本文共 8479 字,大约阅读时间需要 28 分钟。
1、自定义Realm
Shiro从Realm获取安全数据(如用户、角色、权限),就是说SecurityManager要验证用户身份,那么它需要从Realm获取相应的用户进行比较以确定用户身份是否合法;也需要从Realm得到用户相应的角色/权限进行验证用户是否能进行操作;可以把Realm看成DataSource,即安全数据源。最基础的是Realm接口,CachingRealm负责缓存处理,AuthenticationRealm负责认证,AuthorizingRealm负责授权。通常自定义的realm继承AuthorizingRealm。
需要导入的依赖:
在<!--shiro相关依赖--> <shiro.version>1.3.2</shiro.version> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>${shiro.version}</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>${shiro.version}</version> </dependency>
shiro提供的realm图: 一个自定义realm实例:
package com.zking.ssm.shiro; import com.zking.ssm.model.User;import com.zking.ssm.service.UserService;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.util.ByteSource; /** * @author LJ * @site www.lijun.com * @Date 2019年01月02日 * @Time 19:27 */public class MyRealm extends AuthorizingRealm { private UserService userService; public UserService getUserService() { return userService; } public void setUserService(UserService userService) { this.userService = userService; } /** * 此方法在用户进入一个没有权限的页面时调用 * @author LJ * @Date 2019/1/3 * @Time 17:11 * @param principals * @return org.apache.shiro.authz.AuthorizationInfo */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { System.out.println("授权....."); return null; } /** * 此方法在进行身份认证时调用 * @author LJ * @Date 2019/1/3 * @Time 17:12 * @param token * @return org.apache.shiro.authc.AuthenticationInfo */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { System.out.println("认证....."); String username = token.getPrincipal().toString(); User user = this.userService.queryByName(username); //数据库中存在的账户、密码组合成唯一的认证标识 AuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(),user.getPassword(),this.getName()); return info; } }
2、Spring与Shiro集成
(1)配置自定义Realm(2)注册安全管理器
将自定义的Realm设置到Shiro的SecurityManager中,在Shiro授权和认证时使用自定义的Realm数据源进行校验
(3)配置Shiro核心过滤器
Shiro核心过滤器用于拦截请求,通过给定的授权认证机制对用户访问身份和权限进行认证识别<!--Shiro核心过滤器--> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <!-- Shiro的核心安全接口,这个属性是必须的 --> <property name="securityManager" ref="securityManager" /> <!-- 身份验证失败,跳转到登录页面 --> <property name="loginUrl" value="/login"/> <!-- 身份验证成功,跳转到指定页面 --> <!--<property name="successUrl" value="/index.jsp"/>--> <!-- 权限验证失败,跳转到指定页面 --> <property name="unauthorizedUrl" value="/unauthorized.jsp"/> <!-- Shiro连接约束配置,即过滤链的定义 --> <property name="filterChainDefinitions"> <value> <!-- 注:anon,authcBasic,auchc,user是认证过滤器 perms,roles,ssl,rest,port是授权过滤器 --> <!--anon 表示匿名访问,不需要认证以及授权--> <!--authc表示需要认证 没有进行身份认证是不能进行访问的--> <!--roles[admin]表示角色认证,必须是拥有admin角色的用户才行--> /user/login=anon /user/updatePwd.jsp=authc /admin/*.jsp=roles[admin] /user/teacher.jsp=perms["user:update"] <!-- /css/** = anon /images/** = anon /js/** = anon / = anon /user/logout = logout /user/** = anon /userInfo/** = authc /dict/** = authc /console/** = roles[admin] /** = anon--> </value> </property> </bean>
(4)配置Shiro生命周期
3、修改web.xml文件,添加shiroFilter的配置
shiroFilter org.springframework.web.filter.DelegatingFilterProxy targetFilterLifecycle true shiroFilter /*
4、创建ShiroController实现Shiro身份认证登录
package com.zking.ssm.controller; import com.zking.ssm.model.User;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping; import javax.servlet.http.HttpServletRequest; /** * @author LJ * @site www.lijun.com * @Date 2019年01月02日 * @Time 19:27 */@Controllerpublic class ShiroController { /** * 登录 * @author LJ * @Date 2019/1/3 * @Time 17:31 * @param user * @param request * @return java.lang.String */ @RequestMapping("/login") public String login(User user, HttpServletRequest request){ Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword()); try { subject.login(token); request.getSession().setAttribute("username",user.getUsername()); return "main"; }catch (Exception e){ request.setAttribute("message","用户名或密码有误!"); return "login"; } } /** * 退出登录 * @author LJ * @Date 2019/1/3 * @Time 17:31 * @param * @return java.lang.String */ @RequestMapping("/logout") public String logout(){ Subject subject = SecurityUtils.getSubject(); subject.logout(); return "redirect:login.jsp"; }}
5、创建login.jsp
<%@ page contentType="text/html;charset=UTF-8" language="java" %>Title 用户登陆
${message}
6、MD5盐加密
(1)生成加密密码PasswordHelper类(盐加密)package com.zking.ssm.util; import org.apache.shiro.crypto.RandomNumberGenerator;import org.apache.shiro.crypto.SecureRandomNumberGenerator;import org.apache.shiro.crypto.hash.SimpleHash; /** * 用于shiro权限认证的密码工具类 */public class PasswordHelper { /** * 随机数生成器 */ private static RandomNumberGenerator randomNumberGenerator = new SecureRandomNumberGenerator(); /** * 指定hash算法为MD5 */ private static final String hashAlgorithmName = "md5"; /** * 指定散列次数为1024次,即加密1024次 */ private static final int hashIterations = 1024; /** * true指定Hash散列值使用Hex加密存. false表明hash散列值用用Base64-encoded存储 */ private static final boolean storedCredentialsHexEncoded = true; /** * 获得加密用的盐 * @return */ public static String createSalt() { return randomNumberGenerator.nextBytes().toHex(); } /** * 获得加密后的凭证 * @param credentials 凭证(即密码) * @param salt 盐 * @return */ public static String createCredentials(String credentials, String salt) { SimpleHash simpleHash = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations); return storedCredentialsHexEncoded ? simpleHash.toHex() : simpleHash.toBase64(); } /** * 进行密码验证 * @param credentials 未加密的密码 * @param salt 盐 * @param encryptCredentials 加密后的密码 * @return */ public static boolean checkCredentials(String credentials, String salt, String encryptCredentials) { return encryptCredentials.equals(createCredentials(credentials, salt)); } public static void main(String[] args) { //盐 String salt = createSalt(); System.out.println("盐:"+salt); System.out.println(salt.length()); //凭证+盐加密后得到的密码 String credentials = createCredentials("123", salt); System.out.println("加盐后:"+credentials); System.out.println(credentials.length()); boolean b = checkCredentials("123", salt, credentials); System.out.println(b); }}
(2)修改applicationContext-shirod的自定义Realm配置,增加以下:
(3)在自定义realm类里修改如下:
//数据库中存在的账户、密码组合成唯一的认证标识 AuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(),user.getPassword(),ByteSource.Util.bytes(user.getSalt()),this.getName());转载地址:http://hmuwi.baihongyu.com/