【Java漏洞】Shiro 漏洞：SpringBoot 整合 Shiro+JdbcRealm

JdbcRealm

其中JdbcRealm需要创建如下表结构:

CREATE TABLE `users`(id int primary key auto_increment,username varchar(60) not null unique,password varchar(60) not null,password_salt varchar(20)
);
-- 创建五个用户如下
INSERT INTO `users`(username, password) VALUES('zhangsan', '123456');
INSERT INTO `users`(username, password) VALUES('lisi', '123456');
INSERT INTO `users`(username, password) VALUES('wangwu', '123456');
INSERT INTO `users`(username, password) VALUES('zhaoliu', '123456');
INSERT INTO `users`(username, password) VALUES('chenqi', '123456');CREATE TABLE `user_roles`(id int primary key auto_increment,username varchar(60) not null,role_name varchar(100) not null
);
-- 给这五个用户分别增加如下角色
-- admin 系统管理人员
-- cmanager 库管人员
-- xmanager 销售人员
-- kmanager 客服人员
-- zmanager 行政人员
INSERT INTO `user_roles`(username, role_name) VALUES('zhangsan', 'admin');
INSERT INTO `user_roles`(username, role_name) VALUES('lisi', 'cmanager');
INSERT INTO `user_roles`(username, role_name) VALUES('wangwu', 'xmanager');
INSERT INTO `user_roles`(username, role_name) VALUES('zhaoliu', 'kmanager');
INSERT INTO `user_roles`(username, role_name) VALUES('chenqi', 'zmanager');CREATE TABLE `roles_permissions`(id int primary key auto_increment,role_name varchar(100) not null,permission varchar(100) not null
);
-- admin 具备所有权限
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("admin", "*");
-- 库管人员具备的权限
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("cmanager", "sys:c:save");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("cmanager", "sys:c:delete");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("cmanager", "sys:c:update");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("cmanager", "sys:c:find");
-- 销售人员具备的权限
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:c:find");INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:x:save");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:x:delete");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:x:update");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:x:find");INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:k:save");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:k:delete");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:k:update");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("xmanager", "sys:k:find");
-- 客服人员所具备的权限
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("kmanager", "sys:k:update");
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("kmanager", "sys:k:find");
-- 行政人员
INSERT INTO `roles_permissions`(`role_name`,`permission`) VALUES("zmanager", "sys:*:find");

当前表结构如果想要查询具体用户是否具有某种权限的话, 关系如下:

那么此时我们修改ShiroAutoConfiguration类代码如下:

@Configuration
public class ShiroAutoConfiguration {
//    @Bean
//    public IniRealm getIniRealm() { // 先使用 IniReal 做演示
//        IniRealm iniRealm = new IniRealm("classpath:shiro.ini");
//        return iniRealm;
//    }@Beanpublic JdbcRealm getJdbcRealm(DataSource dataSource) {JdbcRealm jdbcRealm = new JdbcRealm();jdbcRealm.setDataSource(dataSource); // druid-spring-boot-starter 已经配置好了, 直接引用即可jdbcRealm.setPermissionsLookupEnabled(true); // 默认开启认证功能, 需手动开启授权功能return jdbcRealm;}@Beanpublic SecurityManager getSecurityManager(JdbcRealm ream) {DefaultWebSecurityManager defaultWebSecurityManager = new DefaultWebSecurityManager();defaultWebSecurityManager.setRealm(ream); // 要想完成校验, 需要 Realm// SecurityUtils.setSecurityManager(defaultWebSecurityManager); // 设置 SecurityUtils 下的 SecurityManagerreturn defaultWebSecurityManager;}@Beanpublic ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();shiroFilterFactoryBean.setSecurityManager(securityManager);HashMap<String,String> filterMap = new HashMap();filterMap.put("/", "anon");filterMap.put("/login", "anon");filterMap.put("/register", "anon");filterMap.put("/user/login", "anon");filterMap.put("/**", "authc");filterMap.put("/static/**", "anon");shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap); // 将规则设置进来shiroFilterFactoryBean.setLoginUrl("/login"); // 设置默认的登录界面shiroFilterFactoryBean.setUnauthorizedUrl("/"); // 设置未授权访问的跳转URLreturn shiroFilterFactoryBean;}
}

修改完具体Realm后, 我们的功能也成功生效了.

Shiro 标签使用

当我们登录成功后, 需要显示当前用户信息, 以及对应的权限功能入口, Shiro 提供了一套标签, 可以应用于 Thymeleaf, jsp 中。

当前我们的环境是 Thymeleaf, 所以我们必须在pom.xml中导入依赖:

<dependency> <!-- 引入 shiro 标签依赖 --><groupId>com.github.theborakompanioni</groupId><artifactId>thymeleaf-extras-shiro</artifactId><version>2.1.0</version>
</dependency>

随后我们需要在我们的配置类中定义一个Bean:

@Bean
public ShiroDialect getShiroDialect() {return new ShiroDialect();
}

随后我们在具体模板中进行声明引用即可:

<html lang="en" xmlns:th="http://www.thymeleaf.org" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">

修改/resources/templates/index.html文件内容如下:

<!DOCTYPE html>
<html lang="en" xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
<head><meta charset="UTF-8"><title>主页</title>
</head>
<body>
<shiro:guest>欢迎游客访问 | <a href="/login">登录</a> <!-- 当用户没有登录时会显示该内容 -->
</shiro:guest>
<shiro:user>欢迎用户名为: <shiro:principal/> 的用户访问! <br><!-- 当前已经登陆成功的状态, 会显示该内容 <shiro:principal/> 获取当前用户名 --><hr>当前用户角色为:<shiro:hasRole name="admin"> 超级管理员</shiro:hasRole> <!-- 判断当前的角色 --><shiro:hasRole name="cmanager"> 库管人员</shiro:hasRole><shiro:hasRole name="xmanager"> 销售人员</shiro:hasRole><shiro:hasRole name="kmanager"> 客服人员</shiro:hasRole><shiro:hasRole name="zmanager"> 行政人员</shiro:hasRole><hr><br>当前所拥有的权限为:<br><hr>仓库管理<ul><shiro:hasPermission name="sys:c:save"><li><a href="#">入库</a></li></shiro:hasPermission><shiro:hasPermission name="sys:c:delete"><li><a href="#">出库</a></li></shiro:hasPermission><shiro:hasPermission name="sys:c:update"><li><a href="#">更新仓库</a></li></shiro:hasPermission><shiro:hasPermission name="sys:c:find"><li><a href="#">查找仓库</a></li></shiro:hasPermission></ul><hr>销售管理<ul><shiro:hasPermission name="sys:x:save"><li><a href="#">保存订单</a></li></shiro:hasPermission><shiro:hasPermission name="sys:x:delete"><li><a href="#">删除订单</a></li></shiro:hasPermission><shiro:hasPermission name="sys:x:update"><li><a href="#">更新订单</a></li></shiro:hasPermission><shiro:hasPermission name="sys:x:find"><li><a href="#">查询订单</a></li></shiro:hasPermission></ul>客户管理<ul><shiro:hasPermission name="sys:k:save"><li><a href="#">新增客户</a></li></shiro:hasPermission><shiro:hasPermission name="sys:k:delete"><li><a href="#">删除客户</a></li></shiro:hasPermission><shiro:hasPermission name="sys:k:update"><li><a href="#">修改客户</a></li></shiro:hasPermission><shiro:hasPermission name="sys:k:find"><li><a href="#">查询客户</a></li></shiro:hasPermission></ul>
</shiro:user>
</body>
</html>

不同用户登录效果: