
SpringBoot使用Shiro验证登录笔记

2017-12-06 10:00 676 查看
笔记:

1.使用Authentication,验证用户登录

1、Authentication:是验证用户身份的过程。

2、Authorization:是授权(访问控制),用于对已通过身份验证的用户所进行的操作做权限校验,判断该用户是否被允许执行当前操作,如访问某个链接、某个资源文件等。

添加依赖(注意:示例中使用的 1.2.4 是较早的 Shiro 版本,已有公开的安全公告;实际项目请改用官方仍在维护的最新版本,并保持这四个模块的版本号一致):

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.4</version>
</dependency>

配置拦截器ShiroConfiguration

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.damionew.website.shiro.MyShiroRealm;

import java.util.*;

/**
 * Shiro configuration.
 *
 * <p>Apache Shiro's web support is driven by a servlet filter, much as Spring MVC is driven by
 * its DispatcherServlet. Filtering and permission checks are therefore expressed as URL
 * patterns, so this class declares the URL rules and the access each of them requires.
 */
@Configuration
public class ShiroConfiguration {

    /**
     * Builds the Shiro filter factory: attaches the security manager, sets the login,
     * post-login and unauthorized URLs, and registers the URL filter chains.
     *
     * @param securityManager the Shiro security manager the filter delegates to
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
        System.out.println("ShiroConfiguration.shirFilter()");
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        // The imported SecurityManager is already Shiro's type, so no cast is needed.
        factory.setSecurityManager(securityManager);

        // Without an explicit login URL Shiro looks for "/login.jsp" in the web root;
        // here the login page is served through a controller instead.
        factory.setLoginUrl("/login");
        // Where the user is sent after a successful login.
        factory.setSuccessUrl("/menu/index");
        // Page shown when the user is authenticated but not authorized.
        factory.setUnauthorizedUrl("/403");

        // Chains are evaluated top to bottom, so insertion order matters: the catch-all
        // "/**" rule has to stay last or the more specific rules above it never apply.
        Map<String, String> chains = new LinkedHashMap<String, String>();
        // anon: reachable without logging in.
        chains.put("/static/**", "anon");
        // logout: Shiro's built-in logout filter does the actual work.
        chains.put("/logout", "logout");
        // authc: every remaining URL requires an authenticated user.
        chains.put("/**", "authc");
        factory.setFilterChainDefinitionMap(chains);
        return factory;
    }

    /**
     * Creates the custom realm used for login checks.
     *
     * <p>NOTE(review): no CredentialsMatcher is set on the realm here, so Shiro's default
     * matcher applies, which compares the submitted password with the stored one directly.
     * That only works when passwords are stored unhashed; storing salted hashes and setting a
     * matching hashed CredentialsMatcher on this bean is the safer set-up.
     *
     * @return the realm instance
     */
    @Bean
    public MyShiroRealm myShiroRealm() {
        MyShiroRealm realm = new MyShiroRealm();
        System.out.println("myShiroRealm");
        return realm;
    }

    /**
     * Creates the web security manager and registers the custom realm with it.
     *
     * <p>NOTE(review): DefaultWebSecurityManager enables a cookie-based remember-me manager by
     * default. The Shiro 1.2.4 release pinned in this tutorial's dependencies has a publicly
     * documented weakness in that default (a built-in cipher key). Upgrade Shiro, or at least
     * set a private cipher key or disable remember-me; confirm against the advisories for the
     * release actually in use.
     *
     * @return the security manager backed by {@link MyShiroRealm}
     */
    @Bean
    public SecurityManager securityManager() {
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(myShiroRealm());
        return manager;
    }
}

MyShiroRealm

/**
* @Author yinyunqi
* @date 2017/12/6
* @Content shiro登录验证
*/
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import com.damionew.website.model.back.Member;
import com.damionew.website.service.back.MemberService;

public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    MemberService memberService;

    /**
     * Authorization hook. Not used yet: only login is implemented so far.
     *
     * @param principals identity of the subject being authorized
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("doGetAuthorizationInfo");
        return null;
    }

    /**
     * Login check: looks up the member for the submitted account name and hands the stored
     * password to Shiro, which compares it with the password carried by the token.
     *
     * <p>NOTE(review): the stored password is passed on as-is and no CredentialsMatcher is
     * configured in the visible code, so Shiro's default direct comparison applies. That
     * implies the database holds the password unhashed; prefer salted hashes together with a
     * matching hashed CredentialsMatcher.
     *
     * @param authcToken the token built from the login form
     * @return the account data for Shiro to verify, or {@code null} when no member matches the
     *     account or the member has no password (Shiro treats {@code null} as "no account")
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        // Account name submitted through the login form.
        String account = (String) authcToken.getPrincipal();
        // Corresponds to: select password from member where account=#{account}
        Member member = memberService.findMemberByAccount(account);
        if (member == null) {
            return null;
        }
        System.out.println("memberPassword不为空");
        if (member.getPassword() == null) {
            return null;
        }
        // Arguments: the Member as principal, the password read from the database, and this
        // realm's name. The account already matches because it was the lookup key; what Shiro
        // still compares is the stored password against the one in the token.
        return new SimpleAuthenticationInfo(member, member.getPassword(), getName());
    }
}
HomeController登录控制器
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

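@Controller
public class HomeController {

    /**
     * Shown for both an unknown account and a wrong password, so the login page does not
     * reveal which account names exist.
     */
    private static final String BAD_CREDENTIALS_MSG = "错误信息:账号或密码不正确";

    /**
     * Renders the login page and, after a failed login, translates the failure recorded by
     * Shiro into a message for the view.
     *
     * <p>The precise failure reason is only logged. The page gets the same message for an
     * unknown account and a wrong password, and a generic message for any other failure, so
     * neither account existence nor internal exception class names reach the browser.
     *
     * @param request current request; Shiro stores the failure under "shiroLoginFailure"
     * @param model view model that receives the "msg" attribute
     * @return the login view name
     * @throws Exception kept from the original signature
     */
    @RequestMapping("/login")
    public String homeLogin(HttpServletRequest request, Model model) throws Exception {
        // After a failed login the attribute holds the fully-qualified class name of the
        // exception Shiro raised (or a marker string such as "kaptchaValidateFailed").
        String exception = (String) request.getAttribute("shiroLoginFailure");
        String msg = "";
        if (exception != null) {
            if (UnknownAccountException.class.getName().equals(exception)) {
                System.out.println("UnknownAccountException-->账号不存在:");
                msg = BAD_CREDENTIALS_MSG;
            } else if (IncorrectCredentialsException.class.getName().equals(exception)) {
                System.out.println("IncorrectCredentialsException-->密码不正确:");
                msg = BAD_CREDENTIALS_MSG;
            } else if ("kaptchaValidateFailed".equals(exception)) {
                System.out.println("kaptchaValidateFailed-->验证码错误");
                msg = "错误信息:验证码错误";
            } else {
                // Keep the detail in the log only; the raw class name is not shown to users.
                System.out.println("else --> " + exception);
                msg = "错误信息:登录失败";
            }
        }
        model.addAttribute("msg", msg);
        return "/login";
    }
}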
login.html
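<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>后台登录</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport" />
    <!-- NOTE(review): this script comes from a third-party CDN over a protocol-relative URL, has no integrity attribute, and nothing on this page uses it. Self-host it, add Subresource Integrity, or remove it. -->
    <script type="text/javascript" src="//cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>
</head>
<body class="hold-transition skin-blue fixed sidebar-mini">
    <!-- Login error message from the controller; th:text writes it HTML-escaped. -->
    <h4 th:text="${msg}"></h4>
    <!-- Empty action posts back to the current URL, where Shiro reads username and password. -->
    <form action="" method="post">
        <p>账号:<input type="text" name="username" /></p>
        <!-- type="password" masks the input on screen (the original used type="text"). -->
        <p>密码:<input type="password" name="password" /></p>
        <p><input type="submit" value="登录"/></p>
    </form>
</body>
</html>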
至于Service,Dao等就不记录了,SpringBoot做到Shiro想必对这些已经很熟悉了,只是注意Service返回的是Member对象就好