  • spring整合shiro,实现登录认证与授权

    先贴出pom.xml  需要用到的依赖:

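    <?xml version="1.0" encoding="UTF-8"?>

    <!--
      Maven build for the shiro-web WAR module: Spring MVC + Apache Shiro, with user and role data
      read from MySQL through a Druid connection pool and Spring's JdbcTemplate.

      Review change: spring-jdbc was declared as 4.2.4.RELEASE while spring-context and spring-webmvc
      are 5.0.10.RELEASE. Mixing Spring module versions puts classes from two framework generations
      on the same classpath, so spring-jdbc is aligned to 5.0.10.RELEASE below.
    -->
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <parent>
            <artifactId>shiro</artifactId>
            <groupId>lyf.top.shiro</groupId>
            <version>1.0-SNAPSHOT</version>
        </parent>
        <modelVersion>4.0.0</modelVersion>

        <artifactId>shiro-web</artifactId>
        <packaging>war</packaging>

        <name>shiro-web Maven Webapp</name>
        <!-- FIXME change it to the project's website -->
        <url>http://www.example.com</url>

        <properties>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <!-- NOTE(review): Spring Framework 5.x needs Java 8 or later at runtime, while the compiler
                 level here is 1.7. Confirm the JDK this module is actually built and run with. -->
            <maven.compiler.source>1.7</maven.compiler.source>
            <maven.compiler.target>1.7</maven.compiler.target>
        </properties>

        <dependencies>
            <dependency>
                <groupId>junit</groupId>
                <artifactId>junit</artifactId>
                <version>4.11</version>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
                <version>5.0.10.RELEASE</version>
            </dependency>
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-webmvc</artifactId>
                <version>5.0.10.RELEASE</version>
            </dependency>

            <!-- NOTE(review): the three Shiro artifacts below carry the authentication and authorization
                 decisions for the whole application. 1.4.0 is an old release; check it against the
                 Apache Shiro security advisories and move to a currently supported release before
                 using this setup outside a tutorial. Keep the three artifacts on the same version. -->
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-core</artifactId>
                <version>1.4.0</version>
            </dependency>

            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-spring</artifactId>
                <version>1.4.0</version>
            </dependency>

            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-web</artifactId>
                <version>1.4.0</version>
            </dependency>

            <!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-api -->
            <dependency>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-api</artifactId>
                <version>1.7.26</version>
            </dependency>

            <!-- NOTE(review): the JDBC driver and the connection pool are also pinned to old releases;
                 review them against their vendors' advisories together with Shiro. -->
            <dependency>
                <groupId>mysql</groupId>
                <artifactId>mysql-connector-java</artifactId>
                <version>5.1.45</version>
            </dependency>

            <dependency>
                <groupId>com.alibaba</groupId>
                <artifactId>druid</artifactId>
                <version>1.1.6</version>
            </dependency>

            <!-- Hibernate or MyBatis would work as well; this example uses plain JDBC for data access.
                 Version aligned with the other Spring modules (was 4.2.4.RELEASE). -->
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-jdbc</artifactId>
                <version>5.0.10.RELEASE</version>
            </dependency>

        </dependencies>

        <build>
            <finalName>shiro-web</finalName>
            <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
                <plugins>
                    <plugin>
                        <artifactId>maven-clean-plugin</artifactId>
                        <version>3.1.0</version>
                    </plugin>
                    <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
                    <plugin>
                        <artifactId>maven-resources-plugin</artifactId>
                        <version>3.0.2</version>
                    </plugin>
                    <plugin>
                        <artifactId>maven-compiler-plugin</artifactId>
                        <version>3.8.0</version>
                    </plugin>
                    <plugin>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>2.22.1</version>
                    </plugin>
                    <plugin>
                        <artifactId>maven-war-plugin</artifactId>
                        <version>3.2.2</version>
                    </plugin>
                    <plugin>
                        <artifactId>maven-install-plugin</artifactId>
                        <version>2.5.2</version>
                    </plugin>
                    <plugin>
                        <artifactId>maven-deploy-plugin</artifactId>
                        <version>2.8.2</version>
                    </plugin>
                </plugins>
            </pluginManagement>
        </build>
    </project>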

    接着创建一个自定义Realm:

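    package com.yunyun.shiro.realm;

    import com.yunyun.dao.UserDao;
    import com.yunyun.vo.user;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.authz.SimpleAuthorizationInfo;
    import org.apache.shiro.crypto.hash.Md5Hash;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Component;

    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    /**
     * Shiro realm that authenticates a user by name and loads that user's roles through {@link UserDao}.
     *
     * <p>The realm only hands the stored credential to Shiro; the comparison with the submitted password
     * is done by the credentials matcher injected in spring.xml (a {@code HashedCredentialsMatcher}
     * configured for MD5 with one iteration).
     *
     * <p>NOTE(review): this class is annotated with {@code @Component} and is also declared as the bean
     * {@code realm} in spring.xml, whose component scan covers this package. That yields two realm
     * instances, and only the XML-declared one receives the credentials matcher and is wired into the
     * security manager. Keep a single declaration.
     */
    @Component
    public class CustomRealm extends AuthorizingRealm {

        @Autowired
        private UserDao userDao;

        /**
         * Builds the authorization data (roles and permissions) for an already authenticated user.
         *
         * @param principalCollection the principals of the subject; the primary principal is the user name
         *                            that {@link #doGetAuthenticationInfo} stored at login
         * @return the roles and string permissions of that user
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {

            String userName = (String) principalCollection.getPrimaryPrincipal();
            // In a real application the role data comes from the database or a cache.
            Set<String> roles = getRolesByUserName(userName);

            Set<String> permissions = getPermissionsByUserName();
            // Hand the collected roles and permissions back to Shiro.
            SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
            simpleAuthorizationInfo.setStringPermissions(permissions);
            simpleAuthorizationInfo.setRoles(roles);

            return simpleAuthorizationInfo;
        }

        /**
         * Returns the permission strings granted to a user.
         *
         * <p>NOTE(review): the values are hard-coded sample data, so every authenticated user is granted
         * {@code user:delete} and {@code user:add} regardless of identity or role. Any permission check
         * against these strings therefore passes for everyone. Load permissions per user (or per role)
         * from the data store before relying on them; {@link UserDao} has no such query on this page.
         *
         * @return the fixed sample permission set
         */
        private Set<String> getPermissionsByUserName() {
            Set<String> sets = new HashSet<>();
            sets.add("user:delete");
            sets.add("user:add");
            return sets;
        }

        /**
         * Loads the role names of an account.
         *
         * @param userName the account name
         * @return the role names, never {@code null}; empty when the account has no roles
         */
        private Set<String> getRolesByUserName(String userName) {
            List<String> list = userDao.queryRolesByUserName(userName);
            // UserDao is an interface: do not assume every implementation returns a non-null list.
            if (list == null) {
                return new HashSet<>();
            }
            return new HashSet<>(list);
        }

        /**
         * Looks up the stored credential for the submitted user name.
         *
         * @param authenticationToken the submitted token; its principal is the user name
         * @return the account data for Shiro to verify, or {@code null} when no user name was submitted or
         *         no such account exists (Shiro then rejects the login as an unknown account)
         * @throws AuthenticationException declared by the overridden method; not thrown here directly
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {

            // 1. Take the user name from the submitted token.
            String userName = (String) authenticationToken.getPrincipal();
            if (userName == null) {
                // Nothing to look up; skip the database round trip.
                return null;
            }

            // 2. Fetch the stored credential for that user name.
            String password = getPasswordByUserName(userName);
            if (password == null) {
                return null;
            }

            // NOTE(review): no salt is passed here, so the matcher compares against an unsalted hash.
            // The stored value is presumably the hex MD5 digest printed by main() below; confirm against
            // the users table.
            SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo
                    (userName, password, "customRealm");

            return authenticationInfo;
        }

        /**
         * Reads the stored credential of an account from the database.
         *
         * @param userName the account name
         * @return the stored credential, or {@code null} when the account does not exist
         */
        private String getPasswordByUserName(String userName) {
            user user = userDao.getUserByUserName(userName);
            if (user != null) {
                return user.getPassword();
            }
            return null;
        }

        /**
         * Tutorial helper: prints the MD5 digest of a sample password so that a matching row can be put
         * into the users table.
         *
         * <p>NOTE(review): a single round of unsalted MD5 is not an adequate way to store passwords;
         * identical passwords produce identical digests and the digest is cheap to brute-force. It is kept
         * here only because spring.xml on this page configures the matcher for MD5 with one iteration.
         * For real use, switch the matcher and the stored values together to a salted, iterated hash, and
         * do not ship a sample password in source.
         *
         * @param args unused
         */
        public static void main(String[] args) {
            Md5Hash md5Hash = new Md5Hash("123qwe");
            System.out.println(md5Hash.toString());
        }
    }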

    接着配置Spring,文件目录如下:

    spring.xml代码如下:

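    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Root Spring context: imports the data-access beans, scans com.yunyun for components and wires
      Apache Shiro (filter factory, security manager, realm, credentials matcher).

      Review changes in this file:
        1. The catch-all filter rule was "/* = authc". In Shiro's Ant-style matching a single "*" covers
           one path segment only, so nested paths (two or more segments) were not covered by any rule
           and were reachable without authentication. The rule is now "/** = authc".
        2. loginUrl was "login.html". Without a leading slash the redirect is resolved relative to the
           requested path, which for a nested path points at another protected URL. It is now
           "/login.html", matching the anon rule below.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

        <!-- Import the data-access configuration. -->
        <import resource="spring-dao.xml"/>
        <!-- Component scan root.
             NOTE(review): this package also contains com.yunyun.controller, which spring-mvc.xml scans
             again, and CustomRealm, which is declared explicitly further down. If both contexts are
             loaded, those classes are instantiated twice; confirm against web.xml (not shown on the page). -->
        <context:component-scan base-package="com.yunyun"/>

        <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
            <property name="securityManager" ref="securityManager"/>
            <!-- Where unauthenticated requests are redirected. -->
            <property name="loginUrl" value="/login.html"/>
            <!-- Where authenticated but unauthorized requests are redirected.
                 NOTE(review): no rule in the chain below uses a roles or perms filter, so this value is
                 currently unused. It is kept as written on the page; confirm the file name and give it
                 a leading slash like loginUrl before adding such rules. -->
            <property name="unauthorizedUrl" value="403.xml" />
            <!-- Filter chain: rules are evaluated top to bottom and the first match wins, so the
                 anonymous exceptions must stay above the catch-all rule. -->
            <property name="filterChainDefinitions">
                <value>
                    <!-- The login page itself must be reachable without authentication. -->
                    /login.html = anon
                    <!-- So must the URL the login form posts to. -->
                    /subLogin = anon
                    <!-- Everything else, at any depth, requires an authenticated subject. -->
                    /** = authc
                </value>
            </property>

        </bean>

        <!-- Security manager: the realm below is its only source of accounts and roles. -->
        <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
            <property name="realm" ref="realm"/>
        </bean>

        <bean class="com.yunyun.shiro.realm.CustomRealm" id="realm">
            <!-- The matcher decides how a submitted password is compared with the stored credential. -->
            <property name="credentialsMatcher" ref="credentialsMatcher"/>
        </bean>

        <!-- Credentials matcher: hashes the submitted password before comparing it with the stored value.
             NOTE(review): MD5 with a single iteration and no salt is not adequate for password storage.
             The values are left unchanged because the digests already stored in the users table (see
             CustomRealm.main on this page) must match this configuration; changing one side alone
             locks every account out. Migrate both together to a salted, iterated hash. -->
        <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"
              id="credentialsMatcher">
            <property name="hashAlgorithmName" value="md5"/>
            <property name="hashIterations" value="1"/>

        </bean>

    </beans>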

    spring-dao.xml代码如下:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Data-access beans: a Druid connection pool for the local MySQL "test" schema and the JdbcTemplate
      that UserDaoImpl uses for its queries.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    
        <!-- NOTE(review): the database credentials are written into this file in clear text, and the
             application connects as the MySQL root account with a password equal to the user name.
             Anyone who can read the WAR or the repository gets full control of the database server,
             and any flaw in the application runs with root database privileges. For anything beyond a
             local demo, supply url, username and password from outside the artifact (environment or
             an externalized properties source) and connect with an account limited to the tables this
             application reads (users, user_roles). -->
        <bean class="com.alibaba.druid.pool.DruidDataSource" id="dataSource">
            <property name="url" value="jdbc:mysql://localhost:3306/test"/>
            <property name="username" value="root"/>
            <property name="password" value="root"/>
        </bean>
    
        <!-- JdbcTemplate bound to the pool above; injected into UserDaoImpl by bean name. -->
        <bean class="org.springframework.jdbc.core.JdbcTemplate" id="jdbcTemplate">
            <property name="dataSource" ref="dataSource" />
        </bean>
    </beans>

    spring-mvc.xml代码如下:

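    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Spring MVC context: scans the controller package, enables annotation-driven request mapping and
      serves static files from the web application root.

      Review changes: the schema locations pointed at the 3.0 and 3.2 versions of the beans and mvc
      schemas although the project builds against Spring 5.0.10.RELEASE. They now use the unversioned
      locations, as spring.xml on this page already does. The unused "p" namespace declaration was
      dropped.
    -->
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:mvc="http://www.springframework.org/schema/mvc"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/context
          http://www.springframework.org/schema/context/spring-context.xsd
          http://www.springframework.org/schema/mvc
          http://www.springframework.org/schema/mvc/spring-mvc.xsd">

        <!-- Controller scan root. -->
        <context:component-scan base-package="com.yunyun.controller"/>

        <mvc:annotation-driven/>

        <!-- Serves any single-segment path as a static file from the web application root.
             NOTE(review): this exposes every file placed directly under the web root, not only the
             login page. Access control for those files depends entirely on the Shiro filter chain in
             spring.xml and on the filter being mapped in web.xml (not shown on the page); confirm that
             mapping, and prefer a dedicated static directory over location="/". -->
        <mvc:resources mapping="/*" location="/" />
    </beans>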

    接着写接口UserDao:

    /**
     * Data-access contract for the account data the Shiro realm needs: the stored credential of a user
     * and the role names assigned to that user.
     */
    public interface UserDao {
        /**
         * Finds an account by its user name.
         *
         * @param userName the account name to look up
         * @return the account with its user name and stored credential; the implementation on this page
         *         returns {@code null} when no row matches, and CustomRealm relies on that
         */
        user getUserByUserName(String userName);
    
        /**
         * Lists the role names assigned to an account.
         *
         * @param userName the account name to look up
         * @return the role names; the implementation on this page returns an empty list when none match
         */
        List<String> queryRolesByUserName(String userName);
    }

    实现类:

    /**
     * {@link UserDao} backed by Spring's {@link JdbcTemplate}.
     *
     * <p>Both queries bind the user name as a statement parameter ({@code ?}); the value is never
     * concatenated into the SQL text.
     */
    @Component
    public class UserDaoImpl implements UserDao {

        private static final String SELECT_USER_BY_NAME =
                "select username,password from users where username = ?";

        private static final String SELECT_ROLE_NAMES_BY_USER =
                "select role_name from user_roles where username = ?";

        @Resource
        private JdbcTemplate jdbcTemplate;

        /**
         * Loads the account row for a user name.
         *
         * @param userName the account name, bound as the single query parameter
         * @return the first matching account, or {@code null} when there is none
         */
        @Override
        public user getUserByUserName(String userName) {
            List<user> matches =
                    jdbcTemplate.query(SELECT_USER_BY_NAME, new Object[]{userName}, new UserRowMapper());

            // User names are expected to be unique, so the first row is the only row.
            return CollectionUtils.isEmpty(matches) ? null : matches.get(0);
        }

        /**
         * Loads the role names assigned to a user name.
         *
         * @param userName the account name, bound as the single query parameter
         * @return the role names in result-set order
         */
        @Override
        public List<String> queryRolesByUserName(String userName) {
            return jdbcTemplate.query(
                    SELECT_ROLE_NAMES_BY_USER, new Object[]{userName}, new RoleNameRowMapper());
        }

        /** Copies the {@code username} and {@code password} columns of a row into a {@code user}. */
        private static final class UserRowMapper implements RowMapper<user> {
            @Override
            public user mapRow(ResultSet row, int rowNumber) throws SQLException {
                user account = new user();
                account.setUsername(row.getString("username"));
                account.setPassword(row.getString("password"));
                return account;
            }
        }

        /** Reads the {@code role_name} column of a row. */
        private static final class RoleNameRowMapper implements RowMapper<String> {
            @Override
            public String mapRow(ResultSet row, int rowNumber) throws SQLException {
                return row.getString("role_name");
            }
        }
    }

    这里的sql都是自定义sql,也可以将sql改成自己的数据库操作。

    接着创建controller:

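    /**
     * Login endpoint of the tutorial application.
     */
    @Controller
    public class UserController {

        /**
         * Single reply for every failed login ("user name or password is incorrect"). The wording is
         * constructed for this review; the page itself has no such text.
         */
        private static final String LOGIN_FAILED_MESSAGE = "用户名或密码错误";

        /**
         * Authenticates the submitted user name and password with Shiro and reports whether the account
         * holds the {@code admin} role.
         *
         * <p>Review change: the method used to return {@code e.getMessage()} on failure. Shiro's messages
         * differ between an unknown account and a wrong password and describe the realm and the token,
         * so echoing them lets a client find out which user names exist and exposes internal details.
         * Every authentication failure now gets the same generic reply.
         *
         * <p>NOTE(review): the mapping declares {@code application/json} but the method returns bare
         * text, which is not a valid JSON document; confirm what the client expects.
         *
         * @param user the submitted form data; only user name and password are read
         * @return the generic failure text, or the text telling whether the user has the admin role
         */
        @RequestMapping(value = "/subLogin",method = RequestMethod.POST,
        produces = "application/json;charset=utf-8")
        @ResponseBody
        public String subLogin(user user){
            Subject subject = SecurityUtils.getSubject();
            UsernamePasswordToken token = new UsernamePasswordToken
                    (user.getUsername(),user.getPassword());
            try {
                subject.login(token);
            } catch (AuthenticationException ignored) {
                // Deliberately not forwarded to the client (see the method comment). Record the failure
                // server-side with the project's logger so that repeated attempts stay visible.
                return LOGIN_FAILED_MESSAGE;
            }

            if (subject.hasRole("admin")){
                return "有admin权限";
            }else {
                return "无admin权限";
            }
        }
    }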

     user实体类里只有username与password和它们的set、get方法。

    然后运行项目:

  • 原文地址:https://www.cnblogs.com/xk920/p/10821219.html