spring boot整合shiro實現(xiàn)權(quán)限校驗

1.首先導(dǎo)入項目所需jar包

<parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.1.3.RELEASE</version><relativePath/></parent><properties><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version><spring-cloud.version>Greenwich.RELEASE</spring-cloud.version><mysql.version>5.1.47</mysql.version><mybaitsPlus.version>3.1.1</mybaitsPlus.version><druid.version>1.0.31</druid.version><shiro-redis.version>3.1.0</shiro-redis.version></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><!--devtools熱部署--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-devtools</artifactId><optional>true</optional><scope>runtime</scope></dependency><!-- mysql驅(qū)動 --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.47</version></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.1.1</version></dependency><!--redis存儲--><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-redis</artifactId></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.4.0</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.4.0</version></dependency><dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.9</version><scope>compile</scope></dependency><!-- Shiro-redis插件 --><dependency><groupId>org.crazycake</groupId><artifactId>shiro-redis</artifactId><version>${shiro-redis.version}</version></dependency><dependency><groupId>org.springframework.session</groupId><artifactId>spring-session-data-redis</artifactId></dependency><dependency><groupId>org.springframework.session</groupId><artifactId>spring-session</artifactId><version>1.3.5.RELEASE</version></dependency><dependency><groupId>com.sun</groupId><artifactId>tools</artifactId><version>1.8.0</version><scope>system</scope><systemPath>${env.JAVA_HOME}/lib/tools.jar</systemPath><optional>true</optional></dependency><!-- 分頁插件 --></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId><configuration><fork>true</fork></configuration></plugin></plugins></build>

2. 編寫yml和properties配置文件

yml文件

server:port: 8083#tomcat:#max-http-post-size: -1max-http-header-size: 4048576 spring:profiles:active: diagnoseapplication:name: user-centerdevtools:restart:enabled: true # 設(shè)置開啟熱部署additional-paths: src/main/java # 重啟目錄exclude: WEB-INF/**freemarker:cache: false # 頁面不加載緩存，修改即時生效datasource:driver-class-name: com.mysql.jdbc.Driverurl: jdbc:mysql://192.168.1.199/zhzd?useUnicode=true&characterEncoding=utf-8&useSSL=falseusername: rootpassword: root# myBatis-plus mybatis-plus:#configuration:#log-impl: org.apache.ibatis.logging.stdout.StdOutImpl # 輸出sql日志和查詢結(jié)果日志mapper-locations: classpath*:mapper/**Mapper.xml # .xml目錄type-aliases-package: com.etouch.mapper # 接口包global-config:db-config:db-type: mysqlcolumn-underline=true: # 默認(rèn)駝峰# 只打印sql日志和sql參數(shù) logging:file: logs/sys.loglevel:com:etouch:mapper: debug# shiro自定義配置 shiro:session:jsessionid: x-auth-tokenrole:superRole: superAdmin--- # Redis數(shù)據(jù)源 spring:profiles: diagnoseredis:host: localhostport: 6379timeout: 6000password: nulldatabase: 0jedis:pool:max-active: 1000 # 連接池最大連接數(shù)（使用負(fù)值表示沒有限制）max-wait: -1 # 連接池最大阻塞等待時間（使用負(fù)值表示沒有限制）max-idle: 10 # 連接池中的最大空閑連接min-idle: 5 # 連接池中的最小空閑連接 eureka:instance:prefer-ip-address: trueinstance-id: user-centerlease-expiration-duration-in-seconds: 15lease-renewal-interval-in-seconds: 5client:service-url:defaultZone: http://eureka:eureka@localhost:8800/eureka/registry-fetch-interval-seconds: 5

properties文件

#redis 中存儲的用戶登錄數(shù)據(jù)結(jié)構(gòu) user.login.redis=zhzd:user:login: #redis 中存儲的驗證碼結(jié)構(gòu) user.send.code=zhzd:user:code: #redis 中存儲的用戶信息 user.info.dto=zhzd:user:login:dto:

3.新增MyShiroRealm繼承AuthorizingRealm,

package com.etouch.config.shiro;import com.etouch.DTO.MenuDTO; import com.etouch.DTO.RoleDTO; import com.etouch.DTO.UserDTO; import com.etouch.corecenter.utils.UuidUtils; import com.etouch.entity.SysMenu; import com.etouch.entity.SysRole; import com.etouch.entity.SysUser; import com.etouch.entity.SysUserToken; import com.etouch.service.SysUserTokenService; import com.etouch.service.UserService; import com.etouch.utils.ShiroUtils; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.*; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.beans.factory.annotation.Autowired;public class MyShiroRealm extends AuthorizingRealm {@Autowiredprivate UserService userService;/*** 權(quán)限校驗** @param principals* @return*/@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();UserDTO user = (UserDTO) SecurityUtils.getSubject().getPrincipal();UserDTO userDTO = userService.findUserByName(user.getLoginName());for (RoleDTO role : userDTO.getRoleList()) {authorizationInfo.addRole(role.getRoleName());for (MenuDTO menu : role.getMenuDTOList()) {authorizationInfo.addStringPermission(menu.getMenuUrl());}}return authorizationInfo;}/*** 登錄認(rèn)證** @param token* @return* @throws AuthenticationException*/@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {//強轉(zhuǎn)成自己傳入的參數(shù),要不然獲取不到自己傳入的用戶名和密碼UsernamePasswordToken upToken = (UsernamePasswordToken) token;//獲得前臺輸入的用戶名和密碼String username = upToken.getUsername();String password = new String(upToken.getPassword());//根據(jù)郵箱獲得數(shù)據(jù)庫的用戶UserDTO user = userService.findUserByName(username);if (user == null) {return null; //return null 在底層會拋出異常}SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());return info;}/* // 清除緩存public void clearCached() {PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();super.clearCache(principals);}*/

4. 新增動態(tài)獲取權(quán)限, 校驗權(quán)限業(yè)務(wù)類

接口類

package com.etouch.config.shiro.service;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import java.util.Map;/*** <p> shiro權(quán)限處理 </p>*/ public interface ShiroService {/*** 初始化權(quán)限 -> 拿全部權(quán)限** @param :* @return: java.util.Map<java.lang.String,java.lang.String>*/Map<String, String> loadFilterChainDefinitionMap();/*** 在對uri權(quán)限進(jìn)行增刪改操作時，需要調(diào)用此方法進(jìn)行動態(tài)刷新加載數(shù)據(jù)庫中的uri權(quán)限** @param shiroFilterFactoryBean* @param roleId* @param isRemoveSession:* @return: void*/void updatePermission(ShiroFilterFactoryBean shiroFilterFactoryBean, String roleId, Boolean isRemoveSession);/*** shiro動態(tài)權(quán)限加載 -> 原理：刪除shiro緩存，重新執(zhí)行doGetAuthorizationInfo方法授權(quán)角色和權(quán)限** @param roleId* @param isRemoveSession:* @return: void*/void updatePermissionByRoleId(String roleId, Boolean isRemoveSession);}

實現(xiàn)類

package com.etouch.config.shiro.service.impl;import com.etouch.config.shiro.service.ShiroService; import com.etouch.entity.SysMenu; import com.etouch.entity.SysUser; import com.etouch.exception.ZhException; import com.etouch.mapper.SysMenuMapper; import com.etouch.mapper.SysRoleMapper; import com.etouch.mapper.SysUserMapper; import com.etouch.utils.ShiroUtils; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager; import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver; import org.apache.shiro.web.servlet.AbstractShiroFilter; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.springframework.util.CollectionUtils;import java.util.LinkedHashMap; import java.util.List; import java.util.Map;/*** <p> shiro權(quán)限處理實現(xiàn)類 </p>** @description:* @author: zhengqing* @date: 2019/9/7 0007 13:53*/ @Slf4j @Service public class ShiroServiceImpl implements ShiroService {@Autowiredprivate SysMenuMapper menuMapper;@Autowiredprivate SysUserMapper userMapper;@Autowired@Overridepublic Map<String, String> loadFilterChainDefinitionMap() {// 權(quán)限控制mapMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();// 配置過濾:不會被攔截的鏈接 -> 放行 start ----------------------------------------------------------// 放行Swagger2頁面，需要放行這些filterChainDefinitionMap.put("/swagger-ui.html", "anon");filterChainDefinitionMap.put("/swagger/**", "anon");filterChainDefinitionMap.put("/swagger-resources/**", "anon");filterChainDefinitionMap.put("/static/**", "anon");// 三方登錄 // filterChainDefinitionMap.put("/auth/loginByQQ", "anon"); // filterChainDefinitionMap.put("/auth/afterlogin.do", "anon");// 退出// token過期接口filterChainDefinitionMap.put("/sysUser/tokenExpired", "anon");// 被擠下線filterChainDefinitionMap.put("/sysUser/downline", "anon");//手機號,驗證碼登錄filterChainDefinitionMap.put("/sysUser/login", "anon");filterChainDefinitionMap.put("/sysUser/loginByPhone", "anon");filterChainDefinitionMap.put("/sysUser/logOut", "anon");//管理員可操作所有的//發(fā)送驗證碼和校驗驗證碼filterChainDefinitionMap.put("/*/sendCode", "anon");filterChainDefinitionMap.put("/*/checkoutCode", "anon");//swaggerUI// 放行 end ----------------------------------------------------------//TODO 管理員可以訪問任何接口filterChainDefinitionMap.put("/**", "roles[superAdmin]");// 從數(shù)據(jù)庫或緩存中查取出來的url與resources對應(yīng)則不會被攔截 放行List<SysMenu> permissionList = menuMapper.selectList(null);if (!CollectionUtils.isEmpty(permissionList)) {permissionList.forEach(e -> {if (StringUtils.isNotBlank(e.getMenuUrl())) {filterChainDefinitionMap.put(e.getMenuUrl(), "perms["+e.getMenuUrl()+"]"); // filterChainDefinitionMap.put("/api/system/user/listPage", "authc,token,zqPerms[user1]"); // 寫死的一種用法}});}// ⑤ 認(rèn)證登錄 【注：map不能存放相同key】//TODO 開發(fā)階段不需要登錄就可以訪問filterChainDefinitionMap.put("/**", "anon");return filterChainDefinitionMap;}@Overridepublic void updatePermission(ShiroFilterFactoryBean shiroFilterFactoryBean, String roleId, Boolean isRemoveSession) {synchronized (this) {AbstractShiroFilter shiroFilter;try {shiroFilter = (AbstractShiroFilter) shiroFilterFactoryBean.getObject();} catch (Exception e) {throw new ZhException("get ShiroFilter from shiroFilterFactoryBean error!");}PathMatchingFilterChainResolver filterChainResolver = (PathMatchingFilterChainResolver) shiroFilter.getFilterChainResolver();DefaultFilterChainManager manager = (DefaultFilterChainManager) filterChainResolver.getFilterChainManager();// 清空攔截管理器中的存儲manager.getFilterChains().clear();// 清空攔截工廠中的存儲,如果不清空這里,還會把之前的帶進(jìn)去// ps:如果僅僅是更新的話,可以根據(jù)這里的 map 遍歷數(shù)據(jù)修改,重新整理好權(quán)限再一起添加shiroFilterFactoryBean.getFilterChainDefinitionMap().clear();// 動態(tài)查詢數(shù)據(jù)庫中所有權(quán)限shiroFilterFactoryBean.setFilterChainDefinitionMap(loadFilterChainDefinitionMap());// 重新構(gòu)建生成攔截Map<String, String> chains = shiroFilterFactoryBean.getFilterChainDefinitionMap();for (Map.Entry<String, String> entry : chains.entrySet()) {manager.createChain(entry.getKey(), entry.getValue());}log.info("--------------- 動態(tài)生成url權(quán)限成功！ ---------------");// 動態(tài)更新該角色相關(guān)聯(lián)的用戶shiro權(quán)限if (roleId != null) {updatePermissionByRoleId(roleId, isRemoveSession);}}}@Overridepublic void updatePermissionByRoleId(String roleId, Boolean isRemoveSession) {// 查詢當(dāng)前角色的用戶shiro緩存信息 -> 實現(xiàn)動態(tài)權(quán)限List<SysUser> userList = userMapper.selectUserByRoleId(roleId);// 刪除當(dāng)前角色關(guān)聯(lián)的用戶緩存信息,用戶再次訪問接口時會重新授權(quán) ; isRemoveSession為true時刪除Session -> 即強制用戶退出if (!CollectionUtils.isEmpty(userList)) {for (SysUser user : userList) {ShiroUtils.deleteCache(user.getLoginName(), isRemoveSession);}}log.info("--------------- 動態(tài)修改用戶權(quán)限成功！ ---------------");}}

5. 新建shiro的配置文件ShiroConfig

package com.etouch.config.shiro;import java.util.ArrayList; import java.util.List;import com.etouch.utils.CustomCredentialsMatcher; import com.etouch.config.shiro.service.impl.ShiroServiceImpl; import org.apache.shiro.codec.Base64; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.realm.Realm; import org.apache.shiro.session.mgt.SessionManager; import org.apache.shiro.spring.LifecycleBeanPostProcessor; import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor; import org.apache.shiro.spring.web.ShiroFilterFactoryBean; import org.apache.shiro.web.mgt.CookieRememberMeManager; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.apache.shiro.web.servlet.SimpleCookie; import org.crazycake.shiro.RedisCacheManager; import org.crazycake.shiro.RedisManager; import org.crazycake.shiro.RedisSessionDAO; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration;@Configuration public class ShiroConfig {private final String CACHE_KEY = "shiro:cache:";private final String SESSION_KEY = "shiro:session:";private final int EXPIRE = 1000*60*60*24*7; //TODO 單位毫秒/*** Redis配置*/@Value("${spring.redis.host}")private String host;@Value("${spring.redis.port}")private int port;@Value("${spring.redis.timeout}")private int timeout;@Value("${shiro.session.jsessionid}")private String jsessionid;@Beanpublic ShiroFilterFactoryBean shirFilter(SecurityManager securityManager, ShiroServiceImpl shiroService) {ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();shiroFilterFactoryBean.setSecurityManager(securityManager);/** 常用的過濾器如下：authc：所有已登陸用戶可訪問roles：有指定角色的用戶可訪問，通過[ ]指定具體角色，這里的角色名稱與數(shù)據(jù)庫中配置一致perms：有指定權(quán)限的用戶可訪問，通過[ ]指定具體權(quán)限，這里的權(quán)限名稱與數(shù)據(jù)庫中配置一致anon：所有用戶可訪問，通常作為指定頁面的靜態(tài)資源時使用* *///未登錄提示shiroFilterFactoryBean.setLoginUrl("/sysUser/unLogin");//沒有權(quán)限提示shiroFilterFactoryBean.setUnauthorizedUrl("/sysUser/unAuth");// 權(quán)限控制map.shiroFilterFactoryBean.setFilterChainDefinitionMap(shiroService.loadFilterChainDefinitionMap());return shiroFilterFactoryBean;}@Beanpublic CustomCredentialsMatcher credentialMatcher() {return new CustomCredentialsMatcher();}// 將自己的驗證方式加入容器,注入自定義的realm@Beanpublic MyShiroRealm myShiroRealm() {MyShiroRealm myShiroRealm = new MyShiroRealm();//將密碼比較器注入自定義realm域myShiroRealm.setCredentialsMatcher(credentialMatcher());myShiroRealm.setCacheManager(cacheManager());return myShiroRealm;}@Beanpublic PhoneRealm phoneRealm() {PhoneRealm phoneRealm = new PhoneRealm();phoneRealm.setCacheManager(cacheManager());return phoneRealm;}// 權(quán)限管理，配置主要是Realm的管理認(rèn)證/*** 配置核心安全事務(wù)管理器** @param shiroRealm* @return*/@Bean(name = "securityManager")public SecurityManager securityManager(@Qualifier("myShiroRealm") MyShiroRealm shiroRealm, PhoneRealm phoneRealm) {DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();// 設(shè)置realmsList<Realm> realms = new ArrayList<>();realms.add(shiroRealm);realms.add(phoneRealm);//設(shè)置自定義realm.securityManager.setRealms(realms);//配置記住我securityManager.setRememberMeManager(rememberMeManager());// 自定義session管理securityManager.setSessionManager(sessionManager());// 自定義Cache實現(xiàn)緩存管理securityManager.setCacheManager(cacheManager());return securityManager;}/*** cookie對象;會話Cookie模板 ,默認(rèn)為: JSESSIONID 問題: 與SERVLET容器名沖突,重新定義為sid或rememberMe，自定義** @return*/@Beanpublic SimpleCookie rememberMeCookie() {//這個參數(shù)是cookie的名稱，對應(yīng)前端的checkbox的name = rememberMeSimpleCookie simpleCookie = new SimpleCookie("rememberMe");//setcookie的httponly屬性如果設(shè)為true的話，會增加對xss防護(hù)的安全系數(shù)。它有以下特點：//setcookie()的第七個參數(shù)//設(shè)為true后，只能通過http訪問，javascript無法訪問//防止xss讀取cookiesimpleCookie.setHttpOnly(true);simpleCookie.setPath("/");//<!-- 記住我cookie生效時間30天 ,單位秒;-->simpleCookie.setMaxAge(2592000);return simpleCookie;}/*** cookie管理對象;記住我功能,rememberMe管理器** @return*/@Beanpublic CookieRememberMeManager rememberMeManager() {CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();cookieRememberMeManager.setCookie(rememberMeCookie());//rememberMe cookie加密的密鑰 建議每個項目都不一樣 默認(rèn)AES算法 密鑰長度(128 256 512 位)cookieRememberMeManager.setCipherKey(Base64.decode("4AvVhmFLUs0KTA3Kprsdag=="));return cookieRememberMeManager;}// 加入注解的使用，不加入這個注解不生效@Beanpublic AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);return authorizationAttributeSourceAdvisor;}/*** 配置Redis管理器：使用的是shiro-redis開源插件*/@Beanpublic RedisManager redisManager() {RedisManager redisManager = new RedisManager();redisManager.setHost(host);redisManager.setPort(port);redisManager.setTimeout(timeout); // redisManager.setPassword(password);return redisManager;}/*** 配置Cache管理器：用于往Redis存儲權(quán)限和角色標(biāo)識 (使用的是shiro-redis開源插件)*/@Beanpublic RedisCacheManager cacheManager() {RedisCacheManager redisCacheManager = new RedisCacheManager();redisCacheManager.setRedisManager(redisManager());redisCacheManager.setKeyPrefix(CACHE_KEY);// 配置緩存的話要求放在session里面的實體類必須有個id標(biāo)識 注：這里id為用戶表中的主鍵，否-> 報：User must has getter for field: xxredisCacheManager.setPrincipalIdFieldName("id");return redisCacheManager;}/*** SessionID生成器*/@Beanpublic ShiroSessionIdGenerator sessionIdGenerator() {return new ShiroSessionIdGenerator();}/*** 配置RedisSessionDAO (使用的是shiro-redis開源插件)*/@Beanpublic RedisSessionDAO redisSessionDAO() {RedisSessionDAO redisSessionDAO = new RedisSessionDAO();redisSessionDAO.setRedisManager(redisManager());redisSessionDAO.setSessionIdGenerator(sessionIdGenerator());redisSessionDAO.setKeyPrefix(SESSION_KEY);redisSessionDAO.setExpire(EXPIRE);return redisSessionDAO;}/*** 配置Session管理器*/@Beanpublic SessionManager sessionManager() {ShiroSessionManager shiroSessionManager = new ShiroSessionManager();shiroSessionManager.setGlobalSessionTimeout(EXPIRE);shiroSessionManager.setSessionDAO(redisSessionDAO());//修改默認(rèn)session存儲機制,將shiro中的session數(shù)據(jù)存儲至redis數(shù)據(jù)庫中shiroSessionManager.setSessionIdCookie(getSessionIdCookie());//設(shè)置sessionId的KeyshiroSessionManager.setDeleteInvalidSessions(true);//自動清空失效sessionreturn shiroSessionManager;}/*** 給shiro的sessionId默認(rèn)的JSSESSIONID名字改掉* @return*/@Bean(name="sessionIdCookie")public SimpleCookie getSessionIdCookie(){SimpleCookie simpleCookie = new SimpleCookie(jsessionid);return simpleCookie;}/*** 該類如果不設(shè)置為static，@Value注解就無效，原因未知* @return*/@Beanpublic static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {return new LifecycleBeanPostProcessor();}}

自定義密碼比較器

package com.etouch.utils;import com.etouch.corecenter.utils.MD5Util; import com.etouch.utils.Encrypt; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authc.credential.CredentialsMatcher;public class CustomCredentialsMatcher implements CredentialsMatcher {/**** @param token 用戶輸入的用戶名和密碼* @param info 數(shù)據(jù)庫中的用戶名和密碼* @return 返回如果是false 則登錄失敗, 返回true 則登錄成功*/@Overridepublic boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {/*** 驗證數(shù)據(jù)庫的密碼 和 用戶輸入的密碼 是否一致** @param token 用戶輸入的用戶名 密碼* @param info 數(shù)據(jù)庫中的用戶名 密碼* @return 返回值 比較密碼是否正確 比較正確 返回true 表示登陸成功 返回false 表示登陸失敗(同時拋出異常)** 明文密碼: 不加密 原始密碼* 密文密碼: 經(jīng)過一定的加密處理 , 數(shù)據(jù)更加安全* md5加密 : 不可逆的加密方式* 先將加密后的數(shù)據(jù) 以及加密前的數(shù)據(jù) 提前保存了 根據(jù)對應(yīng)的數(shù)據(jù)找即可* 123456 -> xxxxyyyyqqqq** 如何屏蔽這種情況* 123456 -> xxxxyyyyqqqq* 123456000 -> asdasdfg* 用戶輸入的密碼 + 固定值(不變的值) = 特殊的密碼* 用戶輸入的密碼 + 可變化的固定值 = 特殊的密碼* password:123456 + 用戶的登錄名 = 特殊的密碼* 加密: 直接轉(zhuǎn)換* 加鹽加密: 在原有的密碼基礎(chǔ)上 加上一定的參數(shù) 針對該用戶而言 這個鹽(新加入的參數(shù)) 是不變的*/// System.out.println("密碼比較器執(zhí)行"); // //加鹽加密 // UsernamePasswordToken upToken = (UsernamePasswordToken) token; // //獲取用戶輸入的數(shù)據(jù) // String email = upToken.getUsername(); // String password = new String(upToken.getPassword()); // //對密碼進(jìn)行加密處理 加鹽加密 // String md5Pwd = Encrypt.md5(password, email); // //獲得數(shù)據(jù)庫的密碼 // String dbPwd = (String) info.getCredentials(); // return md5Pwd.equals(dbPwd);//不加鹽加密UsernamePasswordToken upToken = (UsernamePasswordToken) token;//獲得用戶輸入的密碼String password = new String(upToken.getPassword());//加密后的密碼String md5Pwd = MD5Util.string2MD5(password);//獲取數(shù)據(jù)庫的密碼String dbPwd = (String) info.getCredentials();return md5Pwd.equals(dbPwd);} } ### 6. 新建shiro的session管理器```javapackage com.etouch.config.shiro;import com.etouch.utils.constants.Constants; import org.apache.commons.lang3.StringUtils; import org.apache.shiro.web.servlet.ShiroHttpServletRequest; import org.apache.shiro.web.session.mgt.DefaultWebSessionManager; import org.apache.shiro.web.util.WebUtils;import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import java.io.Serializable;import static org.apache.shiro.web.servlet.ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE;/*** <p> 自定義獲取Token </p>** @description :* @author : zhengqing* @date : 2019/8/23 15:55*/ public class ShiroSessionManager extends DefaultWebSessionManager {/*** 定義常量*/ // private static final String REFERENCED_SESSION_ID_SOURCE = "Stateless request";/*** 重寫構(gòu)造器*/public ShiroSessionManager() {super();this.setDeleteInvalidSessions(true);}/*** 重寫方法實現(xiàn)從請求頭獲取Token便于接口統(tǒng)一* 每次請求進(jìn)來,Shiro會去從請求頭找REQUEST_HEADER這個key對應(yīng)的Value(Token)*/@Overridepublic Serializable getSessionId(ServletRequest request, ServletResponse response) {String token = WebUtils.toHttp(request).getHeader(Constants.REQUEST_HEADER);// 如果請求頭中存在token 則從請求頭中獲取tokenif ( StringUtils.isNotBlank( token ) ) {request.setAttribute(REFERENCED_SESSION_ID_SOURCE, REFERENCED_SESSION_ID_SOURCE);request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID, token);request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_IS_VALID, Boolean.TRUE);return token;} else {// 否則按默認(rèn)規(guī)則從cookie取tokenreturn super.getSessionId(request, response);}} }

7. 用戶名密碼登陸

/*** 用戶名密碼登錄** @param userName* @param passWord* @param rememberMe* @return*/@ApiOperation(value = "用戶名密碼登錄", notes = "用戶名密碼登錄")@PostMapping("/login")public ResultUtils<String> login(HttpServletRequest request,@ApiParam(value = "用戶名", required = true) @RequestParam(name = "userName") String userName,@ApiParam(value = "密碼", required = true) @RequestParam(name = "passWord") String passWord,@ApiParam("記住密碼,true,false") @RequestParam(name = "rememberMe") boolean rememberMe,@ApiParam("驗證碼") @RequestParam(name = "VerificationCode") String VerificationCode) {if (StringUtils.isBlank(userName) || StringUtils.isBlank(passWord)) {return ResultUtils.error("用戶名或密碼不能為空");}if (checkVerify(request, VerificationCode).getCode() != 200) {return ResultUtils.errorParam("驗證碼錯誤,請重新輸入");}QueryWrapper<SysUser> queryWrapper = new QueryWrapper();queryWrapper.eq("login_name", userName);SysUser sysUser = sysUserService.getOne(queryWrapper);if (sysUser == null) {return ResultUtils.error("用戶名不存在");}String encodePwd = MD5Util.string2MD5(passWord);log.info("加密碼后的密碼為: " + encodePwd);if (!encodePwd.equals(sysUser.getPassword())) {return ResultUtils.error("用戶名或密碼錯誤");}//登錄前,先清除掉之前的用戶登錄信息this.shiroCheck();UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken(userName, passWord, rememberMe);//登錄操作Subject subject = SecurityUtils.getSubject();LoginUser loginUser = new LoginUser();//存入用戶id和tokenString uToken = null;try {//進(jìn)行shiro登錄驗證subject.login(usernamePasswordToken);uToken = ShiroUtils.getSession().getId().toString();//subject.getSession().setAttribute("loginUser", sysUser);//userService.login(sysUser, rememberMe, uToken);SecurityUtils.getSubject().getSession().setTimeout(1000*60*60*24*7);return ResultUtils.success("登陸成功", uToken);} catch (AuthenticationException e) {e.printStackTrace();return ResultUtils.error("登錄失敗");} catch (InvalidSessionException e) {e.printStackTrace();return ResultUtils.error("登錄失敗");}}

8 如需增加手機號, 驗證碼登陸, 則需進(jìn)行以下配置

8.1重寫shiro的token獲取類

package com.etouch.config.shiro;import org.apache.shiro.authc.HostAuthenticationToken; import org.apache.shiro.authc.RememberMeAuthenticationToken;import java.io.Serializable;public class UserNamePasswordPhoneToken implements HostAuthenticationToken, RememberMeAuthenticationToken, Serializable {// 手機號碼private String phone;private boolean rememberMe;private String host;/*** 重寫getPrincipal方法*/public Object getPrincipal() {return phone;}/*** 重寫getCredentials方法*/public Object getCredentials() {return phone;}public UserNamePasswordPhoneToken() {this.rememberMe = false;}public UserNamePasswordPhoneToken(String phone) {this(phone, false, null);}public UserNamePasswordPhoneToken(String phone, boolean rememberMe) {this(phone, rememberMe, null);}public UserNamePasswordPhoneToken(String phone, boolean rememberMe, String host) {this.phone = phone;this.rememberMe = rememberMe;this.host = host;}public String getPhone() {return phone;}public void setPhone(String phone) {this.phone = phone;}@Overridepublic String getHost() {return host;}@Overridepublic boolean isRememberMe() {return rememberMe;} }

8.2 新建PhoneRealm 繼承AuthorizingRealm

package com.etouch.config.shiro;import com.etouch.DTO.MenuDTO; import com.etouch.DTO.RoleDTO; import com.etouch.DTO.UserDTO; import com.etouch.entity.SysUser; import com.etouch.DTO.search.SearchUserArgs; import com.etouch.service.UserService; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.beans.BeanUtils; import org.springframework.beans.factory.annotation.Autowired;public class PhoneRealm extends AuthorizingRealm {@Autowiredprivate UserService userService;// 登錄認(rèn)證@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {UserNamePasswordPhoneToken token = null;// 如果是PhoneToken，則強轉(zhuǎn)，獲取phone；否則不處理。if (authenticationToken instanceof UserNamePasswordPhoneToken) {token = (UserNamePasswordPhoneToken) authenticationToken;} else {return null;}String phone = (String) token.getPrincipal();SearchUserArgs searchUserArgs = new SearchUserArgs();if (phone.contains("@")) {searchUserArgs.setEmail(phone);} else {searchUserArgs.setPhone(phone);}SysUser user = userService.findByArgs(searchUserArgs);UserDTO userDTO = new UserDTO();BeanUtils.copyProperties(user,userDTO);if (userDTO == null) {throw null;}return new SimpleAuthenticationInfo(userDTO, phone, this.getName());}/*** 權(quán)限校驗* @param principalCollection* @return*/@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();UserDTO user = (UserDTO) SecurityUtils.getSubject().getPrincipal();UserDTO userDTO = userService.findUserByName(user.getLoginName());for (RoleDTO role : userDTO.getRoleList()) {authorizationInfo.addRole(role.getRoleName());for (MenuDTO menu : role.getMenuDTOList()) {authorizationInfo.addStringPermission(menu.getMenuUrl());}}return authorizationInfo;}@Overridepublic boolean supports(AuthenticationToken var1) {return var1 instanceof UserNamePasswordPhoneToken;}}

8.3 新增手機號驗證碼登陸

@ApiOperation("手機號,驗證碼登錄")@PostMapping("/loginByPhone")public ResultUtils<String> login(@ApiParam("手機號") @RequestParam(name = "phone") String phone,@ApiParam("驗證碼") @RequestParam(name = "code") String code, @ApiParam("記住密碼") Boolean rememberMe) {//首先校驗驗證碼Boolean b = userService.checkoutCode(phone, code);if (!b) {return ResultUtils.errorParam("驗證碼錯誤,請重新輸入");}QueryWrapper<SysUser> queryWrapper = new QueryWrapper<>();//通過手機號或者與郵箱賬號查詢用戶SearchUserArgs searchUserArgs = new SearchUserArgs();if (phone.contains("@")) {searchUserArgs.setEmail(phone);} else {searchUserArgs.setPhone(phone);}SysUser sysUser = userService.findByArgs(searchUserArgs);if (sysUser == null) {return ResultUtils.errorParam("查找不到用戶信息");}this.shiroCheck();//清除掉這臺客戶端的上個用戶的登錄信息UserNamePasswordPhoneToken userNamePasswordPhoneToken = new UserNamePasswordPhoneToken(phone);//登錄操作Subject subject = SecurityUtils.getSubject();LoginUser loginUser = new LoginUser();//存入用戶id和tokenString uToken = null;try {//進(jìn)行shiro登錄驗證uToken = ShiroUtils.getSession().getId().toString();subject.login(userNamePasswordPhoneToken);userService.login(sysUser, rememberMe, uToken);return ResultUtils.success("登陸成功", uToken);} catch (AuthenticationException e) {e.printStackTrace();return ResultUtils.error("登錄失敗");} catch (InvalidSessionException e) {e.printStackTrace();return ResultUtils.error("登錄失敗");}}

ShiroUtils工具類

package com.etouch.utils;import com.etouch.DTO.UserDTO; import com.etouch.corecenter.enums.ExceptionEnum; import com.etouch.corecenter.exception.ProjectExeption; import com.etouch.entity.SysUser; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.Authenticator; import org.apache.shiro.authc.LogoutAware; import org.apache.shiro.session.Session; import org.apache.shiro.subject.SimplePrincipalCollection; import org.apache.shiro.subject.support.DefaultSubjectContext; import org.apache.shiro.web.mgt.DefaultWebSecurityManager; import org.crazycake.shiro.RedisSessionDAO;import java.util.Collection; import java.util.Objects;/*** <p> Shiro工具類 </p>*/ public class ShiroUtils {/*** 私有構(gòu)造器**/private ShiroUtils() {}private static RedisSessionDAO redisSessionDAO = SpringUtil.getBean(RedisSessionDAO.class);// public static final String LOGIN_USER_IN_SESSION = "loginUser";/*** 傳入一個用戶放到session中* @param user*/ // public static void setUserInfo(User user){ // Session session = getSession(); // // 將用戶信息放到session中 // session.setAttribute(LOGIN_USER_IN_SESSION, user); // }/*** 從session中獲取一個用戶的信息*/ // public static User getUser(){ // Session session = getSession(); // return (User) session.getAttribute(LOGIN_USER_IN_SESSION); // }// -------------------------------------------------------------/*** 獲取當(dāng)前用戶Session** @Return SysUserEntity 用戶信息*/public static Session getSession() {return SecurityUtils.getSubject().getSession();}/*** 用戶登出*/public static void logout() {SecurityUtils.getSubject().logout();}/*** 獲取當(dāng)前用戶信息** @Return SysUserEntity 用戶信息*/public static UserDTO getUserInfo() {return (UserDTO) SecurityUtils.getSubject().getPrincipal();}/*** 獲取當(dāng)前登陸用戶id** @Return*/public static String getLoginUserId() {UserDTO userDTO = (UserDTO) SecurityUtils.getSubject().getPrincipal();if (userDTO == null) {throw new ProjectExeption(ExceptionEnum.UNLOGIN);}return userDTO.getId();}/*** 刪除用戶緩存信息** @Param username 用戶名稱* @Param isRemoveSession 是否刪除Session，刪除后用戶需重新登錄*/public static void deleteCache(String username, boolean isRemoveSession) {//從緩存中獲取SessionSession session = null;// 獲取當(dāng)前已登錄的用戶session列表Collection<Session> sessions = redisSessionDAO.getActiveSessions();UserDTO sysUserEntity;Object attribute = null;// 遍歷Session,找到該用戶名稱對應(yīng)的Sessionfor (Session sessionInfo : sessions) {attribute = sessionInfo.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);if (attribute == null) {continue;}sysUserEntity = (UserDTO) ((SimplePrincipalCollection) attribute).getPrimaryPrincipal();if (sysUserEntity == null) {continue;}if (Objects.equals(sysUserEntity.getLoginName(), username)) {session = sessionInfo;// 清除該用戶以前登錄時保存的session，強制退出 -> 單用戶登錄處理if (isRemoveSession) {redisSessionDAO.delete(session);}}}if (session == null || attribute == null) {return;}//刪除sessionif (isRemoveSession) {redisSessionDAO.delete(session);}//刪除Cache，再訪問受限接口時會重新授權(quán)DefaultWebSecurityManager securityManager = (DefaultWebSecurityManager) SecurityUtils.getSecurityManager();Authenticator authc = securityManager.getAuthenticator();((LogoutAware) authc).onLogout((SimplePrincipalCollection) attribute);}/*** 從緩存中獲取指定用戶名的Session** @param username*/private static Session getSessionByUsername(String username) {// 獲取當(dāng)前已登錄的用戶session列表Collection<Session> sessions = redisSessionDAO.getActiveSessions();SysUser user;Object attribute;// 遍歷Session,找到該用戶名稱對應(yīng)的Sessionfor (Session session : sessions) {attribute = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);if (attribute == null) {continue;}user = (SysUser) ((SimplePrincipalCollection) attribute).getPrimaryPrincipal();if (user == null) {continue;}if (Objects.equals(user.getLoginName(), username)) {return session;}}return null;}}

}

總結(jié)

以上是生活随笔為你收集整理的spring boot结合shiro实现用户-角色-权限的控制(包含用户名密码登陆和手机号验证码登陆)的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。