shiro權限控制 · TUNA-daily

[TOC] ## 1. 整合 mybatis+beetl+shiro+durid 實例代碼： https://github.com/dailinlernhard/springboot 1. admin登錄 ![](https://box.kancloud.cn/1ac0ad9e5725bfa0c5370e8116f0220e_559x304.png) ![](https://box.kancloud.cn/dfd7bfda931eaf02411e633dc0844904_632x281.png) **可以訪問/listall** ![](https://box.kancloud.cn/ab87f844f270b8f4e6090340aa8ab8e1_686x640.png) 2. employee登錄 ![](https://box.kancloud.cn/bcfe8befd508b61ccc2b7f3150223ea9_632x276.png) ![](https://box.kancloud.cn/99e450f31f0b1dbe39379e0f9bf3f140_892x240.png) **不能訪問** ![](https://box.kancloud.cn/c608637c4c08bf7fbba2760c66ca45d4_1073x471.png) ## 2. shiro關鍵代碼 > Realm > 1. doGetAuthorizationInfo： > 從數據庫中讀取權限信息，并注冊到SecurityManager，通過注解和標簽觸發權限校驗 > > 2. doGetAuthenticationInfo： > 從數據庫中讀取用戶名和密碼注冊到SecurityManager，并由shiro完成用戶登錄的用戶名和密碼與數據庫中的對比，完成用戶登錄驗證 ~~~ @Component("aexitShrioRealm") public class AexitShrioRealm extends AuthorizingRealm { @Resource UserInfoService userService; @Resource RoleService roleService; @Resource PermissionService menuService; /** * 配置用戶權限 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { if (principals == null) { throw new AuthorizationException("PrincipalCollection method argument cannot be null."); } String userId = (String) getAvailablePrincipal(principals); List<String> roleList = roleService.getRoles(userId); //用戶角色獲取用戶功能id Set<String> roleSet = new HashSet<>(); //角色集合 Set<String> menuSet = new HashSet<>(); //菜單集合 List<String> menus; for(String roleId : roleList){ roleSet.add(roleId); menus = menuService.getPermissones(roleId); Collections.addAll(menuSet,menus.toArray(new String[menus.size()])); } SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(roleSet); authorizationInfo.setStringPermissions(menuSet); return authorizationInfo; } /** * 配置登錄認證信息 * * @param authenticationToken * @return * @throws AuthenticationException */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken; String userId = token.getUsername(); if (userId == null) { throw new AccountException("Null usernames are not allowed by this realm."); } //查出是否有此用戶 Userinfo curUser = userService.findByUsername(userId); if(curUser == null) throw new AccountException("account error:one user name must have one and only one user! "); //密碼加密 String password = ShiroKit.md5(curUser.getPassword(),curUser.getSalt()); return new SimpleAuthenticationInfo(userId, password, getName()); } } ~~~ ShiroConfiguration ~~~ /** * shiro生命周期配置項 */ @Configuration public class ShiroConfiguration { // @Resource // SysMenuExtMapper sysMenuExtMapper; @Bean(name = "lifecycleBeanPostProcessor") public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } @Bean(name = "shiroRealm") @DependsOn("lifecycleBeanPostProcessor") public AexitShrioRealm shiroRealm() { AexitShrioRealm realm = new AexitShrioRealm(); return realm; } @Bean(name = "ehCacheManager") @DependsOn("lifecycleBeanPostProcessor") public EhCacheManager ehCacheManager() { EhCacheManager ehCacheManager = new EhCacheManager(); return ehCacheManager; } @Bean(name = "securityManager") public DefaultWebSecurityManager securityManager() { DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); securityManager.setRealm(shiroRealm()); securityManager.setCacheManager(ehCacheManager());//用戶授權/認證信息Cache, 采用EhCache 緩存 return securityManager; } @Bean(name = "shiroFilter") public ShiroFilterFactoryBean shiroFilterFactoryBean(DefaultWebSecurityManager securityManager) { ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); shiroFilterFactoryBean.setSecurityManager(securityManager); Map<String, String> filterChainDefinitionManager = new LinkedHashMap<>(); filterChainDefinitionManager.put("/druid/**", "anon"); filterChainDefinitionManager.put("/static/**", "anon");//靜態資源不攔截 filterChainDefinitionManager.put("/login", "anon");//anon 可以理解為不攔截 filterChainDefinitionManager.put("/logout", "anon");//anon 可以理解為不攔截 filterChainDefinitionManager.put("/kaptcha", "anon");//anon 可以理解為不攔截 filterChainDefinitionManager.put("/", "anon"); filterChainDefinitionManager.put("/**", "authc");//authc未登錄攔截 myperm 菜單url權限攔截 shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionManager); shiroFilterFactoryBean.setLoginUrl("/"); //shiroFilterFactoryBean.setSuccessUrl("/"); shiroFilterFactoryBean.setUnauthorizedUrl("/"); //設置未通過，跳轉URL return shiroFilterFactoryBean; } @Bean @ConditionalOnMissingBean public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator daap = new DefaultAdvisorAutoProxyCreator(); daap.setProxyTargetClass(true); return daap; } @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) { AuthorizationAttributeSourceAdvisor aasa = new AuthorizationAttributeSourceAdvisor(); aasa.setSecurityManager(securityManager); return aasa; } //thymeleaf模板引擎和shiro整合時使用 /*@Bean(name = "shiroDialect") public ShiroDialect shiroDialect(){ return new ShiroDialect(); }*/ } ~~~ ## 2. 記住我 1. 登錄信息存儲在cookie中 2. 權限對用戶的校驗依然起作用 Shiro記住密碼記住密碼實現起來也是比較簡單的，主要看下是如何實現的。 **在ShiroConfiguration加入兩個方法：** ~~~ /** * cookie對象; * @return */ @Bean public SimpleCookie rememberMeCookie(){ System.out.println("ShiroConfiguration.rememberMeCookie()"); //這個參數是cookie的名稱，對應前端的checkbox的name = rememberMe SimpleCookie simpleCookie = new SimpleCookie("rememberMe"); // simpleCookie.setMaxAge(259200); returnsimpleCookie; } /** * cookie管理對象; * @return */ @Bean public CookieRememberMeManager rememberMeManager(){ System.out.println("ShiroConfiguration.rememberMeManager()"); CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager(); cookieRememberMeManager.setCookie(rememberMeCookie()); returncookieRememberMeManager; } ~~~ 將rememberMeManager注入到SecurityManager中 ~~~ @Bean public SecurityManager securityManager(){ DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager(); //設置realm. securityManager.setRealm(myShiroRealm()); //注入緩存管理器; securityManager.setCacheManager(ehCacheManager());//這個如果執行多次，也是同樣的一個對象; //注入記住我管理器; securityManager.setRememberMeManager(rememberMeManager()); returnsecurityManager; } ~~~ 在ShiroFilterFactoryBean添加記住我過濾器： ~~~ @Bean public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager){ System.out.println("ShiroConfiguration.shirFilter()"); ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean(); // 必須設置 SecurityManager shiroFilterFactoryBean.setSecurityManager(securityManager); //攔截器. Map<String,String> filterChainDefinitionMap = new LinkedHashMap<String,String>(); //配置退出過濾器,其中的具體的退出代碼Shiro已經替我們實現了 filterChainDefinitionMap.put("/logout", "logout"); //配置記住我或認證通過可以訪問的地址 filterChainDefinitionMap.put("/index", "user"); filterChainDefinitionMap.put("/", "user"); //:這是一個坑呢，一不小心代碼就不好使了; // filterChainDefinitionMap.put("/**", "authc"); // 如果不設置默認會自動尋找Web工程根目錄下的"/login.jsp"頁面 shiroFilterFactoryBean.setLoginUrl("/login"); // 登錄成功后要跳轉的鏈接 shiroFilterFactoryBean.setSuccessUrl("/index"); //未授權界面; shiroFilterFactoryBean.setUnauthorizedUrl("/403"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); returnshiroFilterFactoryBean; } ~~~ 主要是加入了： //配置記住我或認證通過可以訪問的地址 ~~~ filterChainDefinitionMap.put("/index", "user"); filterChainDefinitionMap.put("/", "user"); ~~~ 修改登錄界面加入rememberMe復選框：在login.html中加入： ~~~ <P><input type="checkbox" name="rememberMe" />記住我</P> ~~~ 關閉瀏覽器，重新打開瀏覽器，admin就可以訪問http://localhost:8090/listall ，不用登錄，employee就不行了 ![](https://box.kancloud.cn/929fca4c374ae9f3c99b403da5852b95_581x634.png)