一.介绍
二.基本功能
三.使用Maven包
<shiro.version>1.2.3</shiro.version
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-quartz</artifactId>
<version>${shiro.version}</version>
</dependency>
四.用户登录
(1)使用用户的登录信息创建令牌
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
token可以理解为用户令牌,登录的过程被抽象为Shiro验证令牌是否具有合法身份以及相关权限。
(2)执行登陆
SecurityUtils.setSecurityManager(securityManager); // 注入SecurityManager安全管理器
Subject subject = SecurityUtils.getSubject(); // 获取Subject单例对象
subject.login(token); // 登陆
Shiro的核心部分是SecurityManager,它负责安全认证与授权。Shiro本身已经实现了所有的细节,用户可以完全把它当做一个黑盒来使用。SecurityUtils对象,本质上就是一个工厂类似Spring中的ApplicationContext。Subject是初学者比较难于理解的对象,很多人以为它可以等同于User,其实不然。Subject中文翻译:项目,而正确的理解也恰恰如此。它是你目前所设计的需要通过Shiro保护的项目的一个抽象概念。通过令牌(token)与项目(subject)的登陆(login)关系,Shiro保证了项目整体的安全。
(3)判断用户
2.基本代码
/**
* 用户登录
* @param user
* @param model
* @param remember
* @return
*/
@RequestMapping("/login")
public String login(Student user,Model model,String remember) {
ModelAndView view = new ModelAndView("loginerro");
String msg = "";
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword(),user.getUsername());
if(remember!=null){
if(remember.equals("记住我")){//记住我
token.setRememberMe(true);
}
}
try {
subject.login(token);
return "main";
} catch (IncorrectCredentialsException e) {
model.addAttribute("errorMsg", "抱歉,您的密码有误");
} catch (ExcessiveAttemptsException e) {
msg = "登录失败次数过多";
model.addAttribute("errorMsg", "登录失败次数过多");
System.out.println(msg);
} catch (LockedAccountException e) {
msg = "帐号已被锁定. The account for username " + token.getPrincipal() + " was locked.";
model.addAttribute("errorMsg", "帐号已被锁定");
System.out.println(msg);
} catch (DisabledAccountException e) {
msg = "帐号已被禁用. The account for username " + token.getPrincipal() + " was disabled.";
model.addAttribute("errorMsg", "帐号已被禁用");
System.out.println(msg);
} catch (ExpiredCredentialsException e) {
msg = "帐号已过期. the account for username " + token.getPrincipal() + " was expired.";
model.addAttribute("errorMsg", "帐号已过期");
System.out.println(msg);
} catch (UnknownAccountException e) {
model.addAttribute("errorMsg", e.getMessage());
} catch (UnauthorizedException e) {
msg = "您没有得到相应的授权!" + e.getMessage();
model.addAttribute("errorMsg", "您没有得到相应的授权");
System.out.println(msg);
} catch (AccountException e) {
msg = e.getMessage();
model.addAttribute("errorMsg", e.getMessage());
System.out.println(msg);
}
return "home";
}
五.Reaml
1.Realm能做的工作主要有以下几个方面:
2.Realm接口的内容,这个接口里有3个方法,内容如下:
AuthenticationInfo getAuthenticationInfo(AuthenticationToken token)
boolean supports(AuthenticationToken token)
String getName()
3.实现自定义Realm
自定义realm代码
public class LoginShiro extends AuthorizingRealm {
private static final Logger logger = LogManager.getLogger(LoginShiro.class);
@Autowired
private UserServerInter userServerInter;
@Autowired
private RoleServerInter roleServerInter;
@Autowired
private PermissionServerInter permissionServerInter;
@Autowired
private UserDao userDao;
@Override
public String getName() {
return "realm";
}
/**
* 权限认证
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String currentUsername = (String)super.getAvailablePrincipal(principalCollection);
System.out.print("AuthorizationInfo====:"+currentUsername);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//根据用户ID查询角色(role),放入到Authorization里。
Set<String> roles = roleServerInter.FindRoleByName(currentUsername);
info.setRoles(roles);
//根据用户ID查询权限(permission),放入到Authorization里。
Set<String> permissions = permissionServerInter.findPermissionByName(currentUsername);
info.setStringPermissions(permissions);
return info;
}
/**
* 身份认证
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
SimpleAuthenticationInfo authenticationInfo = null;
UsernamePasswordToken token=(UsernamePasswordToken) authenticationToken;
String username = String.valueOf(token.getUsername());
String password = new String(token.getPassword());
Student user= userDao.FindUserByUserName(username);
if (null != user) {
authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
// //盐值:取用户信息中唯一的字段来生成盐值,避免由于两个用户原始密码相同,加密后的密码也相同
authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(username+user.getSalt()));
}else {
throw new AccountException("当前无此用户!");
}
return authenticationInfo;
}
@Override
public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
super.clearCachedAuthorizationInfo(principals);
}
@Override
public void clearCachedAuthenticationInfo(PrincipalCollection principals) {
super.clearCachedAuthenticationInfo(principals);
}
@Override
public void clearCache(PrincipalCollection principals) {
super.clearCache(principals);
}
public void clearAllCachedAuthorizationInfo() {
getAuthorizationCache().clear();
}
public void clearAllCachedAuthenticationInfo() {
getAuthenticationCache().clear();
}
/**
* 清空缓存
*/
public void clearAllCache() {
clearAllCachedAuthenticationInfo();
clearAllCachedAuthorizationInfo();
}
}
七.登录失败次数限制
1.在spring-shiro配置文件里面配置安全管理器
<bean id="credentialsMatcher" class="com.sxkj.Common.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager" />
<!--加密算法为md5-->
<property name="hashAlgorithmName" value="md5" />
<!--3次md5迭代 配置加密的次数-->
<property name="hashIterations" value="2" />
<!--是否存储散列后的密码为16进制,需要和生成密码时的一样,默认是base64-->
<property name="storedCredentialsHexEncoded" value="true" />
</bean>
2.RetryLimitHashedCredentialsMatcher文件
public class RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher {
private Cache < String, AtomicInteger> passwordRetryCache;
public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) {
// passwordRetryCache = cacheManager.getCache("passwordRetryCache");
}
@Override
public boolean doCredentialsMatch(AuthenticationToken token,
AuthenticationInfo info) {
// Strin matches;
String username = (String) token.getPrincipal();
//retrycount + 1
Object element = EhcacheUtil.getItem(username);
if (element == null) {
EhcacheUtil.putItem(username, 1);
element=0;
}else{
int count=Integer.parseInt(element.toString())+1;
element=count;
EhcacheUtil.putItem(username,element);
}
AtomicInteger retryCount = new AtomicInteger(Integer.parseInt(element.toString()));
if (retryCount.incrementAndGet() > 5) {
//if retrycount >5 throw
throw new ExcessiveAttemptsException();
}
boolean matches = super.doCredentialsMatch(token, info);
if (matches) {
//clear retrycount
EhcacheUtil.removeItem(username);
}
return matches;
}
}
八.退出登录
/**
* 退出登录
* @return
*/
@RequestMapping("/logout")
public String logout(){
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession();
if (subject.isAuthenticated()) {
System.out.println(session.getLastAccessTime());
subject.logout();
} else if(subject.isRemembered()) {
subject.logout();
}
return "home";
}
九.创建Ecache缓存以及时效
1.spring-shir配置ecache
<!--Ehcache缓存管理器 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache.xml"></property>
</bean>
2.Ecache工具类
public class EhcacheUtil {
private static final CacheManager cacheManager = CacheManager.getInstance();
/**
* 创建ehcache缓存,创建之后的有效期是1小时
*/
private static Cache cache = new Cache(new CacheConfiguration("systemCache", 5000).memoryStoreEvictionPolicy(MemoryStoreEvictionPolicy.FIFO).timeoutMillis(300).timeToLiveSeconds( 60 * 60));
static {
cacheManager.addCache(cache);
}
public static void putItem(String key, Object item) {
if (cache.get(key) != null) {
cache.remove(key);
}
Element element = new Element(key, item);
cache.put(element);
}
public static void removeItem(String key) {
cache.remove(key);
}
public static void updateItem(String key, Object value) {
putItem(key, value);
}
public static Object getItem(String key) {
Element element= cache.get(key);
if(null!=element)
{
return element.getObjectValue();
}
return null;
}
}