Spring Boot整合Shiro搭建权限管理系统.doc

Spring Boot整合Shiro搭建权限管理系统一、 Spring Boot入门1. 新建一个maven工程2. 修改pom.xml文件,添加spring boot父工程org.springframework.bootspring-boot-starter-parent1.5.4.RELEASE3. 修改默认编译的jdk版本1.84. 添加spring boot启动器(web支持)org.springframework.bootspring-boot-starter-web完整的pom.xml文件如下:4.0.0com.hellotomcatspringboot-shiro0.0.1-SNAPSHOTorg.springframework.bootspring-boot-starter-parent1.5.4.RELEASEorg.springframework.bootspring-boot-starter-weborg.springframework.bootspring-boot-starter-thymeleaf .RELEASE2.0.45. 编写controller（UserController）package com.hellotomcat.controller;import org.springframework.stereotype.Controller;import org.springframework.ui.Model;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.ResponseBody;Controllerpublic class UserController /* * 测试方法 * return */RequestMapping(/hello)ResponseBody / 返回json数据public String hello() System.out.println(hello spring boot);return ok;/* * 测试thymeleaf * param model * return */RequestMapping(/testThymeleaf)public String testThymeleaf(Model model) / 把数据放入modelmodel.addAttribute(name, admin);/ 返回test.htmlreturn test;6. 编写启动类Applicationpackage com.hellotomcat;import org.springframework.boot.SpringApplication;import org.springframework.boot.autoconfigure.SpringBootApplication;/* * Spring Boot启动类 * author Lenovo * */SpringBootApplicationpublic class Application public static void main(String args) SpringApplication.run(Application.class, args);7. 运行启动类Application(和运行普通的Java程序一样)8. 然后在浏览器输入:http:/localhost:8080/hello,就可以正常访问了,出现如下画面说明启动成功二、 导入thymeleaf页面模块1. 引入thymeleaf依赖org.springframework.bootspring-boot-starter-thymeleaf2. 在controller当中添加如下方法:/* * 测试thymeleaf * param model * return */RequestMapping(/testThymeleaf)public String testThymeleaf(Model model) / 把数据放入modelmodel.addAttribute(name, admin);/ 返回test.htmlreturn test;3. 在src/main/resources目录下面建立templates目录用来存放页面(Spting-Boot默认页面存放路径,名字不可更改)4. 在templates目录下新建test.html测试thymeleaf的使用!-th:text=$name为thymeleaf语法,获取model中传过来的值5. 在浏览器访问http:/localhost:8080/testThymeleaf 进行测试.如果能够在页面上获取到值就说明成功了.此处需要注意在thymeleaf3.0以前对页面标签语法要求比较严格,开始标签必须有对应的结束标签,如果没有就出现如下错误.如果页面标签不严谨还希望使用thymeleaf的话,那就需要升级thymeleaf到3.0以上的版本,此处升级为3.0.26. 升级thymeleaf版本(修复上面的错误),在properties节点下面添加3.0.2.RELEASE2.0.4三、 Spring Boot与Shiro整合实现用户认证1. Shiro核心API类Subject: 用户主体(把操作交给SecurityManager)SecurityManager: 安全管理器(关联Realm)Realm: shiro连接数据库的桥梁2. 导入shiro与spring整合依赖org.apache.shiroshiro-spring1.4.03. 创建自定义Realmpackage com.hellotomcat.shiro;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;/* * 自定义Realm * author Lenovo * */public class UserRealm extends AuthorizingRealm/* * 执行授权逻辑 */Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection arg0) System.out.println(执行授权逻辑);return null;/* * 执行认证逻辑 */Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) throws AuthenticationException System.out.println(执行认证逻辑);return null;4. 编写shiro的配置类(重点)(最基础的配置类如下)package com.hellotomcat.shiro;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;/* * Shiro的配置类 * author Lenovo * */Configurationpublic class ShiroConfig /* * 创建ShiroFilterFactoryBean */public ShiroFilterFactoryBean getShiroFilterFactoryBean(Qualifier(securityManager)DefaultWebSecurityManager securityManager) ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();/ 设置安全管理器shiroFilterFactoryBean.setSecurityManager(securityManager);return shiroFilterFactoryBean;/* * 创建DefaultWebSecurityManager */Bean(name=securityManager)public DefaultWebSecurityManager getDefaultWebSecurityManager(Qualifier(userRealm)UserRealm userRealm) DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();/ 关联realmsecurityManager.setRealm(userRealm);return securityManager;/* * 创建Realm */Beanpublic UserRealm getRealm() return new UserRealm();5. 使用shiro内置过滤器实现拦截功能.5.5.1. 新建两个页面add.html和update.htmladd.html页面代码:用户新增页面!-用户新增update.html页面代码:用户更新页面!-用户更新5.2. 修改test.html页面测试thymeleaf的使用!-进入用户添加功能:用户添加进入用户更新功能:用户更新5.3. 在UserController当中添加下面的方法RequestMapping(/add)/ 没有ResponseBody这个注释则返回页面,有就返回json数据public String add() return /user/add;RequestMapping(/update)public String update() return /user/update;5.4. 修改ShiroConfig类package com.hellotomcat.shiro;import java.util.LinkedHashMap;import java.util.Map;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;/* * Shiro的配置类 * author Lenovo * */Configurationpublic class ShiroConfig /* * 创建ShiroFilterFactoryBean */Beanpublic ShiroFilterFactoryBean getShiroFilterFactoryBean(Qualifier(securityManager)DefaultWebSecurityManager securityManager) ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();/ 设置安全管理器shiroFilterFactoryBean.setSecurityManager(securityManager);/ 添加Shiro内置过滤器/* * Shiro内置过滤器,可以实现权限相关的拦截 * 常用的过滤器: * anon: 无需认证(登录)可以访问 * authc: 必须认证才可以访问 * user: 如果使用rememberMe的功能可以直接访问 * perms: 该资源必须得到资源权限才可以访问 * role: 该资源必须得到角色权限才可以访问 */Map filterMap = new LinkedHashMap();filterMap.put(/add, authc);filterMap.put(/update, authc);shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);return shiroFilterFactoryBean;/* * 创建DefaultWebSecurityManager */Bean(name=securityManager)public DefaultWebSecurityManager getDefaultWebSecurityManager(Qualifier(userRealm)UserRealm userRealm) DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();/ 关联realmsecurityManager.setRealm(userRealm);return securityManager;/* * 创建Realm */Bean(name=userRealm)public UserRealm getRealm() return new UserRealm();5.5. 验证拦截功能,在test页面点击超链接,如果出现以下情况,说明拦截成功5.6. 设置跳转到自定义登录页面5.6.1. 新建一个登录页面login.htmllogin.html代码如下:登录页面!-登录页面 5.6.2. 在UserController当中添加如下方法:RequestMapping(/toLogin)public String toLogin() return /login;5.6.3. 修改ShiroConfig类package com.hellotomcat.shiro;import java.util.LinkedHashMap;import java.util.Map;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;/* * Shiro的配置类 * author Lenovo * */Configurationpublic class ShiroConfig /* * 创建ShiroFilterFactoryBean */Beanpublic ShiroFilterFactoryBean getShiroFilterFactoryBean(Qualifier(securityManager)DefaultWebSecurityManager securityManager) ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();/ 设置安全管理器shiroFilterFactoryBean.setSecurityManager(securityManager);/ 添加Shiro内置过滤器/* * Shiro内置过滤器,可以实现权限相关的拦截 * 常用的过滤器: * anon: 无需认证(登录)可以访问 * authc: 必须认证才可以访问 * user: 如果使用rememberMe的功能可以直接访问 * perms: 该资源必须得到资源权限才可以访问 * role: 该资源必须得到角色权限才可以访问 */Map filterMap = new LinkedHashMap();filterMap.put(/add, authc);filterMap.put(/update, authc);/ 修改默认的登录页面shiroFilterFactoryBean.setLoginUrl(/toLogin);shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);return shiroFilterFactoryBean;/* * 创建DefaultWebSecurityManager */Bean(name=securityManager)public DefaultWebSecurityManager getDefaultWebSecurityManager(Qualifier(userRealm)UserRealm userRealm) DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();/ 关联realmsecurityManager.setRealm(userRealm);return securityManager;/* * 创建Realm */Bean(name=userRealm)public UserRealm getRealm() return new UserRealm();5.6.4. 验证,如果页面调整到自定义登录页面则成功5.7. 使用通配符简化配置,修改ShiroConfig类将filterMap.put(/add, authc);filterMap.put(/update, authc);修改为:filterMap.put(/testThymeleaf, anon);filterMap.put(/*, authc); /此句必须放在最下面,否则将会对所有的请求进行拦截,导致不需登录也可以访问的配置均无效6. 实现用户验证（登录）操作.. 修改登录页面login.html登录页面!-登录用户名：密码： 6.2. 在controller当中添加方法/* * 登录逻辑处理 */RequestMapping(/login)public String login(String name, String password,Model model) /* * 使用Shiro编写认证操作 */ 1.获取SubjectSubject subject = SecurityUtils.getSubject();/ 2.封装用户数据UsernamePasswordToken token = new UsernamePasswordToken(name, password);/ 3.执行登录方法try subject.login(token); / 没有异常则说明登录成功return redirect:/testThymeleaf; catch (UnknownAccountException e) /e.printStackTrace();/ 登录失败：用户名不存在model.addAttribute(msg, 用户名不存在);return login; catch (IncorrectCredentialsException e) /e.printStackTrace();/ 登录失败：密码错误model.addAttribute(msg, 密码错误);return login;6.3. 在ShiroConfig当中添加如下代码，放行登录操作filterMap.put(/login, anon); / 放行登录操作6.4. 编写UserRealm的认证（判断）逻辑/* * 执行认证逻辑 */Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException System.out.println(执行认证逻辑);/ 假设数据库的用户名和密码String name = admin;String password = root;/ 编写shiro判断逻辑，判断用户名和密码是否正确/ 1.判断用户名UsernamePasswordToken token = (UsernamePasswordToken)authenticationToken;if (!token.getUsername().equals(name) / 用户名不存在return null; / 返回null时，shiro底层会抛出UnknowAccountException/ 2.判断密码return new SimpleAuthenticationInfo(, password, );四、 整合Mybatis实现登录功能1. 导入Mybatis相关依赖，修改pom.xml文件com.alibabadruid1.0.9mysqlmysql-connector-javaorg.mybatis.spring.bootmybatis-spring-boot-starter1.1.12. 新建一个数据库，然后再新建一张数据库表，建表语句如下（数据库需要手动创建）：CREATE TABLE user ( id int(11) NOT NULL AUTO_INCREMENT, name varchar(20) DEFAULT NULL, password varchar(50) DEFAULT NULL, PRIMARY KEY (id) ENGINE=InnoDB DEFAULT CHARSET=utf8;3. 在src/main/resources目录下面新建perties。(位置和文件名固定)spring.datasource.driverClassName=com.mysql.jdbc.Driverspring.datasource.url=jdbc:mysql:/localhost:3306/db_springbootspring.datasource.username=rootspring.datasource.password=rootspring.datasource.type=com.alibaba.druid.pool.DruidDataSourcemybatis.type-aliases-package=com.hellotomcat.domain4. 编写实体类Userpackage com.hellotomcat.domain;public class User private Integer id;private String name;private String password;public Integer getId() return id;public void setId(Integer id) this.id = id;public String getName() return name;public void setName(String name) = name;public String getPassword() return password;public void setPassword(String password) this.password = password;Overridepublic String toString() return User id= + id + , name= + name + , password= + password + ;5. 编写查询接口package com.hellotomcat.mapper;import com.hellotomcat.domain.User;public interface UserMapper public User findByName(String name);6. 编写UserMapper.xml映射文件SELECTid,NAME,PASSWORDFROMuser where name=#value 7. 编写业务接口和实现接口：package com.hellotomcat.service;import com.hellotomcat.domain.User;public interface UserService public User findByName(String name);实现：package com.hellotomcat.service.impl;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.stereotype.Service;import com.hellotomcat.domain.User;import com.hellotomcat.mapper.UserMapper;import com.hellotomcat.service.UserService;Servicepublic class UserServiceImpl implements UserService/ 注入mapper接口Autowiredprivate UserMapper userMapper;Overridepublic User findByName(String name) return userMapper.findByName(