当前位置：首页 >Java技术 > springboot整合shiro应用

springboot整合shiro应用

1、Shiro是Apache下的一个开源项目，我们称之为Apache Shiro。它是一个很易用与Java项目的的安全框架，提供了认证、授权、加密、会话管理，与spring Security 一样都是做一个权限的安全框架，但是与Spring Security 相比，在于 Shiro 使用了比较简单易懂易于使用的授权方式。shiro属于轻量级框架，相对于security简单的多，也没有security那么复杂。所以我这里也是简单介绍一下shiro的使用。

2、非常简单；其基本功能点如下图所示：

Authentication：身份认证/登录，验证用户是不是拥有相应的身份；

Authorization：授权，即权限验证，验证某个已认证的用户是否拥有某个权限；即判断用户是否能做事情，常见的如：验证某个用户是否拥有某个角色。或者细粒度的验证某个用户对某个资源是否具有某个权限；

Session Manager：会话管理，即用户登录后就是一次会话，在没有退出之前，它的所有信息都在会话中；会话可以是普通JavaSE环境的，也可以是如Web环境的；

Cryptography：加密，保护数据的安全性，如密码加密存储到数据库，而不是明文存储；

Web Support：Web支持，可以非常容易的集成到Web环境；

Caching：缓存，比如用户登录后，其用户信息、拥有的角色/权限不必每次去查，这样可以提高效率；

Concurrency：shiro支持多线程应用的并发验证，即如在一个线程中开启另一个线程，能把权限自动传播过去；

Testing：提供测试支持；

Run As：允许一个用户假装为另一个用户（如果他们允许）的身份进行访问；

Remember Me：记住我，这个是非常常见的功能，即一次登录后，下次再来的话不用登录了。

记住一点，Shiro不会去维护用户、维护权限；这些需要我们自己去设计/提供；然后通过相应的接口注入给Shiro即可。

3、这里我就简单介绍一下springboot和shiro整合与基本使用。

　　1）目录结构

　　2）需要的基础包：pom.xml

<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.troy</groupId><artifactId>springshiro</artifactId><version>1.0-SNAPSHOT</version><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>1.5.6.RELEASE</version></parent><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><version>1.5.6.RELEASE</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jpa</artifactId><version>1.5.6.RELEASE</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-autoconfigure</artifactId><version>1.5.6.RELEASE</version></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-Java</artifactId><version>5.1.9</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.3.2</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.1.4</version></dependency></dependencies></project>

　　3）基本配置application.yml　　

server:  port: 8082spring:  datasource:driver-class-name: com.mysql.jdbc.Driverurl: jdbc:mysql://localhost:3306/spring_shiro?useUnicode=true&amp;characterEncoding=UTF-8useame: rootpassword: roottype: com.alibaba.druid.pool.DruidDataSource  jpa:show-sql: truehibeate:  ddl-auto: update  http:encoding:  charset: utf-8  enabled: true

　　4）这里我们基本需要3个实体，用户，角色和权限

　　(1)角色：User.class

@Entitypublic class User {@Id@GeneratedValue(strategy = GenerationType.AUTO)private Long id;@Column(unique = true)private String name;private Integer password;@OneToMany(cascade = CascadeType.ALL,mappedBy = "user")private List<Role> roles;public Long getId() {retu id;}public void setId(Long id) {this.id = id;}public String getName() {retu name;}public void setName(String name) {this.name = name;}public List<Role> getRoles() {retu roles;}public void setRoles(List<Role> roles) {this.roles = roles;}public Integer getPassword() {retu password;}public void setPassword(Integer password) {this.password = password;}}

　　注：这里我只考虑一个用户对多个角色，不考虑多对多的关系

　　(2)角色：Role.class

@Entitypublic class Role {@Id@GeneratedValue(strategy = GenerationType.AUTO)private Long id;private String roleName;@ManyToOne(fetch = FetchType.EAGER)private User user;@OneToMany(cascade = CascadeType.ALL,mappedBy = "role")private List<Permission> permissions;public Long getId() {retu id;}public void setId(Long id) {this.id = id;}public String getRoleName() {retu roleName;}public void setRoleName(String roleName) {this.roleName = roleName;}public User getUser() {retu user;}public void setUser(User user) {this.user = user;}public List<Permission> getPermissions() {retu permissions;}public void setPermissions(List<Permission> permissions) {this.permissions = permissions;}}

　　(3)权限：Permission.class

@Entitypublic class Permission {@Id@GeneratedValue(strategy = GenerationType.AUTO)private Long id;private String permission;@ManyToOne(fetch = FetchType.EAGER)private Role role;public Long getId() {retu id;}public void setId(Long id) {this.id = id;}public String getPermission() {retu permission;}public void setPermission(String permission) {this.permission = permission;}public Role getRole() {retu role;}public void setRole(Role role) {this.role = role;}}

　　5）然后就是配置对应的验证，以及过滤条件

　　(1)验证，以及权限的添加MyShiroRealm.class

//实现AuthorizingRealm接口用户用户认证public class MyShiroRealm extends AuthorizingRealm{//用于用户查询@Autowiredprivate ILoginService loginService;//角色权限和对应权限添加@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {//获取登录用户名String name= (String) principalCollection.getPrimaryPrincipal();//查询用户名称User user = loginService.findByName(name);//添加角色和权限SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();for (Role role:user.getRoles()) {//添加角色simpleAuthorizationInfo.addRole(role.getRoleName());for (Permission permission:role.getPermissions()) {//添加权限simpleAuthorizationInfo.addStringPermission(permission.getPermission());}}retu simpleAuthorizationInfo;}//用户认证@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {//加这一步的目的是在Post请求的时候会先进认证，然后在到请求if (authenticationToken.getPrincipal() == null) {retu null;}//获取用户信息String name = authenticationToken.getPrincipal().toString();User user = loginService.findByName(name);if (user == null) {//这里返回后会报出对应异常retu null;} else {//这里验证authenticationToken和simpleAuthenticationInfo的信息SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(name, user.getPassword().toString(), getName());retu simpleAuthenticationInfo;}}}

　　(2)过滤配置：ShiroConfiguration.class

@Configurationpublic class ShiroConfiguration {//将自己的验证方式加入容器@Beanpublic MyShiroRealm myShiroRealm() {MyShiroRealm myShiroRealm = new MyShiroRealm();retu myShiroRealm;}//权限管理，配置主要是Realm的管理认证@Beanpublic SecurityManager securityManager() {DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();securityManager.setRealm(myShiroRealm());retu securityManager;}//Filter工厂，设置对应的过滤条件和跳转条件@Beanpublic ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();shiroFilterFactoryBean.setSecurityManager(securityManager);Map<String,String> map = new HashMap<String, String>();//登出map.put("/logout","logout");//对所有用户认证map.put("/**","authc");//登录shiroFilterFactoryBean.setLoginUrl("/login");//首页shiroFilterFactoryBean.setSuccessUrl("/index");//错误页面，认证不通过跳转shiroFilterFactoryBean.setUnauthorizedUrl("/error");shiroFilterFactoryBean.setFilterChainDefinitionMap(map);retu shiroFilterFactoryBean;}//加入注解的使用，不加入这个注解不生效@Beanpublic AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);retu authorizationAttributeSourceAdvisor;}}

　　6）接下来就是数据访问层、业务层、以及控制层

　　(1)数据层：BaseRepository.class,UserRepository.class,RoleRepository.class

@NoRepositoryBeanpublic interface BaseRepository<T,I extends Serializable> extends PagingAndSortingRepository<T,I>,JpaSpecificationExecutor<T>{}

public interface UserRepository extends BaseRepository<User,Long>{User findByName(String name);}

public interface RoleRepository extends BaseRepository<Role,Long> {}

　　(2)业务层：LoginServiceImpl.class

@Service@Transactionalpublic class LoginServiceImpl implements ILoginService {@Autowiredprivate UserRepository userRepository;@Autowiredprivate RoleRepository roleRepository;//添加用户@Overridepublic User addUser(Map<String, Object> map) {User user = new User();user.setName(map.get("useame").toString());user.setPassword(Integer.valueOf(map.get("password").toString()));userRepository.save(user);retu user;}//添加角色@Overridepublic Role addRole(Map<String, Object> map) {User user = userRepository.findOne(Long.valueOf(map.get("userId").toString()));Role role = new Role();role.setRoleName(map.get("roleName").toString());role.setUser(user);Permission permission1 = new Permission();permission1.setPermission("create");permission1.setRole(role);Permission permission2 = new Permission();permission2.setPermission("update");permission2.setRole(role);List<Permission> permissions = new ArrayList<Permission>();permissions.add(permission1);permissions.add(permission2);role.setPermissions(permissions);roleRepository.save(role);retu role;}//查询用户通过用户名@Overridepublic User findByName(String name) {retu userRepository.findByName(name);}}

　　(3)控制层：LoginResource.class

@RestControllerpublic class LoginResource {@Autowiredprivate ILoginService loginService;//退出的时候是get请求，主要是用于退出@RequestMapping(value = "/login",method = RequestMethod.GET)public String login(){retu "login";}//post登录@RequestMapping(value = "/login",method = RequestMethod.POST)public String login(@RequestBody Map map){//添加用户认证信息Subject subject = SecurityUtils.getSubject();UseamePasswordToken useamePasswordToken = new UseamePasswordToken(map.get("useame").toString(),map.get("password").toString());//进行验证，这里可以捕获异常，然后返回对应信息subject.login(useamePasswordToken);retu "login";}@RequestMapping(value = "/index")public String index(){retu "index";}//登出@RequestMapping(value = "/logout")public String logout(){retu "logout";}//错误页面展示@RequestMapping(value = "/error",method = RequestMethod.POST)public String error(){retu "error ok!";}//数据初始化@RequestMapping(value = "/addUser")public String addUser(@RequestBody Map<String,Object> map){User user = loginService.addUser(map);retu "addUser is ok! \n" + user;}//角色初始化@RequestMapping(value = "/addRole")public String addRole(@RequestBody Map<String,Object> map){Role role = loginService.addRole(map);retu "addRole is ok! \n" + role;}//注解的使用@RequiresRoles("admin")@RequiresPermissions("create")@RequestMapping(value = "/create")public String create(){retu "Create success!";}}