Shiro---强大且易用的Java安全框架（三）

尚学堂

让人人享有高品质教育

【Shiro】

十、Spring Boot整合Shiro实现登录认证

整体项目结构。省略数据访问层相关代码，使用固定数据进行认证。

1、添加依赖

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.13.RELEASE</version>
</parent>
<dependencies>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring-boot-web-starter</artifactId>
        <version>1.4.2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <!--mybatis的启动器-->
    <dependency>
        <groupId>org.mybatis.spring.boot</groupId>
        <artifactId>mybatis-spring-boot-starter</artifactId>
        <version>2.1.1</version>
    </dependency>
    <!--数据库的驱动-->
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.11</version>
    </dependency>
</dependencies>

2、编写配置文件

新建application.yml

spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://127.0.0.1:3306/rbac1?characterEncoding=utf8&useSSL=false&serverTimezone=GMT%2B8
    username: root
    password: root
shiro:
  loginUrl: /login

3、新建实体类

新建com.bjsxt.pojo.User

public class User {
    private Long id;
    private String username;
    private String password;
    // 省略getter和setter
// 省略构造方法
}

4、编写业务层代码

新建com.bjsxt.service.UserService

public interface AdminService {
    Admin    findOne(String  uname);
}

实现类

@Service
public class AdminServiceImpl implements AdminService {
     @Autowired
    private AdminMapper  adminMapper;
    @Override
    public Admin findOne(String uname) {
        return adminMapper.selectOne(uname);
}

5、自定义Realm

新建com.bjsxt.realm.MyRealm编写认证逻辑

@Component
public class MyRealm extends AuthorizingRealm {
     @Autowired
    private AdminService  adminService;
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        String name = authenticationToken.getPrincipal().toString();
        Admin admin = adminService.findOne(name);
        if(admin!=null){
            AuthenticationInfo  info=new SimpleAuthenticationInfo(name,admin.getPwd(), ByteSource.Util.bytes(admin.getSalt()),"sxt");
            return   info;
        return null;
    }}

6、编写配置

新建com.bjsxt.config.ShiroConfig，编写配置

@Configuration
public class SApplicationConfig {
    @Autowired
    private   MyRealm  myRealm;
    @Bean
   public DefaultWebSecurityManager  defaultWebSecurityManager(){
       DefaultWebSecurityManager  defaultWebSecurityManager=new DefaultWebSecurityManager();
        HashedCredentialsMatcher  matcher=new




    
 HashedCredentialsMatcher();
        matcher.setHashAlgorithmName("md5");
        matcher.setHashIterations(3);
        myRealm.setCredentialsMatcher(matcher);     
        defaultWebSecurityManager.setRealm(myRealm);
       return defaultWebSecurityManager;
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {     
        DefaultShiroFilterChainDefinition definition = new DefaultShiroFilterChainDefinition();
        definition.addPathDefinition("/doLogin", "anon");
        definition.addPathDefinition("/login", "anon");
        definition.addPathDefinition("/**", "authc");
        return definition;
}

7、编写控制器

新建com.bjsxt.controller.UserController

@Controller
public class AdminController {
    @RequestMapping("/{path}")
    public   String   getUrl(@PathVariable String path){
        System.out.println("iii");
        return  path;
    @RequestMapping("/doLogin")
    public String   login(String  uname,String  pwd){
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(uname,pwd));
            return "main" ;
        } catch (AuthenticationException e) {
            System.out.println("失败");
            return "login";
}

8、编写启动类

新建com.bjsxt.ShiroApplication

@SpringBootApplication
@MapperScan("com.bjsxt.mapper")
public class ShiroApplication {
    public static void main(String[] args) {
        SpringApplication.run(ShiroApplication.class,args);
}

9、编写页面

9.1 编写登录页面

新建templates/login.html

<form action="/doLogin" method="post">
    用户名：<input type="text" name="username"/><br/>
    密码：<input type="password" name="password" /><br/>
    <input type="submit" value="登录"/>
</form>

9.2 编写主页面

新建templates/login.html。页面中虽然编写内容

<body>
   index.html
</body>

十一、凭证匹配器

1、修改ShiroConfig

@Bean
public DefaultWebSecurityManager securityManager() {
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
    hashedCredentialsMatcher.setHashAlgorithmName("md5");
    hashedCredentialsMatcher.setHashIterations(2);
    myRealm.setCredentialsMatcher(hashedCredentialsMatcher);
    manager.setRealm(myRealm);
    return manager;
}

2、修改UserServiceImpl

模拟从数据库查询出来的密码是加密的密码。

此加密数据是”admin”加盐”123”迭代两次加密的结果。

return new User(1L,"admin","6bdae6366c1e46d541eb0ca9547d974c");

3、修改MyRealm

修改MyRealm中doGetAuthenticationInfo方法。把盐添加进去。

AuthenticationInfo info = new SimpleAuthenticationInfo(token.getPrincipal(),user.getPassword(), ByteSource.Util.bytes("123"),user.getUsername());

十二、remember me实现

1、修改ShiroConfig

秘钥长度为16位，使用的时AES加密。

@Configuration
public class ShiroConfig {
    @Autowired
    private MyRealm myRealm;
    @Bean
    public DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
        hashedCredentialsMatcher.setHashAlgorithmName("md5");
        hashedCredentialsMatcher.setHashIterations(2);
        myRealm.setCredentialsMatcher(hashedCredentialsMatcher);
        manager.setRealm(myRealm);
        manager.setRememberMeManager(rememberMeManager());
        return manager;
     * cookie 属性设置
    public SimpleCookie rememberMeCookie()
        SimpleCookie cookie = new SimpleCookie("rememberMe");
//        cookie.setDomain(domain);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setMaxAge(30 * 24 * 60 * 60);
        return cookie;
     * 记住我
    public CookieRememberMeManager rememberMeManager()
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCookie(rememberMeCookie());
        cookieRememberMeManager.setCipherKey(“1234567890987654”);
        return cookieRememberMeManager;
    @Bean
    public ShiroFilterChainDefinition shiroFilterChainDefinition() {
        DefaultShiroFilterChainDefinition definition = new DefaultShiroFilterChainDefinition();
        definition.addPathDefinition("/doLogin", "anon");
        definition.addPathDefinition("/logout", "logout");
        definition.addPathDefinition("/**", "user");
        return definition;
    @Bean
    public ShiroDialect shiroDialect() {
        return new ShiroDialect();
}

2、修改控制器方法

修改控制doLogin方法，在UsernamePasswordToken中添加第三个参数。表示是否启用remember me功能。

此功能应该在页面中添加一个复选框，代码中直接假设用户勾选了复选框

@RequestMapping("/doLogin")
public String showLogin(User user){
    Subject subject = SecurityUtils.getSubject();
    try {
        //添加第三个参数，表示是否启用rememberme功能
        subject.login(new UsernamePasswordToken(user.getUsername(),user.getPassword(),true));
        return "redirect:/showIndex";
    } catch (Exception e) {
        e.printStackTrace();