3. Logging in
Above, we configured Shiro's chain of operations: login verification, password-verification rules, user authorization and so on. Now we perform the login itself. The login logic lives in LoginController.java:
import com.zyxx.common.consts.SystemConst;
import com.zyxx.common.enums.StatusEnums;
import com.zyxx.common.kaptcha.KaptchaUtil;
import com.zyxx.common.shiro.SingletonLoginUtils;
import com.zyxx.common.utils.PasswordUtils;
import com.zyxx.common.utils.ResponseResult;
import com.zyxx.sbm.entity.UserInfo;
import com.zyxx.sbm.service.PermissionInfoService;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiImplicitParam;
import io.swagger.annotations.ApiImplicitParams;
import io.swagger.annotations.ApiOperation;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.subject.Subject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * @ClassName LoginController
 * @Description
 * @Author Lizhou
 * @Date 2020-07-02 10:54:54
 **/
@Api(tags = "后台管理端--登录")
@Controller
public class LoginController {

    @Autowired
    private PermissionInfoService permissionInfoService;

    @ApiOperation(value = "请求登录页面", notes = "请求登录页面")
    @GetMapping("login")
    public String init() {
        return "login";
    }

    @ApiOperation(value = "请求主页面", notes = "请求主页面")
    @GetMapping("/")
    public String index() {
        return "index";
    }

    @ApiOperation(value = "登录验证", notes = "登录验证")
    @ApiImplicitParams({
            @ApiImplicitParam(name = "account", value = "账号", required = true),
            @ApiImplicitParam(name = "password", value = "密码", required = true),
            @ApiImplicitParam(name = "resCode", value = "验证码", required = true),
            @ApiImplicitParam(name = "rememberMe", value = "记住登录", required = true)
    })
    @PostMapping("doLogin")
    @ResponseBody
    public ResponseResult doLogin(String account, String password, String resCode, Boolean rememberMe,
                                  HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Captcha check
        if (!KaptchaUtil.validate(resCode, request)) {
            return ResponseResult.getInstance().error(StatusEnums.KAPTCH_ERROR);
        }
        // Verify account and password
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(account, password);
        // Remember login state (null-safe: a Boolean parameter is null when the form omits it)
        token.setRememberMe(Boolean.TRUE.equals(rememberMe));
        try {
            // Perform the login; this invokes the Realm configured in step 2
            subject.login(token);
            // Store the authenticated user in the session
            UserInfo userInfo = (UserInfo) subject.getPrincipal();
            request.getSession().setAttribute(SystemConst.SYSTEM_USER_SESSION, userInfo);
            return ResponseResult.getInstance().success();
        } catch (UnknownAccountException e) {
            return ResponseResult.getInstance().error("账户不存在");
        } catch (DisabledAccountException e) {
            return ResponseResult.getInstance().error("账户已被冻结");
        } catch (IncorrectCredentialsException e) {
            return ResponseResult.getInstance().error("密码不正确");
        } catch (ExcessiveAttemptsException e) {
            return ResponseResult.getInstance().error("密码连续输入错误超过5次,锁定半小时");
        } catch (RuntimeException e) {
            return ResponseResult.getInstance().error("未知错误");
        }
    }

    @ApiOperation(value = "登录成功,跳转主页面", notes = "登录成功,跳转主页面")
    @PostMapping("success")
    public String success() {
        return "redirect:/";
    }

    @ApiOperation(value = "初始化菜单数据", notes = "初始化菜单数据")
    @GetMapping("initMenu")
    @ResponseBody
    public String initMenu() {
        return permissionInfoService.initMenu();
    }

    @ApiOperation(value = "退出登录", notes = "退出登录")
    @GetMapping(value = "loginOut")
    public String logout() {
        Subject subject = SecurityUtils.getSubject();
        subject.logout();
        return "login";
    }
}
When subject.login(token); executes, control enters the login-verification Realm we wrote in the second item of step 2, which checks the user's password and account status and then performs authorization. The password submitted at login must be the value produced by the password-encryption utility; otherwise verification fails.
4. Page-level permission control
This time we use the thymeleaf template engine, so we need to add the following to the html file:
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
This declares the thymeleaf namespace and the shiro namespace, so we can use thymeleaf and shiro tags in the html file.
For example:
1. Check whether the current user has this permission, by permission identifier
<button class="layui-btn" shiro:hasPermission="user_info_add"><i class="layui-icon"></i> 新增 </button>
2. The opposite of the above: check that the current user lacks this permission, by permission identifier; the check passes when the permission is absent
<button class="layui-btn" shiro:lacksPermission="user_info_add"><i class="layui-icon"></i> 新增 </button>
3. Check whether the current user has all of the following permissions, by permission identifier
<button class="layui-btn" shiro:hasAllPermissions="user_info_add"><i class="layui-icon"></i> 新增 </button>
4. Check whether the current user has any of the following permissions, by permission identifier
<button class="layui-btn" shiro:hasAnyPermissions="user_info_add"><i class="layui-icon"></i> 新增 </button>
5. Check whether the current user has this role, by role identifier
<a shiro:hasRole="admin" href="admin.html">Administer the system</a>
6. The opposite of the above: check that the current user lacks this role, by role identifier; the check passes when the role is absent
<a shiro:lacksRole="admin" href="admin.html">Administer the system</a>
7. Check whether the current user has all of the following roles, by role identifier
<a shiro:hasAllRoles="admin,role1,role2" href="admin.html">Administer the system</a>
8. Check whether the current user has any of the following roles, by role identifier
<a shiro:hasAnyRoles="admin,role1,role2" href="admin.html">Administer the system</a>
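As an added example (not code from the original project), the login flow from section 3 and the checks that the shiro tags above evaluate, run stand-alone against a constructed in-memory IniRealm instead of the step-2 database Realm. The realm's plain-text password, the "user_info_delete"/"user_info_export" permissions and the account names are made up for the demo; it also shows returning one shared client message for unknown-account and wrong-password failures while logging the exact Shiro exception server-side.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ShiroLoginDemo {
    // Constructed in-memory realm standing in for the database realm of step 2; the
    // plain-text password is for this demo only ([users]: name = password, role...).
    static void setUp() {
        Ini ini = new Ini();
        ini.addSection("users").put("admin", "secret, admin");
        ini.addSection("roles").put("admin", "user_info_add, user_info_delete");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
    }
    // Same steps as doLogin above (captcha omitted). Unknown account and wrong password
    // share one client message; the exact Shiro exception is only logged server-side.
    static String doLogin(String account, String password, boolean rememberMe) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(account, password);
        token.setRememberMe(rememberMe);
        try {
            subject.login(token);                   // runs the realm's doGetAuthenticationInfo
            return "success";
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            System.err.println("login failed for " + account + ": " + e.getClass().getSimpleName());
            return "invalid account or password";
        } catch (ExcessiveAttemptsException e) {    // thrown by a realm that counts failures
            return "too many failed attempts, account locked";
        } catch (DisabledAccountException e) {      // also covers LockedAccountException
            return "account disabled";
        } catch (AuthenticationException e) {       // any other Shiro authentication failure
            return "unknown error";
        }
    }
    public static void main(String[] args) {
        setUp();
        System.out.println(doLogin("nobody", "secret", false)); // invalid ... (log: UnknownAccountException)
        System.out.println(doLogin("admin", "wrong", false));   // invalid ... (log: IncorrectCredentialsException)
        System.out.println(doLogin("admin", "secret", true));   // success
        Subject s = SecurityUtils.getSubject();                 // what the template tags evaluate:
        System.out.println(s.hasRole("admin"));                                    // true  (shiro:hasRole)
        System.out.println(s.isPermitted("user_info_add"));                        // true  (shiro:hasPermission)
        System.out.println(s.isPermittedAll("user_info_add", "user_info_export")); // false (shiro:hasAllPermissions)
        s.logout();
        System.exit(0);   // stop Shiro's default session-validation scheduler thread
    }
}
```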
That concludes integrating Shiro into SpringBoot for permission management.