权限管理框架传智shiro 1

1课程目Shiro1课程目Shiro2权限管2.1什么是权限2.2用户身份认2.2.1 YESYES是否认证通NO2.2.3Subject：主Principal箱地址等，一个主体可以有多个身份，但是必须有一个主身份（PrimaryYESYES是否认证通NO2.2.3Subject：主Principal箱地址等，一个主体可以有多个身份，但是必须有一个主身份（PrimaryPrincipalcredential：凭证YES2.32.3.12.3.2NO2.3.3继续2.32.3.12.3.2NO2.3.3继续访问权限身份分配访问系统主（用户权主（用户权类型商品权（查询权（添加权（删除资资（商品信息2.3.4主体（账号、密码***1**多对多对多对1111***用户角色角色权限*权限（权限名称、资源名称、资源访问地址****多对多对1111******1**多对多对多对1111***用户角色角色权限*权限（权限名称、资源名称、资源访问地址****多对多对1111****2.3.52.3.6基于角色的访问控RBAC基于角色的访问控制（Role-BasedAccessControl）2.3.6基于角色的访问控RBAC基于角色的访问控制（Role-BasedAccessControl）YES} }无权访问处（通常提示用户无权操作查询工资信基于资源的访问控基于资源的访问控}3权限管理解决方3.1粗颗粒度和细颗粒 service接口添3.2urlurlurl配置Url是否公开地NOurl是否3.2urlurlurl配置Url是否公开地NOurl是否是否存在权限url3.3使用权限管理4url拦截实4.1环境4url拦截实4.1环境web前台UI：jqueryeasyUI数据shiro_sql_talbe.sqlshiro-4.3activeUser用户身4.4publicclassActiveUserimplementsjava.io.SerializableprivateStringuserid;//用户idprivateStringusercode用户账号privateStringusername;privateList<SysPermission>menusprivateList<SysPermission>permissions4.54.64.54.6用户身份认证拦filterpublicclassLoginInterceptorimplementsHandlerInterceptor//publicbooleanpreHandle(HttpServletRequestrequest,HttpServletResponseresponse,Objecthandler)throwsExceptionList<String>open_urls=用户访问的Stringurl=for(Stringopen_url:open_urls)if(url.indexOf(open_url)>=0)return}}HttpSessionsession=request.getSession();ActiveUseractiveUser=(ActiveUser)if(activeUser!=null)return}4.7用户授权拦4.7用户授权拦（refuse.jsppublicclassPermissionInterceptorimplementsHandlerInterceptor//publicbooleanpreHandle(HttpServletRequestrequest,HttpServletResponseresponse,Objecthandler)throwsException//TODOAuto-generatedmethodStringurl=List<String>open_urls=用户访问的for(Stringopen_url:open_urls)if(url.indexOf(open_url)>=0)return}}//从session获取用户公共访问地址（认证通过无需分配权限即可访问）List<String>common_urlsResourcesUtil.gekeyList("commonURL");用户访问的for(Stringcommon_url:common_urls)if(url.indexOf(common_url)>=0)returnreturn}4.8用户url4.8用户url等）activeUsersession4.8.1publicStringloginsubmit(HttpSessionsession,Stringusercode,Stringpassword,Stringrandomcode)throwsException{}}HttpSessionsession=request.getSession();ActiveUseractiveUser=(ActiveUser)取出session中权限List<SysPermission>permission_list=for(SysPermissionsysPermission:{Stringpermission_url=if(url.contains(permission_url))return}}return}4.8.2service接4.8.2service接**Title:****@param@param@returnActiveUser@throwspublicActiveUserauthenticat(Stringusercode,StringthrowspublicSysUserfindSysuserByUsercode(Stringusercode)StringvalidateCode=thrownewCustomException("}ActiveUseractiveUser=sysService.authenticat(usercode,return}5shiro5.1什么是5shiro5.1什么是5.2为什么要学shiroshiro就可以非常快速的用户开始使用shiro。java领域中springsecurity(原名Acegi)也是一个开源的权限管理框架spring依赖spring运行，而shiro就相对独立，最主要是因为shiro使用简单、灵活，所以现在越来越多的用户选择shiro。5.3Shiro架publicList<SysPermission>findSysPermissionList(Stringthrows .1Subjectshiro5.3.2责对所有的subject进行安全管SecurityManager可以完成subject授权等，实质上SecurityManager是通过Authenticator进行认证，通过Authorizer进行授权，通过SessionManager进行会话管理等。SecurityManagerAuthenticatorAuthorizerSessionManager5.3.3Authenticator即认证器，对用户身份进行认证，Authenticator是一个接口，shiroModularRealmAuthenticatorModularRealmAuthenticator5.3.3Authenticator即认证器，对用户身份进行认证，Authenticator是一个接口，shiroModularRealmAuthenticatorModularRealmAuthenticator5.3.45.3.55.3.65.3.7SessionDAOdaosessionsessionjdbc5.3.85.3.9Cryptography即密码管理，shiro提供了一套加密/5.4shiro5.4shirojarshiro-corewebshiro-webspringshiro-springquartzshiro-quartzshirojarmaven坐标。<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-lib6shiro6.1认证根据身份获取验证6shiro6.1认证根据身份获取验证信执行认执行认提交认构造SecurityManager6.2入门程序（用户登陆和退出入门程序（用户登陆和退出6.2.1javajdk版本：1.7.0_726.2.2加入shiro-coreJar包及依6.2.3perties日志配置log4j.rootLogger=debug,-%m6.2.4eclipseinishiro.ini6.2.5publicvoidtestLoginLogout()Factory<SecurityManager>factory=通过工厂创建SecurityManagersecurityManager=////6.2.66.2.63AuthenticatorModularRealmAuthenticatorrealmini配置文件取用户真实的账号和密码，这里使用的是IniRealm（shiro自带）4IniRealm先根据tokenini行Subjectsubject=//UsernamePasswordTokentoken=newtry}catch(AuthenticationExceptione)//TODOAuto-generatedcatchblock}BooleanisAuthenticated=subject.isAuthenticated();System.out.println("用户认证状态：isAuthenticated);isAuthenticated=subject.isAuthenticated();System.out.println("用户认证状态：isAuthenticated);}6.2.7foundforuser。。。。 -6.2.7foundforuser。。。。 -rememberMe=false]didnotmatchtheexpected锁定）ExcessiveAttemptsException（登录失败次ExpiredCredentialsException（凭证过期）6.3自定义IniealmInieal6.3.1shiro提供最基础的是Realm接口，CachingRealm负责缓存处理，最基础的是Realm接口，CachingRealm负责缓存处理，AuthenticationRealm6.3.2publicclassCustomRealm1extendsAuthorizingRealmpublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationExceptionStringusername=(String)6.3.46.3.4#自定义realmreturn}Stringpassword"123";//SimpleAuthenticationInfosimpleAuthenticationInfonewusername,password,return}protecteddoGetAuthorizationInfo(PrincipalCollectionprincipals)//TODOAuto-generatedmethodreturn}}6.4散列6.4散列般散列算法需要提供一个salt（盐）与原始内容生成摘要信息，这样做的目的是为了安全性，比如：111111的md5值是：96e79218965eb72c92a549dd5a330112“96e79218965eb72c92a549dd5a330112”去md5破解网站很容易进行破解，如果要是对111111salt（盐，一个随机数）111111加不同的盐会生成6.4.1shiroStringpassword_md5newMd5Hash("111111").toString();Stringpassword_md5_sale_1=newMd5Hash("111111","eteokues",Stringpassword_md5_sale_2=newMd5Hash("111111",StringsimpleHash=newSimpleHash("MD5","111111",realmrealmprotecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationExceptionStringusername=(String)Stringpassword=Stringsalt="eteokues";SimpleAuthenticationInfosimpleAuthenticationInfo=username,password,return7shiro7.1授权根据身份获7shiro7.1授权根据身份获取资源权限执行授执行授授构造SecurityManager7.2授权ShiroSubjectsubject=7.2授权ShiroSubjectsubject=}else}publicvoidhello()}JSP/GSPJSP/GSP<!7.3授权 7.3.2，或7.3.3注意：在用户认证通过后执行下边的授publicvoidtestPermission()从ini文件中创建SecurityManagerFactory<SecurityManager>factory=创建SecurityManagersecurityManager=//Subjectsubject=//设置用户认证的身份(principals)和凭证(credentials)UsernamePasswordTokentokennewUsernamePasswordToken("zhang",//设置用户认证的身份(principals)和凭证(credentials)UsernamePasswordTokentokennewUsernamePasswordToken("zhang",try}catch(AuthenticationExceptione)//TODOAuto-generatedcatchblock}BooleanisAuthenticated=System.out.println("用户认证状态：System.out.println("用户是否拥有一个角色：System.out.println("用户是否拥有多个角色："+subject.checkRoles(Arrays.asList("role1",//System.out.println("是否拥有某一个权限：System.out.println("是否拥有多个权限："+}7.3.47.3.4 7.3.5 System.out.println("是否拥有某一个权限：System.out.println("是否拥有多个权限：" subject.isPermittedAll("user:create:1","user:delete"));subject.checkRoles(Arrays.asList("role1",System.out.println("用户是否拥有一个角色：System.out.println("用户是否拥有多个角色："+7.4自定义7.4自定义7.4.1realmshiroprotecteddoGetAuthorizationInfo(PrincipalCollectionprincipals)Stringusername=(String)List<String>permissions=newArrayList<String>();SimpleAuthorizationInfosimpleAuthorizationInfonew}return7.4.37.4.47.4.37.4.48shiro与项目集成开8.1shirospringweb项目整shirospringweburlurl拦截实现的工程的技术架构是springmvc+mybatis，整合注意两点：1、shirospring8.1.1springmvc认证和授权拦8.1.2shirojar8.1.2shirojarshiro过虑器，DelegatingFilterProx会从spring容器中找shiroFilterShiro的Web<beanid="shiroFilter"<propertyname="securityManager"ref="securityManager"过虑器FormAuthenticationFilter中指定此地址就为身份认证地址--><propertyname="loginUrl"value="/login.action"<propertyname="unauthorizedUrl"value="/refuse.jsp"shiro<property<entrykey="authc"<property<entrykey="authc"value-<property定的loginUrl一致-->/loginsubmit.action=退出拦截，请求logout.action/logout.action=/refuse.jsp=roles[XX]表示有XX/item/list.action=/js/**/images/**/styles/**user/**=逗号分隔，如：/**=user,roles[admin]--><beanid="securityManager"<propertyname="realm"ref="userRealm"realm<beanid="userRealm"账号、密码及loginurl将采用默认值，建议配置--><bean动寻找项目web项目的根目录下的”/login.jsp”页面。8.1.5动寻找项目web项目的根目录下的”/login.jsp”页面。8.1.5使用shiro注解授//查询商品列表publicModelAndViewqueryItem()throwsException开启aop<aop:configproxy-target-开启shiro<propertyname="securityManager"ref="securityManager"表单中账号的input<propertyname="usernameParam"value="usercode"表单中密码的input<propertyname="passwordParam"value="password"<!--<propertyname="rememberMeParam"value="rememberMe"/>--loginurl：用户登陆地址，此地址是可以http访问的url<propertyname="loginUrl"value="/loginsubmit.action"8.1.6realm8.1.6realmshiropublicclassCustomRealm1extendsAuthorizingRealmprivateSysServicepublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationException从tokenStringusername=(String)//如果查询不到则返回if(!username.equals("zhangreturn}Stringpassword"123List<SysPermission>menus=newSysPermissionsysPermission_1=List<SysPermission>menus=newSysPermissionsysPermission_1=newSysPermissionsysPermission_2newSysPermission();ActiveUseractiveUser=newActiveUser();//activeUser,password,=return}protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionprincipals){ActiveUseractiveUser=(ActiveUser)Stringuserid= List<String>permissions=newArrayList<String>();将权限信息封闭为8.1.7public8.1.7publicStringlogin()throwsreturn}publicStringloginsubmit(Modelmodel,HttpServletRequestthrowsExceptionStringexceptionClassName=(String)request(UnknownAccountException.class.getName().equals(exceptionClassName))thrownewCustomException("账号不存在}else(IncorrectCredentialsException.class.getName().equals(exceptionClassName)){thrownewCustomException("用户名/密码错误}thrownewException();//}SimpleAuthorizationInfosimpleAuthorizationInfo=for(Stringpermission:{}return}}8.1.8由于session由shiro管8.1.8由于session由shiro管理，需要修改首页的controller方法8.1.9由于使shirosessionManager，不用开发退出功能，使用shirologout拦截即可8.1.10无权限当用户无操作权限，shiro将跳转refuse.jsp页面参考：applicationContext-退出拦截，请求logout.action/logout.action=publicStringfirst(Modelmodel)throwsSubjectsubject=ActiveUseractiveUser=(ActiveUser)subject.getPrincipal();model.addAttribute("activeUser",activeUser);return}8.2realm连接数8.2.18.2realm连接数8.2.18.2.2realmpublicclassCustomRealm1extendsAuthorizingRealmprivateSysServicepublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)<bean<propertyname="hashAlgorithmName"value="md5"<propertyname="hashIterations"value="1"realm<beanid="userRealm"<propertyname="credentialsMatcher"ref="credentialsMatcher"returntokeninstanceof}protecteddoGetAuthenticationInfo(returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokenthrows{SysUsersysUser=trysysUser=}catch(Exceptione)//TODOAuto-generatedcatchblock}if(sysUser==null)thrownewUnknownAccountException("账号找不到}//根据用户id取出菜单List<SysPermission>menusnull;try{menus=}catch(Exceptione)//TODOAuto-generatedcatchblock}Stringpassword=Stringsalt=ActiveUseractiveUser=newActiveUser();SimpleAuthenticationInfosimpleAuthenticationInfo=activeUser,return}protectedAuthorizationInfodoGetAuthorizationInfo(activeUser,return}protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionActiveUseractiveUser=(ActiveUser)Stringuserid=List<SysPermission>permissions=null;try{permissions=}catch(Exceptione)//TODOAuto-generatedcatchblock}SimpleAuthorizationInfosimpleAuthorizationInfo=for(SysPermission}return}}8.3shirorealmrealmShiro8.3shirorealmrealmShiroEhcache8.3.1添Ehcachejar8.3.28.4session<beanid="securityManager"<propertyname="realm"ref="userRealm"<propertyname="sessionManager"ref="sessionManager"<bean<beanid="securityManager"<propertyname="realm"ref="userRealm"<propertyname="sessionManager"ref="sessionManager"<propertyname="cacheManager"<beanid="cacheManager"8.5验证8.5.18.5验证8.5.1publicclassMyFormAuthenticationFilterFormAuthenticationFilterprotectedbooleanonAccessDenied(ServletRequestrequest,ServletResponseresponse,ObjectmappedValue)throwsExceptionHttpSessionsession=Stringrandomcode=StringvalidateCode=(String)if(!randomcode.equals(validateCode))//randomCodeError表示验证码错误return}returnsuper.onAccessDenied(request,response,}}session<propertyname="globalSessionTimeout"删除失效的session<propertyname="deleteInvalidSessions"8.5.2修改FormAuthenticationFilter8.5.2修改FormAuthenticationFilter8.5.38.5.4配置validatecode.jsp匿名访<TD><inputid="randomcode"size="8"/>src="${baseurl}validatecode.jsp"alt=""width="56"height="20"/><beanid="formAuthenticationFilter"<beanid="formAuthenticationFilter"8.6记住8.6记住8.6.28.6.38.6.3login.jsp中添加“记住我”checkbox<beanid="formAuthenticationFilter"表单中账号的input<propertyname="usernameParam"value="usercode"表单中密码的input<propertyname="passwordParam"value="password"<propertyname="rememberMeParam"loginurl：用户登陆地址，此地址是可以h