shiro权限控制的简单实现
权限控制常用的有shiro、spring security,两者相比较,各有优缺点,此篇文章以shiro为例,实现系统的权限控制。
一、数据库的设计
简单的五张表,用户、角色、权限及关联表:
CREATE TABLE `sysrole` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键',
`name` varchar(255) NOT NULL,
`role` varchar(255) NOT NULL COMMENT '角色名',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COMMENT='角色表'; CREATE TABLE `sysuser` (
`id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键',
`username` varchar(250) NOT NULL,
`password` varchar(250) NOT NULL,
`salt` varchar(250) NOT NULL COMMENT '密码盐',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COMMENT='用户表'; CREATE TABLE `user_role` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) NOT NULL,
`role_id` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8 COMMENT='用户角色表'; CREATE TABLE `syspermission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(250) NOT NULL COMMENT '权限名称',
`type` int(1) NOT NULL COMMENT '权限类型,1菜单menu,2按钮button,3数据data',
`permission` varchar(250) NOT NULL COMMENT '权限表达式',
`parent_id` int(11) NOT NULL COMMENT '父级ID',
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=19 DEFAULT CHARSET=utf8 COMMENT='权限表'; CREATE TABLE `role_permission` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`role_id` int(11) NOT NULL,
`permission_id` int(11) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=35 DEFAULT CHARSET=utf8 COMMENT='角色权限表';
二、配置shiro
1.pom.xml文件中引入shiro的jar包
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency> <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency> <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.3.2</version>
</dependency> <dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-guice</artifactId>
<version>1.3.2</version>
</dependency>
2、编写shiro的配置文件
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.Map; import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.SessionListener;
import org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler;
import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn; import at.pollux.thymeleaf.shiro.dialect.ShiroDialect; @Configuration
public class ShiroConfig { private static Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>(); //缓存管理器
@Bean(name = "cacheShiroManager")
public EhCacheManager getCacheManager(){
return new EhCacheManager();
} //生命周期处理器
@Bean(name = "lifecycleBeanPostProcessor")
public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor(){
return new LifecycleBeanPostProcessor();
} //hash加密处理
@Bean(name = "hashedCredentialsMatcher")
public HashedCredentialsMatcher getHashedCredentialsMatcher(){
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName("MD5");
credentialsMatcher.setHashIterations(2);//散列的次数,比如散列两次,相当于 md5(md5(""));
credentialsMatcher.setStoredCredentialsHexEncoded(true);
return credentialsMatcher;
} //浏览器会话的cookie管理
@Bean(name = "sessionIdCookie")
public SimpleCookie getSessionIdCookie(){
SimpleCookie cookie = new SimpleCookie("sid");
cookie.setHttpOnly(true);
cookie.setMaxAge(-1);//浏览器关闭时失效此Cookie;
return cookie;
} //记住我的cookie管理
@Bean(name = "rememberMeCookie")
public SimpleCookie getRememberMeCookie(){
SimpleCookie cookie = new SimpleCookie("rememberMe");
//如果httyOnly设置为true,则客户端不会暴露给客户端脚本代码,使用HttpOnly cookie有助于减少某些类型的跨站点脚本攻击;
cookie.setHttpOnly(true);
cookie.setMaxAge(2592000);//记住我的cookie有效期30天
return cookie;
} //记住我cookie管理器
@Bean
public CookieRememberMeManager getRememberManager(){
CookieRememberMeManager meManager = new CookieRememberMeManager();
meManager.setCipherKey(Base64.decode("4AvVhmFLUs0KTA3Kprsdag=="));
meManager.setCookie(getRememberMeCookie());
return meManager;
} //session验证管理器
@Bean(name = "sessionValidationScheduler")
public ExecutorServiceSessionValidationScheduler getExecutorServiceSessionValidationScheduler(){
ExecutorServiceSessionValidationScheduler scheduler = new ExecutorServiceSessionValidationScheduler();
//设置session验证时间,15分钟一次
scheduler.setInterval(900000);
return scheduler;
} @Bean(name = "sessionManager")
public DefaultWebSessionManager getSessionManage(){ DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
sessionManager.setGlobalSessionTimeout(1800000);//过期时间30分钟
//session定期验证
sessionManager.setSessionValidationScheduler(getExecutorServiceSessionValidationScheduler());
sessionManager.setDeleteInvalidSessions(true);
//会话cookie
sessionManager.setSessionIdCookie(getSessionIdCookie());
sessionManager.setSessionIdCookieEnabled(true);
sessionManager.setSessionValidationSchedulerEnabled(true);
//session监听
LinkedList<SessionListener> list = new LinkedList<SessionListener>();
list.add(new MyShiroSessionListener());
sessionManager.setSessionListeners(list);
//session的存储
EnterpriseCacheSessionDAO cacheSessionDAO = new EnterpriseCacheSessionDAO();
sessionManager.setCacheManager(getCacheManager());
sessionManager.setSessionDAO(cacheSessionDAO);
return sessionManager;
} @Bean(name = "myRealm")
public AuthorizingRealm getShiroRealm(){
AuthorizingRealm realm = new MyShiroRealm(getCacheManager(),getHashedCredentialsMatcher());
realm.setName("my_shiro_auth_cache");
// realm.setAuthenticationCache(getCacheManager().getCache(realm.getName()));
realm.setAuthenticationTokenClass(UsernamePasswordToken.class);
realm.setCredentialsMatcher(getHashedCredentialsMatcher());
return realm;
} @Bean(name = "securityManager")
public DefaultWebSecurityManager getSecurityManager(){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
securityManager.setCacheManager(getCacheManager());
securityManager.setRealm(getShiroRealm());
securityManager.setRememberMeManager(getRememberManager());
securityManager.setSessionManager(getSessionManage());
return securityManager;
} @Bean
public MethodInvokingFactoryBean getMethodInvokingFactoryBean(){
MethodInvokingFactoryBean factoryBean = new MethodInvokingFactoryBean();
factoryBean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");
factoryBean.setArguments(new Object[]{getSecurityManager()});
return factoryBean;
} @Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator getAutoProxyCreator(){
DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
creator.setProxyTargetClass(true);
return creator;
} @Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(){
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(getSecurityManager());
return advisor;
} @Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(){
ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
factoryBean.setSecurityManager(getSecurityManager());
//设置登录页面路径
factoryBean.setLoginUrl("/login");
//设置登录成功跳转的路径,此方法有bug
// factoryBean.setSuccessUrl("/manager/hello");
//将无需拦截的方法及页面使用anon配置
filterChainDefinitionMap.put("", "anon");
//将需认证的方法及页面使用authc配置
filterChainDefinitionMap.put("", "authc");
factoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
return factoryBean;
} @Bean(name = "shiroDialect")
public ShiroDialect shiroDialect(){
return new ShiroDialect();
} }
3、自定义shiroRealm
import javax.annotation.Resource; import org.apache.log4j.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.thymeleaf.util.StringUtils; public class MyShiroRealm extends AuthorizingRealm {
//注入查询用户信息的service层
@Resource
private IAuthorityService authorityService; private Logger log = Logger.getLogger(MyShiroRealm.class);
public MyShiroRealm(CacheManager cacheManager, CredentialsMatcher matcher) {
super(cacheManager, matcher);
} //授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) { SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
SysUser user = (SysUser) principals.getPrimaryPrincipal();
for(SysRole role:user.getRoleList()){
authorizationInfo.addRole(role.getRole());
for(SysPermission p:role.getPermissions()){
authorizationInfo.addStringPermission(p.getPermission());
}
} return authorizationInfo; } //认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken user = (UsernamePasswordToken) token;
String username = user.getUsername();
String password = user.getPassword().toString();
user.isRememberMe(); if(StringUtils.isEmpty(username)){
throw new IncorrectCredentialsException("username is null");
}else if(StringUtils.isEmpty(password)){
throw new IncorrectCredentialsException("password is null");
}
//根据账户名称查询用户信息
SysUser sysUser = authorityService.findByUsername(username);
if(sysUser == null){
log.error("用户不存在"+username);
return null;
}
//密码加密策略可自定义,此处使用自定义的密码盐CredentialsSalt
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(sysUser,sysUser.getPassword(), ByteSource.Util.bytes(sysUser.getCredentialsSalt()),getName());
return authenticationInfo;
}
}
4、自定义session监听
import org.apache.log4j.Logger;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener; public class MyShiroSessionListener implements SessionListener { private Logger log = Logger.getLogger(MyShiroSessionListener.class);
@Override
public void onStart(Session session) {
log.info("----会话创建:"+session.getId());
} @Override
public void onStop(Session session) {
log.info("----会话停止:"+session.getId());
} @Override
public void onExpiration(Session session) {
log.info("----会话过期:"+session.getId());
} }
三、使用注解控制后台方法的权限
@RequiresAuthentication,认证通过可访问
@RequiresPermissions("***"),有***权限可访问
@RequiresGuest,游客即可访问
@RequiresRoles("***"),有***角色可访问
@RequiresUser("***"),是***用户可访问
四、使用shiro标签细粒度控制页面按钮及数据的权限
thyemleaf模板引入shiro标签库
<html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<shiro:guest/>
<shiro:user/>
<shiro:principal/>
<shiro:hasPermission/>
<shiro:lacksPermission/>
<shiro:hasRole/>
<shiro:lacksRole/>
<shiro:hasAnyRoles/>
<shiro:authenticated/>
<shiro:notAuthenticated/>
使用方法参考:shiro官网
shiro权限控制的简单实现的更多相关文章
- shiro权限控制入门
一:权限控制两种主要方式 粗粒度 URL 级别权限控制和细粒度方法级别权限控制 1.粗粒度 URL 级别权限控制 可以基于 Filter 实现在数据库中存放 用户.权限.访问 URL 对应关系, 当前 ...
- Spring boot后台搭建二为Shiro权限控制添加缓存
在添加权限控制后,添加方法 查看 当用户访问”获取用户信息”.”新增用户”和”删除用户”的时,后台输出打印如下信息 , Druid数据源SQL监控 为了避免频繁访问数据库获取权限信息,在Shiro中加 ...
- Spring boot后台搭建二集成Shiro权限控制
上一篇文章,实现了用户验证 查看,接下来实现下权限控制 权限控制,是管理资源访问的过程,用于对用户进行的操作授权,证明该用户是否允许进行当前操作,如访问某个链接,某个资源文件等 Apache Shir ...
- shiro权限控制配置
shiro配置流程 web.xml中配置shiro的filter spring中配置shiro的过滤器工厂,指定对不同地址权限控制 , 传入安全管理器 配置安全管理器,传入realm,realm中定义 ...
- ASP.NET MVC中权限控制的简单实现
1.重写AuthorizeAttribute类,用自己的权限控制逻辑重写AuthorizeCore方法 public class MyAuthorizeAttribute : AuthorizeAtt ...
- shiro权限控制
1.1 简介 Apache Shiro是Java的一个安全框架.目前,使用Apache Shiro的人越来越多,因为它相当简单,对比Spring Security,可能没有Spring Securi ...
- Shiro权限控制框架
Subject:主体,可以看到主体可以是任何可以与应用交互的"用户": SecurityManager:相当于SpringMVC中的DispatcherServlet或者Strut ...
- shiro权限控制(一):shiro介绍以及整合SSM框架
shiro安全框架是目前为止作为登录注册最常用的框架,因为它十分的强大简单,提供了认证.授权.加密和会话管理等功能 . shiro能做什么? 认证:验证用户的身份 授权:对用户执行访问控制:判断用户是 ...
- JFinal配合Shiro权限控制在FreeMarker模板引擎中控制到按钮粒度的使用
实现在FreeMarker模板中控制对应按钮的显示隐藏主要用到了Shiro中的hasRole, hasAnyRoles, hasPermission以及Authenticated等方法,我们可以实现T ...
随机推荐
- Windows7下设置定时启动(关闭)虚拟机
曾记否,忆当年,开启或者关闭虚拟机,度秒如年~ ⒈石头,剪刀,布,C.D.E盘随便找一个,然后在里面找个静谧的墙角, 新建一个文件:vmstart.bat 添加:"C:\Program Fi ...
- win7 64位wamp2.5无法启动MSVCR110.DLL丢失听语音
从网上下载wampserver2.5 64位的PHP集成环境,根本无法使用,说是丢失了MSVCR110.DLL,然后再网上找了一大堆资料工具都无用,比如下微软的了vcredist_x64,重新卸载安装 ...
- SQLITE3 使用总结(3~5)(转)
3 不使用回调查询数据库/ `- ^# T6 ?, F: H* m2 ~# ~上 面介绍的 sqlite3_exec 是使用回调来执行 select 操作.还有一个方法可以直接查询而不需要回调.但是, ...
- [JS]Math.random()
参考网址:http://www.soulteary.com/2014/07/05/js-math-random-trick.html [JS]Math.random()的二三事 看到题目,如果大家平时 ...
- python装饰器实现对异常代码出现进行监控
异常,不应该存在,但是我们有时候会遇到这样的情况,比如我们监控服务器的时候,每一秒去采集一次信息,那么有一秒没有采集到我们想要的信息,但是下一秒采集到了, 而后每次的采集都能采集到,就那么一次采集不到 ...
- JS获取父、兄、子节点
一.jQuery的父节点查找方法 $(selector).parent(selector):获取父节点 $(selector).parentNode:以node[]的形式存放父节点,如果没有父节点,则 ...
- Hyperledger Fabric CouchDB as the State Database
使用CouchDB作为状态数据库 状态数据库选项 状态数据库包括LevelDB和CouchDB.LevelDB是嵌入在peer进程中的默认键/值状态数据库,CouchDB是一个可选的外部状态数据库.与 ...
- [转]同一台Windows机器中启动多个Memcached服务
Memcached的安装后,如果手头上只有一台机器,又想做多节点测试咋办? 这就需要在一台机器上启动多个Memcached服务了. 假设Memcached在如下目录:C:\memcached\memc ...
- apache (order allow,deny or deny,allow)
平台:"rhel6.2" 实验内容: "测试apache‘order allow,deny’ or ‘order deny,allow’ 功能" 配置文件:&q ...
- 小打卡PRD
目标:打造一款不同于市场上的公开打卡app的产品 理念:通过监督和鼓励,和相同圈子的人一起互相鼓励.分享及监督,共同进步. 优点: 模板消息通知,网上基本通过小程序中逻辑层JS完成推送的请求,小打卡在 ...