SpringCloud Alibaba(八) - Durid,SpringSecurity,Shiro

农妇山泉一亩田 · 2022-12-3 21:37:48

1、Durid

1.1 简介

Java程序很大一部分要操作数据库，为了提高性能操作数据库的时候，又不得不使用数据库连接池。
Druid 是阿里巴巴开源平台上一个数据库连接池实现，结合了 C3P0、DBCP 等 DB 池的优点，同时加入了日志监控。
Druid 可以很好的监控 DB 池连接和 SQL 的执行情况，天生就是针对监控而生的 DB 连接池。
Druid已经在阿里巴巴部署了超过600个应用，经过一年多生产环境大规模部署的严苛考验。
Spring Boot 2.0 以上默认使用 Hikari 数据源，可以说 Hikari 与 Driud 都是当前 Java Web 上最优秀的数据源，我们来重点介绍 Spring Boot 如何集成 Druid 数据源，如何实现数据库监控。
Github地址：https://github.com/alibaba/druid/

1.2 依赖

<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.2.8</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>

复制代码

1.3 配置

1.3.1 application.yml

# 端口
server:
port: 9603
# 服务名
spring:
application:
name: kgcmall96-user
# 数据源配置
datasource:
driver-class-name: com.mysql.cj.jdbc.Driver
url: jdbc:mysql://localhost:3306/kh96_alibaba_kgcmalldb?useUnicode=true&characterEncoding=utf-8&useSSL=false&serverTimezone=GMT
username: root
password: root
#2、切换数据源；之前已经说过 Spring Boot 2.0 以上默认使用 com.zaxxer.hikari.HikariDataSource 数据源，但可以通过 spring.datasource.type 指定数据源。
# 指定数据源类型
type: com.alibaba.druid.pool.DruidDataSource
# 数据源其他配置
# 初始化时建立物理连接的个数。初始化发生在显示调用init方法，或者第一次getConnection时
initialSize: 5
# 最小连接池数量
minIdle: 5
# 最大连接池数量
maxActive: 20
# 获取连接时最大等待时间，单位毫秒。
maxWait: 60000
# 配置间隔多久才进行一次检测，检测需要关闭的空闲连接，单位是毫秒
timeBetweenEvictionRunsMillis: 60000
# 配置一个连接在池中最小生存的时间，单位是毫秒
minEvictableIdleTimeMillis: 300000
# 用来检测连接是否有效的sql，要求是一个查询语句。如果validationQuery为null，testOnBorrow、testOnReturn、testWhileIdle都不会其作用。
validationQuery: SELECT 1 FROM DUAL
# 建议配置为true，不影响性能，并且保证安全性。申请连接的时候检测，如果空闲时间大于timeBetweenEvictionRunsMillis，执行validationQuery检测连接是否有效
testWhileIdle: true
# 申请连接时执行validationQuery检测连接是否有效，做了这个配置会降低性能。
testOnBorrow: false
# 归还连接时执行validationQuery检测连接是否有效，做了这个配置会降低性能
testOnReturn: false
# 是否缓存preparedStatement，也就是PSCache。PSCache对支持游标的数据库性能提升巨大，比如说oracle。在mysql下建议关闭
poolPreparedStatements: false
maxPoolPreparedStatementPerConnectionSize: 20
# 合并多个DruidDataSource的监控数据
useGlobalDataSourceStat: true
# 配置监控统计拦截的filters，去掉后监控界面sql无法统计
# 属性性类型是字符串，通过别名的方式配置扩展插件，常用的插件有：监控统计用的filter:stat日志用的filter:log4j防御sql注入的filter:wall
filters: stat,wall,log4j
# 通过connectProperties属性来打开mergeSql功能；慢SQL记录
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
# jpa配置
jpa:
hibernate:
ddl-auto: update
show-sql: true

复制代码

1.3.2 log4j.properties

在网上随便搜的一个；

log4j.rootLogger=DEBUG, stdout
# Console output...
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] - %m%n

复制代码

1.4 Druid数据源配置类

/**
* @author : huayu
* @date : 29/11/2022
* @param :
* @return :
* @description : Druid数据源配置类
*/
@Configuration
public class DruidConfig {
@Bean
@ConfigurationProperties(prefix = "spring.datasource")
public DataSource dataSource() {
return new DruidDataSource();
}
/**
* 配置后台管理
*/
@Bean
public ServletRegistrationBean statViewServlet() {
ServletRegistrationBean bean = new ServletRegistrationBean(new StatViewServlet(), "/druid/*");
// 初始化参数
Map<String, String> initParams = new HashMap<>();
initParams.put("loginUsername", "admin");
initParams.put("loginPassword", "123456");
// 是否允许访问
initParams.put("allow", "");
bean.setInitParameters(initParams);
return bean;
}
/**
* 配置web监控的过滤器
*/
@Bean
public FilterRegistrationBean webStatFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setFilter(new WebStatFilter());
// 初始化参数
Map<String, String> initParams = new HashMap<>();
// 排除过滤，静态文件等
initParams.put("exclusions", "*.css,*.js,/druid/*");
bean.setInitParameters(initParams);
bean.setUrlPatterns(Arrays.asList("/*"));
return bean;
}
}

复制代码

1.5 测试

测试代码不在赘述，就简单写一个测试请求就好；
1.5.1 登录

1.5.2 测试请求

2、SpringSecurity

2.0 认识SpringSecurity

Spring Security 是针对Spring项目的安全框架，也是Spring Boot底层安全模块默认的技术选型，他可以实现强大的Web安全控制，对于安全控制，我们仅需要引入 spring-boot-starter-security 模块，进行少量的配置，即可实现强大的安全管理！
记住几个类：

WebSecurityConfigurerAdapter：自定义Security策略
AuthenticationManagerBuilder：自定义认证策略
@EnableWebSecurity：开启WebSecurity模式

Spring Security的两个主要目标是 “认证” 和 “授权”（访问控制）。
“认证”（Authentication）
身份验证是关于验证您的凭据，如用户名/用户ID和密码，以验证您的身份。
身份验证通常通过用户名和密码完成，有时与身份验证因素结合使用。
“授权” （Authorization）
授权发生在系统成功验证您的身份后，最终会授予您访问资源（如信息，文件，数据库，资金，位置，几乎任何内容）的完全权限。
这个概念是通用的，而不是只在Spring Security 中存在。
2.1 项目介绍

2.1 依赖

<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-thymeleaf</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity5</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>

复制代码

2.2 application.yml

# 关闭模板缓存
spring:
thymeleaf:
cache: false

复制代码

2.3 html

2.3.1 1.html

创建这几个文件；

1.html（这几个html的代码都是一样的）

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<title>首页</title>
<link href="https://cdn.bootcss.com/semantic-ui/2.4.1/semantic.min.css" rel="stylesheet">
<link th:href="@{/qinjiang/css/qinstyle.css}" rel="stylesheet">
</head>
<body>
<h3>Level-1-1</h3>
</body>
</html>

复制代码

2.3.2 login.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<title>登录</title>
<link href="https://cdn.bootcss.com/semantic-ui/2.4.1/semantic.min.css" rel="stylesheet">
</head>
<body>
<h1 >登录</h1>
<form th:action="@{/login}" method="post">
<label>Username</label>
<input type="text" placeholder="Username" name="username">
<i ></i>
<label>Password</label>
<input type="password" name="password">
<i ></i>
<input type="checkbox" name="remember"> 记住我
<input type="submit" />
</form>
</i>注册
<br><br>
<small>blog.kuangstudy.com</small>
<h3>Spring Security Study by 秦疆</h3>
</body>
</html>

复制代码

2.3.3 index.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org"
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity5">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<title>首页</title>
<link href="https://cdn.bootcss.com/semantic-ui/2.4.1/semantic.min.css" rel="stylesheet">
<link th:href="@{/qinjiang/css/qinstyle.css}" rel="stylesheet">
</head>
<body>
<a th:target="_blank" href="https://www.cnblogs.com/@{/index}">首页</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/toLogin}">
<i ></i> 登录
</a>
<a >
用户名：
角色：
</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/logout}">
<i ></i> 注销
</a>
<h3>Spring Security Study by 秦疆</h3>
<br>
<h5 >Level 1</h5>
<hr>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level1/1}"><i ></i> Level-1-1</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level1/2}"><i ></i> Level-1-2</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level1/3}"><i ></i> Level-1-3</a>
<h5 >Level 2</h5>
<hr>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level2/1}"><i ></i> Level-2-1</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level2/2}"><i ></i> Level-2-2</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level2/3}"><i ></i> Level-2-3</a>
<h5 >Level 3</h5>
<hr>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level3/1}"><i ></i> Level-3-1</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level3/2}"><i ></i> Level-3-2</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/level3/3}"><i ></i> Level-3-3</a>
</body>
</html>

复制代码

2.4 RouterController

@Controller
public class RouterController {
//首页
@RequestMapping({"/","/index"})
public String index(){
return "index";
}
//登录
@RequestMapping("/toLogin")
public String toLogin(){
return "views/login";
}
//level1 权限才可以访问
@RequestMapping("/level1/{id}")
public String leave1(@PathVariable("id") int id){
return "views/level1/"+id;
}
//level2 权限才可以访问
@RequestMapping("/level2/{id}")
public String leave2(@PathVariable("id") int id){
return "views/level2/"+id;
}
//level3 权限才可以访问
@RequestMapping("/level3/{id}")
public String leave3(@PathVariable("id") int id){
return "views/level3/"+id;
}
}

复制代码

2.5 SecurityConfig

//AOP : 拦截器
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
//授权
@Override
protected void configure(HttpSecurity http) throws Exception {
//首页所有人可以访问，功能页只有对应权限的人才能访问
//请求授权的规则
http.authorizeRequests()
.antMatchers("/").permitAll() //所有的人可以访问
.antMatchers("/level1/**").hasRole("vip1") //有相对的权限才可以访问
.antMatchers("/level2/**").hasRole("vip2")
.antMatchers("/level3/**").hasRole("vip3");
//没有权限默认会到登录页面
// /login
http.formLogin()
.loginPage("/toLogin") //走的登录页面
.usernameParameter("username").passwordParameter("password") //默认的帮我们写的登录验真参数为username,password,通过这个可以改变参数名字，例如user,pwd
.loginProcessingUrl("/login"); //真正的登录页面
//防止网站工具： get post
http.csrf().disable(); //关闭csrf功能防止攻击登录失败可能存在的原因
//注销，开启了注销功能,跳到首页
http.logout()
.deleteCookies("remove") //移除cookies
.invalidateHttpSession(true) //清除session
.logoutSuccessUrl("/");
//开启记住我功能
http.rememberMe() //默认保存两周 //这些直接开启的都是自动配置里面的那个登录页面，只需要开启就可以；
.rememberMeParameter("remember"); //自定义接收前端的参数 //这些需要自定义参数的都是我们自己写的登录页面
}
//认证， springboot 2.1.x可以使用
//密码编码： PasswowrdEncoder 报错：密码前面直接加{noop}，就可以了 password("{noop}123456")
//在Spring Secutiry 5.0+ 新增了很多的加密方法
//定义认证规则
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//这些数据正常应该从数据库中读
auth
// .jdbcAuthentication() //从数据库中读数据
.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
.withUser("kuangshen").password(new BCryptPasswordEncoder().encode("123456")).roles("vip2","vip3")
.and()
.withUser("root").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1","vip2","vip3")
.and()
.withUser("guest").password(new BCryptPasswordEncoder().encode("123456")).roles("vip1");
}
}

复制代码

2.6 测试

2.6.1 不同权限的用户登录

2.6.1.1 只有 vip1 权限

登录：guest 用户

登录成功：

2.6.1.2 只有 vip1， vip2 权限

登录：kuangshen 用户

登陆成功：

2.6.1.3 只有 vip1， vip2， vip3 权限

登录：root 用户

登陆成功

2.6.2 记住我

2.6.2.1 登录

2.6.2.2 登录成功

2.6.2.3 关闭浏览器，重新访问 http://localhost:8080/

登录成功

检查Cookie

参考博客地址：https://mp.weixin.qq.com/s/FLdC-24_pP8l5D-i7kEwcg
视频地址：https://www.bilibili.com/video/BV1PE411i7CV/?p=34
3、Shiro

3.1 helloShiro快速开始

3.1.1 依赖

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.21</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.21</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>

复制代码

3.1.2 log4j.properties

log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m %n
# General Apache libraries
log4j.logger.org.apache=WARN
# Spring
log4j.logger.org.springframework=WARN
# Default Shiro logging
log4j.logger.org.apache.shiro=INFO
# Disable verbose logging
log4j.logger.org.apache.shiro.util.ThreadContext=WARN
log4j.logger.org.apache.shiro.cache.ehcache.EhCache=WARN

复制代码

3.1.3 shiro.ini

[users]
# user 'root' with password 'secret' and the 'admin' role
root = secret, admin
# user 'guest' with the password 'guest' and the 'guest' role
guest = guest, guest
# user 'presidentskroob' with password '12345' ("That's the same combination on
# my luggage!!!" ;)), and role 'president'
presidentskroob = 12345, president
# user 'darkhelmet' with password 'ludicrousspeed' and roles 'darklord' and 'schwartz'
darkhelmet = ludicrousspeed, darklord, schwartz
# user 'lonestarr' with password 'vespa' and roles 'goodguy' and 'schwartz'
lonestarr = vespa, goodguy, schwartz
# -----------------------------------------------------------------------------
# Roles with assigned permissions
#
# Each line conforms to the format defined in the
# org.apache.shiro.realm.text.TextConfigurationRealm#setRoleDefinitions JavaDoc
# -----------------------------------------------------------------------------
[roles]
# 'admin' role has all permissions, indicated by the wildcard '*'
admin = *
# The 'schwartz' role can do anything (*) with any lightsaber:
schwartz = lightsaber:*
# The 'goodguy' role is allowed to 'drive' (action) the winnebago (type) with
# license plate 'eagle5' (instance specific id)
goodguy = winnebago:drive:eagle5

复制代码

3.1.4 Quickstart

/**
* Simple Quickstart application showing how to use Shiro's API.
*
* @since 0.9 RC2
*/
public class Quickstart {
private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class);
public static void main(String[] args) {
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
// Now that a simple Shiro environment is set up, let's see what you can do:
// get the currently executing user:
//获取当前的用户对象 Subject
Subject currentUser = SecurityUtils.getSubject();
// Do some stuff with a Session (no need for a web or EJB container!!!)
//通过当前用户拿到session
Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");
String value = (String) session.getAttribute("someKey");
if (value.equals("aValue")) {
log.info("Retrieved the correct value! [" + value + "]");
}
//判断当前用户是否被认证
//Token:没有获取,直接设置令牌
if (!currentUser.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
token.setRememberMe(true);//设置记住我
try {
currentUser.login(token);//执行登录操作
} catch (UnknownAccountException uae) {
log.info("There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
log.info("Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
log.info("The account for username " + token.getPrincipal() + " is locked. " +
"Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
//unexpected condition? error?
}
}
//say who they are:
//print their identifying principal (in this case, a username):
log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
//test a role:
if (currentUser.hasRole("schwartz")) {
log.info("May the Schwartz be with you!");
} else {
log.info("Hello, mere mortal.");
}
//粗粒度
//test a typed permission (not instance-level)
if (currentUser.isPermitted("lightsaber:wield")) {
log.info("You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
//细粒度
//a (very powerful) Instance Level permission:
if (currentUser.isPermitted("winnebago:drive:eagle5")) {
log.info("You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " +
"Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
}
//注销
//all done - log out!
currentUser.logout();
//结束
System.exit(0);
}
}

复制代码

3.1.5 测试

3.2 整合SpringBoot,MyBatis,Thymeleaf

3.2.1 依赖

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.7.1</version>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.21</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.21</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>2.1.4</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.22</version>
</dependency>
<dependency>
<groupId>org.thymeleaf</groupId>
<artifactId>thymeleaf-spring5</artifactId>
<version>3.0.11.RELEASE</version>
</dependency>
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-java8time</artifactId>
<version>3.0.4.RELEASE</version>
</dependency>
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>2.0.0</version>
</dependency>

复制代码

3.2.2 application.yml

spring:
datasource:
username: root
password: 17585273765
url: jdbc:mysql://localhost:3306/mybatis?serverTimezone=GMT&useUnicode=true&characterEncoding=utf-8
driver-class-name: com.mysql.cj.jdbc.Driver
type: com.alibaba.druid.pool.DruidDataSource
#Spring Boot 默认是不注入这些属性值的，需要自己绑定
#druid 数据源专有配置
initialSize: 5
minIdle: 5
maxActive: 20
maxWait: 60000
timeBetweenEvictionRunsMillis: 60000
minEvictableIdleTimeMillis: 300000
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
poolPreparedStatements: true
#配置监控统计拦截的filters，stat:监控统计、log4j：日志记录、wall：防御sql注入
#如果允许时报错 java.lang.ClassNotFoundException: org.apache.log4j.Priority
#则导入 log4j 依赖即可，Maven 地址：https://mvnrepository.com/artifact/log4j/log4j
filters: stat,wall,log4j
maxPoolPreparedStatementPerConnectionSize: 20
useGlobalDataSourceStat: true
connectionProperties: druid.stat.mergeSql=true;druid.stat.slowSqlMillis=500
thymeleaf:
cache: false

复制代码

3.2.3 静态资源

3.2.3.1 login.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.themeleaf.org">
<head>
<meta charset="UTF-8">
<title>登录页面</title>
</head>
<body>
<h1>登录</h1>
<p th:text="${msg}" ></p>
<form th:action="@{/login}">
<p>用户名： <input type="text" name="username"></p>
<p>密码： <input type="text" name="password"></p>
<p><input type="submit"></p>
</form>
</body>
</html>

复制代码

3.2.3.2 index.html

<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.themeleaf.org"
xmlns:shiro="http://www.thymeleaf.org/thymeleaf-extras-shiro" >
<head>
<meta charset="UTF-8">
<title>首页</title>
</head>
<body>
<h1>首页</h1>
<p th:if="${session.loginUser} == null" >
<a th:target="_blank" href="https://www.cnblogs.com/@{/toLogin}">登录</a>
</p>
<p th:text="${msg}"></p>
<hr>
<a th:target="_blank" href="https://www.cnblogs.com/@{/user/add}">add</a>
<a th:target="_blank" href="https://www.cnblogs.com/@{/user/update}">update</a>
</body>
</html>

复制代码

3.2.3.3 add.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>添加页面</title>
</head>
<body>
<h1>add</h1>
</body>
</html>

复制代码

3.2.3.4 update.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>修改页面</title>
</head>
<body>
<h1>update</h1>
</body>
</html>

复制代码

3.2.4 根据用户名和密码查询用户信息

3.2.5 shiro配置信息

3.2.5.1 UserRealm 认证

//自定义的 UserRealm extends AuthorizingRealm
public class UserRealm extends AuthorizingRealm {
@Autowired
UserService userService;
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("执行了=>授权doGetAuthorizationInfo");
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//info.addStringPermission("user:add"); //给用户添加add权限
//拿到当前登录的这个对象
Subject subject = SecurityUtils.getSubject();
User currentUser = (User)subject.getPrincipal(); //Shiro取出当前对象拿到user对象
//设置当前用户的权限
info.addStringPermission(currentUser.getPerms());
return info;
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("执行了=>认证doGetAuthenticationInfo");
//用户名密码模拟数据库中取
// String name = "root";
// String password = "123456";
UsernamePasswordToken userToken = (UsernamePasswordToken)token;
//连接真实数据库
User user = userService.queryUserByName(userToken.getUsername());
//模拟判断
/* if (!userToken.getUsername().equals(name)){
return null; //抛出异常 UnknownAccountException
}
//密码认证 shiro
return new SimpleAuthenticationInfo("",user.password,"");
*/
//数据库判断
if(user == null){ //没有这个人
return null;
}
//获取session对象，保存user对象
Subject currentSubject = SecurityUtils.getSubject();
Session session = currentSubject.getSession();
session.setAttribute("loginUser",user);
//可以加密：md5 md5盐值加密
//密码认证 shiro
//第一个参数user是为了传递参数
return new SimpleAuthenticationInfo(user,user.getPwd(),"");
}
}

复制代码

3.2.5.2 ShiroConfig 授权

@Configuration
public class ShiroConfig {
//ShiroFilterFactoryBean 工厂对象第三步
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("defaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager){
ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
//设置安全管理器
bean.setSecurityManager(defaultWebSecurityManager);
//添加shiro的内置过滤器
/*
anon: 无需认证就可以访问
authc: 必须认证；才能访问
user: 必须拥有某个资源的权限才能访问
role: 拥有某个角色权限才能访问
*/
//拦截
Map<String, String> filterMap = new LinkedHashMap<>();
//拦截路径
// filterMap.put("/user/add","authc");
// filterMap.put("/user/update","authc");
//授权，正常情况下，没有授权会跳到未授权页面
filterMap.put("/user/add","perms[user:add]"); //有add权限的user才可以访问/user/add
filterMap.put("/user/update","perms[user:update]");
bean.setFilterChainDefinitionMap(filterMap);
bean.setLoginUrl("/toLogin"); //设置登录的请求
//未授权页面
bean.setUnauthorizedUrl("/noauth");
return bean;
}
//DefaultWebSecurityManger 安全对象第二步
@Bean("defaultWebSecurityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager(@Qualifier("userRealm") UserRealm userRealm){
DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
//关联 userRealm
securityManager.setRealm(userRealm);
return securityManager;
}
//创建 realm 对象，需要自定义类第一步
@Bean(name = "userRealm")
public UserRealm userRealm(){
return new UserRealm();
}
//整合ShiroDialect：用来整合 Shiro
@Bean
public ShiroDialect getShiroDialect(){
return new ShiroDialect();
}
}

复制代码

3.2.6 控制层

@Controller
public class MyController {
//index
@GetMapping({"/","/index"})
public String toIndex(Model model){
model.addAttribute("msg","hello,shiro");
return "index";
}
//add
@RequestMapping("/user/add")
public String add(){
return "user/add";
}
//update
@RequestMapping("/user/update")
public String update(){
return "user/update";
}
//去登录
@RequestMapping("/toLogin")
public String toLogin(){
return "login";
}
//登录
@RequestMapping("/login")
public String login( String username, String password,Model model){
//获取当前的用户
Subject subject = SecurityUtils.getSubject();
//封装用户的登陆数据
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
try {
subject.login(token); //执行登陆方法，如果没有异常就说明Ok
return "index"; //登录成功，返回首页
}catch (UnknownAccountException e){ //用户名bu存在
model.addAttribute("msg","用户名错误");
return "login";
}catch (IncorrectCredentialsException e){ //密码不存在
model.addAttribute("msg","密码错误");
return "login";
}
}
//未授权
@RequestMapping("/noauth")
@ResponseBody
public String unauthorized(){
return "未经授权无法访问此页面！！！";
}
}

复制代码

3.2.7 测试

3.2.7.1 没有权限

3.2.7.2 add 权限

3.2.7.3 update 权限

3.2.7.4 add + update 权限

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

		自动登录	找回密码
密码			立即注册

SpringCloud Alibaba(八) - Durid,SpringSecurity,Shiro

本帖子中包含更多资源

0 个回复

快速回复

楼主热帖

标签云