SpringBoot使用Shiro验证登录笔记
2017-12-06 10:00
笔记:
1.使用Authentication,验证用户登录
1、Authentication:是验证用户身份的过程。
2、Authorization:是授权访问控制,用于对用户进行的操作进行授权校验,证明该用户是否允许进行当前操作,如访问某个链接、某个资源文件等。
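添加依赖(注意:本文使用的 1.2.4 是很早的版本,之后的 Shiro 版本修复了多个已公开的安全问题,其中包括 rememberMe Cookie 默认密钥带来的反序列化风险;实际项目请使用当前仍在维护的版本):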
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.4</version>
</dependency>
配置拦截器ShiroConfiguration
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.damionew.website.shiro.MyShiroRealm;
import java.util.*;
/**
* Shiro 配置
*
Apache Shiro 核心通过 Filter 来实现,就好像 Spring MVC 通过 DispatcherServlet 来主控制一样。
既然是使用 Filter 一般也就能猜到,是通过URL规则来进行过滤和权限校验,所以我们需要定义一系列关于URL的规则和访问权限。
*
*/
@Configuration
public class ShiroConfiguration {
/**
 * Builds the Shiro filter factory and registers the URL-to-filter rules.
 *
 * <p>The rules live in a {@link LinkedHashMap}, so Shiro receives them in insertion order.
 * Chains are evaluated top to bottom, which is why the catch-all {@code /**} rule is
 * added last: placing it earlier would shadow the more specific entries.
 *
 * @param securityManager the Shiro security manager the filter delegates to
 * @return the configured filter factory bean
 */
@Bean
public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager) {
    System.out.println("ShiroConfiguration.shirFilter()");

    // URL pattern -> filter name. "anon" allows anonymous access, "authc" requires a login.
    final Map<String, String> chains = new LinkedHashMap<>();
    // NOTE(review): everything under /static/ is served without authentication,
    // so only public assets should be placed there.
    chains.put("/static/**", "anon");
    // Logout is handled entirely by Shiro's built-in logout filter.
    chains.put("/logout", "logout");
    // Catch-all: every other URL requires an authenticated subject. Must stay last.
    chains.put("/**", "authc");

    final ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
    factory.setSecurityManager(securityManager);
    // Without an explicit login URL Shiro falls back to "/login.jsp" in the web root;
    // here the login page is rendered by a controller instead.
    factory.setLoginUrl("/login");
    // Where to go after a successful login.
    factory.setSuccessUrl("/menu/index");
    // Page shown when an authenticated user lacks the required permission.
    factory.setUnauthorizedUrl("/403");
    factory.setFilterChainDefinitionMap(chains);
    return factory;
}
/**
 * Registers the custom realm as a Spring bean.
 *
 * @return a new {@code MyShiroRealm} instance
 */
@Bean
public MyShiroRealm myShiroRealm() {
    final MyShiroRealm realm = new MyShiroRealm();
    System.out.println("myShiroRealm");
    return realm;
}
/**
 * Creates the web security manager and attaches the custom realm to it.
 *
 * @return the security manager used by the Shiro filter
 */
@Bean
public SecurityManager securityManager() {
    final DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    // The realm is the only authentication source configured in this class.
    manager.setRealm(myShiroRealm());
    return manager;
}
}
MyShiroRealm
/**
* @Author yinyunqi
* @date 2017/12/6
* @Content shiro登录验证
*/
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.util.StringUtils;
import com.damionew.website.model.back.Member;
import com.damionew.website.service.back.MemberService;
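/**
 * Shiro realm that authenticates members through {@code MemberService}.
 *
 * <p>Only the login check is implemented; no roles or permissions are supplied yet.
 */
public class MyShiroRealm extends AuthorizingRealm {

    @Autowired
    MemberService memberService;

    /**
     * Authorization lookup; not needed for the login flow yet.
     *
     * @param principals identity of the subject being checked
     * @return always {@code null} for now, so no roles or permissions are provided
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("doGetAuthorizationInfo");
        return null;
    }

    /**
     * Looks up the account named in the token and returns its stored password, so that
     * Shiro can compare it with the password submitted in the token.
     *
     * @param authcToken the login token built from the submitted form
     * @return the authentication info for the account, or {@code null} when the account is
     *         missing, unknown or has no stored password (Shiro reports a {@code null}
     *         result as an unknown account)
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected org.apache.shiro.authc.AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        // Account name submitted through the login form.
        String account = (String) authcToken.getPrincipal();
        if (account == null || account.isEmpty()) {
            // Nothing to look up; skip the database query.
            return null;
        }

        // select password from member where account=#{account}
        Member member = memberService.findMemberByAccount(account);
        if (member == null) {
            return null;
        }
        System.out.println("memberPassword不为空");
        if (member.getPassword() == null) {
            return null;
        }

        // The comparison itself is left to Shiro. The three arguments are the principal,
        // the stored credentials and the realm name.
        // NOTE(review): no credentials matcher is configured in the visible code, so this only
        // works if the database holds the password exactly as the user types it (unhashed).
        // Store a salted hash instead and configure a hashing matcher on the realm
        // (e.g. HashedCredentialsMatcher or PasswordMatcher).
        // NOTE(review): the whole Member, password field included, becomes the principal that
        // travels with the subject; consider using only the account name or id.
        return new SimpleAuthenticationInfo(member, member.getPassword(), getName());
    }
}
HomeController登录控制器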
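import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Renders the login page and translates a failed Shiro login into a user-facing message.
 */
@Controller
public class HomeController {

    /**
     * Single message for both "unknown account" and "wrong password", so the page does not
     * reveal which accounts exist.
     */
    private static final String BAD_CREDENTIALS_MSG = "错误信息:账号或密码不正确";

    /**
     * Handles {@code /login}: reads the failure recorded by Shiro, if any, and exposes a
     * message to the view as the {@code msg} model attribute.
     *
     * @param request current request; the {@code shiroLoginFailure} attribute holds the
     *                fully-qualified class name of the exception raised during login
     * @param model   view model that receives {@code msg}
     * @return the login view name
     * @throws Exception kept for compatibility with the existing signature
     */
    @RequestMapping("/login")
    public String homeLogin(HttpServletRequest request, Model model) throws Exception {
        String exception = (String) request.getAttribute("shiroLoginFailure");
        String msg = "";
        if (exception != null) {
            if (UnknownAccountException.class.getName().equals(exception)) {
                // The precise reason goes to the server log only.
                System.out.println("UnknownAccountException-->账号不存在:");
                msg = BAD_CREDENTIALS_MSG;
            } else if (IncorrectCredentialsException.class.getName().equals(exception)) {
                System.out.println("IncorrectCredentialsException-->密码不正确:");
                msg = BAD_CREDENTIALS_MSG;
            } else if ("kaptchaValidateFailed".equals(exception)) {
                System.out.println("kaptchaValidateFailed-->验证码错误");
                msg = "错误信息:验证码错误";
            } else {
                // Log the unexpected failure, but do not echo internal class names to the page.
                System.out.println("else --> " + exception);
                msg = "错误信息:登录失败";
            }
        }
        model.addAttribute("msg", msg);
        return "/login";
    }
}
login.html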
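<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>后台登录</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport" />
    <!-- NOTE(review): this script comes from a third-party CDN via a protocol-relative URL
         with no integrity attribute, and nothing on this page uses it. On a login page,
         prefer a self-hosted copy or add Subresource Integrity, or drop it. -->
    <script type="text/javascript" src="//cdn.bootcss.com/jquery/2.2.4/jquery.min.js"></script>
</head>
<body class="hold-transition skin-blue fixed sidebar-mini">
<h4 th:text="${msg}"></h4>
<!-- The empty action posts back to the current URL (/login). The field names
     username/password are the defaults read by Shiro's form authentication filter. -->
<form action="" method="post">
    <p>账号:<input type="text" name="username" /></p>
    <!-- type="password" keeps the typed password masked on screen. -->
    <p>密码:<input type="password" name="password" /></p>
    <p><input type="submit" value="登录"/></p>
</form>
</body>
</html>
至于Service,Dao等就不记录了,SpringBoot做到Shiro想必对这些已经很熟悉了,只是注意Service返回的是Member对象就好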