How to quickly implement Shiro in springboot-javaTutorial-php.cn

Home

Java

javaTutorial

How to quickly implement Shiro in springboot

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

May 11, 2023 pm 06:49 PM

springbootshiro

1. Knowledge you must know to use shiro

1. What is shiro?

1. Apache Shiro is a Java security (permission) framework
2. It can easily develop good enough applications, both It can be used in JavaEE or JavaSE
3. Shiro can complete authentication, authorization, encryption, session management, web integration, caching, etc.

2. Three commonly used core objects of shiro architecture

Subject: User
SecurityManager: Manage all users
Readim: Connection data

3. When used in springboot, it can be mainly regarded as two modules (request filtering module, authentication Authorization module)

1. Authentication and authorization module: The authentication and authorization module mainly includes two aspects, namely authentication and authorization. Authentication refers to determining the user's login status; authorization refers to obtaining the roles and permissions owned by the current user and handing them over to AuthoriztionInfo so that they can hand over relevant information to Shiro
2. Request filtering module: Based on the permissions, roles and other information owned by the current user, it is judged whether it has the requested permission (that is, whether it can request the address currently being accessed). If the user has the permission to access the currently requested address, it will be allowed, otherwise it will be intercepted
3. The above is the most basic implementation of permission authentication interception using the shiro framework. In addition, you can also learn according to your actual business situation by encrypting passwords, limiting login times (redis) and other functions. #4. Dependency

<!--        后台拦截-->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.4.0</version>
        </dependency>

2. Specific use

1. Write configuration class (config)

1.1. Shiro filter object (ShiroFilterFactoryBean)

@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier(SecurityManager) DefaultWebSecurityManager securityManager){
   	ShiroFilterFactiryBean bean = new ShiroFilterFactoryBean()
	//关联SecurityManager设置安全管理器	
 	bean.setSecurityManager(securityManager)
    
	//添加内置过滤器
        /*
        	anon:无需过滤就可以访问
            authc：必须认证了才可访问(登录后才可访问)
            user：必须拥有"记住我"功能才可访问
            perms：拥有对某个资源的权限才可以访问
            role：拥有某个角色权限才可访问
        */
  	Map<String,String> filterMap = new LinkedHashMap<>();
    //拦截 
    //filterMap.put("页面地址","内置过滤器")
	//filterMap.put("/user/name","anon")
	//filterMap.put("/user/book","authc")
    
	//具有user:add权限时才可以访问/user/name
    //perms中的“user:add”与数据库中对应权限要一致
    filterMap.put("/user/name","perms[user:add]")
    
	//授权，正常情况下，没有授权会跳转到未授权页面
 	bean.setUnauthorizedUrl("未授权时跳转的页面")  
        
  	//创建一个过滤器链(其中内容通过Map存储)
 	bean.setFilterChainDefinitionMap(FilterMap); 
    //设置登录请求(登录的地址添加，当使用"authc"时，如果未登录，则跳转到登录页面)
    bean.setLoginUrl("/login")
	return bean;
}

1.2. Shiro security object (DefaultWebSecurity)

//@Qualifier:引入bena对象
@Bean(name="SecurityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("MyRealm") MyRealm myRealm){
    DefaultWebSecurityManager securityManager = new DefaultWebSecurotyManager();
    //关联MyRealm
    securityManager.setRealm(myRealm);
    return securityManager;
}

1.3. Create realm object (custom)

//将自定义的realm对象交给spring
//@Bean(name="MyRealm")中name属性不加默认名称为方法名
@Bean(name="MyRealm")
public MyRealm MyRealm(){
 	return new MyRealm();
}

2. Create realm object

2.1. Customize realm class to inherit AuthorizingRealm class

class MyRealm extends AuthorizingRealm

2.2. Override the methods in AuthorizingRealm

Authorization:

project AthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals){
    //1、权限信息对象info,用来存放查出的用户的所有的角色（role）及权限（permission）
 	SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    //2、拿到当前登录的对象信息，通过认证方法SimpleAuthenticationInfo（第一个参数）已经进行存入 
    User user =（user）SecurityUtils.getSubject().getPrincipal();
    //3、将该对象的角色信息进行存入
    // 赋予角色
	List<Role> roleList = roleService.listRolesByUserId(userId);
	for (Role role : roleList) {
		info.addRole(role.getName());
	}
    //4、设置该用户的权限
    infO.addStringPermission(user.getPerms())
    //5、将该对象的权限信息进行存入（permissionSet一个权限信息的集合）
    info.setStringPermissions(permissionSet);
    return info;
}

Authentication:

project AuthenticationInfo doGetAuthorizationInfo(AuthenticationToken token){
    //1、拿到用户登陆的信息
    UsernamePasswordToken userToken =(UsernamePasswordToken) token;
    //2、通过用户名（userToken.getUsername）获取数据库中的对象user
    //如果获取对象user为空则该用户不从在，返回return null（抛出用户不存在异常）
    if (user == null) {
            throw new UnknownAccountException("账号不存在！");
        	//或直接 return null;
        }
    //3、密码认证，有shiro完成(AuthenticationInfo是一个接口，SimpleAuthenticationInfo是其接口的实现类)
    //也可对密码进行加密 如MD5 MD5盐值
    return new SimpleAuthenticationInfo("用户对象信息（user）","通过用户从数据库中获得的用户密码（user.password）","")
}

3. Pass in the logged in user information ( Obtain the login request information through the controller)

//获取当前用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登录数据(username:用户登陆时传入的账号；password：用户登陆时传入的密码)
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
//执行登录(如果有异常则登录失败，没有异常则登录成功，在Shiro中已经为我们封装了登录相关的异常，直接使用即可)
try{
    subject.login(token);//执行登录成功后
    return "首页"
}catch(UnknowAccountException e){//用户名不存在
    return "login"
}catch(IncorrectCredentialsException e){//密码不存在
    return "login"
}
注意：该方法中登录失败后返回的是跳转的页面，故不可用@ResponseBody

3. Specific implementation

1. Realm implementation

package com.lingmeng.shiro;
 
import com.lingmeng.pojo.entity.Admin;
import com.lingmeng.pojo.entity.Permission;
import com.lingmeng.pojo.entity.Role;
import com.lingmeng.pojo.resp.BaseResp;
import com.lingmeng.service.AdminService;
import com.lingmeng.service.RoleService;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
 
import java.util.HashSet;
import java.util.Set;
 
public class MyRealm extends AuthorizingRealm {
 
    @Autowired
    RoleService roleService;
 
    @Autowired
    AdminService adminService;
 
    //授权
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        //获取用户信息
        Subject subject = SecurityUtils.getSubject();
        Admin admin =(Admin) subject.getPrincipal();
        //获取用户的权限及角色信息
        BaseResp baseResp = roleService.selectOne(admin.getUsername());
        Role role = (Role) baseResp.getData();
        //将获取的角色及权限进行存入
        if (role!=null){
            //角色存入
            info.addRole(role.getName());
            //权限信息进行存入
            Set<String> perms = new HashSet<>();
            for (Permission perm : role.getPerms()) {
                perms.add(perm.getUrl());
            }
            info.setStringPermissions(perms);
        }
        return info;
    }
 
    //认证
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        //获取登录信息(登录的账号)
        String username =(String)authenticationToken.getPrincipal();
//      UsernamePasswordToken userToken =(UsernamePasswordToken) authenticationToken;拿到登录时传入的账号和密码对象
        //从数据库中查询该对象的信息
        Admin admin = adminService.selectOne(username);
        if (admin==null){
            throw new UnknownAccountException("账号不存在");
        }
        return new SimpleAuthenticationInfo(admin,admin.getPassword(),this.getName());
    }
}

2. Controller implementation

package com.lingmeng.controller;
 
import com.lingmeng.pojo.entity.Admin;
import com.lingmeng.pojo.resp.BaseResp;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.web.bind.annotation.*;
 
@RestController
public class AdminController {
 
    @PostMapping("background/login")
    public BaseResp  login(@RequestBody Admin admin){
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(admin.getUsername(), admin.getPassword());
        try{
            subject.login(token);
            return BaseResp.SUCCESS("登录成功",null,null);
        }catch (UnknownAccountException e){//账号不存在
            return BaseResp.FAIL(201,"账号不存在");
        }catch(IncorrectCredentialsException incorrectCredentialsException){//密码错误
            return BaseResp.FAIL(201,"密码错误") ;
        }
    }
 
    @GetMapping("/background/exitLogin")
    public BaseResp exitLogin(){
        Subject subject = SecurityUtils.getSubject();
        System.out.println(subject.getPrincipal());
        try{
            subject.logout();//退出登录
            return BaseResp.SUCCESS("退出登录",null,null);
        }catch(Exception e){
            return BaseResp.FAIL(202,"退出失败");
        }
    }
}

3. config Implementation

package com.lingmeng.config;
 
import com.lingmeng.shiro.MyRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
 
import java.util.LinkedHashMap;
import java.util.Map;
@Configuration
public class ShiroConfig {
 
    @Bean
    public ShiroFilterFactoryBean shiroFilterFactoryBean(@Qualifier("securityManager") DefaultWebSecurityManager securityManager){
        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
        bean.setSecurityManager(securityManager);
        //配置请求拦截并存入map中
         /*
        	anon:无需过滤就可以访问
            authc：必须认证了才可访问(登录后才可访问)
            user：必须拥有"记住我"功能才可访问
            perms：拥有对某个资源的权限才可以访问
            role：拥有某个角色权限才可访问
        */
        Map<String, String> map = new LinkedHashMap<>();
        map.put("/background/**","authc");
        map.put("background/login","anon");
 
 
        bean.setFilterChainDefinitionMap(map);
        //设置未授权跳转地址
        bean.setUnauthorizedUrl("");
        //设置登录地址
        bean.setLoginUrl("/background/login");
        return bean;
    }
 
    @Bean("securityManager")
    public DefaultWebSecurityManager defaultWebSecurityManager(@Qualifier("myRealm") MyRealm myRealm){
        return new DefaultWebSecurityManager(myRealm);
    }
 
    @Bean()
    public MyRealm myRealm(){
        return new MyRealm();
    }
}

The above are some basic usages of shiro in springboot. I hope it will be helpful to everyone (the entities, roles, and permissions in the code can be replaced according to the results of your own database query).

The above is the detailed content of How to quickly implement Shiro in springboot. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:亿速云. If there is any infringement, please contact admin@php.cn delete

怎么使用SpringBoot+Canal实现数据库实时监控May 10, 2023 pm 06:25 PM

Canal工作原理Canal模拟MySQLslave的交互协议，伪装自己为MySQLslave，向MySQLmaster发送dump协议MySQLmaster收到dump请求，开始推送binarylog给slave（也就是Canal）Canal解析binarylog对象（原始为byte流）MySQL打开binlog模式在MySQL配置文件my.cnf设置如下信息：[mysqld]#打开binloglog-bin=mysql-bin#选择ROW(行)模式binlog-format=ROW#配置My

Spring Boot怎么使用SSE方式向前端推送数据May 10, 2023 pm 05:31 PM

前言SSE简单的来说就是服务器主动向前端推送数据的一种技术，它是单向的，也就是说前端是不能向服务器发送数据的。SSE适用于消息推送，监控等只需要服务器推送数据的场景中，下面是使用SpringBoot来实现一个简单的模拟向前端推动进度数据，前端页面接受后展示进度条。服务端在SpringBoot中使用时需要注意，最好使用SpringWeb提供的SseEmitter这个类来进行操作，我在刚开始时使用网上说的将Content-Type设置为text-stream这种方式发现每次前端每次都会重新创建接。最

SpringBoot怎么实现二维码扫码登录May 10, 2023 pm 08:25 PM

一、手机扫二维码登录的原理二维码扫码登录是一种基于OAuth3.0协议的授权登录方式。在这种方式下，应用程序不需要获取用户的用户名和密码，只需要获取用户的授权即可。二维码扫码登录主要有以下几个步骤：应用程序生成一个二维码，并将该二维码展示给用户。用户使用扫码工具扫描该二维码，并在授权页面中授权。用户授权后，应用程序会获取一个授权码。应用程序使用该授权码向授权服务器请求访问令牌。授权服务器返回一个访问令牌给应用程序。应用程序使用该访问令牌访问资源服务器。通过以上步骤，二维码扫码登录可以实现用户的快

SpringBoot/Spring AOP默认动态代理方式是什么May 10, 2023 pm 03:52 PM

1.springboot2.x及以上版本在SpringBoot2.xAOP中会默认使用Cglib来实现，但是Spring5中默认还是使用jdk动态代理。SpringAOP默认使用JDK动态代理，如果对象没有实现接口，则使用CGLIB代理。当然，也可以强制使用CGLIB代理。在SpringBoot中，通过AopAutoConfiguration来自动装配AOP.2.Springboot1.xSpringboot1.xAOP默认还是使用JDK动态代理的3.SpringBoot2.x为何默认使用Cgl

spring boot怎么对敏感信息进行加解密May 10, 2023 pm 02:46 PM

我们使用jasypt最新版本对敏感信息进行加解密。1.在项目pom文件中加入如下依赖：com.github.ulisesbocchiojasypt-spring-boot-starter3.0.32.创建加解密公用类：packagecom.myproject.common.utils;importorg.jasypt.encryption.pbe.PooledPBEStringEncryptor;importorg.jasypt.encryption.pbe.config.SimpleStrin

使用Java SpringBoot集成POI实现Word文档导出Apr 21, 2023 pm 12:19 PM

知识准备需要理解ApachePOI遵循的标准（OfficeOpenXML（OOXML）标准和微软的OLE2复合文档格式（OLE2）），这将对应着API的依赖包。什么是POIApachePOI是用Java编写的免费开源的跨平台的JavaAPI，ApachePOI提供API给Java程序对MicrosoftOffice格式档案读和写的功能。POI为“PoorObfuscationImplementation”的首字母缩写，意为“简洁版的模糊实现”。ApachePOI是创建和维护操作各种符合Offic

springboot怎么整合shiro实现多验证登录功能May 10, 2023 pm 04:19 PM

1.首先新建一个shiroConfigshiro的配置类，代码如下：@ConfigurationpublicclassSpringShiroConfig{/***@paramrealms这儿使用接口集合是为了实现多验证登录时使用的*@return*/@BeanpublicSecurityManagersecurityManager(Collectionrealms){DefaultWebSecurityManagersManager=newDefaultWebSecurityManager();

SpringBoot项目打包发布到外部tomcat遇到的问题怎么解决May 10, 2023 pm 05:49 PM

先说遇到问题的情景：初次尝试使用springboot框架写了个小web项目，在IntellijIDEA中能正常启动运行。使用maven运行install，生成war包，发布到本机的tomcat下，出现异常，主要的异常信息是.......LifeCycleException。经各种搜索，找到答案。springboot因为内嵌tomcat容器，所以可以通过打包为jar包的方法将项目发布，但是如何将springboot项目打包成可发布到tomcat中的war包项目呢？1.既然需要打包成war包项目，首

See all articles