GDreams0 2019-12-22
1. JdbcRealm 数据库准备
JdbcRealm就是用户的角色,权限都从数据库中读取,也就是用来进行用户认证授权的安全数据源更换为从数据库中读取,其他没有差别,首先在数据库创建三张表:
CREATE TABLE `users` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `username` varchar(100) DEFAULT NULL, `password` varchar(100) DEFAULT NULL, `password_salt` varchar(100) DEFAULT NULL, PRIMARY KEY (`id`), UNIQUE KEY `idx_users_username` (`username`) ) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=utf8;
CREATE TABLE `user_roles` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `username` varchar(100) DEFAULT NULL, `role_name` varchar(100) DEFAULT NULL, PRIMARY KEY (`id`), UNIQUE KEY `idx_user_roles` (`username`,`role_name`) ) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
CREATE TABLE `roles_permissions` ( `id` bigint(20) NOT NULL AUTO_INCREMENT, `role_name` varchar(100) DEFAULT NULL, `permission` varchar(100) DEFAULT NULL, PRIMARY KEY (`id`), UNIQUE KEY `idx_roles_permissions` (`role_name`,`permission`) ) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;
插入数据:
INSERT INTO `users` VALUES (1,‘jack‘,‘123‘,NULL),(2,‘xdclass‘,‘456‘,NULL); INSERT INTO `roles_permissions` VALUES (4,‘admin‘,‘video:*‘),(3,‘role1‘,‘video:buy‘),(2,‘role1‘,‘video:find‘),(5,‘role2‘,‘*‘),(1,‘root‘,‘*‘); INSERT INTO `user_roles` VALUES (1,‘jack‘,‘role1‘),(2,‘jack‘,‘role2‘),(4,‘xdclass‘,‘admin‘),(3,‘xdclass‘,‘root‘);
2. JdbcRealm 配置文件
#注意 文件格式必须为ini,编码为ANSI #声明Realm,指定realm类型 jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm #配置数据源 #dataSource=com.mchange.v2.c3p0.ComboPooledDataSource dataSource=com.alibaba.druid.pool.DruidDataSource # mysql-connector-java 5 用的驱动url是com.mysql.jdbc.Driver,mysql-connector-java6以后用的是com.mysql.cj.jdbc.Driver dataSource.driverClassName=com.mysql.cj.jdbc.Driver #避免安全警告 dataSource.url=jdbc:mysql://localhost:3306/xdclass_shiro?characterEncoding=UTF-8&serverTimezone=UTC&useSSL=false dataSource.username=root dataSource.password=lchadmin #指定数据源 jdbcRealm.dataSource=$dataSource #开启查找权限,否则不会自动查询角色对应的权限,造成实际有权限,调用subject.isPermitted()返回false jdbcRealm.permissionsLookupEnabled=true #指定SecurityManager的Realms实现,设置realms,可以有多个,用逗号隔开 securityManager.realms=$jdbcRealm
测试代码
package net.xdclass.xdclassshiro; import com.alibaba.druid.pool.DruidDataSource; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.config.IniSecurityManagerFactory; import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.mgt.SecurityManager; import org.apache.shiro.realm.jdbc.JdbcRealm; import org.apache.shiro.subject.Subject; import org.apache.shiro.util.Factory; import org.junit.Test; /** * jdbcRealm操作 */ public class QuicksStratTest5_3 { @Test public void testAuthentication() { //通过配置文件创建SecurityManager工厂 Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:jdbcrealm.ini"); // 获取SecurityManager实例 SecurityManager securityManager = factory.getInstance(); //设置当前上下文 SecurityUtils.setSecurityManager(securityManager); //获取当前subject(application应用的user) Subject subject = SecurityUtils.getSubject(); // 模拟用户输入 UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken("jack","123"); // subject.login(usernamePasswordToken); System.out.println("认证结果(是否已授权):" + subject.isAuthenticated()); //最终调用的是org.apache.shiro.authz.ModularRealmAuthorizer.hasRole方法 System.out.println("是否有role1角色:" + subject.hasRole("role1")); System.out.println("是否有role2角色:" + subject.hasRole("role2")); System.out.println("是否有root角色:" + subject.hasRole("root")); //获取登录 账号 System.out.println("getPrincipal():" + subject.getPrincipal()); //校验角色,没有返回值,校验不通过,直接跑出异常 subject.checkRole("role1"); System.out.println("=======subject.checkRole(\"role1\") passed=====" ); // user jack有video的find权限,执行通过 subject.checkPermission("video:find"); // 是否有video:find权限:true System.out.println("是否有video:find权限:" + subject.isPermitted("video:find")); // 是否有video:delete权限:false System.out.println("是否有video:delete权限:" + subject.isPermitted("video:delete")); //user jack没有video的删除权限,执行会报错:org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [video:delete] subject.checkPermission("video:delete"); subject.logout(); System.out.println("logout后认证结果:" + subject.isAuthenticated()); /* org.apache.shiro.realm.jdbc.JdbcRealm源码 * 1. class JdbcRealm extends AuthorizingRealm * 2. 预置了默认的查询语句,因此创建数据库时字段名字要与这里定义的一致!!! * protected static final String DEFAULT_AUTHENTICATION_QUERY = "select password from users where username = ?"; protected static final String DEFAULT_SALTED_AUTHENTICATION_QUERY = "select password, password_salt from users where username = ?"; #根据用户名称查角色 protected static final String DEFAULT_USER_ROLES_QUERY = "select role_name from user_roles where username = ?"; * #根据用户名称查权限 protected static final String DEFAULT_PERMISSIONS_QUERY = "select permission from roles_permissions where role_name = ?"; protected String authenticationQuery = "select password from users where username = ?"; protected String userRolesQuery = "select role_name from user_roles where username = ?"; * #根据角色查询权限 protected String permissionsQuery = "select permission from roles_permissions where role_name = ?"; * * 3. protected boolean permissionsLookupEnabled = false; 这个开关默认是关闭的,需要手动打开 * 4. * protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { if (principals == null) { throw new AuthorizationException("PrincipalCollection method argument cannot be null."); } else { String username = (String)this.getAvailablePrincipal(principals); Connection conn = null; Set<String> roleNames = null; Set permissions = null; try { conn = this.dataSource.getConnection(); roleNames = this.getRoleNamesForUser(conn, username); if (this.permissionsLookupEnabled) { permissions = this.getPermissions(conn, username, roleNames); } } catch (SQLException var11) { String message = "There was a SQL error while authorizing user [" + username + "]"; if (log.isErrorEnabled()) { log.error(message, var11); } throw new AuthorizationException(message, var11); } finally { JdbcUtils.closeConnection(conn); } SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames); info.setStringPermissions(permissions); return info; } * */ } @Test public void test2(){// 不使用配置文件的情况下: DefaultSecurityManager securityManager = new DefaultSecurityManager(); DruidDataSource ds = new DruidDataSource(); ds.setDriverClassName("com.mysql.cj.jdbc.Driver"); ds.setUrl("jdbc:mysql://localhost:3306/xdclass_shiro?characterEncoding=UTF-8&serverTimezone=UTC&useSSL=false"); ds.setUsername("root"); ds.setPassword("lchadmin"); JdbcRealm jdbcRealm = new JdbcRealm(); jdbcRealm.setPermissionsLookupEnabled(true); jdbcRealm.setDataSource(ds); securityManager.setRealm(jdbcRealm); // 将securityManager设置到当前运行环境中 SecurityUtils.setSecurityManager(securityManager); //获取当前subject(application应用的user) Subject subject = SecurityUtils.getSubject(); // 模拟用户输入 UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken("jack","123"); // subject.login(usernamePasswordToken); System.out.println("认证结果(是否已授权):" + subject.isAuthenticated()); //最终调用的是org.apache.shiro.authz.ModularRealmAuthorizer.hasRole方法 System.out.println("是否有role1角色:" + subject.hasRole("role1")); System.out.println("是否有role2角色:" + subject.hasRole("role2")); System.out.println("是否有root角色:" + subject.hasRole("root")); //获取登录 账号 System.out.println("getPrincipal():" + subject.getPrincipal()); //校验角色,没有返回值,校验不通过,直接抛出异常 subject.checkRole("role1"); System.out.println("=======subject.checkRole(\"role1\") passed=====" ); // user jack有video的find权限,执行通过 subject.checkPermission("video:find"); // 是否有video:find权限:true System.out.println("是否有video:find权限:" + subject.isPermitted("video:find")); // 是否有video:delete权限:false System.out.println("是否有video:delete权限:" + subject.isPermitted("video:delete")); //user jack没有video的删除权限,执行会报错:org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [video:delete] subject.checkPermission("video:delete"); } }