在SpringBoot项目中使用shiro框架实现权限管理

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了在SpringBoot项目中使用shiro框架实现权限管理相关的知识,希望对你有一定的参考价值。

1、建立spring boot项目

目录结构这个样子的

<hr>

2、项目的jar包依赖

 <dependencies>
        <!--整合shiro
            subject:用户
            security manager:管理所有的用户
            realm:连接数据库

        -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.4.1</version>
        </dependency>

        <dependency>
            <groupId>com.github.theborakompanioni</groupId>
            <artifactId>thymeleaf-extras-shiro</artifactId>
            <version>2.0.0</version>
        </dependency>


        <!--整合mybatis-->
        <!-- https://mvnrepository.com/artifact/org.mybatis.spring.boot/mybatis-spring-boot-starter -->
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.1.0</version>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!--   JDBC-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>

        <!--  mysql-->
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>com.alibaba</groupId>
            <artifactId>druid</artifactId>
            <version>1.1.6</version>
        </dependency>

        <!-- 导入页面依赖
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>    -->

        <!--        thymeleaf,都是基于3.x开发的-->
        <dependency>
            <groupId>org.thymeleaf</groupId>
            <artifactId>thymeleaf-spring5</artifactId>
        </dependency>

        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-java8time</artifactId>
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

    </dependencies>

<hr>

3、配置文件.properties

#整合mybatis
mybatis.type-aliases-package=com.zheng.pojo
mybatis.mapper-locations=classpath:mybatis/mapper/*.xml

<hr>

4、连接数据库的yml文件


thymeleaf:
  prefix: classpath:/templates/  #prefix:指定模板所在的目录
  check-template-location: true  #check-tempate-location: 检查模板路径是否存在
  cache: false  #cache: 是否缓存,开发模式下设置为false,避免改了模板还要重启服务器,线上设置为true,可以提高性能。
  suffix: .html
  encoding: UTF-8
  content-type: text/html
  mode: HTML5



spring:
  datasource:
    username: root
    password: root
    url: jdbc:mysql://localhost:3306/managebook?allowMultiQueries=true&characterEncoding=UTF-8&characterSetResults=UTF-8&zeroDateTimeBehavior=convertToNull&useSSL=false
    driver-class-name: com.mysql.cj.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource

    #spring boot 默认是不注入这些属性的,需要自己绑定
    #druid 数据源专有配置
    initiaSize: 5
    minIdle: 5
    maxActive: 20
    maxWait: 60000
    timeBetweenEvictionRunsmMillis: 60000
    minEvictableIdleTimeMillis: 300000
    validationQuery: SELECT 1 FROM DUAL
    testWhileIdle: true
    testOnBorrow: false
    testOnReturn: false
    poolPreparedStatements: true

    filters: stat,wall,log4j
    maxPoolPrepareStatementPerConnectionSize: 20
    useGlobalDataSourceStat: true
    connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500


<hr>

5、实体类

==提示:建议使用Lombok==

package com.zheng.pojo;

public class User 
    private String name;
    private String password;
    private String perm;

    public User() 

    

    public User(String name, String password, String perm) 
        this.name = name;
        this.password = password;
        this.perm = perm;
    

    public String getName() 
        return name;
    

    public void setName(String name) 
        this.name = name;
    

    public String getPassword() 
        return password;
    

    public void setPassword(String password) 
        this.password = password;
    

    public String getPerm() 
        return perm;
    

    public void setPerm(String perm) 
        this.perm = perm;
    


<hr>

6、controller层

package com.zheng.controller;


import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller

public class UserController 


    @RequestMapping("/toLogin")
    public String index()
        return "login";
    

    //跳转到未授权界面
    @RequestMapping("/ungrant")
    public String ungrant()
        return "ungrant";
    

    //跳转到怎加
    @RequestMapping("/admin/add")
    public String addpPage()
        return "add";
    

    @RequestMapping("/admin/update")
    public String updatePage()
        return "update";
    

    @RequestMapping("/index")
    public String toIndex()
        return "index";
    

    



    @RequestMapping("/login")
    public String login(String username, String password, Model model)
        //获取当前的用户
        Subject subject= SecurityUtils.getSubject();

        //封装用户的登录数据
        UsernamePasswordToken token= new UsernamePasswordToken(username,password);
        try 
            subject.login(token);//执行登陆的方法,如果没有异常则是正确的
            return "index";//进入个人信息界面
         catch (UnknownAccountException e) 
            model.addAttribute("msg","用户名错误");
            return "login";
        catch (IncorrectCredentialsException e)
            model.addAttribute("msg","密码不存在");
            return "login";

        


    


<hr>

7、service层

package com.zheng.service;

import com.zheng.pojo.User;

public interface UserService 
    //查询用户信息
    User login(String name);



<hr>

8、serviceImpl层

package com.zheng.service.impl;

import com.zheng.mapper.UserMapper;
import com.zheng.pojo.User;
import com.zheng.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
public class UserServiceImpl implements UserService 

    @Autowired
    UserMapper userMapper;
    @Override
    public User login(String name) 
        return userMapper.login(name);
    


<hr>

9、mapper层

package com.zheng.mapper;

import com.zheng.pojo.User;
import org.apache.ibatis.annotations.Mapper;
import org.springframework.stereotype.Repository;

@Mapper    //这个注解表示这个是mybatis的mapeper
@Repository
public interface UserMapper 

    //查询用户信息
    User login(String name);





<hr>

10、mapper文件层(编写SQL语句)

<?xml version="1.0" encoding="UTF8"?>
<!DOCTYPE mapper
        PUBLIC "-//mybatis.org//DTD Config 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.zheng.mapper.UserMapper">

    <!--查询某一个用户的信息-->
    <select id="login" resultType="com.zheng.pojo.User" >
        select  * from user where name=#name
    </select>


</mapper>

11、前端页面简单的表示(这里制作简单的演示、前端框架也很多)

11.1、index.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>首页</title>
</head>
<body>

<a rel="nofollow" th:href="@/admin/add">add</a>&nbsp;&nbsp;&nbsp;&nbsp;<a rel="nofollow" th:href="@/admin/update">update</a>

</body>
</html>

11.2、login.htm

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8">
    <title>登录</title>
</head>
<body>

<form th:action="@/login" >
    用户名:<input type="text" name="username" placeholder="请输入姓名" ><br>
    密码:<input type="text" name="password" placeholder="请输入密码"> <br>
    <button type="submit" >登录</button>
</form>

</body>
</html>

11.3、ungrant.html未授权页面

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>未授权页面</title>
</head>
<body>
未授权页面
</body>
</html>

11.4、add.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>增加页面</title>
</head>
<body>
add
</body>
</html>

11.5、update.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改页面</title>
</head>
<body>
update
</body>
</html>

<hr>

12、实际效果展示

12.1、第一种情况、还未登录直接访问首页中的链接

<hr>

12.2、第二种情况、登录后访问首页中的链接

首先看一下数据库中数据、更加具有说服力

在首页中测试add 在首页中测试update <hr>

13、解析说明 、过滤器的代码

package com.zheng.config;

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig 
    //ShiroFilterFactoryBean
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("securitymanager") DefaultWebSecurityManager defaultWebSecurityManager) 
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        //设置安全管理器
        bean.setSecurityManager(defaultWebSecurityManager);
        //添加shiro的内置过滤器
        /**
         *  anon:无需认证就可访问  *  authc:必须认证才能访问*  User:必须拥有 记住我 功能才能用
         *  perms:拥有对某个资源的权限才能访问*  role:拥有某个角色权限才能访问
         */
        Map<String, String> filterMap = new LinkedHashMap<>();
        //授权,正常的情况下,没有授权会跳转到未授权页面
//        filterMap.put("/admin/*","authc");//admin请求下的都需要认证
        filterMap.put("/admin/add", "perms[user:add]");
        filterMap.put("/admin/update", "perms[user:update]");

        bean.setFilterChainDefinitionMap(filterMap);
        //如果没有认证、设置登录的请求
        bean.setLoginUrl("/toLogin");
        //如果没有授权,跳转到未收取页面
        bean.setUnauthorizedUrl("/ungrant");
        return bean;

    

    //DefaultWebSecurityManager
    @Bean(name = "securitymanager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm) 
        DefaultWebSecurityManager securitymanager = new DefaultWebSecurityManager();
        //关联UserRealm
        securitymanager.setRealm(userRealm);
        return securitymanager;


    

    //创建realm对象,需要自定义安装
    @Bean
    public UserRealm userRealm() 

        return new UserRealm();
    


    //整合ShiroDialect:用来整合shiro thymeleaf
    @Bean
    public ShiroDialect getShiroDialect() 
        return new ShiroDialect();
    




<hr>

14、授权和认证

package com.zheng.config;

import com.zheng.pojo.User;
import com.zheng.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;


//自定义的UserRealm

public class UserRealm extends AuthorizingRealm 

    @Autowired
    UserService userService;

    //授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) 

        System.out.println("执行了授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//        info.addStringPermission("user:update");

        //拿到当前的登录对象
        Subject subject = SecurityUtils.getSubject();
        User user = (User)subject.getPrincipal();

        //设置当前用户的权限
        info.addStringPermission(user.getPerm());

        return info;

    

    //认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException 
        // 第一种方式
        // 获取用户输入的账号和密码(一般只需要获取账号就可以)
        System.out.println("执行了认证");
        UsernamePasswordToken userToken = (UsernamePasswordToken) token;
        //连接真实的数据库

        User user = userService.login(userToken.getUsername());

        //1、思路:在用户表中新增加一个权限字段、然后再次查询数据库获得该用户所具有的权限(该权限为要给集合??????
        if(user == null)
            //没有这个人
            return null;
        
        //密码认证
        return  new SimpleAuthenticationInfo(user,user.getPassword(),"");

    


15、关键解说:

以上是关于在SpringBoot项目中使用shiro框架实现权限管理的主要内容,如果未能解决你的问题,请参考以下文章

springboot整合shiro

SpringBoot 整合Shiro实现动态权限加载更新+Session共享+单点登录

SpringBoot2.0 整合 Shiro 框架,实现用户权限管理

SpringBoot项目+Shiro(权限框架)+Redis(缓存)集成

Shiro 核心功能案例讲解 基于SpringBoot 有源码

bootstrap+springboot实现shiro权限控制的坑