
filterChainDefinitionMap.put("/item/delete","perms[item:delete,item:insert]");

自定义过滤器

  • 仿照RolesAuthorizationFilter实现自定义过滤器

    java 复制代码
    /**
     * 在要求的多个角色中,有一个满足要求,就放行
     * @author zjw
     * @description
     */
    public class RolesOrAuthorizationFilter extends AuthorizationFilter {
        @Override
        protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
            // 获取主体subject
            Subject subject = getSubject(request, response);
            // 将传入的角色转成数组操作
            String[] rolesArray = (String[]) mappedValue;
            // 健壮性校验
            if (rolesArray == null || rolesArray.length == 0) {
                return true;
            }
            // 开始校验
            for (String role : rolesArray) {
                if(subject.hasRole(role)){
                    return true;
                }
            }
    
            return false;
        }
    }
  • 将自定义过滤器配置给Shiro

    java 复制代码
    @Configuration
    public class ShiroConfig {
    
        @Bean
        public DefaultWebSecurityManager securityManager(ShiroRealm realm){
            DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
            securityManager.setRealm(realm);
            return securityManager;
        }
    
        @Bean
        public DefaultShiroFilterChainDefinition shiroFilterChainDefinition(){
            DefaultShiroFilterChainDefinition shiroFilterChainDefinition = new DefaultShiroFilterChainDefinition();
    
            Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();
            filterChainDefinitionMap.put("/login.html","anon");
            filterChainDefinitionMap.put("/user/**","anon");
            filterChainDefinitionMap.put("/item/select","rolesOr[超级管理员,运营]");
            filterChainDefinitionMap.put("/item/delete","perms[item:delete,item:insert]");
            filterChainDefinitionMap.put("/**","authc");
    
            shiroFilterChainDefinition.addPathDefinitions(filterChainDefinitionMap);
    
            return shiroFilterChainDefinition;
        }
    
        @Value("#{ @environment['shiro.loginUrl'] ?: '/login.jsp' }")
        protected String loginUrl;
    
        @Value("#{ @environment['shiro.successUrl'] ?: '/' }")
        protected String successUrl;
    
        @Value("#{ @environment['shiro.unauthorizedUrl'] ?: null }")
        protected String unauthorizedUrl;
    
    
        @Bean
        protected ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager,ShiroFilterChainDefinition shiroFilterChainDefinition) {
            //1. 构建ShiroFilterFactoryBean工厂
            ShiroFilterFactoryBean filterFactoryBean = new ShiroFilterFactoryBean();
    
            //2. 设置了大量的路径
            filterFactoryBean.setLoginUrl(loginUrl);
            filterFactoryBean.setSuccessUrl(successUrl);
            filterFactoryBean.setUnauthorizedUrl(unauthorizedUrl);
    
            //3. 设置安全管理器
            filterFactoryBean.setSecurityManager(securityManager);
    
            //4. 设置过滤器链
            filterFactoryBean.setFilterChainDefinitionMap(shiroFilterChainDefinition.getFilterChainMap());
    
            //5. 设置自定义过滤器 , 这里一定要手动的new出来这个自定义过滤器,如果使用Spring管理自定义过滤器,会造成无法获取到Subject
            filterFactoryBean.getFilters().put("rolesOr",new RolesOrAuthorizationFilter());
    
            //6. 返回工厂
            return filterFactoryBean;
        }
    }

注解

  • 注解进行授权时,是基于对Controller类进行代理,在前置增强中对请求进行权限校验

  • 因为咱们使用SpringBoot的测试方式,直接在Controller方法上添加注解即可

    java 复制代码
    @GetMapping("/update")
    @RequiresRoles(value = {"超级管理员","运营"})
    public String update(){
        return "item Update!!!";
    }
    
    @GetMapping("/insert")
    @RequiresRoles(value = {"超级管理员","运营"},logical = Logical.OR)
    public String insert(){
        return "item Update!!!";
    }
    
    //    @RequiresPermissions(value = "",logical = Logical.AND)
  • 在SpringBoot中注解默认就生效,是因为自动装配中,已经配置好了对注解的支持

    java 复制代码
    @Configuration
    @ConditionalOnProperty(name = "shiro.annotations.enabled", matchIfMissing = true)
    public class ShiroAnnotationProcessorAutoConfiguration extends AbstractShiroAnnotationProcessorConfiguration {
    
        @Bean
        @DependsOn("lifecycleBeanPostProcessor")
        @ConditionalOnMissingBean
        @Override
        public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
            return super.defaultAdvisorAutoProxyCreator();
        }
    
        @Bean
        @ConditionalOnMissingBean
        @Override
        public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
            return super.authorizationAttributeSourceAdvisor(securityManager);
        }
    }
  • 注解的形式无法将错误页面的信息定位到401.html,因为配置的这种路径,只针对过滤器链有效,注解无效。为了实现友好提示的效果,可以配置异常处理器,@RestControllerAdvice,@ControllerAdvice

记住我

记住我在开启后,可以针对一些安全级别相对更低的页面采用user过滤器拦截,只要登录过,不需要重新登录就可以访问。

准备两个接口

java 复制代码
    @GetMapping("/rememberMe")
    public String rememberMe(){
        return "rememberMe!!!";
    }

    @GetMapping("/authentication")
    public String authentication(){
        return "authentication!!!";
    }

配置不同的过滤器

java 复制代码
    filterChainDefinitionMap.put("/item/rememberMe","user");
    filterChainDefinitionMap.put("/item/authentication","authc");

在页面追加记住我按钮,并且在登录是,添加rememberMe效果

html 复制代码
<form action="/user/login" method="post">
    用户名:<input  name="username" />  <br />
    密码:<input name="password" />  <br />
    记住我:<input type="checkbox" name="rememberMe" value="on" />  <br />
    <button type="submit">登录</button>
</form>
相关推荐
憨子周42 分钟前
2M的带宽怎么怎么设置tcp滑动窗口以及连接池
java·网络·网络协议·tcp/ip
霖雨2 小时前
使用Visual Studio Code 快速新建Net项目
java·ide·windows·vscode·编辑器
SRY122404192 小时前
javaSE面试题
java·开发语言·面试
Fiercezm3 小时前
JUC学习
java
无尽的大道3 小时前
Java 泛型详解:参数化类型的强大之处
java·开发语言
ZIM学编程3 小时前
Java基础Day-Sixteen
java·开发语言·windows
我不是星海3 小时前
1.集合体系补充(1)
java·数据结构
P.H. Infinity3 小时前
【RabbitMQ】07-业务幂等处理
java·rabbitmq·java-rabbitmq
爱吃土豆的程序员3 小时前
java XMLStreamConstants.CDATA 无法识别 <![CDATA[]]>
xml·java·cdata
2401_857610034 小时前
多维视角下的知识管理:Spring Boot应用
java·spring boot·后端