spring-boot + mybatis-plus + shiro 的集成demo我用了五天
关于shiro框架,我还是从飞机哪里听来的,就连小贱都知道,可我母鸡啊。简单百度了下,结论很好上手,比spring的security要简单许多...于是我就是开始了我的shiro学习之路 。正巧这几天在研究spring-boot集成mybatis-plus 于是乎我就把shiro也揉了进去,但是效果并不像我预期想象的那样。
以下是我这几天血泪换来的成果-->
基本概念
shiro :隶属Apache 简单易用的java安全框架 三大件 :Subject, SecurityManager 和 Realm
Subject:即当前操作用户
SecurityManager:安全管理器
Realm:用户数据的概念,域
过程:
1)建表 数据库一般至少有五张表
1-user:用户账号密码
2-role:角色ID,一个账户可以有很多角色
3-permission权限ID,一个角色可以有很多权限
4-user_role关系对照表:记录每个userID有的角色
5-role_permission关系对照表,记录每个role有的permission
-- 用户表
DROP TABLE IF EXISTS `user_info`;
CREATE TABLE `user_info` (
`uid` int(11) NOT NULL,
`name` varchar(255) DEFAULT NULL,
`pass_word` varchar(255) DEFAULT NULL COMMENT '密码',
`salt` varchar(255) DEFAULT NULL COMMENT '加密',
`state` tinyint(4) NOT NULL COMMENT '状态',
`username` varchar(255) DEFAULT NULL COMMENT '用户名',
`email` varchar(64) DEFAULT NULL COMMENT '邮箱',
`crtime` datetime DEFAULT NULL COMMENT '创建时间',
PRIMARY KEY (`uid`),
UNIQUE KEY(`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- 角色表
DROP TABLE IF EXISTS `sys_role`;
CREATE TABLE `sys_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`available` bit(1) DEFAULT NULL,
`description` varchar(255) DEFAULT NULL,
`role` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8; -- 用户角色表
DROP TABLE IF EXISTS `sys_user_role`;
CREATE TABLE `sys_user_role` (
`uid` int(11) NOT NULL,
`role_id` int(11) NOT NULL,
PRIMARY KEY(`uid`,`role_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- 权限表
DROP TABLE IF EXISTS `sys_permission`;
CREATE TABLE `sys_permission` (
`id` int(11) NOT NULL COMMENT 'PMK',
`available` bit(1) DEFAULT NULL COMMENT '是否激活',
`name` varchar(255) DEFAULT NULL,
`parent_id` bigint(20) DEFAULT NULL,
`parent_ids` varchar(255) DEFAULT NULL,
`permission` varchar(255) DEFAULT NULL COMMENT '权限',
`resource_type` enum('menu','button') DEFAULT NULL,
`url` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; -- 角色权限表
DROP TABLE IF EXISTS `sys_role_permission`;
CREATE TABLE `sys_role_permission` (
`permission_id` int(11) NOT NULL,
`role_id` int(11) NOT NULL,
PRIMARY KEY(`role_id`,`permission_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
2)项目搭建
spring-boot mybatis-plus shiro
1.pom.xml 贴出部分
<!-- mybits-plus -starter-->
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatisplus-spring-boot-starter</artifactId>
<version>1.0.5</version>
</dependency>
<!-- MP 核心库 -->
<dependency>
<groupId>com.baomidou</groupId>
<artifactId>mybatis-plus</artifactId>
<version>2.1.8</version>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.2</version>
</dependency>
<!-- 模板引擎 代码生成 -->
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>1.7</version>
</dependency>
<!-- mybits-plus -end-->
<!--shiro 登录认证-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<!--mysql-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>5.1.35</scope>
</dependency>
<!--druid 数据库连接池监控-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>1.1.0</version>
</dependency>
<!--jasypt 数据库加解密-->
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>1.8</version>
</dependency>
2.先集成mybatis-plus 利用自动生成方法生成 新建5张表的POJO 和 Mapper Service文件
3.编写ShiroConfig配置类
package com.zxt.ms.configs; import lombok.extern.slf4j.Slf4j;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver; import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties; /**
* @ClassName ShiroConfig
* @Description ms 梦想家
* @Author Zhai XiaoTao https://www.cnblogs.com/zhaiyt
* @Date 2019/1/26 17:27
* @Version 1.0
*/
@Slf4j
@Configuration
public class ShiroConfig { @Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
} /**
* shiro自带过滤器,无需再另外设置filter
*
* @param securityManager
* @return
*/
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) { log.info("ShiroConfig.shirFilter() start ..."); ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
//设置安全管理器
shiroFilterFactoryBean.setSecurityManager(securityManager);
//配置过滤器
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); //没登录的页面
shiroFilterFactoryBean.setLoginUrl("/notLogin");
// 设置无权限时跳转的 url;
shiroFilterFactoryBean.setUnauthorizedUrl("/notRole"); /*
* shiro 内置枚举
* anon 表示可以匿名使用
* authc 表示需要认证(登录)才能使用,没有参数
*/
//静态资源允许访问
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/images/**", "anon");
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/layer/**", "anon"); //游客,开发权限
filterChainDefinitionMap.put("/guest/**", "anon");
//用户,需要角色权限 “user”
filterChainDefinitionMap.put("/user/**", "roles[user]");
//管理员,需要角色权限 “admin”
filterChainDefinitionMap.put("/admin/**", "roles[admin]");
//开放登陆接口
filterChainDefinitionMap.put("/login", "anon");
filterChainDefinitionMap.put("/loginUser", "anon");
//其余接口一律拦截
//主要这行代码必须放在所有权限设置的最后,不然会导致所有 url 都被拦截
filterChainDefinitionMap.put("/**", "authc"); //过滤器注入工厂类
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap); log.info("ShiroConfig.shirFilter() end ...");
return shiroFilterFactoryBean;
} /**
* @return org.apache.shiro.mgt.SecurityManager
* @Description <安全管理器Bean>
* @Author Zhaiyt
* @Date 14:35 2019/1/28
* @Param
**/
@Bean
public SecurityManager securityManager() {
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
//注入realm
securityManager.setRealm(myShiroRealm());
return securityManager;
} /**
* @return com.zxt.ms.configs.ShiroRealm
* @Description <域 的概念 Shiro 从从Realm获取安全数据(如用户、角色、权限),就是说SecurityManager要验证用户身份,
* 那么它需要从Realm获取相应的用户进行比较以确定用户身份是否合法也需要从Realm得到用户相应的角色/权限进行验证用户是否能进行操作;
* 可以把Realm看成DataSource , 即安全数据源>
* @Author Zhaiyt
* @Date 14:38 2019/1/28
* @Param
**/
@Bean
public ShiroRealm myShiroRealm() {
ShiroRealm myShiroRealm = new ShiroRealm();
myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());
return myShiroRealm;
} /**
* @return org.springframework.web.servlet.handler.SimpleMappingExceptionResolver
* @Description <异常处理>
* @Author Zhaiyt
* @Date 15:20 2019/1/28
* @Param
**/
@Bean(name = "simpleMappingExceptionResolver")
public SimpleMappingExceptionResolver createSimpleMappingExceptionResolver() {
SimpleMappingExceptionResolver exceptionResolver = new SimpleMappingExceptionResolver();
Properties mappings = new Properties();
mappings.setProperty("DatabaseException", "databaseError");//数据库异常处理
mappings.setProperty("UnauthorizedException", "403");
exceptionResolver.setExceptionMappings(mappings); // None by default
exceptionResolver.setDefaultErrorView("error"); // No default
exceptionResolver.setExceptionAttribute("ex"); // Default is "exception"
return exceptionResolver;
} /**
* 因为我们的密码是加过密的,所以,如果要Shiro验证用户身份的话,需要告诉它我们用的是md5加密的,并且是加密了两次。
* @Description <加密>
* @Author Zhaiyt
* @Date 16:18 2019/1/29
* @Param
* @return org.apache.shiro.authc.credential.HashedCredentialsMatcher
**/
@Bean
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashAlgorithmName("md5");//散列算法:这里使用MD5算法;
hashedCredentialsMatcher.setHashIterations(2);//散列的次数,比如散列两次,相当于 md5(md5(""));
return hashedCredentialsMatcher;
} /**
* @Description <因为只有开启了AOP才执行doGetAuthorizationInfo(),也就权限拦截>
* @Author Zhaiyt
* @Date 16:18 2019/1/29
* @Param
* @return org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor
**/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
}
shiro配置类编写主要需要注意以下几点:
1.Shiro 过滤器
2.SecurityManager 安全管理器
3.加密方式
4.域需要注入到SecurityManager中
4.自定义ShiroRealm编写:
package com.zxt.ms.configs; import com.zxt.ms.entity.UserInfo;
import com.zxt.ms.service.IUserInfoService;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.stereotype.Component; import java.util.Set; /**
* @ClassName ShiroRealm
* @Description ms 梦想家
* @Author Zhai XiaoTao https://www.cnblogs.com/zhaiyt
* @Date 2019/1/26 16:54
* @Version 1.0
*/
@Slf4j
@Component
public class ShiroRealm extends AuthorizingRealm { @Autowired
private IUserInfoService userInfoServiceImpl; /**
* @Description <权限验证>
* @Author Zhaiyt
* @Date 14:57 2019/1/28
* @Param
* @return org.apache.shiro.authz.AuthorizationInfo
**/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { //因为非正常退出,即没有显式调用 SecurityUtils.getSubject().logout()
if (!SecurityUtils.getSubject().isAuthenticated()) {
log.info("非正常退出,清除缓存");
doClearCache(principalCollection);
SecurityUtils.getSubject().logout();
return null;
} UserInfo userInfo = (UserInfo)principalCollection.getPrimaryPrincipal();
String username = userInfo.getUsername();
//用户存在 授权
if(StringUtils.isNotBlank(username)){
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
Set<String> roles=userInfoServiceImpl.findRoleByUser(userInfo.getUsername());
Set<String> permissions=userInfoServiceImpl.findPermissionByUser(userInfo.getUsername());
authorizationInfo.setRoles(roles);
authorizationInfo.setStringPermissions(permissions);
return authorizationInfo;
}
return null;
} /**
* @Description <身份验证>
* @Author Zhaiyt
* @Date 14:58 2019/1/28
* @Param
* @return org.apache.shiro.authc.AuthenticationInfo
**/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
log.info("shiroRealm.doGetAuthenticationInfo() start ...");
//获取用户的输入的账号.
String username = (String)authenticationToken.getPrincipal(); //实际项目中,这里可以根据实际情况做缓存,如果不做,Shiro自己也是有时间间隔机制,2分钟内不会重复执行该方法
if(StringUtils.isNotBlank(username)){ UserInfo userInfo = userInfoServiceImpl.findByUsername(username); if(userInfo == null){
log.error("用户不存在");
throw new UnknownAccountException("用户名或密码错误!");
} SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
userInfo, //用户名
userInfo.getPassword(), //密码
ByteSource.Util.bytes(userInfo.getCredentialsSalt()),//salt=username+salt
getName() //realm name
);
return authenticationInfo;
}
throw new UnknownAccountException("用户名或密码错误!");
}
@Bean
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
creator.setProxyTargetClass(true);
return creator;
} /**
* 清除权限缓存
* 使用方法:在需要清除用户权限的地方注入 ShiroRealm,
* 然后调用其clearCache方法。
*/
public void clearCache() {
PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();
super.clearCache(principals);
} public static void main(String[] args) {
String hashAlgorithmName = "MD5";
String credentials = "123456";
int hashIterations = 2;
ByteSource credentialsSalt = ByteSource.Util.bytes("zhaizhai");
Object obj = new SimpleHash(hashAlgorithmName, credentials, credentialsSalt, hashIterations);
System.out.println(obj);
}
}
ShiroRealm 需要集成 AuthorizingRealm 这个里面要实现两个方法,一个认证 doGetAuthenticationInfo,一个授权 doGetAuthorizationInfo
5.测试controller编写
package com.zxt.ms.controller; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.collections4.MapUtils;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.HashMap;
import java.util.Map; /**
* @ClassName TestController
* @Description ms 梦想家
* @Author Zhai XiaoTao https://www.cnblogs.com/zhaiyt
* @Date 2019/1/28 16:16
* @Version 1.0
*/
@Slf4j
@Controller
public class HomeController { @RequiresPermissions(value = "admin")
@RequestMapping(value = "/index")
public String test(){
return "index";
} @GetMapping(value = "/login")
public String login(){
return "login";
} @RequestMapping("/loginUser")
@ResponseBody
public Map<String,Object> login(HttpServletRequest request, HttpServletResponse response) throws Exception{
log.info("HomeController.login()");
String username = request.getParameter("username");
String password = request.getParameter("password");
String rememberMe = request.getParameter("rememberMe");
Map<String,Object> map = new HashMap<>();
String ret="";
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken(username,
password);
token.setRememberMe(rememberMe=="true");
map.put("code","FAILD");
try {
currentUser.login(token);
map.put("code","SUCCESS");
map.put("msg","登陆成功");
} catch (UnknownAccountException ex) {
map.put("msg","账号错误");
log.error(MapUtils.getString(map,"msg"));
} catch (IncorrectCredentialsException ex) {
map.put("msg","密码错误");
log.error(MapUtils.getString(map,"msg"));
} catch (LockedAccountException ex) {
map.put("msg","账号已被锁定,请与管理员联系");
log.error(MapUtils.getString(map,"msg"));
} catch (AuthenticationException ex) {
map.put("msg","您没有授权");
log.error(MapUtils.getString(map,"msg"));
}
}
return map;
}
}
代码基本上就上面那些,但是我深知,仅仅只有上面那些东西根本就跑不起来,我不知道我为什么要写这样的东西,可能某个小哥在看我写的博客时候也会骂我吧,写的什么鬼鸡仔。。。 我是没有办法把所有东西都整到这来,没有任何意义,有些坑必须自己去踩,只有踩过了,也许才会记得更清楚。
下面我要说坑了:
1.编写shiroFilter的时候我没有将静态数据过滤,导致页面展示格式错乱
2.登陆使用的是ajax,而shiro当做是表单的提交,所以一开始的 login controller 写的是有问题,导致一直报 302
3.认证无法通过,在shiro配置类中我指定了加密方式,为MD5 2次离散 ,在Realm中我指定了需要加 salt 的加密方式,因此密码的加密方式为 MD5 + salt 我使用main 跑出来加密后的数据,添加至数据库,可是一直无法认证成功,后发现在SecurityManager注入的ShiroRealm实体没有set加密方法...
4.认证成功后无法回调授权方法,原因,需要权限校验的方法上添加 @RequiresPermissions(value = "admin") OK