springboot整合shiro进行身份验证和授权

一、引入shiro依赖：

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.shiro</groupId>
    <artifactId>wangyao</artifactId>
    <packaging>war</packaging>
    <version>0.0.1-SNAPSHOT</version>
    <name>wangyao Maven Webapp</name>
    <url>http://maven.apache.org</url>
    <!--启动父依赖 -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.6.RELEASE</version>
    </parent>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <java.version>1.8</java.version>
        <sqlserver-connector>4.0</sqlserver-connector>
    </properties>
    <dependencies>
        <!--spring 基本的web服务 -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <!--thmleaf模板依赖. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <!-- shiro spring. -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.3.2</version>
        </dependency>
        <!-- Spirng data JPA依赖; -->
       <dependency>
           <groupId>org.springframework.boot</groupId>
           <artifactId>spring-boot-starter-data-jpa</artifactId>
       </dependency>
       <!-- sqlserver依赖 -->
        <dependency>
            <groupId>com.microsoft.sqlserver</groupId>
            <artifactId>sqljdbc4</artifactId>
            <version>${sqlserver-connector}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
        <finalName>wangyao</finalName>
    </build>
</project>

二、shiro配置：

package shiropro.config;

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.apache.shiro.mgt.SecurityManager;
import shiropro.shiro.MyShiroRealm;

/**
 * shiro配置
 * 
 * @author wangyao
 *
 */
@Configuration
public class ShiroConfiguration {
    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        System.err.println("ShiroConfiguration.shirFilter()");
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // 必须设置 SecurityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        // 拦截器.
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();

        // 如果不设置默认会自动寻找Web工程根目录下的"/login.jsp"页面
        shiroFilterFactoryBean.setLoginUrl("/login");
        // 登录成功后要跳转的链接
        shiroFilterFactoryBean.setSuccessUrl("/index");
        // 未授权界面;
        shiroFilterFactoryBean.setUnauthorizedUrl("/403");

        // 配置退出过滤器,其中的具体的退出代码Shiro已经替我们实现了
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/add", "perms[权限添加]");
        filterChainDefinitionMap.put("/del", "perms[权限删除]");
        // <!-- 过滤链定义，从上向下顺序执行，一般将 /**放在最为下边 -->:这是一个坑呢，一不小心代码就不好使了;
        // <!-- authc 表示需要认证才能访问的页面 -->
        filterChainDefinitionMap.put("/**", "authc");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
        System.out.println("Shiro拦截器工厂类注入成功");
        return shiroFilterFactoryBean;
    }

    /**
     * 身份认证realm; (这个需要自己写，账号密码校验；权限等)
     * 
     * @return
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        MyShiroRealm myShiroRealm = new MyShiroRealm();
        return myShiroRealm;
    }

    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // 设置realm.
        securityManager.setRealm(myShiroRealm());
        return securityManager;
    }

    /**
     * 开启shiro aop注解支持. 使用代理方式;所以需要开启代码支持，调用授权的方法必须要有此支持;
     * 
     * @param securityManager
     * @return
     */

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }

}

三、shiro身份校验（继承AuthorizingRealm）：

package shiropro.shiro;


import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.Resource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import shiropro.entity.UserInfo;
import shiropro.service.IUserInfoService;
/**
 * shiro身份校验
 * 
 * @author wangyao
 *
 */
public class MyShiroRealm extends AuthorizingRealm {

    @Resource
    private IUserInfoService userInfoService;

    /**
     * 认证信息.(身份验证) : Authentication 是用来验证用户身份
     * 
     * @param token
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        System.err.println("MyShiroRealm.doGetAuthenticationInfo()");
        UsernamePasswordToken tk=(UsernamePasswordToken) token;
        // 获取用户的输入的账号.
        String username =  tk.getUsername();
        //获取用户输入的密码
        //String pwd=new String(token.getPassword());
        // 实际项目中，这里可以根据实际情况做缓存，如果不做，Shiro自己也是有时间间隔机制，2分钟内不会重复执行该方法
        UserInfo userInfo = userInfoService.findByUsername(username);
        //密码可以加密在此
        System.out.println("----->>userInfo=" + userInfo);
        if (userInfo == null) {
            return null;
        }
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(userInfo, // 用户名
                userInfo.getPassword(), // 密码
                getName() // realm name
        );

        return authenticationInfo;
    }
    /**
     * 获取授权信息(包含权限信息)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
        UserInfo user=(UserInfo) getAvailablePrincipal(pc);
        System.err.println("授权："+user);
        String loginName= user.getUsername();
        if (loginName != null) {
            SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
            Map<String,Object> map=user.getPerList();
            //用户的角色信息
            /*List<String> roles=(List<String>) map.get("roles");
            for (String role : roles) {
                info.addRole(role);
            }*/
            Set<String> roleSet=new HashSet<String>(); 
            roleSet.add("100002");
            info.setRoles(roleSet);
            //用户的权限信息
            /*List<String> permissions=(List<String>) map.get("permissions");
            for (String permission : permissions) {
                info.addStringPermission(permission);
            }*/
            Set<String> permissionSet =new HashSet<String>(); 
            permissionSet.add("权限添加");
            info.setStringPermissions(permissionSet);
            return info;
        }
        return null;
    }


}

四、控制层：

package shiropro.action;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class HomeAction {

    @GetMapping("/index")
    public String index() {
        return "index";
    }

    @PostMapping("/del")
    public String del() {
        return "del";
    }

    @PostMapping("/add")
    public String add() {
        return "add";
    }

    @GetMapping("/login")
    public String lo() {
        return "login";
    }

    // 登录提交地址和applicationontext-shiro.xml配置的loginurl一致。 (配置文件方式的说法)
    @PostMapping("/login")
    public String login(HttpServletRequest request, Map<String, Object> map) throws Exception {
        System.out.println("HomeController.login()");
        // 登录失败从request中获取shiro处理的异常信息。//也可以自定义判断
        // shiroLoginFailure:就是shiro异常类的全类名.
        String exception = (String) request.getAttribute("shiroLoginFailure");

        System.out.println("exception=" + exception);
        String msg = "";
        if (exception != null) {
            if (UnknownAccountException.class.getName().equals(exception)) {
                System.out.println("UnknownAccountException -- > 账号不存在：");
                msg = "UnknownAccountException -- > 账号不存在：";
            } else if (IncorrectCredentialsException.class.getName().equals(exception)) {
                System.out.println("IncorrectCredentialsException -- > 密码不正确：");
                msg = "IncorrectCredentialsException -- > 密码不正确：";
            } else if ("kaptchaValidateFailed".equals(exception)) {
                System.out.println("kaptchaValidateFailed -- > 验证码错误");
                msg = "kaptchaValidateFailed -- > 验证码错误";
            } else {
                msg = "else >> " + exception;
                System.out.println("else -- >" + exception);
            }
        }
        map.put("msg", msg);
        // 此方法不处理登录成功,由shiro进行处理.
        return "index";
    }

//-----------------------------------------------------------------------------------------------------------
    
    public static void main(String[] args) {
        List<Integer> a = new ArrayList<>();
        List<Integer> b = new ArrayList<>();
        for (int i = 0; i < 100000; i++) {
            if (i % 2 == 0) {
                a.add(i);
            }
            if (i % 3 == 0) {
                b.add(i);
            }
        }

        List<Integer> list = new ArrayList<>();
        Map<String, Object> map = new HashMap<>();
        System.out.println("a.size:" + a.size() + ".....b.size:" + b.size());
        long s = System.currentTimeMillis();
        // for (Integer i : a) {
        // map.put(i.toString(), i);
        // }
        // System.out.println(map.size());
        // for (Integer in : b) {
        // if(map.get(in.toString())!=null){
        // list.add(in);
        // }
        // }

        // list.addAll(a);list.addAll(b);
        System.out.println("-------list:" + list.size());
        System.out.println("------------------");
        // List<Integer> list2=new ArrayList<>();
        // Set<Integer> set=new HashSet<>();
        // set.addAll(list);
        // for (Integer integer : set) {
        // list2.add(integer);
        // }
        // System.out.println("-------list2:"+list2.size());
        // list.removeAll(list2);
        // System.out.println("----------------0");
        for (Integer m : a) {
            //if (m <= 1000) {
                if (m % 3 == 0) {
                    list.add(m);
                }
            //}
        }
        long e = System.currentTimeMillis();
        System.out.println(e - s + "......." + list.size());
    }
}

五、login页面：

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>Insert title here</title>
</head>
<body>
    错误信息：
    <h4 th:text="${msg}"></h4>
    <form action="/login" method="post">
        <p>
            账号：<input type="text" name="username" value="admin" />
        </p>
        <p>
            密码：<input type="text" name="password" value="123456" />
        </p>
        <p>
            <input type="submit" value="登录" />
        </p>
    </form>
    
</body>
</html>

2017-09-01 15:39:45