How does springboot integrate shiro to implement multi-verification login function?

1. First create a shiroConfig shiro configuration class, the code is as follows:

@Configuration
public class SpringShiroConfig {


    /**
     * @param realms 这儿使用接口集合是为了实现多验证登录时使用的
     * @return
     */
    @Bean
    public SecurityManager securityManager(Collection<Realm> realms) {
        DefaultWebSecurityManager sManager = new DefaultWebSecurityManager();
        sManager.setRealms(realms);
        return sManager;
    }

    @Bean
    public ShiroFilterFactoryBean shiroFilterFactory(SecurityManager securityManager) {
        ShiroFilterFactoryBean sfBean = new ShiroFilterFactoryBean();
        sfBean.setSecurityManager(securityManager);
        //如果是匿名访问时，访问了不能访问的资源跳转的位置
        sfBean.setLoginUrl("/index");
        //定义map指定请求过滤规则(哪些资源允许匿名访问,哪些必须认证访问)
        LinkedHashMap<String, String> map = new LinkedHashMap<>();
        //静态资源允许匿名访问:"anon" 静态资源授权时不能写static下面所有的开放，要将static下面的所有文件夹一个一个的开放，templates同理
        //map的key可以为文件的位置，也可以为请求的路径
        map.put("/bower_components/**", "anon");
        map.put("/json/**", "anon");
        map.put("/pages", "anon");
        map.put("/user/userPasswordLogin", "anon");
        map.put("/user/login", "anon");
        map.put("/user/reg", "anon");
        //访问这个路径时不会进入controller，会在这儿直接拦截退出，问为什么的，自己想请求流程去
        map.put("/user/userLogout", "logout");
        //拦截除上面之外的所有请求路径
        map.put("/**", "user");
        sfBean.setFilterChainDefinitionMap(map);
        return sfBean;
    }

    @Bean
    public LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

2. Write the Realms implementation class, which is generally inherited from AuthorizingRealm (this is to implement username and password login), the code is as follows:

@Service
public class ShioUserRealm extends AuthorizingRealm {

    //注入userdao
    @Autowired
    private UserDao userDao;
    /**
     * 设置凭证匹配器
     *
     * @param credentialsMatcher
     */
    @Override
    public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
        /*这里设置了MD5盐值加密，这儿就必须使用HashedCredentialsMatcher才能有下面两个方法*/
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        //这里是设置加密方式
        matcher.setHashAlgorithmName("MD5");
        //这里是设置加密的次数
        matcher.setHashIterations(2);
        super.setCredentialsMatcher(matcher);
    }

    /**
     * 这儿是设置授权的
     * @param principalCollection
     * @return
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {

        return null;
    }

    /**
     * 通过此方法完成认证数据的获取及封装，系统底层会将认证数据传递认证管理器，有认证管理器完成认证操作
     * @param authenticationToken
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {

        //先判断这个是否是来及这个令牌的数据：我们这儿分为了UsernamePasswordToken（shiro给我们提供的。）、UserPhoneToken
        if (!(authenticationToken instanceof UsernamePasswordToken)) {
            return null;
        }
        //获取controller传过来的数据
        UsernamePasswordToken upToken = (UsernamePasswordToken) authenticationToken;
        //upToken.setRememberMe(true);shiro默认为false,是是否记住我的功能
        //这儿为用户提交的username
        String username = upToken.getUsername();
        //去数据更加name取到用户的信息
        User user = userDao.findUserByUserName(username);
        //判断数据库是否有这用户
        if (user == null) {
            throw new UnknownAccountException();
        }
        //判断用户的状态是否被禁用(数据库的字段)
        if (user.getState() == 0) {
            throw new LockedAccountException();
        }
        //这儿是取到用户信息中的盐值，盐值要转换为ByteSource这个类型才能使用
        ByteSource credentialsSalt = ByteSource.Util.bytes(user.getSalt());
        //这儿是将这个用户的信息交给shiro（user为用户对象，user.getPassword()是要加密的对象，credentialsSalt为盐值，getName()当前对象）
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), credentialsSalt, getName());
        return info;
    }
}

3. At this time, the user’s account and password can be used to log in. The controller code is as follows:

@RequestMapping("userPasswordLogin")
    @ResponseBody
    public JsonResult userPasswordLogin(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        subject.login(token);
        return new JsonResult("login Ok");
    }

4. Let’s now implement the SMS verification code login implementation:

4.1 First write UserPhoneToken, I put it in the same directory as l and springShiroConfig:

@Component
public class UserPhoneToken extends UsernamePasswordToken implements Serializable {

    private static final long serialVersionUID = 6293390033867929958L;
    // 手机号码
    private String phoneNum;
    //无参构造
    public UserPhoneToken(){}
    
    //获取存入的值
    @Override
    public Object getPrincipal() {
        if (phoneNum == null) {
            return getUsername();
        } else {
            return getPhoneNum();
        }
    }

    @Override
    public Object getCredentials() {
        if (phoneNum == null) {
            return getPassword();
        }else {
            return "ok";
        }

    }

    public UserPhoneToken(String phoneNum) {
        this.phoneNum = phoneNum;
    }

    public UserPhoneToken(final String userName, final String password) {
        super(userName, password);
    }

    public String getPhoneNum() {
        return phoneNum;
    }

    public void setPhoneNum(String phoneNum) {
        this.phoneNum = phoneNum;
    }
    @Override
    public String toString() {
        return "PhoneToken [PhoneNum=" + phoneNum + "]";
    }

}

4.2 When writing shiroUserPhoneRealm, the code is as follows:

@Service
public class ShioUserPhoneRealm extends AuthorizingRealm {

    @Autowired
    private UserDao userDao;

    @Override
    public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
        //这儿的CredentialsMatcher的new的对象必须是AllowAllCredentialsMatcher
        CredentialsMatcher matcher = new AllowAllCredentialsMatcher();
        super.setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * 通过此方法完成认证数据的获取及封装，系统底层会将认证数据传递认证管理器，有认证管理器完成认证操作
     * @param authenticationToken
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {

        UserPhoneToken token = null;
        if (authenticationToken instanceof UserPhoneToken) {
            token = (UserPhoneToken) authenticationToken;
        }else {
            return null;
        }
        //获取我发送验证码是存入session中的验证码和手机号
        String verificationCode = (String) SecurityUtils.getSubject().getSession().getAttribute("verificationCode");
        String phone = (String) SecurityUtils.getSubject().getSession().getAttribute("phone");
        //获取controller传过来的数据
        String verificationCode1 = (String) token.getPrincipal();
        //去数据库根据手机号查询用户信息
        User user = userDao.findUserByUserPhone(phone);
        if (StringUtils.isEmpty(verificationCode)) {
            throw new ServiceException("网络错误");
        }
        //比对手机号
        if (!verificationCode.equals(verificationCode1)) {
            throw new ServiceException("验证码不正确");
        }
        if (user == null) {
            throw new UnknownAccountException();
        }
        if (user.getState() == 0) {
            throw new LockedAccountException();
        }
        return new SimpleAuthenticationInfo(user,phone,getName());
    }
}

4.3 The mobile phone number login verification has been basically completed: the controller code is as follows:

@PostMapping("verificationCodeLogin")
    @ResponseBody
    public JsonResult verificationCodeLogin(String password) {
        Subject subject = SecurityUtils.getSubject();
        UserPhoneToken token = new UserPhoneToken(password);
        subject.login(token);
        return new JsonResult("login OK");
    }

Bugs encountered during use

1.

##org.apache.shiro.authc.UnknownAccountException: Realm [cn.tedu.wxacs.service. impl.ShioUserPhoneRealm@768d8431] was unable to find account data for the submitted AuthenticationToken [org.apache.shiro.authc.UsernamePasswordToken - Zhang San, rememberMe=false].

This problem is mine It is because a certain implementation class in Realm is not annotated. When I demonstrate here, the @Service annotation should be added to ShiroUserRealm

2.

org.apache.shiro.authc .AuthenticationException: Authentication token of type [class org.apache.shiro.authc.UsernamePasswordToken] could not be authenticated by any configured realms. Please ensure that at least one realm can authenticate these tokens.

here The problem that occurred was due to the User user = userDao.findUserByUserName(username); line of code in my ShioUserRealm's AuthenticationInfo method. When debugging, I found that the error was guaranteed after this sentence was executed

Reason: It's because the path to the mapper file corresponding to dao is not written in my application.yml file

3. The error is reported after the position of new SimpleAuthenticationInfo(user, phone, getName()) in the doGetAuthenticationInfo method of ShioUserPhoneRealm. In this method of ShioUserPhoneRealm, you did not set the new object to AllowAllCredentialsMatcher();

@Override
    public void setCredentialsMatcher(CredentialsMatcher credentialsMatcher) {
        //这儿的CredentialsMatcher的new的对象必须是AllowAllCredentialsMatcher
        CredentialsMatcher matcher = new AllowAllCredentialsMatcher();
        super.setCredentialsMatcher(matcher);
    }

The above is the detailed content of How does springboot integrate shiro to implement multi-verification login function?. For more information, please follow other related articles on the PHP Chinese website!