SSM+Shiro安全框架
搭建SSM
(1)引入相关依赖
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.example</groupId>
<artifactId>ssm-shiro</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<dependencies>
<!-- mysql驱动-->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.31</version>
</dependency>
<!--spring的相关依赖-->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>5.2.15.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>5.2.15.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>5.2.15.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>5.2.15.RELEASE</version>
</dependency>
<!-- mybatis依赖-->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.5.11</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>2.0.7</version>
</dependency>
<!-- lombok-->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.28</version>
</dependency>
<!-- jackson-->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.14.2</version>
</dependency>
<!-- jsp servlet-->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<!-- druid-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.2.8</version>
</dependency>
</dependencies>
</project>
(2)spring配置文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd">
<!--包扫描-->
<context:component-scan base-package="com.cjj"/>
<!--2.注解驱动-->
<mvc:annotation-driven/>
<!--3.静态资源放行-->
<mvc:default-servlet-handler/>
<!--4.视图解析器-->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/"/>
<property name="suffix" value=".jsp"/>
</bean>
<!--数据源-->
<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
<property name="username" value="root"/>
<property name="password" value="123456"/>
<property name="driverClassName" value="com.mysql.cj.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost:3306/shiro?serverTimezone=Asia/Shanghai"/>
</bean>
<!--SqlSessionFactory 加载mybatis的配置-->
<bean id="sessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource"/>
<!--映射文件所在的路径-->
<property name="mapperLocations" value="classpath:mapper/*.xml"/>
</bean>
<!--7.设置dao接口的代理实现类-->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="sqlSessionFactoryBeanName" value="sessionFactory"/>
<!--dao接口所在的包-->
<property name="basePackage" value="com.cjj.dao"/>
</bean>
<!--事务管理-->
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"/>
</bean>
<!--开启事务的注解驱动-->
<tx:annotation-driven/>
</beans>
(3)web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<!--配置前端控制器-->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring.xml</param-value>
</init-param>
<!--tomcat启动时加载该类-->
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
SSM整合Shiro---认证功能
(1)创建数据库
/*
Navicat Premium Data Transfer
Source Server : 实训
Source Server Type : MySQL
Source Server Version : 80032
Source Host : localhost:3306
Source Schema : shiro
Target Server Type : MySQL
Target Server Version : 80032
File Encoding : 65001
Date: 06/07/2023 11:16:35
*/
SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;
-- ----------------------------
-- Table structure for permission
-- ----------------------------
DROP TABLE IF EXISTS `permission`;
CREATE TABLE `permission` (
`perid` int(0) NOT NULL AUTO_INCREMENT,
`pername` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
`percode` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`perid`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 9 CHARACTER SET = utf8mb3 COLLATE = utf8mb3_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of permission
-- ----------------------------
INSERT INTO `permission` VALUES (1, '查询用户信息', 'user:query');
INSERT INTO `permission` VALUES (2, '修改用户', 'user:update');
INSERT INTO `permission` VALUES (3, '删除用户', 'user:delete');
INSERT INTO `permission` VALUES (4, '添加用户', 'user:insert');
INSERT INTO `permission` VALUES (5, '导出用户', 'user:export');
-- ----------------------------
-- Table structure for role
-- ----------------------------
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (
`roleid` int(0) NOT NULL AUTO_INCREMENT,
`rolename` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`roleid`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8mb3 COLLATE = utf8mb3_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of role
-- ----------------------------
INSERT INTO `role` VALUES (1, '仓管管理员');
INSERT INTO `role` VALUES (2, 'CEO');
INSERT INTO `role` VALUES (3, '保安');
-- ----------------------------
-- Table structure for role_permission
-- ----------------------------
DROP TABLE IF EXISTS `role_permission`;
CREATE TABLE `role_permission` (
`perid` int(0) NOT NULL,
`roleid` int(0) NOT NULL,
PRIMARY KEY (`perid`, `roleid`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb3 COLLATE = utf8mb3_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of role_permission
-- ----------------------------
INSERT INTO `role_permission` VALUES (1, 1);
INSERT INTO `role_permission` VALUES (1, 2);
INSERT INTO `role_permission` VALUES (1, 3);
INSERT INTO `role_permission` VALUES (2, 1);
INSERT INTO `role_permission` VALUES (2, 2);
INSERT INTO `role_permission` VALUES (3, 1);
INSERT INTO `role_permission` VALUES (3, 2);
INSERT INTO `role_permission` VALUES (4, 1);
INSERT INTO `role_permission` VALUES (5, 3);
-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
`userid` int(0) NOT NULL AUTO_INCREMENT,
`username` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
`userpwd` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
`sex` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
`address` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
`salt` varchar(255) CHARACTER SET utf8mb3 COLLATE utf8mb3_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`userid`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8mb3 COLLATE = utf8mb3_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO `user` VALUES (1, 'zhangsan', '4b05a8716a430f71c6911d2e9149092f', '男', '武汉', '07f63bbf285e4719bfee1cc2bb81db33');
INSERT INTO `user` VALUES (2, 'lisi', '99cc11855b41ff3e5f7c0af3c5090a8c', '女', '北京', '2d7e37f019144764ac02aa7220929f93');
INSERT INTO `user` VALUES (3, 'wangwu', '6d70c027801af4dc892ab340d4bf73b6', '女', '成都', '99f6bf1b540145699e6e5c90480105b0');
-- ----------------------------
-- Table structure for user_role
-- ----------------------------
DROP TABLE IF EXISTS `user_role`;
CREATE TABLE `user_role` (
`userid` int(0) NOT NULL,
`roleid` int(0) NOT NULL,
PRIMARY KEY (`userid`, `roleid`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8mb3 COLLATE = utf8mb3_general_ci ROW_FORMAT = Dynamic;
-- ----------------------------
-- Records of user_role
-- ----------------------------
INSERT INTO `user_role` VALUES (1, 1);
INSERT INTO `user_role` VALUES (2, 2);
INSERT INTO `user_role` VALUES (3, 3);
SET FOREIGN_KEY_CHECKS = 1;
(2)引入shiro-spring依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.0</version>
</dependency>
(3)修改/增加spring配置文件
<!-- shiro和spring整合的配置-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<bean id="myRealm" class="com.cjj.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!--密码加密器-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"/><!--使用MD5加密器-->
<property name="hashIterations" value="1024"/><!--加密次数-->
</bean>
<!-- shiro过滤器 id必须和web.xml里面的过滤器配置的名称对应-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- 未登录时跳转的路径-->
<property name="loginUrl" value="/index.jsp"/>
<property name="filterChainDefinitions">
<value>
<!-- 具体意思见下表-->
/login=anon
/**=authc
</value>
</property>
</bean>
(4)web.xml文件
<!-- shiro的过滤器:必须和ShiroFilterFactoryBean的一致-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(5)修改login.jsp
<body>
<form action="/login" method="post">
账号:<input type="text" name="username"/><br><br>
密码:<input type="text" name="password"/><br><br>
<input type="submit" value="登录"/>
</form>
</body>
(6)controller
@Controller
public class LoginController {
@PostMapping("/login")
public String login(LoginVo loginVo){
final Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(loginVo.getUsername(),loginVo.getPassword());
try{
subject.login(token);
return "success"; //经过视图解析器,最终的访问路径为 /WEB-INF/views/success.jsp
}catch (Exception e){
e.printStackTrace();
return "redirect:/login.jsp"; //重定向到login.jsp
}
}
}
(7)MyRealm
public class MyRealm extends AuthorizingRealm {
@Autowired
protected UserService userService;
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//获取登录账号
final String username = authenticationToken.getPrincipal().toString();
User user = userService.findUserByUsername(username);
if(user!=null){
final ByteSource salt = ByteSource.Util.bytes(user.getSalt());
SimpleAuthenticationInfo info= new SimpleAuthenticationInfo(user,user.getUserpwd(),salt,this.getName());
return info;
}
return null;
}
}
(8)UserService
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserDao userDao;
public User findUserByUsername(String username) {
User user = userDao.findUserByUsername(username);
return user;
}
}
(9)dao方法和映射代码
public interface UserDao {
User findUserByUsername(@Param("username") String username);
}
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!--namesapce的内容必须和对应的接口路径映射-->
<mapper namespace="com.cjj.dao.UserDao">
<select id="findUserByUsername" resultType="com.cjj.entity.User">
select *from user where username=#{username}
</select>
</mapper>
(10)测试
SSM整合shiro--授权【权限管理】
(1)修改MyRealm
@Autowired
protected UserService userService;
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
//获取当前登录者的账号|对象
User user = (User) principalCollection.getPrimaryPrincipal();
//调用userSerice中的方法--根据id
List<String> permission = userService.findPermissionByUserId(user.getUserid());
if(permission.size()!=0){
SimpleAuthorizationInfo info =new SimpleAuthorizationInfo();
info.addStringPermissions(permission);
return info;
}
return null;
}
(2)Controller
@RestController
@RequestMapping("user")
public class UserController {
@GetMapping("query")
public String query(){
return "user:query";
}
@GetMapping("update")
public String update(){
return "user:update";
}
@GetMapping("delete")
public String delete(){
return "user:delete";
}
@GetMapping("insert")
public String insert(){
return "user:insert";
}
@GetMapping("export")
public String export(){
return "user:export";
}
}
(3)UserService
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserDao userDao;
public User findUserByUsername(String username) {
User user = userDao.findUserByUsername(username);
return user;
}
public List<String> findPermissionByUserId(Integer userid) {
List<Permission> permission = userDao.findPermissionByUserId(userid);
final List<String> collect = permission.stream().map(item -> item.getPercode()).collect(Collectors.toList());
return collect;
}
}
(4)userDao和映射
//根据用户id查询权限
List<Permission> findPermissionByUserId(@Param("userid") Integer userid);
<select id="findPermissionByUserId" resultType="com.cjj.entity.Permission">
select p.* from user_role ur join role_permission rp on ur.roleid = rp.roleid
join permission p on rp.perid = p.perid where userid=#{userid}
</select>
(5)测试
报错畸形语法请求,发现标头有jsessionid的信息,删掉就能正常访问
(6)解决畸形语法请求
在web.xml文件中加上
<!-- 移除shiro首次加载时路径中的 jsessionid-->
<session-config>
<!-- Disables URL-based sessions (no more 'jsessionid' in the URL using Tomcat) -->
<tracking-mode>COOKIE</tracking-mode>
</session-config>
(7)再次测试、
这个时候发现所有的权限都在显示---我们的需求是登录人只能看到自己所拥有的权限按钮
解决方案:在jsp中使用shiro标签库
(8)在jsp中使用shiro标签库
(9)测试
这个时候已经会根据自身拥有的权限显示相应的权限按钮,但是只要登录成功,就算没显示按钮,也是可以访问后台的其他接口
解决方法:shiro提供了注解,可以判断登录用户是否具有该注解的权限--如果有,才会执行该方法
(10)controller
@RequiresPermissions(value = "user:query") 此注解会判断该用户是否具有value中的权限 有就可以访问,没有就不行
@RestController
@RequestMapping("user")
public class UserController {
@GetMapping("query")
@RequiresPermissions(value = "user:query")
public String query(){
return "user:query";
}
@GetMapping("update")
@RequiresPermissions(value = "user:update")
public String update(){
return "user:update";
}
@GetMapping("delete")
@RequiresPermissions(value = "user:delete")
public String delete(){
return "user:delete";
}
@GetMapping("insert")
@RequiresPermissions(value = "user:insert")
public String insert(){
return "user:insert";
}
@GetMapping("export")
@RequiresPermissions(value = "user:export")
public String export(){
return "user:export";
}
}
(11)测试
没有权限,依旧可以访问
(12)解决shiro注解不生效
发面注解不生效-----spring没有开启该注解的驱动---spring配置文件加入如下内容
<!-- 启动Shrio的注解 shiro加在controller应该属于springmvc的配置 -->
<bean id="lifecycleBeanPostProcessor"
class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
(13)测试
拦截成功
(14)处理权限不足的异常
定义一个异常处理类
@ExceptionHandler(异常信息类)
@ControllerAdvice【用来捕获controller层的一异常】
@ControllerAdvice
public class MyHandle {
@ExceptionHandler(value = UnauthorizedException.class)
public String unauthorizedException(UnauthorizedException e){
e.printStackTrace();
return "403";
}
}
将返回的数据改为json数据,完成前后端分离的效果
(1)定义一个统一的json类
@Data
@NoArgsConstructor
@AllArgsConstructor
public class Result {
Integer code;
String msg;
Object data;
}
(2)修改controller代码
@Controller
//将后端返回的数据转为json格式
@ResponseBody
public class LoginController {
@PostMapping("/login")
public Result login(LoginVo loginVo){
final Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(loginVo.getUsername(),loginVo.getPassword());
try{
subject.login(token);
//登录成功返回200
return new Result(200,"登录成功",null);
}catch (Exception e){
e.printStackTrace();
return new Result(500,"账号或密码错误",null);
}
}
}
(3)修改权限不足时的异常处理类
@ControllerAdvice//捕获异常类
public class MyHandle {
@ExceptionHandler(value = UnauthorizedException.class)
//将后端返回的数据转为json格式
@ResponseBody
public Result unauthorizedException(UnauthorizedException e){
e.printStackTrace();
return new Result(403,"权限不足",null);
}
}
(4)修改未登录时跳转的路径
1.第一种方式,未登录跳转到一个接口路径
修改前
修改后
//未登陆时跳转的路径
@GetMapping("/unlogin")
@ResponseBody
public Result unlogin(){
return new Result(401,"未登录",null);
}
2.第二种方式,定义过滤器
<!-- 将对象转换为json字符串的依赖-->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.62</version>
</dependency>
public class LoginFilter extends FormAuthenticationFilter {
//未登录访问资源时,会触发该方法。 ---默认内容是重定向到登录页面--重写改为返回json数据
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
//解决响应数据的中文乱码问题
response.setContentType("application/json;charset=utf-8");
//获取用于向客户端发送文本数据的对象
final PrintWriter writer = response.getWriter();
final Result result = new Result(401,"未登录",null);
//把java对象转为json字符串
final String string = JSON.toJSONString(result);
writer.write(string);
//刷新流
writer.flush();
//关流
writer.close();
return false;
}
}
修改spring配置文件
(5)将shiro权限对象缓存到redis中
避免频繁的查询数据库
1.引入shiro和redis整合的依赖
<!--shiro和redis整合的依赖-->
<dependency>
<groupId>org.crazycake</groupId>
<artifactId>shiro-redis</artifactId>
<version>2.4.6</version>
</dependency>
