Shiro大概原理和快速开始

shiro快速开始-helloshiro（官网教程：http://shiro.apache.org/10-minute-tutorial.html）

1.下载 shiro -master.zip

2.添加依赖

<dependencies><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.4.1</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>jcl-over-slf4j</artifactId><version>1.7.21</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.21</version></dependency><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
</dependencies>

2.添加log4j.properties

log4j.rootLogger=INFO, stdoutlog4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n# General Apache libraries
log4j.logger.org.apache=WARN# Spring
log4j.logger.org.springframework=WARN# Default Shiro logging
log4j.logger.org.apache.shiro=INFO# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.

3.添加shiro.ini文件

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#
# =============================================================================
# Quickstart INI Realm configuration
#
# For those that might not understand the references in this file, the
# definitions are all based on the classic Mel Brooks' film "Spaceballs". ;)
# =============================================================================# -----------------------------------------------------------------------------
# Users and their assigned roles
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setUserDefinitions JavaDoc
# -----------------------------------------------------------------------------
[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
# license plate 'eagle5' (instance specific id)
goodguy = winnebago:drive:eagle5

4.添加quickstart.java

/** Licensed to the Apache Software Foundation (ASF) under one* or more contributor license agreements.  See the NOTICE file* distributed with this work for additional information* regarding copyright ownership.  The ASF licenses this file* to you under the Apache License, Version 2.0 (the* "License"); you may not use this file except in compliance* with the License.  You may obtain a copy of the License at**     http://www.apache.org/licenses/LICENSE-2.0** Unless required by applicable law or agreed to in writing,* software distributed under the License is distributed on an* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY* KIND, either express or implied.  See the License for the* specific language governing permissions and limitations* under the License.*/import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;/*** Simple Quickstart application showing how to use Shiro's API.** @since 0.9 RC2*/
public class Quickstart {private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);public static void main(String[] args) {// The easiest way to create a Shiro SecurityManager with configured// realms, users, roles and permissions is to use the simple INI config.// We'll do that by using a factory that can ingest a .ini file and// return a SecurityManager instance:// Use the shiro.ini file at the root of the classpath// (file: and url: prefixes load from files and urls respectively):Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");SecurityManager securityManager = factory.getInstance();// for this simple example quickstart, make the SecurityManager// accessible as a JVM singleton.  Most applications wouldn't do this// and instead rely on their container configuration or web.xml for// webapps.  That is outside the scope of this simple quickstart, so// we'll just do the bare minimum so you can continue to get a feel// for things.SecurityUtils.setSecurityManager(securityManager);// Now that a simple Shiro environment is set up, let's see what you can do:// get the currently executing user://获取当前的用户对象subjectSubject currentUser = SecurityUtils.getSubject();//通过当前用户获取Session// Do some stuff with a Session (no need for a web or EJB container!!!)Session session = currentUser.getSession();session.setAttribute("someKey", "aValue");String value = (String) session.getAttribute("someKey");if (value.equals("aValue")) {log.info("Retrieved the correct value! [" + value + "]");}//判断当前用户数是否被认证// let's login the current user so we can check against roles and permissions:if (!currentUser.isAuthenticated()) {//Token :令牌 ，没有获取，随机UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");token.setRememberMe(true); //设置记住我try {currentUser.login(token); //执行登录操作} catch (UnknownAccountException uae) {log.info("There is no user with username of " + token.getPrincipal());} catch (IncorrectCredentialsException ice) {log.info("Password for account " + token.getPrincipal() + " was incorrect!");} catch (LockedAccountException lae) {log.info("The account for username " + token.getPrincipal() + " is locked.  " +"Please contact your administrator to unlock it.");}// ... catch more exceptions here (maybe custom ones specific to your application?catch (AuthenticationException ae) {//unexpected condition?  error?}}//say who they are://print their identifying principal (in this case, a username):log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");//test a role:if (currentUser.hasRole("schwartz")) {log.info("May the Schwartz be with you!");} else {log.info("Hello, mere mortal.");}//粗粒度//test a typed permission (not instance-level)if (currentUser.isPermitted("lightsaber:wield")) {log.info("You may use a lightsaber ring.  Use it wisely.");} else {log.info("Sorry, lightsaber rings are for schwartz masters only.");}//细粒度5//a (very powerful) Instance Level permission:if (currentUser.isPermitted("winnebago:drive:eagle5")) {log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'.  " +"Here are the keys - have fun!");} else {log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");}//all done - log out!currentUser.logout();System.exit(0);}
}

shiro整合springboot环境(实现一个简单的登录页面)

1.添加项目依赖

<!-- thymeleaf--><dependency><groupId>org.thymeleaf</groupId><artifactId>thymeleaf-spring5</artifactId></dependency><dependency><groupId>org.thymeleaf.extras</groupId><artifactId>thymeleaf-extras-java8time</artifactId></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.3.2</version></dependency><!--shiro-thymeleaf整合 --><dependency><groupId>com.github.theborakompanioni</groupId><artifactId>thymeleaf-extras-shiro</artifactId><version>2.0.0</version></dependency><!--连接数据库所需要的依赖 --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>8.0.21</version></dependency><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.12</version></dependency><dependency><groupId>org.mybatis.spring.boot</groupId><artifactId>mybatis-spring-boot-starter</artifactId><version>2.1.0</version></dependency><!--web所需要的依赖 --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.4.1</version><scope>compile</scope></dependency>

2.引入thymeleaf的命名空间

xmlns:th="http://thymeleaf.org"

3.项目结构图：

Shiro实现登录拦截(shiro.config)

1.ShiroConfig.java

package com.seer.config;import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;import java.util.LinkedHashMap;
import java.util.Map;@Configuration
public class ShiroConfig {//ShiroFilterFactoryBean 3@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("security") DefaultWebSecurityManager defaultWebSecurityManager){ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();//设置安全管理器bean.setSecurityManager(defaultWebSecurityManager);//添加shiro的内置过滤器/** anno:无需认证就可以访问* authc:必须认证才可以访问* user:必须拥有记住我功能才能访问* perms；拥有某个资源的权限才能访问* role：拥有某个角色权限才能访问* */Map<String, String> filterMap=new LinkedHashMap<>();//拦截//授权，正常的情况下，没有授权会跳转到没授权页面filterMap.put("/user/add","perms[user:add]");filterMap.put("/user/update","perms[user:update]");filterMap.put("/user/*","authc");bean.setFilterChainDefinitionMap(filterMap);//设置登录的请求bean.setLoginUrl("/toLogin");//设置没授权的跳转bean.setUnauthorizedUrl("/noauth");return bean;
}//DefaultWebSecurityManager 2@Bean(name = "security")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm ){DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();//关联UserRealmsecurityManager.setRealm(userRealm);return securityManager;
}//创建realm对象，需要自定义类 1@Bean
public UserRealm userRealm(){return new UserRealm();
}//整合shiroDialect:用来整合shiro和thymeleaf@Beanpublic ShiroDialect getShiroDialect(){return new ShiroDialect();}
}

Shiro实现用户认证和授权

1.UserRealm.java

package com.seer.config;import com.seer.pojo.User;
import com.seer.service.UserService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;public class UserRealm extends AuthorizingRealm {//引入业务层@AutowiredUserService userService;//授权@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {System.out.println("执行了=》授权");SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();//拿到当前登录的这个对象Subject subject = SecurityUtils.getSubject();User currentUser = (User) subject.getPrincipal();  //拿到User对象//设置当前用户的权限info.addStringPermission(currentUser.getPerm());return info;}//认证@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {System.out.println("执行了=》认证");//用户名，密码，数据中取UsernamePasswordToken userToken= (UsernamePasswordToken)token;//数据库查询得到的用户User user = userService.getUserByusername(userToken.getUsername());if (user==null){  //没有这个人就会报UnknownAccountException异常return null;}//密码认证，shiro做return new SimpleAuthenticationInfo(user,user.getPwd(),"");}
}

Shiro整合mybatis

1.Mycontroller.java

package com.seer.controller;import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;@Controller
public class MyController {//首页@RequestMapping({"/","/index"})public String  toindex(Model model){model.addAttribute("msg","helloshiro!");return "index";}//添加@RequestMapping("/user/add")public String add(){return "user/add";}//修改@RequestMapping("/user/update")public String update(){return "user/update";}//首页@RequestMapping("/toLogin")public String tologin(){return "login";}//执行登录@RequestMapping("/login")public String  login(String username, String password,Model model){//获取当前用户Subject subject = SecurityUtils.getSubject();//封装用户的登录数据UsernamePasswordToken token = new UsernamePasswordToken(username, password);try {subject.login(token);return "index"; //登陆成功返回首页} catch (UnknownAccountException e) { //用户名错误model.addAttribute("msg","用户名错误");return "login";} catch (IncorrectCredentialsException e) { //密码错误model.addAttribute("msg","密码错误");return "login";}}//无授权跳转页面@RequestMapping("/noauth")@ResponseBodypublic String unauthorized(){return "没授权无法访问此页面";}
}

2.编写实体类–User.java

package com.seer.pojo;import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;@Data
@AllArgsConstructor
@NoArgsConstructor
public class User {private int id;private String username;private String pwd;private String perm;
}

3.application.yml

#DataSource Config
spring:datasource:username: rootpassword: 12345driver-class-name: com.mysql.cj.jdbc.Driverurl: jdbc:mysql://localhost:3306/testjdbc?useUnicode=true&useSSL=false&characterEncoding=utf-8&serverTimezone=UTCtype: com.alibaba.druid.pool.DruidDataSource #自定义的druid数据源#Spring Boot 默认是不注入这些属性值的，需要自己绑定#druid 数据源专有配置initialSize: 5minIdle: 5maxActive: 20maxWait: 60000timeBetweenEvictionRunsMillis: 60000minEvictableIdleTimeMillis: 300000validationQuery: SELECT 1 FROM DUALtestWhileIdle: truetestOnBorrow: falsetestOnReturn: falsepoolPreparedStatements: true#配置监控统计拦截的filters，stat:监控统计、log4j：日志记录、wall：防御sql注入#如果允许时报错  java.lang.ClassNotFoundException: org.apache.log4j.Priority#则导入 log4j 依赖即可，Maven 地址：https://mvnrepository.com/artifact/log4j/log4jfilters: stat,wall,log4jmaxPoolPreparedStatementPerConnectionSize: 20useGlobalDataSourceStat: trueconnectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
mybatis:type-aliases-package: com.seer.pojomapper-locations: classpath:mybatis/mapper/*.xml

4.编写mapper和mapper.xml

UserMapper.java

package com.seer.mapper;import com.seer.pojo.User;
import org.apache.ibatis.annotations.Mapper;
import org.springframework.stereotype.Repository;
//@Mapper : 表示本类是一个 MyBatis 的 Mapper
@Mapper
@Repository
public interface UserMapper {//通过用户名查找用户public  User getUserByusername(String username);
}

UserMapper.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapperPUBLIC "-//mybatis.org//DTD Mapper 3.0//EN""http://mybatis.org/dtd/mybatis-3-mapper.dtd"><mapper namespace="com.seer.mapper.UserMapper"><select id="getUserByusername" resultType="User" parameterType="String">select * from user where username= #{username} ;</select></mapper>

5.编写业务层

UserService.java

package com.seer.service;import com.seer.pojo.User;public interface UserService {public User getUserByusername (String username);}

UserServiceImpl.java

package com.seer.service;import com.seer.mapper.UserMapper;
import com.seer.pojo.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;@Service
public class UserServiceImpl implements UserService {@AutowiredUserMapper userMapper;@Overridepublic User getUserByusername(String username) {return userMapper.getUserByusername(username);}
}

Shiro整合Thymeleaf

1.导入命名空间

xmlns:th="www.thymeleaf.org/thymeleaf-extras-shiro"

Shiro-登录大致的实现流程

1.第一步：在Controller中获取当前用户subject，封装当前用户的登录数据成Token，执行subject的login()方法。

//执行登录
@RequestMapping("/login")
public String  login(String username, String password,Model model){//获取当前用户Subject subject = SecurityUtils.getSubject();//封装用户的登录数据UsernamePasswordToken token = new UsernamePasswordToken(username, password);try {subject.login(token);return "index"; //登陆成功返回首页} catch (UnknownAccountException e) { //用户名错误model.addAttribute("msg","用户名错误");return "login";} catch (IncorrectCredentialsException e) { //密码错误model.addAttribute("msg","密码错误");return "login";}}

其中SecurityUtils.getSubject()是怎么获取到当前用户信息的？：根据前台传回的cookie，通过shrio的 SessionManager 去获取到对应的seesionid，然后再绑定到线程上，通过线程获取subject。

2.第二步：执行认证

//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {System.out.println("执行了=》认证");//用户名，密码，数据中取UsernamePasswordToken userToken= (UsernamePasswordToken)token;//数据库查询得到的用户User user = userService.getUserByusername(userToken.getUsername());if (user==null){  //没有这个人就会报UnknownAccountException异常return null;}//密码认证，shiro做return new SimpleAuthenticationInfo(user,user.getPwd(),"");}

3.第三步执行授权

//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {System.out.println("执行了=》授权");SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();//拿到当前登录的这个对象Subject subject = SecurityUtils.getSubject();User currentUser = (User) subject.getPrincipal();  //拿到User对象//设置当前用户的权限info.addStringPermission(currentUser.getPerm());return info;
}

4.第四步：ShiroFilterFactoryBean 过滤器拦截

@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("security") DefaultWebSecurityManager defaultWebSecurityManager){ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();//设置安全管理器bean.setSecurityManager(defaultWebSecurityManager);//添加shiro的内置过滤器/** anno:无需认证就可以访问* authc:必须认证才可以访问* user:必须拥有记住我功能才能访问* perms；拥有某个资源的权限才能访问* role：拥有某个角色权限才能访问* */Map<String, String> filterMap=new LinkedHashMap<>();//拦截//授权，正常的情况下，没有授权会跳转到没授权页面filterMap.put("/user/add","perms[user:add]");filterMap.put("/user/update","perms[user:update]");filterMap.put("/user/*","authc");bean.setFilterChainDefinitionMap(filterMap);//设置登录的请求bean.setLoginUrl("/toLogin");//设置没授权的跳转bean.setUnauthorizedUrl("/noauth");return bean;
}

这一步中有三个重要的方法

    //创建realm对象，需要自定义类 1@Bean
public UserRealm userRealm(){return new UserRealm();
}//DefaultWebSecurityManager 2@Bean(name = "security")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm ){DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();//关联UserRealmsecurityManager.setRealm(userRealm);return securityManager;
}@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("security") DefaultWebSecurityManager defaultWebSecurityManager){、、、return bean;
}

由此看出：执行的顺序为: MyReaml–>SecurityManager–>ShiroFilterFactoryBean