用BCrypt加密的shiro配置多个realm配置Shiro的多Realm验证的实现–shiro实现不同身份使用不同Realm进行验证 springboot整合shiro和idea版最新Apache Shiro快速入门Security安全框架【千锋南京JAVA】 jwt结合shiro使用
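/**
 * Creates the realm bean and installs a credentials matcher that verifies the
 * submitted password against the stored BCrypt hash.
 *
 * <p>The matcher never writes the plaintext password or the stored hash to any
 * output: anything printed here ends up in console or log files that are usually
 * readable by far more people than the credential store itself.
 *
 * @return the realm with the BCrypt-based credentials matcher attached
 */
@Bean
public ShiroRealm getRealm() {
    ShiroRealm shiroRealm1 = new ShiroRealm();
    shiroRealm1.setCredentialsMatcher(new CredentialsMatcher() {
        @Override
        public boolean doCredentialsMatch(AuthenticationToken authenticationToken,
                                          AuthenticationInfo authenticationInfo) {
            // Only username/password tokens carry a password to compare; reject
            // anything else instead of failing with a ClassCastException.
            if (!(authenticationToken instanceof UsernamePasswordToken)) {
                return false;
            }
            UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;

            char[] submitted = token.getPassword();
            Object stored = authenticationInfo.getCredentials();
            // A missing password or a missing stored hash can never match.
            if (submitted == null || stored == null) {
                return false;
            }

            // BCrypt.checkpw re-hashes the submitted password with the salt embedded
            // in the stored hash and compares the two results.
            return BCrypt.checkpw(new String(submitted), stored.toString());
        }
    });
    return shiroRealm1;
}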
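package com.sbibits.config;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Spring configuration that wires the three Shiro beans used by the application:
 * the realm, the security manager and the web filter factory.
 *
 * <p>ShiroConfig.java, created 2019-12-12 16:10:00.
 *
 * @author admin
 * @version 1.0.0
 */
@Configuration
public class ShiroConfig {

    /**
     * Creates the ShiroFilterFactoryBean and registers the URL filter chain.
     *
     * @param securityManager the bean named "securityManager"
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(
            @Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // Attach the security manager.
        shiroFilterFactoryBean.setSecurityManager(securityManager);

        /*
         * Built-in Shiro filters commonly used in the chain:
         *   anon  : no authentication required
         *   authc : authentication required
         *   user  : accessible when authenticated or remembered via rememberMe
         *   perms : the listed permission is required
         *   roles : the listed role is required
         *
         * Chains are evaluated in insertion order and the first match wins, which is
         * why an insertion-ordered map is used and the specific rule is added first.
         */
        Map<String, String> filterMap = new LinkedHashMap<>();
        // "**" covers nested paths as well. With a single "*" only one path segment
        // under /user/ is matched, so deeper URLs such as /user/a/b would not be
        // covered by the authc rule at all.
        filterMap.put("/user/**", "authc");
        filterMap.put("/*", "anon");

        // Customize the page users are redirected to for login:
        // shiroFilterFactoryBean.setLoginUrl("/");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
        return shiroFilterFactoryBean;
    }

    /**
     * Creates the DefaultWebSecurityManager and associates it with the realm.
     *
     * @param userRealm the bean named "userRealm"
     * @return the security manager backed by {@code userRealm}
     */
    @Bean(name = "securityManager")
    public DefaultWebSecurityManager getDefaultWebSecurityManager(
            @Qualifier("userRealm") UserRealm userRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        // Associate the realm.
        securityManager.setRealm(userRealm);
        return securityManager;
    }

    /**
     * Creates the realm bean.
     *
     * @return a new {@link UserRealm}
     */
    @Bean(name = "userRealm")
    public UserRealm getRealm() {
        return new UserRealm();
    }
}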
package com.sbibits.config;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/**
 * Skeleton realm: both callbacks are placeholders that return {@code null}.
 *
 * <p>UserRealm.java, created 2019-12-12 16:12:00.
 *
 * @author admin
 * @version 1.0.0
 */
public class UserRealm extends AuthorizingRealm {

    /**
     * Authorization callback. Prints a trace line and supplies no authorization data.
     *
     * @param principalCollection the principals of the subject being authorized (unused)
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行授权逻辑");
        return null;
    }

    /**
     * Authentication callback. No account lookup is implemented yet.
     *
     * @param authenticationToken the submitted token (unused)
     * @return always {@code null}
     * @throws AuthenticationException declared by the overridden method; never thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        return null;
    }
}
用户注册时，先用 BCrypt 对密码做哈希（BCrypt 是单向哈希，并非可逆加密），再把哈希值存入数据库。执行认证逻辑时，用 BCrypt.checkpw 判断提交的明文密码与已存哈希是否匹配，返回 boolean 值。 获取盐 登出操作
shiro
导入依赖
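<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <!-- 1.4.0 为本文所用版本；实际项目请选用仍在维护的较新版本 -->
    <version>1.4.0</version>
</dependency>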
编写shiro两个核心配置shiroconfig和userrealm
public class UserRealm extends AuthorizingRealm {

    /**
     * Authorization callback: prints a trace line and returns a fixed permission set.
     *
     * @param principalCollection the principals of the subject being authorized (not consulted)
     * @return authorization info holding the single string permission "user:add"
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        System.out.println("执行授权逻辑");
        SimpleAuthorizationInfo granted = new SimpleAuthorizationInfo();
        // NOTE(review): the permission is granted without looking at the principals,
        // so every authenticated subject receives "user:add". Demo only; load the
        // permissions per user before using this for real.
        granted.addStringPermission("user:add");
        return granted;
    }

    /**
     * Authentication callback: prints a trace line and returns fixed account data.
     *
     * @param authenticationToken the submitted token; cast to UsernamePasswordToken but not read
     * @return authentication info with an empty principal, the credential "1234"
     *         and an empty realm name
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        System.out.println("执行认证逻辑");
        UsernamePasswordToken loginToken = (UsernamePasswordToken) authenticationToken;
        // NOTE(review): the submitted user name is never used and the expected
        // credential is the hard-coded literal "1234", so the same password is
        // accepted for any user name. Placeholder only; replace it with a lookup
        // of the stored (hashed) credential for loginToken's user.
        return new SimpleAuthenticationInfo("", "1234", "");
    }
}
/**
 * Builds the ShiroFilterFactoryBean and attaches the security manager.
 * No filter chain definitions are registered in this version.
 *
 * @param securityManager the bean named "securityManager"
 * @return the filter factory bean
 */
@Bean
public ShiroFilterFactoryBean getShiroFilterFactoryBean(
        @Qualifier("securityManager") DefaultWebSecurityManager securityManager) {
    ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
    // Attach the security manager.
    factoryBean.setSecurityManager(securityManager);
    return factoryBean;
}

/**
 * Builds the DefaultWebSecurityManager and associates it with the custom realm.
 *
 * @return the security manager backed by the realm from {@link #getRealm()}
 */
@Bean(name = "securityManager")
public DefaultWebSecurityManager getDefaultWebSecurityManager() {
    DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
    // Associate the realm.
    manager.setRealm(getRealm());
    return manager;
}

/**
 * Creates the realm; a custom realm implementation is required.
 *
 * @return a new {@link UserRealm}
 */
@Bean
public UserRealm getRealm() {
    return new UserRealm();
}
编写controller
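/**
 * Handles POST "register": attempts a Shiro login with the submitted user name
 * and password.
 *
 * <p>A wrong password and an unknown user name produce the same message, so the
 * response does not reveal which user names exist. Other authentication failures
 * are not caught here and propagate to the caller.
 *
 * @param user  form object supplying the user name and password
 * @param model view model that receives the "msg" attribute on failure
 * @return "success" when the login succeeds, otherwise "login"
 */
@PostMapping("register")
public String shiro(User user, Model model) {
    // Obtain the current subject.
    Subject subject = SecurityUtils.getSubject();
    System.out.println("判断是否已经登录" + subject.isAuthenticated());
    // Wrap the submitted user name and password in a UsernamePasswordToken.
    UsernamePasswordToken token = new UsernamePasswordToken(user.getName(), user.getPassword());
    try {
        // Perform the login; the realm decides whether the credentials match.
        subject.login(token);
        System.out.println("再判断是否已经登录" + subject.isAuthenticated());
        return "success";
    } catch (IncorrectCredentialsException | UnknownAccountException e) {
        // One generic message for both cases: separate "no such user" and
        // "wrong password" answers would let a client probe for valid accounts.
        model.addAttribute("msg", "用户名或密码错误");
        return "login";
    }
}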
Shiro的三种授权(十二)
多个权限标识 hasAnyPermissions hasPermission
// 拥有 admin 角色可以访问 @RequiresRoles(“admin”) // 拥有 user 或 admin 角色可以访问 @RequiresRoles(logical = Logical.OR, value = {“user”, “admin”}) // 拥有 user 或 admin 角色,且拥有 vip 权限可以访问 @GetMapping("/getVipMessage") @RequiresRoles(logical = Logical.OR, value = {“user”, “admin”}) @RequiresPermissions(“vip”) public ResultMap getVipMessage() {return resultMap.success().code(200).message(“成功获得 vip 信息!”); }