Shiro

時間 2019-11-07

標籤 shiro 简体版

原文原文鏈接

1.shiro簡介

官網介紹主要實現四個功能：html

Authentication: Sometimes referred to as ‘login’, this is the act of proving a user is who they say they are.java
Authorization: The process of access control, i.e. determining ‘who’ has access to ‘what’.web
Session Management: Managing user-specific sessions, even in non-web or EJB applications.數據庫
Cryptography: Keeping data secure using cryptographic algorithms while still being easy to use.apache

2.架構

三個概念：session

1.Subject:當前用戶，能夠是一我的也但是服務，表示與當前軟件交互的任何事件架構

2.SecurityManager:管理全部Subject,爲Shiro架構的核心app

3.Realms:用於進行權限信息的驗證，由本身實現jsp

3.配置

1.編寫ShiroConfig配置類，用到註解@Configuration交由spirng管理,經過url來進行過濾和權限劃分ide

首先new出ShiroFilterFactoryBean 將securityManager添加進去，再設置登陸路徑、成功路徑及無權限登陸路徑

// setLoginUrl 若是不設置值，默認會自動尋找Web工程根目錄下的"/login.jsp"頁面 或 "/login" 映射
        shiroFilterFactoryBean.setLoginUrl("/login");
        shiroFilterFactoryBean.setSuccessUrl("/index/main");
        // 設置無權限時跳轉的 url;
        shiroFilterFactoryBean.setUnauthorizedUrl("/error/404");

添加url規則Map

// 設置攔截器
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        //遊客，開發權限

        filterChainDefinitionMap.put("/static/**", "anon");
        filterChainDefinitionMap.put("/druid/**", "anon");

        //開放登錄接口
        filterChainDefinitionMap.put("/main", "anon");
        filterChainDefinitionMap.put("/login", "authc");
        filterChainDefinitionMap.put("/index/logout", "logout");
        //其他接口一概攔截
        //主要這行代碼必須放在全部權限設置的最後，否則會致使全部 url 都被攔截
         filterChainDefinitionMap.put("/**", "user,sysUser");

        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

2.注入Realm

 @Bean
    public CustomRealm customRealm() {
        CustomRealm customRealm = new CustomRealm();
        customRealm.setCredentialsMatcher(hashedCredentialsMatcher());
        customRealm.setCachingEnabled(false);
        return customRealm;
    }

其中有個加密方法

    @Bean
   public HashedCredentialsMatcher hashedCredentialsMatcher() {
       /*受權匹配 */
       HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
       hashedCredentialsMatcher.setHashAlgorithmName("MD5");
       hashedCredentialsMatcher.setHashIterations(2);
       return hashedCredentialsMatcher;
   }

散列兩次的加密方式，參考

[ https://muguang.me/it/2721.html] Shiro的屢次散列

3.注入SecurityManager

   /**
     * 注入 securityManager
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setAuthenticator(authenticator());

        // 設置realm.
        securityManager.setRealms(getRealms());
        return securityManager;
    }

這個也是將Realms集合添加進去

4.自定義Realm

package com.btw.config.shiro;

import com.btw.entity.sys.User;
import com.btw.service.sys.UserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.util.ByteSource;

import javax.annotation.Resource;

public class CustomRealm extends AuthorizingRealm {

    @Resource
    private UserService userService;


    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

            // 從數據庫獲取對應用戶名密碼的用戶
            User user = userService.findUserByLoginName(token.getUsername());
            String url = new String((char[]) token.getCredentials());
            if (null == user) {
                throw new AccountException("用戶名不正確");
            }
            if (user.isLocked()) {
                throw new LockedAccountException(); //賬號鎖定
            }
            ByteSource credentialsSalt = ByteSource.Util.bytes(user.getLoginName());//使用帳號做爲鹽值
            SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                    user.getLoginName(),//用戶名
                    user.getPasswd(),//密碼
                    credentialsSalt,
                    getName()  //realm name
            );
            return authenticationInfo;
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.setRoles(userService. findRoles(username));  //角色
        authorizationInfo.setStringPermissions(userService.findPermissions(username));  //權限
        return authorizationInfo;
    }

    public void removeUserAuthorizationInfoCache(String username) {
        SimplePrincipalCollection pc = new SimplePrincipalCollection();
        pc.add(username, super.getName());
        super.clearCachedAuthorizationInfo(pc);
    }
}

View Code

第一個doGetAuthenticationInfo()方法爲登陸認證的實現

該方法主要執行如下操做:

一、檢查提交的進行認證的令牌信息
二、根據令牌信息從數據源(一般爲數據庫)中獲取用戶信息
三、對用戶信息進行匹配驗證。
四、驗證經過將返回一個封裝了用戶信息的AuthenticationInfo實例。
五、驗證失敗則拋出AuthenticationException異常信息。

第二個doGetAuthorizationInfo()方法爲受權的實現

set 集合：roles 是從數據庫查詢的當前用戶的角色，stringPermissions 是從數據庫查詢的當前用戶對應的權限

就是說若是在shiro配置文件中添加了filterChainDefinitionMap.put(「/add」, 「perms[權限添加]」);就說明訪問/add這個連接必需要有「權限添加」這個權限才能夠訪問，若是在shiro配置文件中添加了filterChainDefinitionMap.put(「/add」, 「roles[100002]，perms[權限添加]」);就說明訪問/add這個連接必需要有「權限添加」這個權限和具備「100002」這個角色才能夠訪問。

5.登陸接口

這個主要是處理異常的相關信息


@Controller
@Slf4j
public class LoginController {

    private final static String errorAttributeName = "shiroLoginFailure";

    @Autowired
    private UserService userService;

    // 五分鐘
    private ExpiryMap<String, Integer> resetMap = new ExpiryMap<>(1000 * 60 * 5);

    @RequestMapping(value = "/login")
    public String showLoginForm(HttpServletRequest req, Model model, @RequestParam(value = errorAttributeName, required = false) String errorMsg) {

        String exceptionClassName = (String) req.getAttribute(errorAttributeName);
        String error;
        if (UnknownAccountException.class.getName().equals(exceptionClassName)) {
            error = "用戶名/密碼錯誤"; //帳戶不存在
        } else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {
            error = "用戶名/密碼錯誤";
        } else if (ExcessiveAttemptsException.class.getName().equals(exceptionClassName)) {
            error = "密碼錯誤次數已達上限（3次），請稍後再試";
        } else if (exceptionClassName != null) {
            error = "用戶名/密碼錯誤";
        } else {
            error = errorMsg;
        }
        model.addAttribute("error", error);
        return "login";
    }

    private boolean isAuthenticated() {
        return SecurityUtils.getSubject().isAuthenticated();
    }


}

View Code

tips:

public static void main(String[] args) {
   String hashAlgorithmName = "md5";//加密方式
   Object crdentials = "123456";//密碼原值
   Object salt = "admin";//鹽值
   int hashIterations = 2;//散列次數
   SimpleHash simpleHash = new SimpleHash(hashAlgorithmName, crdentials, salt, hashIterations);
   System.out.println(simpleHash);
}

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。