Shiro入门

作者: camlboy | 来源:发表于2017-04-21 15:16 被阅读75次

    Shiro来控制权限

    首先我们需要来创建一个RBAC模型(图片网上找的)

    RBAC.png

    数据库模型建好以后便可进行配置:
    我们在项目中创建Shiro的配置文件命名为shiro.ini,内容如下:

    [main]
    #数据源配置
    dataSource=org.springframework.jdbc.datasource.DriverManagerDataSource
    dataSource.driverClassName=com.mysql.jdbc.Driver
    dataSource.url=jdbc:mysql://127.0.0.1:3306/test
    dataSource.username=root
    dataSource.password=root
    
    jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
    jdbcRealm.permissionsLookupEnabled = true
    jdbcRealm.dataSource=$dataSource
    #用户认证(登录)查询语句,以用户名为查询条件
    jdbcRealm.authenticationQuery = SELECT password FROM usr_user WHERE username = ?
    #用户角色查询语句,以用户名为查询条件,判断用户是否拥有某个角色
    jdbcRealm.userRolesQuery = SELECT usr_role.roleName from usr_user,usr_user_role,usr_role WHERE usr_user.username = ? AND usr_user.id = usr_user_role.userId AND usr_user_role.roleId = usr_role.id
    #资源许可查询语句,以角色名称为查询条件,判断角色是否拥有某个资源的许可
    jdbcRealm.permissionsQuery = SELECT usr_func.code from usr_role,usr_role_func,usr_func WHERE usr_role.roleName = ? AND usr_role.id = usr_role_func.roleId AND usr_role_func.funcId = usr_func.id
    
    securityManager.realms=$jdbcRealm
    

    数据源配置相信大家都很熟悉,我们主要配置的是securityManager的realms属性,shiro权限控制主要靠这个做具体的事情,至此简单的配置应完成了。
    接下来我们写一个简单的测试类:

    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.DisabledAccountException;
    import org.apache.shiro.authc.ExcessiveAttemptsException;
    import org.apache.shiro.authc.ExpiredCredentialsException;
    import org.apache.shiro.authc.IncorrectCredentialsException;
    import org.apache.shiro.authc.LockedAccountException;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.config.IniSecurityManagerFactory;
    import org.apache.shiro.mgt.SecurityManager;
    import org.apache.shiro.subject.Subject;
    import org.apache.shiro.util.Factory;
    import org.junit.Test;
    import org.junit.runner.RunWith;
    import org.junit.runners.JUnit4;
    
    import junit.framework.Assert;
    
    @RunWith(JUnit4.class)
    public class TestController {
    
        @Test
        public void test(){
            Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
            SecurityManager securityManager = factory.getInstance();
            SecurityUtils.setSecurityManager(securityManager);
    
            Subject subject = SecurityUtils.getSubject();
            UsernamePasswordToken token = new UsernamePasswordToken("admin", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918");
            try {
                subject.login(token);
                Assert.assertEquals(true, subject.isAuthenticated());
    
                //判断用户是否拥有某个角色
                System.out.println("has==manager" + subject.hasRole("manager"));  //true
                System.out.println("has==editor" + subject.hasRole("editor"));  //false
    
                //判断是否被授权
                System.out.println("per==CX" + subject.isPermitted("YHGL:CX"));  //true
                System.out.println("per==XZ" + subject.isPermitted("YHGL:XZ"));  //true
    
                subject.logout();
            } catch (IncorrectCredentialsException e) {
                System.out.println("登录密码错误. Password for account " + token.getPrincipal() + " was incorrect.");
            } catch (ExcessiveAttemptsException e) {
                System.out.println("登录失败次数过多");
            } catch (LockedAccountException e) {
                System.out.println("帐号已被锁定. The account for username " + token.getPrincipal() + " was locked.");
            } catch (DisabledAccountException e) {
                System.out.println("帐号已被禁用. The account for username " + token.getPrincipal() + " was disabled.");
            } catch (ExpiredCredentialsException e) {
                System.out.println("帐号已过期. the account for username " + token.getPrincipal() + "  was expired.");
            } catch (UnknownAccountException e) {
                System.out.println("帐号不存在. There is no user with username of " + token.getPrincipal());
            }
    
        }
    }
    

    UsernamePasswordToken主要用来做登录验证,这里我们是写死的,密码也是加密后存储在数据库的;

    subject.login(token)这句代码则会触发我们的jdbcRealm.authenticationQuery = SELECT password FROM usr_user WHERE username = ?去数据库中进行验证;

    subject.hasRole("manager")subject.isPermitted("YHGL:CX")分别会触发jdbcRealm.userRolesQueryjdbcRealm.permissionsQuery

    后面我们在异常捕获中进行异常区分来做不同的提示

    相关文章

      网友评论

        本文标题:Shiro入门

        本文链接:https://www.haomeiwen.com/subject/wnpdzttx.html