开发环境搭建参见《【原】无脑操作:IDEA + maven + SpringBoot + JPA + Thymeleaf实现CRUD及分页》
需求:
① 除了登录页面,在地址栏直接访问其他URL,均跳转至登录页面
② 登录涉及帐号和密码,帐号错误提示帐号错误,密码错误提示密码错误
③ 登录成功跳转至首页,首页显示登录者帐号信息,并有注销帐号功能,点击注销退出系统
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
分析:
典型的运用认证权限的需求,考虑使用Shiro。了解一下Shiro框架,Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。
关键词汇:
① Subject:安全术语,本意是“当前的操作用户”。
在安全领域,术语“Subject”可以是人,也可以是第三方进程、后台帐户(Daemon Account)、定时作业(Corn Job)或其他类似事物。
它仅仅意味着“当前跟软件交互的东西”。但考虑到大多数目的和用途,你可以把它认为是Shiro的“用户”概念。
在程序中能轻易获得Subject,允许在任何需要的地方进行安全操作。
每个Subject对象都必须与一个SecurityManager进行绑定,访问Subject对象其实都是在与SecurityManager里的特定Subject进行交互。
② SecurityManager:安全管理器。
Subject代表了当前用户的安全操作,SecurityManager则管理所有用户的安全操作。
③ Realm:域,Shiro从Realm获取安全数据(如用户、角色、权限),
即SecurityManager要验证用户身份,需要从Realm获取相应用户进行比较以确定用户身份是否合法;
也就是说需要从Realm得到用户相应的角色/权限进行验证用户是否能进行操作;可以把Realm看成DataSource,安全数据源。
④ authentication:认证(发音:[ɔ:ˌθentɪ'keɪʃn])
⑤ authorization:授权(发音:[ˌɔ:θərəˈzeɪʃn])
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0、数据库建表init.sql
DROP TABLE sys_user; CREATE TABLE sys_user
(
userid INT AUTO_INCREMENT PRIMARY KEY COMMENT '用户编号',
username VARCHAR(10) NOT NULL COMMENT '用户名称',
`password` VARCHAR(10) NOT NULL COMMENT '用户密码'
); INSERT INTO sys_user VALUES(NULL, 'admin', ''), (NULL, 'test', ''); SELECT * FROM sys_user;
1、编写项目对象模型文件pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <groupId>cn.temptation</groupId>
<artifactId>studyShiro</artifactId>
<version>1.0-SNAPSHOT</version> <parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.4.RELEASE</version>
</parent> <dependencies>
<!-- web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- thymeleaf -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<!-- spring data jpa -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<!-- mariadb -->
<dependency>
<groupId>org.mariadb.jdbc</groupId>
<artifactId>mariadb-java-client</artifactId>
<version>2.2.5</version>
</dependency>
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<!-- 热启动 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<optional>true</optional>
</dependency>
</dependencies>
</project>
2、编写项目配置文件application.properties
# 数据库访问配置
# 对应MariaDB驱动
spring.datasource.driverClassName=org.mariadb.jdbc.Driver
# 数据源配置
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/test
spring.datasource.username=root
spring.datasource.password=sa
# 配置Springboot默认支持的Hikari数据库连接池
spring.datasource.type=com.zaxxer.hikari.HikariDataSource
spring.datasource.hikari.minimum-idle=5
spring.datasource.hikari.maximum-pool-size=15
spring.datasource.hikari.auto-commit=true
spring.datasource.hikari.idle-timeout=30000
spring.datasource.hikari.pool-name=DatebookHikariCP
spring.datasource.hikari.max-lifetime=1800000
spring.datasource.hikari.connection-timeout=30000
spring.datasource.hikari.connection-test-query=SELECT 1
# Spring Data JPA配置
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect
spring.jpa.properties.hibernate.hbm2ddl.auto=update
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.format_sql=true
# 格式化输出的json字符串
spring.jackson.serialization.indent_output=true
# 设置控制台彩色打印
spring.output.ansi.enabled=ALWAYS
3、编写项目启动类Application.java
package cn.temptation; import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication; @SpringBootApplication
public class Application {
public static void main(String[] args) {
// SpringBoot项目启动
SpringApplication.run(Application.class, args);
}
}
4、编写登录页面login.html 和 首页页面index.html
登录页面:login.html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>系统登录</title>
</head>
<body>
<div th:text="${msg}" style="color: red"></div>
<form action="doLogin" method="post">
帐号:<input type="text" id="txtUsername" name="username" /><br/>
密码:<input type="password" id="txtPassword" name="password" /><br/><br/>
<input type="submit" value="提交" /> <input type="reset" value="重置" />
</form>
</body>
</html>
首页页面:index.html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>系统首页</title>
</head>
<body>
<div th:text="${'欢迎您,' + currentuser}" style="color: red;float: left;"></div>
<div style="color: red;float: right;"><a href="doLogout">注销</a></div>
</body>
</html>
5、编写Shiro框架用配置类ShiroConfig.java 和 自定义Realm类MyRealm.java
配置类ShiroConfig.java
package cn.temptation.shiro; import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import java.util.LinkedHashMap;
import java.util.Map; /**
* Shiro配置类
*/
@Configuration
public class ShiroConfig {
// 1、创建ShiroFilterFactoryBean
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 设置安全管理器
shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager); // 设置登录跳转页面
shiroFilterFactoryBean.setLoginUrl("/login"); /**
* Shiro内置过滤器:实现权限相关的拦截
* 常用过滤器:
* anon(认证用):无需认证(登录)即可访问
* authc(认证用):必须认证才可访问
* user(少用):使用rememberMe功能可以访问
* perms(授权用):必须得到资源权限才可访问
* role(授权用):必须得到角色权限才可访问
*/
Map<String, String> filterMap = new LinkedHashMap<>(); // 放行登录请求
filterMap.put("/doLogin", "anon"); // 配置退出过滤器,退出代码Shiro已经实现
filterMap.put("/logout", "logout"); // 过滤链定义,从上向下顺序执行,一般将/*放在最下边
filterMap.put("/*", "authc"); shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap); return shiroFilterFactoryBean;
} // 2、创建DefaultWebSecurityManager
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("myRealm") MyRealm myRealm) {
DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager(); // 关联Realm
defaultWebSecurityManager.setRealm(myRealm); return defaultWebSecurityManager;
} // 3、创建Realm
@Bean(name = "myRealm")
public MyRealm getRealm() {
return new MyRealm();
}
}
自定义Realm类MyRealm.java
package cn.temptation.shiro; import cn.temptation.dao.UserDao;
import cn.temptation.domain.User;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired; /**
* 自定义Realm
*/
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserDao userDao; // 授权处理
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
} // 认证处理
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
// 编写Shiro判断逻辑,判断账号和密码
// 1、判断账号
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken; User user = userDao.findByUsername(token.getUsername());
if (user == null) {
// 账号错误,Shiro底层会抛出UnknownAccountException异常
return null;
} // 2、判断密码
return new SimpleAuthenticationInfo("", user.getPassword(), "");
}
}
6、编写实体类User.java
package cn.temptation.domain; import javax.persistence.*; @Entity
@Table(name = "sys_user")
public class User {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "userid")
private Integer userid; @Column(name = "username")
private String username; @Column(name = "password")
private String password; public Integer getUserid() {
return userid;
} public void setUserid(Integer userid) {
this.userid = userid;
} public String getUsername() {
return username;
} public void setUsername(String username) {
this.username = username;
} public String getPassword() {
return password;
} public void setPassword(String password) {
this.password = password;
}
}
7、编写控制器类UserController.java
package cn.temptation.web; import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping; @Controller
public class UserController {
// 访问登录页
@RequestMapping("/login")
public String login() {
return "login";
} // 访问首页
@RequestMapping("/index")
public String index() {
return "index";
} // 登录处理
@RequestMapping("/doLogin")
public String doLogin(String username, String password, Model model) {
// 使用Shiro编写认证处理
// 1、获取Subject
Subject subject = SecurityUtils.getSubject(); // 2、封装用户数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password); // 3、执行登录
try {
// 登录成功
subject.login(token); // 返回当前用户的帐号
model.addAttribute("currentuser", token.getUsername()); return "index";
} catch (UnknownAccountException exception) {
// 返回错误信息
model.addAttribute("msg", "账号错误!"); return "login";
} catch (IncorrectCredentialsException exception) {
// 返回错误信息
model.addAttribute("msg", "密码错误!"); return "login";
}
} // 注销处理
@RequestMapping("/doLogout")
public String doLogout() {
// 1、获取Subject
Subject subject = SecurityUtils.getSubject(); // 2、执行注销
try {
subject.logout();
} catch (Exception ex) {
ex.printStackTrace();
} finally {
return "login";
}
}
}
8、编写数据访问接口UserDao.java
package cn.temptation.dao; import cn.temptation.domain.User;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param; public interface UserDao extends JpaRepository<User, Integer> {
// 根据账号查询用户
@Query(value = "SELECT * FROM sys_user WHERE username=:username", nativeQuery = true)
User findByUsername(@Param("username") String username);
}
9、项目结构
10、运行效果