1課程目Shiro1課程目Shiro2權(quán)限管2.1什么是權(quán)限2.2用戶身份認(rèn)2.2.1 YESYES是否認(rèn)證通NO2.2.3Subject：主Principal箱地址等，一個(gè)主體可以有多個(gè)身份，但是必須有一個(gè)主身份（PrimaryYESYES是否認(rèn)證通NO2.2.3Subject：主Principal箱地址等，一個(gè)主體可以有多個(gè)身份，但是必須有一個(gè)主身份（PrimaryPrincipalcredential：憑證YES2.32.3.12.3.2NO2.3.3繼續(xù)2.32.3.12.3.2NO2.3.3繼續(xù)訪問權(quán)限身份分配訪問系統(tǒng)主（用戶權(quán)主（用戶權(quán)類型商品權(quán)（查詢權(quán)（添加權(quán)（刪除資資（商品信息2.3.4主體（賬號(hào)、密碼***1**多對(duì)多對(duì)多對(duì)1111***用戶角色角色權(quán)限*權(quán)限（權(quán)限名稱、資源名稱、資源訪問地址****多對(duì)多對(duì)1111******1**多對(duì)多對(duì)多對(duì)1111***用戶角色角色權(quán)限*權(quán)限（權(quán)限名稱、資源名稱、資源訪問地址****多對(duì)多對(duì)1111****2.3.52.3.6基于角色的訪問控RBAC基于角色的訪問控制（Role-BasedAccessControl）2.3.6基于角色的訪問控RBAC基于角色的訪問控制（Role-BasedAccessControl）YES} }無(wú)權(quán)訪問處（通常提示用戶無(wú)權(quán)操作查詢工資信基于資源的訪問控基于資源的訪問控}3權(quán)限管理解決方3.1粗顆粒度和細(xì)顆粒 service接口添3.2urlurlurl配置Url是否公開地NOurl是否3.2urlurlurl配置Url是否公開地NOurl是否是否存在權(quán)限url3.3使用權(quán)限管理4url攔截實(shí)4.1環(huán)境4url攔截實(shí)4.1環(huán)境web前臺(tái)UI：jqueryeasyUI數(shù)據(jù)shiro_sql_talbe.sqlshiro-4.3activeUser用戶身4.4publicclassActiveUserimplementsjava.io.SerializableprivateStringuserid;//用戶idprivateStringusercode用戶賬號(hào)privateStringusername;privateList<SysPermission>menusprivateList<SysPermission>permissions4.54.64.54.6用戶身份認(rèn)證攔filterpublicclassLoginInterceptorimplementsHandlerInterceptor//publicbooleanpreHandle(HttpServletRequestrequest,HttpServletResponseresponse,Objecthandler)throwsExceptionList<String>open_urls=用戶訪問的Stringurl=for(Stringopen_url:open_urls)if(url.indexOf(open_url)>=0)return}}HttpSessionsession=request.getSession();ActiveUseractiveUser=(ActiveUser)if(activeUser!=null)return}4.7用戶授權(quán)攔4.7用戶授權(quán)攔（refuse.jsppublicclassPermissionInterceptorimplementsHandlerInterceptor//publicbooleanpreHandle(HttpServletRequestrequest,HttpServletResponseresponse,Objecthandler)throwsException//TODOAuto-generatedmethodStringurl=List<String>open_urls=用戶訪問的for(Stringopen_url:open_urls)if(url.indexOf(open_url)>=0)return}}//從session獲取用戶公共訪問地址（認(rèn)證通過無(wú)需分配權(quán)限即可訪問）List<String>common_urlsResourcesUtil.gekeyList("commonURL");用戶訪問的for(Stringcommon_url:common_urls)if(url.indexOf(common_url)>=0)returnreturn}4.8用戶url4.8用戶url等）activeUsersession4.8.1publicStringloginsubmit(HttpSessionsession,Stringusercode,Stringpassword,Stringrandomcode)throwsException{}}HttpSessionsession=request.getSession();ActiveUseractiveUser=(ActiveUser)取出session中權(quán)限List<SysPermission>permission_list=for(SysPermissionsysPermission:{Stringpermission_url=if(url.contains(permission_url))return}}return}4.8.2service接4.8.2service接**Title:****@param@param@returnActiveUser@throwspublicActiveUserauthenticat(Stringusercode,StringthrowspublicSysUserfindSysuserByUsercode(Stringusercode)StringvalidateCode=thrownewCustomException("}ActiveUseractiveUser=sysService.authenticat(usercode,return}5shiro5.1什么是5shiro5.1什么是5.2為什么要學(xué)shiroshiro就可以非?？焖俚挠脩糸_始使用shiro。java領(lǐng)域中springsecurity(原名Acegi)也是一個(gè)開源的權(quán)限管理框架spring依賴spring運(yùn)行，而shiro就相對(duì)獨(dú)立，最主要是因?yàn)閟hiro使用簡(jiǎn)單、靈活，所以現(xiàn)在越來(lái)越多的用戶選擇shiro。5.3Shiro架publicList<SysPermission>findSysPermissionList(Stringthrows .1Subjectshiro5.3.2責(zé)對(duì)所有的subject進(jìn)行安全管SecurityManager可以完成subject授權(quán)等，實(shí)質(zhì)上SecurityManager是通過Authenticator進(jìn)行認(rèn)證，通過Authorizer進(jìn)行授權(quán)，通過SessionManager進(jìn)行會(huì)話管理等。SecurityManagerAuthenticatorAuthorizerSessionManager5.3.3Authenticator即認(rèn)證器，對(duì)用戶身份進(jìn)行認(rèn)證，Authenticator是一個(gè)接口，shiroModularRealmAuthenticatorModularRealmAuthenticator5.3.3Authenticator即認(rèn)證器，對(duì)用戶身份進(jìn)行認(rèn)證，Authenticator是一個(gè)接口，shiroModularRealmAuthenticatorModularRealmAuthenticator5.3.45.3.55.3.65.3.7SessionDAOdaosessionsessionjdbc5.3.85.3.9Cryptography即密碼管理，shiro提供了一套加密/5.4shiro5.4shirojarshiro-corewebshiro-webspringshiro-springquartzshiro-quartzshirojarmaven坐標(biāo)。<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-<artifactId>shiro-lib6shiro6.1認(rèn)證根據(jù)身份獲取驗(yàn)證6shiro6.1認(rèn)證根據(jù)身份獲取驗(yàn)證信執(zhí)行認(rèn)執(zhí)行認(rèn)提交認(rèn)構(gòu)造SecurityManager6.2入門程序（用戶登陸和退出入門程序（用戶登陸和退出6.2.1javajdk版本：1.7.0_726.2.2加入shiro-coreJar包及依6.2.3perties日志配置log4j.rootLogger=debug,-%m6.2.4eclipseinishiro.ini6.2.5publicvoidtestLoginLogout()Factory<SecurityManager>factory=通過工廠創(chuàng)建SecurityManagersecurityManager=////6.2.66.2.63AuthenticatorModularRealmAuthenticatorrealmini配置文件取用戶真實(shí)的賬號(hào)和密碼，這里使用的是IniRealm（shiro自帶）4IniRealm先根據(jù)tokenini行Subjectsubject=//UsernamePasswordTokentoken=newtry}catch(AuthenticationExceptione)//TODOAuto-generatedcatchblock}BooleanisAuthenticated=subject.isAuthenticated();System.out.println("用戶認(rèn)證狀態(tài)：isAuthenticated);isAuthenticated=subject.isAuthenticated();System.out.println("用戶認(rèn)證狀態(tài)：isAuthenticated);}6.2.7foundforuser。。。。 -6.2.7foundforuser。。。。 -rememberMe=false]didnotmatchtheexpected鎖定）ExcessiveAttemptsException（登錄失敗次ExpiredCredentialsException（憑證過期）6.3自定義IniealmInieal6.3.1shiro提供最基礎(chǔ)的是Realm接口，CachingRealm負(fù)責(zé)緩存處理，最基礎(chǔ)的是Realm接口，CachingRealm負(fù)責(zé)緩存處理，AuthenticationRealm6.3.2publicclassCustomRealm1extendsAuthorizingRealmpublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationExceptionStringusername=(String)6.3.46.3.4#自定義realmreturn}Stringpassword"123";//SimpleAuthenticationInfosimpleAuthenticationInfonewusername,password,return}protecteddoGetAuthorizationInfo(PrincipalCollectionprincipals)//TODOAuto-generatedmethodreturn}}6.4散列6.4散列般散列算法需要提供一個(gè)salt（鹽）與原始內(nèi)容生成摘要信息，這樣做的目的是為了安全性，比如：111111的md5值是：96e79218965eb72c92a549dd5a330112“96e79218965eb72c92a549dd5a330112”去md5破解網(wǎng)站很容易進(jìn)行破解，如果要是對(duì)111111salt（鹽，一個(gè)隨機(jī)數(shù)）111111加不同的鹽會(huì)生成6.4.1shiroStringpassword_md5newMd5Hash("111111").toString();Stringpassword_md5_sale_1=newMd5Hash("111111","eteokues",Stringpassword_md5_sale_2=newMd5Hash("111111",StringsimpleHash=newSimpleHash("MD5","111111",realmrealmprotecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationExceptionStringusername=(String)Stringpassword=Stringsalt="eteokues";SimpleAuthenticationInfosimpleAuthenticationInfo=username,password,return7shiro7.1授權(quán)根據(jù)身份獲7shiro7.1授權(quán)根據(jù)身份獲取資源權(quán)限執(zhí)行授執(zhí)行授授構(gòu)造SecurityManager7.2授權(quán)ShiroSubjectsubject=7.2授權(quán)ShiroSubjectsubject=}else}publicvoidhello()}JSP/GSPJSP/GSP<!7.3授權(quán) 7.3.2，或7.3.3注意：在用戶認(rèn)證通過后執(zhí)行下邊的授publicvoidtestPermission()從ini文件中創(chuàng)建SecurityManagerFactory<SecurityManager>factory=創(chuàng)建SecurityManagersecurityManager=//Subjectsubject=//設(shè)置用戶認(rèn)證的身份(principals)和憑證(credentials)UsernamePasswordTokentokennewUsernamePasswordToken("zhang",//設(shè)置用戶認(rèn)證的身份(principals)和憑證(credentials)UsernamePasswordTokentokennewUsernamePasswordToken("zhang",try}catch(AuthenticationExceptione)//TODOAuto-generatedcatchblock}BooleanisAuthenticated=System.out.println("用戶認(rèn)證狀態(tài)：System.out.println("用戶是否擁有一個(gè)角色：System.out.println("用戶是否擁有多個(gè)角色："+subject.checkRoles(Arrays.asList("role1",//System.out.println("是否擁有某一個(gè)權(quán)限：System.out.println("是否擁有多個(gè)權(quán)限："+}7.3.47.3.4 7.3.5 System.out.println("是否擁有某一個(gè)權(quán)限：System.out.println("是否擁有多個(gè)權(quán)限：" subject.isPermittedAll("user:create:1","user:delete"));subject.checkRoles(Arrays.asList("role1",System.out.println("用戶是否擁有一個(gè)角色：System.out.println("用戶是否擁有多個(gè)角色："+7.4自定義7.4自定義7.4.1realmshiroprotecteddoGetAuthorizationInfo(PrincipalCollectionprincipals)Stringusername=(String)List<String>permissions=newArrayList<String>();SimpleAuthorizationInfosimpleAuthorizationInfonew}return7.4.37.4.47.4.37.4.48shiro與項(xiàng)目集成開8.1shirospringweb項(xiàng)目整shirospringweburlurl攔截實(shí)現(xiàn)的工程的技術(shù)架構(gòu)是springmvc+mybatis，整合注意兩點(diǎn)：1、shirospring8.1.1springmvc認(rèn)證和授權(quán)攔8.1.2shirojar8.1.2shirojarshiro過慮器，DelegatingFilterProx會(huì)從spring容器中找shiroFilterShiro的Web<beanid="shiroFilter"<propertyname="securityManager"ref="securityManager"過慮器FormAuthenticationFilter中指定此地址就為身份認(rèn)證地址--><propertyname="loginUrl"value="/login.action"<propertyname="unauthorizedUrl"value="/refuse.jsp"shiro<property<entrykey="authc"<property<entrykey="authc"value-<property定的loginUrl一致-->/loginsubmit.action=退出攔截，請(qǐng)求logout.action/logout.action=/refuse.jsp=roles[XX]表示有XX/item/list.action=/js/**/images/**/styles/**user/**=逗號(hào)分隔，如：/**=user,roles[admin]--><beanid="securityManager"<propertyname="realm"ref="userRealm"realm<beanid="userRealm"賬號(hào)、密碼及l(fā)oginurl將采用默認(rèn)值，建議配置--><bean動(dòng)尋找項(xiàng)目web項(xiàng)目的根目錄下的”/login.jsp”頁(yè)面。8.1.5動(dòng)尋找項(xiàng)目web項(xiàng)目的根目錄下的”/login.jsp”頁(yè)面。8.1.5使用shiro注解授//查詢商品列表publicModelAndViewqueryItem()throwsException開啟aop<aop:configproxy-target-開啟shiro<propertyname="securityManager"ref="securityManager"表單中賬號(hào)的input<propertyname="usernameParam"value="usercode"表單中密碼的input<propertyname="passwordParam"value="password"<!--<propertyname="rememberMeParam"value="rememberMe"/>--loginurl：用戶登陸地址，此地址是可以http訪問的url<propertyname="loginUrl"value="/loginsubmit.action"8.1.6realm8.1.6realmshiropublicclassCustomRealm1extendsAuthorizingRealmprivateSysServicepublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokentoken)AuthenticationException從tokenStringusername=(String)//如果查詢不到則返回if(!username.equals("zhangreturn}Stringpassword"123List<SysPermission>menus=newSysPermissionsysPermission_1=List<SysPermission>menus=newSysPermissionsysPermission_1=newSysPermissionsysPermission_2newSysPermission();ActiveUseractiveUser=newActiveUser();//activeUser,password,=return}protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionprincipals){ActiveUseractiveUser=(ActiveUser)Stringuserid= List<String>permissions=newArrayList<String>();將權(quán)限信息封閉為8.1.7public8.1.7publicStringlogin()throwsreturn}publicStringloginsubmit(Modelmodel,HttpServletRequestthrowsExceptionStringexceptionClassName=(String)request(UnknownAccountException.class.getName().equals(exceptionClassName))thrownewCustomException("賬號(hào)不存在}else(IncorrectCredentialsException.class.getName().equals(exceptionClassName)){thrownewCustomException("用戶名/密碼錯(cuò)誤}thrownewException();//}SimpleAuthorizationInfosimpleAuthorizationInfo=for(Stringpermission:{}return}}8.1.8由于session由shiro管8.1.8由于session由shiro管理，需要修改首頁(yè)的controller方法8.1.9由于使shirosessionManager，不用開發(fā)退出功能，使用shirologout攔截即可8.1.10無(wú)權(quán)限當(dāng)用戶無(wú)操作權(quán)限，shiro將跳轉(zhuǎn)refuse.jsp頁(yè)面參考：applicationContext-退出攔截，請(qǐng)求logout.action/logout.action=publicStringfirst(Modelmodel)throwsSubjectsubject=ActiveUseractiveUser=(ActiveUser)subject.getPrincipal();model.addAttribute("activeUser",activeUser);return}8.2realm連接數(shù)8.2.18.2realm連接數(shù)8.2.18.2.2realmpublicclassCustomRealm1extendsAuthorizingRealmprivateSysServicepublicStringgetName()return}publicbooleansupports(AuthenticationTokentoken)<bean<propertyname="hashAlgorithmName"value="md5"<propertyname="hashIterations"value="1"realm<beanid="userRealm"<propertyname="credentialsMatcher"ref="credentialsMatcher"returntokeninstanceof}protecteddoGetAuthenticationInfo(returntokeninstanceof}protecteddoGetAuthenticationInfo(AuthenticationTokenthrows{SysUsersysUser=trysysUser=}catch(Exceptione)//TODOAuto-generatedcatchblock}if(sysUser==null)thrownewUnknownAccountException("賬號(hào)找不到}//根據(jù)用戶id取出菜單List<SysPermission>menusnull;try{menus=}catch(Exceptione)//TODOAuto-generatedcatchblock}Stringpassword=Stringsalt=ActiveUseractiveUser=newActiveUser();SimpleAuthenticationInfosimpleAuthenticationInfo=activeUser,return}protectedAuthorizationInfodoGetAuthorizationInfo(activeUser,return}protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionActiveUseractiveUser=(ActiveUser)Stringuserid=List<SysPermission>permissions=null;try{permissions=}catch(Exceptione)//TODOAuto-generatedcatchblock}SimpleAuthorizationInfosimpleAuthorizationInfo=for(SysPermission}return}}8.3shirorealmrealmShiro8.3shirorealmrealmShiroEhcache8.3.1添Ehcachejar8.3.28.4session<beanid="securityManager"<propertyname="realm"ref="userRealm"<propertyname="sessionManager"ref="sessionManager"<bean<beanid="securityManager"<propertyname="realm"ref="userRealm"<propertyname="sessionManager"ref="sessionManager"<propertyname="cacheManager"<beanid="cacheManager"8.5驗(yàn)證8.5.18.5驗(yàn)證8.5.1publicclassMyFormAuthenticationFilterFormAuthenticationFilterprotectedbooleanonAccessDenied(ServletRequestrequest,ServletResponseresponse,ObjectmappedValue)throwsExceptionHttpSessionsession=Stringrandomcode=StringvalidateCode=(String)if(!randomcode.equals(validateCode))//randomCodeError表示驗(yàn)證碼錯(cuò)誤return}returnsuper.onAccessDenied(request,response,}}session<propertyname="globalSessionTimeout"刪除失效的session<propertyname="deleteInvalidSessions"8.5.2修改FormAuthenticationFilter8.5.2修改FormAuthenticationFilter8.5.38.5.4配置validatecode.jsp匿名訪<TD><inputid="randomcode"size="8"/>src="${baseurl}validatecode.jsp"alt=""width="56"height="20"/><beanid="formAuthenticationFilter"<beanid="formAuthenticationFilter"8.6記住8.6記住8.6.28.6.38.6.3login.jsp中添加“記住我”checkbox<beanid="formAuthenticationFilter"表單中賬號(hào)的input<propertyname="usernameParam"value="usercode"表單中密碼的input<propertyname="passwordParam"value="password"<propertyname="rememberMeParam"loginurl：用戶登陸地址，此地址是可以h