SpringMVC+Spring Data JPA+Shiro+EasyUI简单权限管理系统

概述

一直想做一个管理系统，希望它简洁，能做一个demo使用。以后在研究学习的时候，可以在此基础上增加代码。我觉得权限管理系统很值得做，因为涉及关系数据库模式的设计，能学到很多东西。万事开头难，先做个简单的，以后再慢慢完善的。任何事情关键是要做，不能停留在想。

前端

由于之前没有多少前端编程经验，所以做起前端比较吃力。之前前端使用Bootstrap，发现需要自己编写很多前端代码，虽然花费了很多时间，但是页面做起来还是很难看。后来前端选择了EasyUI，发现特别适合做管理页面，也容易上手。当然每个框架都有其局限性，后面使用多了就知道了，就是EasyUI不够灵活，但是现在先用着，以后再选择换其他的。EasyUI官网http://www.jeasyui.com/

MVC

使用主流的SpringMVC，不但功能强大，用起来比较简单方便。

SpringMVC推荐学习网站http://www.iteye.com/blogs/subjects/kaitao-springmvc

持久化

使用spring Data JPA。这个框架真的很赞，对于简单的业务逻辑，基本不用写SQL代码。最重要的是可以根据接口名自动生成SQL代码，极大的提高了开发效率。参考http://www.ibm.com/developerworks/cn/opensource/os-cn-spring-jpa

同时也配置了hibernate，虽然现在还没是用，但准备后期和Spring Data JPA配合是用。

权限管理

选择Shiro，简单好用，容易上手。推荐学习网站http://www.iteye.com/blogs/subjects/shiro

权限模型了解http://blog.csdn.net/painsonline/article/details/7183613/

使用预览

注册

登录

管理后台

设置角色

授权

实体层

以下只是展示了部分关键代码

用户

用户和角色是N-N的关系。

@Entity
@Table(name = "sys_user")
public class User implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id; // 编号

// 这里不能用CascadeType.ALL
@ManyToMany(targetEntity = Role.class, cascade = CascadeType.MERGE, fetch = FetchType.EAGER)
@JoinTable(name = "sys_user_role", joinColumns = @JoinColumn(name = "user_id", referencedColumnName = "id") , inverseJoinColumns = @JoinColumn(name = "role_id", referencedColumnName = "id") )
private Set<Role> roles = new HashSet<>();

@Column(unique = true)
private String username; // 用户名

private String password; // 密码
private String salt; // 加密密码的盐
private Boolean locked = Boolean.FALSE;

private String email;

@Column(name = "create_date")
@Temporal(TemporalType.TIMESTAMP)
private Date createDate = new Date();
....

角色

@Entity
@Table(name = "sys_role")
public class Role implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id; // 编号

@OneToMany(targetEntity = Permission.class, cascade = CascadeType.REFRESH, fetch = FetchType.EAGER)
@JoinTable(name = "sys_role_permission", joinColumns = @JoinColumn(name = "role_id", referencedColumnName = "id") , inverseJoinColumns = @JoinColumn(name = "permission_id", referencedColumnName = "id", unique = true) )
private List<Permission> permissions = new ArrayList<>();

private String name;

@Column(unique = true)
private String role; // 角色标识 程序中判断使用,如"admin"

private String description; // 角色描述,UI界面显示使用

权限

权限是资源和操作的组合。也就是说一个权限意味着对一个资源的多个操作。

@Entity
@Table(name = "sys_permission")
public class Permission implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id;

@OneToOne(targetEntity = Resource.class, cascade = CascadeType.REFRESH, fetch = FetchType.EAGER)
@JoinColumn(name = "resource_id", referencedColumnName = "id")
private Resource resource;

@ManyToMany(targetEntity = Operation.class, cascade = CascadeType.REFRESH, fetch = FetchType.EAGER)
@JoinTable(name = "sys_permission_operation", joinColumns = @JoinColumn(name = "permission_id", referencedColumnName = "id") , inverseJoinColumns = @JoinColumn(name = "operation_id", referencedColumnName = "id") )
private Set<Operation> operations = new HashSet<>();

private String name;

private String description;

资源

@Entity
@Table(name = "sys_resource")
public class Resource implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id; // 编号

private String name; // 资源名称

@Column(unique = true)
private String identity;// 资源类型

操作

@Entity
@Table(name = "sys_operation")
public class Operation implements Serializable {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private Long id; // 编号

private String name; // 操作名称

@Column(unique = true)
private String operation;// 操作标识

private String description;

简洁易用的Spring Data JPA

Spring Data可以通过解析方法名创建查询。比如方法是findByUsername(String username),则Spring Data会自动生成SQL语句select * from 表名 where username= username.所以你对于简单的操作，你只要按照Srping Data约定写出对应的方法名，Spring Data就能自动创建SQL语句，基本不需要你写SQL语句。

一般定义DAO层时，继承一个Spring Data的基本接口，比如JpaRepository，该接口能可以帮你实现增删查改的功能外，还可以帮你做分页查询和排序。

import org.springframework.data.jpa.repository.JpaRepository;
import com.myweb.entity.User;
public interface UserDao extends JpaRepository<User, Long> {
User findByUsername(String username);
}

使用时，直接注入就可以了

@Inject
private UserDao userDao;

Shiro认证与授权

shiro比Spring Security简单，在实现认证授权的时候，继承一个Realm类然后扩展，这里使用AuthorizingRealm。

Realm在shiro中类似数据源，认证和授权的数据就依靠它。

public class UserRealm extends AuthorizingRealm {
@Inject
private UserService userService;
@Inject
private UserDao userDao;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// 授权
String username = (String) principals.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setRoles(userService.getStringRoles(username));
authorizationInfo.setStringPermissions(userService.getStringPermissions(username));
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
throws AuthenticationException {
// 认证
String username = (String) authenticationToken.getPrincipal();
User user = userDao.findByUsername(username);
// 查出是否有此用户
if (user == null) {
throw new UnknownAccountException();// 没找到帐号
}
if (Boolean.TRUE.equals(user.getLocked())) {
throw new LockedAccountException(); // 帐号锁定
}
// 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配，如果觉得人家的不好可以自定义实现
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(),
user.getPassword(), ByteSource.Util.bytes(user.getCredentialsSalt()), getName());
return authenticationInfo;
}
}

认证

需要SecurityUtils返回一个Subject，然后通过用户名和密码创建Token，使用这个Token登录验证。Subject 是 Shiro 的核心对象，基本所有身份验证、授权都是通过 Subject 完成。

@RequestMapping(value = "/login", method = RequestMethod.POST)
public ModelAndView login(User user) {
ModelAndView mv = new ModelAndView();
try {
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken authenticationToken = new UsernamePasswordToken(user.getUsername(),
user.getPassword());
subject.login(authenticationToken);
} catch (AuthenticationException e) {
e.printStackTrace();
mv.setViewName("redirect:/unauthorized");
return mv;
}
mv.setViewName("redirect:/index");
return mv;
}

授权

采用注解形式，简单方便

@RequiresPermissions("user:create")
@RequestMapping(value = "/save", method = RequestMethod.POST)
@ResponseBody
public String saveUser(@RequestParam String username, @RequestParam String password, @RequestParam String email,
@RequestParam(value = "roles", required = false) List<Long> roleIds) {
User user = new User();
user.setUsername(username);
user.setPassword(password);
user.setEmail(email);
List<Role> roles = roleDao.findAll(roleIds);
user.setRoles(new HashSet<>(roles));
userService.save(user);
return "OK";
}

1
支持注解需要配置

<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>

XML配置

项目整体配置

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>myweb</display-name>
<welcome-file-list>
<welcome-file>/WEB-INF/jsp/login.jsp</welcome-file>
</welcome-file-list>
<!-- 加载所有的配置文件 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:config/spring-*.xml</param-value>
</context-param>
<!-- 配置Spring监听 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 配置字符集 -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 配置Session -->
<filter>
<filter-name>openSession</filter-name>
<filter-class>org.springframework.orm.hibernate4.support.OpenSessionInViewFilter</filter-class>
<init-param>
<param-name>singleSession</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>flushMode</param-name>
<param-value>AUTO</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>openSession</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 配置SpringMVC -->
<servlet>
<description>myweb</description>
<display-name>myweb</display-name>
<servlet-name>springMVC</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:config/spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springMVC</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

<!-- 配置shiro -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>

配置SpringMVC

spring-mvc.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd"> <!-- 开启Spring MVC注解 -->
<mvc:annotation-driven />
<!-- 静态资源映射 -->
<mvc:resources mapping="/static/**" location="/WEB-INF/static/" />
<mvc:resources mapping="/html/**" location="/WEB-INF/html/" />
<!-- 打开Spring的Annotation支持 -->
<context:annotation-config />
<!-- 注解扫描包 -->
<context:component-scan base-package="com.myweb.controller" />
<context:component-scan base-package="com.myweb.dao.imp" />
<context:component-scan base-package="com.myweb.service.imp" />
<context:component-scan base-package="com.myweb.security.util" />
<!-- 配置SessionFactory -->
<bean id="sessionFactory" class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<!-- <property name="dataSource" ref="dataSource" /> -->
<property name="configLocation" value="classpath:config/hibernate.cfg.xml" />
<property name="packagesToScan" value="com.myweb.entity" />
</bean>
<!-- 配置Dao要注入的hibernateTemplate -->
<bean id="hibernateTemplate" class="org.springframework.orm.hibernate4.HibernateTemplate">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<!-- 配置Spring的事务处理 -->
<!-- 创建事务管理器 -->
<bean id="txManager" class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<!-- 配置AOP，Spring是通过AOP来进行事务管理的 -->
<aop:config>
<!-- 设置pointCut表示哪些方法要加入事务处理 -->
<!-- 以下的事务是声明在DAO中，但是通常都会在Service来处理多个业务对象逻辑的关系，注入删除，更新等，此时如果在执行了一个步骤之后抛出异常 就会导致数据不完整，所以事务不应该在DAO层处理，而应该在service，这也就是Spring所提供的一个非常方便的工具，声明式事务 -->
<aop:pointcut id="allMethods" expression="execution(* com.myweb.service.imp.*.*(..))" />
<!-- 通过advisor来确定具体要加入事务控制的方法 -->
<aop:advisor advice-ref="txAdvice" pointcut-ref="allMethods" />
</aop:config>
<!-- 配置哪些方法要加入事务控制 -->
<tx:advice id="txAdvice" transaction-manager="txManager">
<tx:attributes>
<!-- 让所有的方法都加入事务管理，为了提高效率，可以把一些查询之类的方法设置为只读的事务 -->
<tx:method name="find*" propagation="REQUIRED" read-only="true" />
<!-- 以下方法都是可能设计修改的方法，就无法设置为只读 -->
<tx:method name="add*" propagation="REQUIRED" />
<tx:method name="del*" propagation="REQUIRED" />
<tx:method name="update*" propagation="REQUIRED" />
<tx:method name="save*" propagation="REQUIRED" />
</tx:attributes>
</tx:advice>
<!-- 开启事务注解 -->
<tx:annotation-driven />
<!-- 默认的视图解析器ViewResolver -->
<bean id="defaultViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/" />
<property name="suffix" value=".jsp" />
</bean>
<!-- JPA -->
<jpa:repositories base-package="com.myweb.dao" repository-impl-postfix="Impl" entity-manager-factory-ref="entityManagerFactory" transaction-manager-ref="transactionManager">
</jpa:repositories>
<bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="packagesToScan" value="com.myweb.entity" />
<property name="persistenceProvider">
<bean class="org.hibernate.ejb.HibernatePersistence" />
</property>
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="generateDdl" value="false" />
<property name="database" value="MYSQL" />
<property name="databasePlatform" value="org.hibernate.dialect.MySQL5InnoDBDialect" />
<property name="showSql" value="true" />
</bean>
</property>
<property name="jpaDialect">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaDialect" />
</property>
<property name="jpaPropertyMap">
<map>
<entry key="hibernate.query.substitutions" value="true 1, false 0" />
<entry key="hibernate.default_batch_fetch_size" value="16" />
<entry key="hibernate.max_fetch_depth" value="2" />
<entry key="hibernate.generate_statistics" value="true" />
<entry key="hibernate.bytecode.use_reflection_optimizer" value="true" />
<entry key="hibernate.cache.use_second_level_cache" value="false" />
<entry key="hibernate.cache.use_query_cache" value="false" />
</map>
</property>
</bean>
<!--事务管理器配置 -->
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
<property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>
<bean name="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost:3306/myweb</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password" value="jiangyu" />
</bean>
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="messageConverters">
<list>
<ref bean="mappingJacksonHttpMessageConverter" />
</list>
</property>
</bean>

<bean id="mappingJacksonHttpMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
<property name="supportedMediaTypes">
<list>
<value>apolication/json; charset=UTF-8</value>
</list>
</property>
</bean>
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="com.myweb.controller.CurrentUserMethodArgumentResolver" />
</mvc:argument-resolvers>
</mvc:annotation-driven>
</beans>

shiro在Spring配置

spring-shiro-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<!-- 凭证匹配器 -->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5" />
<property name="hashIterations" value="2" />
<property name="storedCredentialsHexEncoded" value="true" />
</bean>

<!-- Realm实现 -->
<bean id="userRealm" class="com.myweb.security.realm.UserRealm">
<property name="credentialsMatcher" ref="credentialsMatcher" />
</bean>
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm" />
</bean>
<!-- Shiro的Web过滤器 ,id要与web.xml一致 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/api/user/login.page" />
<property name="successUrl" value="/index" />
<property name="unauthorizedUrl" value="/unauthorized" />
<property name="filterChainDefinitions">
<value>
/static/** = anon
/api/user/login = anon
/api/user/register* = anon
/unauthorized = anon
/** = authc
</value>
</property>
</bean>
<!-- Shiro生命周期处理器 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
</beans>

hibernate配置

hibernate.cfg.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
"-//Hibernate/Hibernate Configuration DTD 3.0//EN"
"http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
<session-factory>
<property name="hibernate.dialect">
org.hibernate.dialect.MySQLDialect
</property>
<property name="hibernate.connection.driver_class">
com.mysql.jdbc.Driver
</property>
<property name="hibernate.connection.url">
jdbc:mysql://localhost/myweb
</property>
<property name="hibernate.connection.username">
root
</property>
<property name="hibernate.connection.password">
jiangyu
</property>
<property name="hibernate.temp.use_jdbc_metadata_defaults">false</property>
<!-- ddl语句自动建表 -->
<property name="hbm2ddl.auto">update</property>
<property name="show_sql">true</property>
<property name="format_sql">true</property>
<property name="jdbc.fetch_size">50</property>
<property name="jdbc.batch_size">30</property>
<property name="hibernate.connection.provider_class">org.hibernate.connection.C3P0ConnectionProvider</property>
<property name="hibernate.c3p0.acquireRetryAttempts">30</property>
<property name="hibernate.c3p0.acquireIncrement">2</property>
<property name="hibernate.c3p0.checkoutTimeout">30000</property>
<property name="hibernate.c3p0.idleConnectionTestPeriod">120</property>
<property name="hibernate.c3p0.maxIdleTime">180</property>
<property name="hibernate.c3p0.initialPoolSize">3</property>
<property name="hibernate.c3p0.maxPoolSize">50</property>
<property name="hibernate.c3p0.minPoolSize">1</property>
<property name="hibernate.c3p0.maxStatements">0</property>
<!-- XML配置映射关系 <mapping resource="Employee.hbm.xml" /> -->
<!-- 注册ORM映射文件 -->
<!-- spring不起作用 <mapping package="com.myweb.entity"/> -->
</session-factory>
</hibernate-configuration>

其他说明

超级管理员用户名/密码：admin/123456。

数据库导入文件：/myweb/src/main/resources/SQL/myweb.sql

源码：https://github.com/Jdoing/myweb