Spring整合Shiro做权限控制模块详细案例分析
来源:互联网 发布:网络短剧 编辑:程序博客网 时间:2024/06/04 17:39
1.引入Shiro的Maven依赖
<!-- Spring 整合Shiro需要的依赖 --> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.1</version> </dependency>
2.web.xml中配置
<!-- 配置shiro的核心拦截器 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
3. 编写自己的UserRealm类继承自Realm,主要实现认证和授权的管理操作
package com.jy.demo.shiro;import java.util.HashSet;import java.util.Iterator;import java.util.Set;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.LockedAccountException;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.springframework.beans.factory.annotation.Autowired;import com.jy.demo.bean.Permission;import com.jy.demo.bean.Role;import com.jy.demo.bean.User;import com.jy.demo.service.UserService;public class UserRealm extends AuthorizingRealm{ @Autowired private UserService userService; /** * 授权操作 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {//String username = (String) getAvailablePrincipal(principals); String username = (String) principals.getPrimaryPrincipal(); Set<Role> roleSet = userService.findUserByUsername(username).getRoleSet(); //角色名的集合 Set<String> roles = new HashSet<String>(); //权限名的集合 Set<String> permissions = new HashSet<String>(); Iterator<Role> it = roleSet.iterator(); while(it.hasNext()){ roles.add(it.next().getName()); for(Permission per:it.next().getPermissionSet()){ permissions.add(per.getName()); } } SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); authorizationInfo.addRoles(roles); authorizationInfo.addStringPermissions(permissions); return authorizationInfo; } /** * 身份验证操作 */ @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token) throws AuthenticationException { String username = (String) token.getPrincipal(); User user = userService.findUserByUsername(username); if(user==null){ //木有找到用户 throw new UnknownAccountException("没有找到该账号"); } /* if(Boolean.TRUE.equals(user.getLocked())) { throw new LockedAccountException(); //帐号锁定 } */ /** * 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以在此判断或自定义实现 */ SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName()); return info; } @Override public String getName() { return getClass().getName(); }}4.在Spring的applicationContext.xml中进行Shiro的相关配置
1、添加shiroFilter定义
<!-- Shiro Filter --> < bean id = "shiroFilter" class = "org.apache.shiro.spring.web.ShiroFilterFactoryBean" > < property name = "securityManager" ref = "securityManager" /> < property name = "loginUrl" value = "/login" /> < property name = "successUrl" value = "/user/list" /> < property name = "unauthorizedUrl" value = "/login" /> < property name = "filterChainDefinitions" > < value > / login = anon /user/** = authc /role/edit/* = perms[role:edit] /role/ save = perms [role:edit] /role/ list = perms [role:view] /** = authc </ value > </ property > </ bean >
2、添加securityManager定义
< bean id = "securityManager" class = "org.apache.shiro.web.mgt.DefaultWebSecurityManager" > < property name = "realm" ref = "myRealm" /> </ bean >
3、添加realm定义
4、配置EhCache
< bean id = "cacheManager" class ="org.apache.shiro.cache.ehcache.EhCacheManager" />5、 保证实现了Shiro内部lifecycle函数的bean执行
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
特别注意:
如果使用Shiro相关的注解,需要在springmvc-servlet.xml中配置一下信息
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/><bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/></bean>
备注:Shiro权限管理的过滤器解释:
默认过滤器(10个) anon -- org.apache.shiro.web.filter.authc.AnonymousFilterauthc -- org.apache.shiro.web.filter.authc.FormAuthenticationFilterauthcBasic -- org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilterperms -- org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilterport -- org.apache.shiro.web.filter.authz.PortFilterrest -- org.apache.shiro.web.filter.authz.HttpMethodPermissionFilterroles -- org.apache.shiro.web.filter.authz.RolesAuthorizationFilterssl -- org.apache.shiro.web.filter.authz.SslFilteruser -- org.apache.shiro.web.filter.authc.UserFilterlogout -- org.apache.shiro.web.filter.authc.LogoutFilteranon:例子/admins/**=anon 没有参数,表示可以匿名使用。 authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数 roles:例子/admins/user/**=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/**=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。 perms:例子/admins/user/**=perms[user:add:*],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。 rest:例子/admins/user/**=rest[user],根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等。 port:例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。 authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证 ssl:例子/admins/user/**=ssl没有参数,表示安全的url请求,协议为https user:例如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查
关于Shiro的标签应用:
<shiro:authenticated> 登录之后<shiro:notAuthenticated> 不在登录状态时<shiro:guest> 用户在没有RememberMe时<shiro:user> 用户在RememberMe时<shiro:hasAnyRoles name="abc,123" > 在有abc或者123角色时<shiro:hasRole name="abc"> 拥有角色abc<shiro:lacksRole name="abc"> 没有角色abc<shiro:hasPermission name="abc"> 拥有权限abc<shiro:lacksPermission name="abc"> 没有权限abc<shiro:principal> 显示用户登录名
以上是Shiro的相关配置,出于安全的考虑,一般都会使用ACL(基于角色的用户权限管理去控制用户登录后的权限)
ACL详细代码案例如下:
涉及到的表:3+2(User,Role,Permission + user-role,role-permission)
3张实体表+2张关系表
1.关于User类:
package com.jy.demo.bean;import java.util.HashSet;import java.util.Set;public class User { private String id; private String username; private String password; private Set<Role> roleSet = new HashSet<Role>(); public User() { } public String getId() { return id; } public void setId(String id) { this.id = id; } public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } public String getPassword() { return password; } public void setPassword(String password) { this.password = password; } public Set<Role> getRoleSet() { return roleSet; } public void setRoleSet(Set<Role> roleSet) { this.roleSet = roleSet; } }2.关于Role表package com.jy.demo.bean;import java.io.Serializable;import java.util.HashSet;import java.util.Set;public class Role implements Serializable { private static final long serialVersionUID = -4987248128309954399L; private Integer id; private String name; private Set<Permission> permissionSet = new HashSet<Permission>(); public Role() { super(); } // -------------------------------------------------------------------------------- @Override public int hashCode() { final int prime = 31; int result = 1; result = prime * result + ((id == null) ? 0 : id.hashCode()); return result; } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (getClass() != obj.getClass()) return false; Role other = (Role) obj; if (id == null) { if (other.id != null) return false; } else if (!id.equals(other.id)) return false; return true; } // -------------------------------------------------------------------------------- public Integer getId() { return id; } public void setId(Integer id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; } public Set<Permission> getPermissionSet() { return permissionSet; } public void setPermissionSet(Set<Permission> permissionSet) { this.permissionSet = permissionSet; }}3.关于permission表package com.jy.demo.bean;import java.io.Serializable;public class Permission implements Serializable { private static final long serialVersionUID = -8025597823572680802L; private Integer id; private String name; public Permission() { super(); } // -------------------------------------------------------------------------------------- @Override public int hashCode() { final int prime = 31; int result = 1; result = prime * result + ((id == null) ? 0 : id.hashCode()); return result; } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (getClass() != obj.getClass()) return false; Permission other = (Permission) obj; if (id == null) { if (other.id != null) return false; } else if (!id.equals(other.id)) return false; return true; } // -------------------------------------------------------------------------------------- public Integer getId() { return id; } public void setId(Integer id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; }}4.dao层接口
package com.jy.demo.dao;import com.jay.demo.bean.User;public interface UserDao { User findUserByUsername(String username); }4.使用Mybatis完成的Dao层实现<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd" ><mapper namespace="com.jay.demo.dao.UserDao"> <resultMap id="userMap" type="com.jay.demo.bean.User"> <id property="id" column="USER_ID"/> <result property="username" column="USER_USERNAME"/> <result property="password" column="USER_PASSWORD"/> <!-- 进行 多表关联插叙,先关联user和role --> <collection property="roleSet" column="roleid" ofType="com.jay.demo.bean.Role"> <id property="id" column="ROLE_ID"/> <result property="name" column="ROLE_NAME"/> <!-- 再在role中关联role和permission --> <collection property="permissionSet" column="permissionid" ofType="com.jay.demo.bean.Permission"> <id property="id" column="permission_id"/> <result property="name" column="permission_name"/> </collection> </collection> </resultMap> <!-- 通过User来查找Role --> <!-- <select id="selectRoleByUser" parameterType="int" resultMap="RoleMap"> select * from tbl_role_user user_id = #{id} </select> <resultMap id="roleMap" type="com.jay.demo.bean.User"> <result property="id" column="ROLE_ID" /> <result property="name" column="ROLE_NAME" /> </resultMap> <resultMap id="permissionMap" type="com.jay.demo.bean.Permission"> <result property="id" column="PERMISSION_ID" /> <result property="name" column="PERMISSION_NAME" /> </resultMap> --> <sql id="select-base-01"> SELECT u.USER_ID, u.USER_USERNAME, u.USER_PASSWORD, r.ROLE_ID, r.ROLE_NAME, p.PERMISSION_ID, p.PERMISSION_NAME FROM tbl_user as u, tbl_role as r, tbl_permission as p, tbl_permission_role as pr, tbl_role_user as ru WHERE u.USER_ID = ru.USER_ID AND r.ROLE_ID = ru.ROLE_ID AND p.PERMISSION_ID = pr.PERMISSION_ID AND r.ROLE_ID = pr.ROLE_ID </sql> <select id="findUserByUsername" parameterType="string" resultMap="userMap"> <include refid="select-base-01" /> AND u.USER_USERNAME = #{username} <!-- select * from tbl_user u, tbl_role r, tbl_role_user tu where u.user_id = tu.user_id and r.role_id = tu.role_id and user_username=#{username} --> </select> </mapper> 0 0
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- Spring整合Shiro做权限控制模块详细案例分析
- 10035---Spring整合Shiro做权限控制模块详细案例分析
- shiro框架的权限控制(Spring整合)
- Spring+Shiro权限整合
- 【Shiro + Spring MVC整合】教程——权限控制
- 【Shiro + Spring MVC整合】教程——权限控制
- 【Shiro + Spring MVC整合】教程——权限控制
- centos lnmp环境搭配tomcat和jdk
- lucene学习四:索引库的优化
- 计算月和日
- 20个优秀的Python库
- Android app架构经验总结(转载)
- Spring整合Shiro做权限控制模块详细案例分析
- libcurl的封装库 libSkyChaserHttp,支持gzip,http,htpps,功能齐全
- 视频直播技术
- nginx配置参数释意
- 无线路由需求分析
- Java实验(1)数字金字塔
- HashMap与HashTable的区别
- 分享 兼容ie6
- Android项目重构之路:架构篇
