权限控制常用的有shiro、spring security,两者相比较,各有优缺点,此篇文章以shiro为例,实现系统的权限控制。

一、数据库的设计

简单的五张表,用户、角色、权限及关联表:

CREATE TABLE `sysrole` (

  `id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键',

  `name` varchar(255) NOT NULL,

  `role` varchar(255) NOT NULL COMMENT '角色名',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COMMENT='角色表';

CREATE TABLE `sysuser` (

  `id` int(11) NOT NULL AUTO_INCREMENT COMMENT '主键',

  `username` varchar(250) NOT NULL,

  `password` varchar(250) NOT NULL,

  `salt` varchar(250) NOT NULL COMMENT '密码盐',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8 COMMENT='用户表';

CREATE TABLE `user_role` (

  `id` int(11) NOT NULL AUTO_INCREMENT,

  `user_id` int(11) NOT NULL,

  `role_id` int(11) NOT NULL,

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8 COMMENT='用户角色表';

CREATE TABLE `syspermission` (

  `id` int(11) NOT NULL AUTO_INCREMENT,

  `name` varchar(250) NOT NULL COMMENT '权限名称',

  `type` int(1) NOT NULL COMMENT '权限类型,1菜单menu,2按钮button,3数据data',

  `permission` varchar(250) NOT NULL COMMENT '权限表达式',

  `parent_id` int(11) NOT NULL COMMENT '父级ID',

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=19 DEFAULT CHARSET=utf8 COMMENT='权限表';

CREATE TABLE `role_permission` (

  `id` int(11) NOT NULL AUTO_INCREMENT,

  `role_id` int(11) NOT NULL,

  `permission_id` int(11) NOT NULL,

  PRIMARY KEY (`id`)

) ENGINE=InnoDB AUTO_INCREMENT=35 DEFAULT CHARSET=utf8 COMMENT='角色权限表';

二、配置shiro

1.pom.xml文件中引入shiro的jar包

     <dependency>

              <groupId>org.apache.shiro</groupId>

              <artifactId>shiro-spring</artifactId>

              <version>1.3.2</version>

        </dependency>

        <dependency>

              <groupId>org.apache.shiro</groupId>

              <artifactId>shiro-core</artifactId>

              <version>1.3.2</version>

        </dependency>

        <dependency>

            <groupId>org.apache.shiro</groupId>

            <artifactId>shiro-ehcache</artifactId>

            <version>1.3.2</version>

        </dependency>

        <dependency>

            <groupId>org.apache.shiro</groupId>

            <artifactId>shiro-guice</artifactId>

            <version>1.3.2</version>

        </dependency>

2、编写shiro的配置文件

import java.util.LinkedHashMap;

import java.util.LinkedList;

import java.util.Map;

import org.apache.shiro.authc.UsernamePasswordToken;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;

import org.apache.shiro.cache.ehcache.EhCacheManager;

import org.apache.shiro.codec.Base64;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.session.SessionListener;

import org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler;

import org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO;

import org.apache.shiro.spring.LifecycleBeanPostProcessor;

import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;

import org.apache.shiro.web.mgt.CookieRememberMeManager;

import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

import org.apache.shiro.web.servlet.SimpleCookie;

import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;

import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;

import org.springframework.beans.factory.config.MethodInvokingFactoryBean;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.context.annotation.DependsOn;

import at.pollux.thymeleaf.shiro.dialect.ShiroDialect;

@Configuration

public class ShiroConfig {

    private static Map<String, String> filterChainDefinitionMap = new LinkedHashMap<String, String>();

    //缓存管理器

    @Bean(name = "cacheShiroManager")

    public EhCacheManager getCacheManager(){

        return new EhCacheManager();

    }

    //生命周期处理器

    @Bean(name = "lifecycleBeanPostProcessor")

    public LifecycleBeanPostProcessor getLifecycleBeanPostProcessor(){

        return new LifecycleBeanPostProcessor();

    }

    //hash加密处理

    @Bean(name = "hashedCredentialsMatcher")

    public HashedCredentialsMatcher getHashedCredentialsMatcher(){

        HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();

        credentialsMatcher.setHashAlgorithmName("MD5");

        credentialsMatcher.setHashIterations(2);//散列的次数,比如散列两次,相当于 md5(md5(""));

        credentialsMatcher.setStoredCredentialsHexEncoded(true);

        return     credentialsMatcher;

    }

    //浏览器会话的cookie管理

    @Bean(name = "sessionIdCookie")

    public SimpleCookie getSessionIdCookie(){

        SimpleCookie cookie = new SimpleCookie("sid");

        cookie.setHttpOnly(true);

        cookie.setMaxAge(-1);//浏览器关闭时失效此Cookie;

        return cookie;

    }

    //记住我的cookie管理

    @Bean(name = "rememberMeCookie")

    public SimpleCookie getRememberMeCookie(){

        SimpleCookie cookie = new SimpleCookie("rememberMe");

        //如果httyOnly设置为true,则客户端不会暴露给客户端脚本代码,使用HttpOnly cookie有助于减少某些类型的跨站点脚本攻击;

        cookie.setHttpOnly(true);

        cookie.setMaxAge(2592000);//记住我的cookie有效期30天

        return cookie;

    }

    //记住我cookie管理器

    @Bean

    public CookieRememberMeManager getRememberManager(){

        CookieRememberMeManager meManager = new CookieRememberMeManager();

        meManager.setCipherKey(Base64.decode("4AvVhmFLUs0KTA3Kprsdag=="));

        meManager.setCookie(getRememberMeCookie());

        return meManager;

    }

    //session验证管理器

    @Bean(name = "sessionValidationScheduler")

    public ExecutorServiceSessionValidationScheduler getExecutorServiceSessionValidationScheduler(){

        ExecutorServiceSessionValidationScheduler scheduler = new ExecutorServiceSessionValidationScheduler();

        //设置session验证时间,15分钟一次

        scheduler.setInterval(900000);

        return scheduler;

    }

    @Bean(name = "sessionManager")

    public DefaultWebSessionManager getSessionManage(){

        DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();

        sessionManager.setGlobalSessionTimeout(1800000);//过期时间30分钟

        //session定期验证

        sessionManager.setSessionValidationScheduler(getExecutorServiceSessionValidationScheduler());

        sessionManager.setDeleteInvalidSessions(true);

        //会话cookie

        sessionManager.setSessionIdCookie(getSessionIdCookie());

        sessionManager.setSessionIdCookieEnabled(true);

        sessionManager.setSessionValidationSchedulerEnabled(true);

        //session监听

        LinkedList<SessionListener> list = new LinkedList<SessionListener>();

        list.add(new MyShiroSessionListener());

        sessionManager.setSessionListeners(list);

        //session的存储

        EnterpriseCacheSessionDAO cacheSessionDAO = new EnterpriseCacheSessionDAO();

        sessionManager.setCacheManager(getCacheManager());

        sessionManager.setSessionDAO(cacheSessionDAO);

        return sessionManager;

    }

    @Bean(name = "myRealm")

    public AuthorizingRealm  getShiroRealm(){

        AuthorizingRealm  realm = new MyShiroRealm(getCacheManager(),getHashedCredentialsMatcher());

        realm.setName("my_shiro_auth_cache");

//        realm.setAuthenticationCache(getCacheManager().getCache(realm.getName()));

        realm.setAuthenticationTokenClass(UsernamePasswordToken.class);

        realm.setCredentialsMatcher(getHashedCredentialsMatcher());

        return realm;

    }

    @Bean(name = "securityManager")

    public DefaultWebSecurityManager getSecurityManager(){

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();

        securityManager.setCacheManager(getCacheManager());

        securityManager.setRealm(getShiroRealm());

        securityManager.setRememberMeManager(getRememberManager());

        securityManager.setSessionManager(getSessionManage());

        return securityManager;

    }

    @Bean

    public MethodInvokingFactoryBean getMethodInvokingFactoryBean(){

        MethodInvokingFactoryBean factoryBean = new MethodInvokingFactoryBean();

        factoryBean.setStaticMethod("org.apache.shiro.SecurityUtils.setSecurityManager");

        factoryBean.setArguments(new Object[]{getSecurityManager()});

        return factoryBean;

    }

    @Bean

    @DependsOn("lifecycleBeanPostProcessor")

    public DefaultAdvisorAutoProxyCreator getAutoProxyCreator(){

        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();

        creator.setProxyTargetClass(true);

        return creator;

    }

    @Bean

    public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor(){

        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();

        advisor.setSecurityManager(getSecurityManager());

        return advisor;

    }

    @Bean

    public ShiroFilterFactoryBean getShiroFilterFactoryBean(){

        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();

        factoryBean.setSecurityManager(getSecurityManager());

        //设置登录页面路径

        factoryBean.setLoginUrl("/login");

        //设置登录成功跳转的路径,此方法有bug

     // factoryBean.setSuccessUrl("/manager/hello");

        //将无需拦截的方法及页面使用anon配置

        filterChainDefinitionMap.put("", "anon");

        //将需认证的方法及页面使用authc配置

        filterChainDefinitionMap.put("", "authc");  
 

        factoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);

        return factoryBean;

    }

    @Bean(name = "shiroDialect")

    public ShiroDialect shiroDialect(){

        return new ShiroDialect();

    }

}

3、自定义shiroRealm

import javax.annotation.Resource;

import org.apache.log4j.Logger;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authc.AuthenticationInfo;

import org.apache.shiro.authc.AuthenticationToken;

import org.apache.shiro.authc.IncorrectCredentialsException;

import org.apache.shiro.authc.SimpleAuthenticationInfo;

import org.apache.shiro.authc.UsernamePasswordToken;

import org.apache.shiro.authc.credential.CredentialsMatcher;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.authz.SimpleAuthorizationInfo;

import org.apache.shiro.cache.CacheManager;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.subject.PrincipalCollection;

import org.apache.shiro.util.ByteSource;

import org.thymeleaf.util.StringUtils;

public class MyShiroRealm extends AuthorizingRealm {

    //注入查询用户信息的service层

    @Resource

        private IAuthorityService authorityService;

    private Logger log = Logger.getLogger(MyShiroRealm.class);

    public MyShiroRealm(CacheManager cacheManager, CredentialsMatcher matcher) {

        super(cacheManager, matcher);

    }

    //授权

    @Override

    protected AuthorizationInfo doGetAuthorizationInfo(

            PrincipalCollection principals) {

        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();

        SysUser user = (SysUser) principals.getPrimaryPrincipal();

        for(SysRole role:user.getRoleList()){

            authorizationInfo.addRole(role.getRole());

            for(SysPermission p:role.getPermissions()){

                authorizationInfo.addStringPermission(p.getPermission());

            }

        }

        return authorizationInfo;

    }

   //认证

    @Override

    protected AuthenticationInfo doGetAuthenticationInfo(

            AuthenticationToken token) throws AuthenticationException {

        UsernamePasswordToken user = (UsernamePasswordToken) token;

        String username = user.getUsername();

        String password = user.getPassword().toString();

        user.isRememberMe();

        if(StringUtils.isEmpty(username)){

            throw new IncorrectCredentialsException("username is null");

        }else if(StringUtils.isEmpty(password)){

            throw new IncorrectCredentialsException("password is null");

        }

        //根据账户名称查询用户信息

        SysUser sysUser = authorityService.findByUsername(username);

        if(sysUser == null){

            log.error("用户不存在"+username);

            return null;

        }
     //密码加密策略可自定义,此处使用自定义的密码盐CredentialsSalt
    SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(sysUser,sysUser.getPassword(), ByteSource.Util.bytes(sysUser.getCredentialsSalt()),getName());
     return authenticationInfo; 
  } 
}

4、自定义session监听

import org.apache.log4j.Logger;

import org.apache.shiro.session.Session;

import org.apache.shiro.session.SessionListener;

public class MyShiroSessionListener implements SessionListener {

    private Logger log = Logger.getLogger(MyShiroSessionListener.class);

    @Override

    public void onStart(Session session) {

        log.info("----会话创建:"+session.getId());

    }

    @Override

    public void onStop(Session session) {

        log.info("----会话停止:"+session.getId());

    }

    @Override

    public void onExpiration(Session session) {

        log.info("----会话过期:"+session.getId());

    }

}

三、使用注解控制后台方法的权限

@RequiresAuthentication,认证通过可访问

@RequiresPermissions("***"),有***权限可访问

@RequiresGuest,游客即可访问

@RequiresRoles("***"),有***角色可访问

@RequiresUser("***"),是***用户可访问

四、使用shiro标签细粒度控制页面按钮及数据的权限

thyemleaf模板引入shiro标签库

<html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">

<shiro:guest/>

<shiro:user/>

<shiro:principal/>

<shiro:hasPermission/>

<shiro:lacksPermission/>

<shiro:hasRole/>

<shiro:lacksRole/>

<shiro:hasAnyRoles/>

<shiro:authenticated/>

<shiro:notAuthenticated/>

使用方法参考:shiro官网

shiro权限控制的简单实现的更多相关文章

  1. shiro权限控制入门

    一:权限控制两种主要方式 粗粒度 URL 级别权限控制和细粒度方法级别权限控制 1.粗粒度 URL 级别权限控制 可以基于 Filter 实现在数据库中存放 用户.权限.访问 URL 对应关系, 当前 ...

  2. Spring boot后台搭建二为Shiro权限控制添加缓存

    在添加权限控制后,添加方法 查看 当用户访问”获取用户信息”.”新增用户”和”删除用户”的时,后台输出打印如下信息 , Druid数据源SQL监控 为了避免频繁访问数据库获取权限信息,在Shiro中加 ...

  3. Spring boot后台搭建二集成Shiro权限控制

    上一篇文章,实现了用户验证 查看,接下来实现下权限控制 权限控制,是管理资源访问的过程,用于对用户进行的操作授权,证明该用户是否允许进行当前操作,如访问某个链接,某个资源文件等 Apache Shir ...

  4. shiro权限控制配置

    shiro配置流程 web.xml中配置shiro的filter spring中配置shiro的过滤器工厂,指定对不同地址权限控制 , 传入安全管理器 配置安全管理器,传入realm,realm中定义 ...

  5. ASP.NET MVC中权限控制的简单实现

    1.重写AuthorizeAttribute类,用自己的权限控制逻辑重写AuthorizeCore方法 public class MyAuthorizeAttribute : AuthorizeAtt ...

  6. shiro权限控制

    1.1  简介 Apache Shiro是Java的一个安全框架.目前,使用Apache Shiro的人越来越多,因为它相当简单,对比Spring Security,可能没有Spring Securi ...

  7. Shiro权限控制框架

    Subject:主体,可以看到主体可以是任何可以与应用交互的"用户": SecurityManager:相当于SpringMVC中的DispatcherServlet或者Strut ...

  8. shiro权限控制(一):shiro介绍以及整合SSM框架

    shiro安全框架是目前为止作为登录注册最常用的框架,因为它十分的强大简单,提供了认证.授权.加密和会话管理等功能 . shiro能做什么? 认证:验证用户的身份 授权:对用户执行访问控制:判断用户是 ...

  9. JFinal配合Shiro权限控制在FreeMarker模板引擎中控制到按钮粒度的使用

    实现在FreeMarker模板中控制对应按钮的显示隐藏主要用到了Shiro中的hasRole, hasAnyRoles, hasPermission以及Authenticated等方法,我们可以实现T ...

随机推荐

  1. phpstudy php5.4以上版本伪静态设置 thinkphp

    http://www.thinkphp.cn/topic/35958.html <IfModule mod_rewrite.c> Options +FollowSymlinks -Mult ...

  2. dedecms v5.7 图片集“图集内容”无法调用的解决办法

    在dedecms的图片集模型或者基于图片集模型修改的自定义模型中 内容页模板使用 {dede:field.body/} 方式来调用body字段是没有输出的(原因不明,未继续深入) 但有些时候当需要在内 ...

  3. [SinGuLaRiTy] 复习模板-数学

    [SinGuLaRiTy-1047] Copyright (c) SinGuLaRiTy 2017. All Rights Reserved. 质因数分解 void solve(int n) { == ...

  4. 数据库复习总结(6)-SQL语句入门(脚本、命令)

    脚本操作: 脚本操作 注释:--单行注释,/**/多行注释 数据库:创建.删除 (可以通过查看master数据库中的sysdatabase表,来了解当前存在的数据库) 点击“新建查询”,选中哪句执行哪 ...

  5. Node.js进阶:5分钟入门非对称加密方法

    前言 刚回答了SegmentFault上一个兄弟提的问题<非对称解密出错>.这个属于Node.js在安全上的应用,遇到同样问题的人应该不少,基于回答的问题,这里简单总结下. 非对称加密的理 ...

  6. IOS @proporty 关键字(一)retain strong

    @interface User : NSObject @property (nonatomic,retain) NSString* tRetain; @property (nonatomic,assi ...

  7. Hystrix-命令名称、分组以及线程池划分

    命令名称: 1.1 以继承的方式实现Hystrix命令使用类名作为默认的命令名称,我们也可以在构造函数中通过Setter静态类来设置 1.2 为了保存每个命令分配的Setter分配,你也可以像这样缓存 ...

  8. linux_http协议

    什么是http协议? 超文本传输协议 最流行www服务,是http协议的实现 ssh,nfs,rsync客户端(Client)和服务端(Server),C/S架构,局域网内部用,胖客户端 http协议 ...

  9. 如何去掉ul标签的多余空白或多余大距离?

    在css中写入 ul{ margin:; padding:; list-style: none; } 让其内边距和外边距为0,列表样式为空

  10. WebService初入

    WebService 1. WebService基本认识 WebService最早是微软提出了一种以XML为载体网络信息传输的规范,现在几乎所有的语言与平台都支持,带有状态机制,不依赖于容器,可以发送 ...