Apache Shiro入门

Apache Shiro入门

作者: gaookey | 来源:发表于2020-06-08 16:53 被阅读0次

    项目权限 表

    Shiro与Spring的整合

    导入 shiro-all-1.4.1.jar。注意：1.4.1 早于 Shiro 后续版本中修复的多个 URL 路径匹配认证绕过问题（例如 CVE-2020-1957，1.5.2 修复），生产环境请使用当前的 Shiro 稳定版本，且 shiro-core/shiro-web/shiro-spring 版本保持一致。

    配置 web.xml

        <!-- Shiro entry point: a Spring DelegatingFilterProxy that forwards every request to
             the Spring bean whose id equals this filter-name ("shiroFilter", defined in
             applicationContext.xml). Declare it before other filters so Shiro sees the
             request first. NOTE(review): Shiro's Spring guide additionally sets the
             init-param targetFilterLifecycle=true so the proxied filter's init/destroy are
             delegated - confirm whether this deployment wants that. -->
        <filter>
            <filter-name>shiroFilter</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <!-- Servlet-spec pattern: here "/*" matches every request path. Do not confuse it
             with Shiro's own Ant-style "/*" inside filterChainDefinitions, which matches
             only a single path segment. -->
        <filter-mapping>
            <filter-name>shiroFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    

    spring配置文件 applicationContext.xml

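        <!-- The filter the web.xml DelegatingFilterProxy looks up by bean id. -->
        <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
            <property name="securityManager" ref="securityManager"></property>
    
            <!-- Login page: the authc filter redirects unauthenticated requests here. -->
            <property name="loginUrl" value="/login.jsp"></property>

            <!-- Page for requests that are authenticated but fail a roles/perms filter.
                 Without this property Shiro answers such requests with a bare HTTP 401.
                 Same page the struts.xml exception mapping uses for annotation checks. -->
            <property name="unauthorizedUrl" value="/authorizing.jsp"></property>
    
            <!-- URL interception rules (Ant-style paths). Matching is first-match-wins in
                 the order written, so specific rules such as
                 /page_base_staff = perms["staff"] must be listed ABOVE the catch-all.
                 Fix: the catch-all is "/**", not "/*". In Shiro's AntPathMatcher "/*"
                 matches one path segment only ("/x" but not "/x/y"), so "/* = authc"
                 leaves every nested path unauthenticated. Add explicit anon rules for
                 any static assets (css/js/images) that must stay public. -->
            <property name="filterChainDefinitions">
                <value>
                    /validatecode.jsp* = anon
                    /userAction_login = anon
                    /** = authc
                </value>
            </property>
    
        </bean>
    
        <!-- Shiro security manager, wired with the single application realm. -->
        <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
            <property name="realm" ref="realm"></property>
        </bean>
    
        <!-- Application realm (extends AuthorizingRealm); see BosRealm below. -->
        <bean id="realm" class="com.gwl.bos.web.realm.BosRealm"></bean>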
    
    • anon:例子/admins/**=anon 没有参数,表示可以匿名使用。
    • authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数
    • roles:例子/admins/user/=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如/admins/user/=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。
    • perms:例子/admins/user/*=perms[user:add:],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割
    • 例如/admins/user/=perms["user:add:,user:modify:"],当有多个参数时必须每个参数都通过才通过,相当于isPermittedAll()方法。
    • rest:例子/admins/user/=rest[user],根据请求的方法,相当于/admins/user/=perms[user:method] ,其中method为post,get,delete等。
    • port:例子/admins/user/**=port[8081],当请求的url的端口不是8081时跳转到scheme://serverName:8081?queryString,其中scheme是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。
    • authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证
    • ssl:例子/admins/user/**=ssl没有参数,表示安全的url请求,协议为https
    • user:例如/admins/user/**=user没有参数表示必须存在已知用户——已登录的用户或通过 rememberMe 被"记住"的用户都可以通过,不要求本次会话重新登录;与 authc 不同,authc 要求本次会话真正完成登录。涉及敏感操作的路径应使用 authc 而不是 user。
    • 注:anon,authcBasic,authc,user是认证过滤器,perms,roles,ssl,rest,port是授权过滤器。另外,filterChainDefinitions 中的规则按书写顺序匹配,命中第一条即停止(first match wins),因此针对具体路径的规则必须写在兜底规则(如 /* = authc)之前,否则永远不会生效。

    验证 登录功能

    BosRealm

    package com.gwl.bos.web.realm;
    
    import com.gwl.bos.dao.UserDao;
    import com.gwl.bos.model.User;
    import org.apache.shiro.authc.*;
    import org.apache.shiro.authz.AuthorizationInfo;
    import org.apache.shiro.realm.AuthorizingRealm;
    import org.apache.shiro.subject.PrincipalCollection;
    import org.springframework.beans.factory.annotation.Autowired;
    
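    /**
     * Realm backing the Shiro SecurityManager: authenticates users against the
     * user table (via {@link UserDao}) and supplies authorization data.
     */
    public class BosRealm extends AuthorizingRealm {
    
        @Autowired
        private UserDao userDao;
    
        /**
         * Authorization data (roles/permissions) for the given principal.
         * Returning null means the subject holds no roles and no permissions, so every
         * roles/perms filter, @RequiresPermissions check and checkPermission() call
         * denies. This is a fail-closed placeholder until the real lookup is written.
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            return null;
        }
    
        /**
         * Authentication: look the account up by username and hand the stored credential
         * to Shiro, which compares it with the token's credential through this realm's
         * CredentialsMatcher (by default SimpleCredentialsMatcher, a direct equality check).
         *
         * @param authenticationToken the UsernamePasswordToken submitted by the login action
         * @return account info (principal = the User entity, credentials = stored password value)
         * @throws UnknownAccountException if no user has that username
         */
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            // Cast is safe: AuthenticatingRealm.supports() admits only UsernamePasswordToken by default.
            UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    
            User user = userDao.findByUsername(token.getUsername());
            if (user == null) {
                // Explicit instead of returning null (Shiro would turn that null into the same
                // exception). The login action reports one generic failure message to the
                // client for this and for a wrong password, so username existence is not leaked.
                throw new UnknownAccountException("No account found for username [" + token.getUsername() + "]");
            }
    
            // NOTE(review): the login action sends MD5(password) in the token, so the value in
            // user.getPassword() must be the same unsalted MD5 for the default matcher to
            // succeed. Unsalted MD5 is not an acceptable password hash. Configure a
            // HashedCredentialsMatcher (e.g. SHA-256, per-user salt, many iterations) on this
            // realm, store the salt with the user, and have the action pass the raw password.
            //
            // Fix: the realm name must be getName() - that is the key Shiro uses for this
            // realm in the PrincipalCollection; getSimpleName() of the class is not it.
            return new SimpleAuthenticationInfo(user, user.getPassword(), getName());
        }
    }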
    

    userAction

    package com.gwl.bos.web.action;
    
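    public class UserAction extends BaseAction<User> {
    
        /**
         * Logs the submitted user in through Shiro.
         *
         * Flow: compare the captcha the client posted ("checkcode") with the one stored in
         * the session ("key"); only then build a UsernamePasswordToken and call
         * Subject.login(). On success the principal is also copied into the session under
         * "loginUser" and "home" is returned; any failure (captcha mismatch, unknown
         * account, wrong password) returns "loginfailure".
         *
         * @return the Struts result name: "home" on success, "loginfailure" otherwise
         */
        public String login() {
    
            String username = getModel().getUsername();
            String password = getModel().getPassword();
    
            HttpServletRequest request = ServletActionContext.getRequest();
            String serviceCheckCode = (String) request.getSession().getAttribute("key");
            String clienCheckCode = request.getParameter("checkcode");
    
            // Captchas are single-use: remove it before comparing so the same value cannot
            // be replayed across repeated login attempts (otherwise one solved captcha
            // allows unlimited password guesses within the session).
            request.getSession().removeAttribute("key");
    
            // Fail closed when the session holds no captcha (expired session, captcha never
            // requested) instead of throwing a NullPointerException; equalsIgnoreCase(null)
            // is false, so a missing client value is rejected too.
            if (serviceCheckCode == null || !serviceCheckCode.equalsIgnoreCase(clienCheckCode)) {
                System.out.println("验证码不正确");
                return "loginfailure";
            }
    
            // Delegate authentication to Shiro (BosRealm performs the lookup).
            Subject subject = SecurityUtils.getSubject();
    
            // NOTE(review): the password is reduced to an unsalted MD5 here and compared
            // verbatim with the stored value by the realm's default credentials matcher.
            // Unsalted MD5 is not an acceptable password hash; move hashing into the realm
            // (HashedCredentialsMatcher with a per-user salt and iterations) and put the raw
            // password in the token. Left unchanged here because the stored data depends on it.
            UsernamePasswordToken token = new UsernamePasswordToken(username, MD5Utils.text2md5(password));
    
            try {
                subject.login(token);
            } catch (AuthenticationException ignored) {
                // One generic message for unknown account and wrong password alike, so the
                // response does not reveal which usernames exist. The stack-trace print was
                // dropped; use a logger at debug level if the cause is needed.
                System.out.println("登录失败,用户名密码不正确");
                return "loginfailure";
            }
    
            // NOTE(review): nothing here rotates the session id on login; consider
            // invalidating the pre-login session to limit session fixation.
            User loginUser = (User) subject.getPrincipal();
            subject.getSession().setAttribute("loginUser", loginUser);
            return "home";
        }
    }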
    
    

    struts.xml 中配置全局的权限url

            <!-- Global result views: any action may return "unauthorizedUrl". -->
            <global-results>
                <result name="unauthorizedUrl" type="redirect">/authorizing.jsp</result>
            </global-results>
    
            <!-- Where to send the request when a Shiro authorization check throws
                 (@RequiresPermissions via the AOP advisor, or Subject.checkPermission()). -->
            <global-exception-mappings>
                <!-- Authenticated subject that lacks the required role/permission. -->
                <exception-mapping exception="org.apache.shiro.authz.UnauthorizedException"
                                   result="unauthorizedUrl"></exception-mapping>
                <!-- AuthorizationException is the parent of UnauthorizedException and of
                     UnauthenticatedException (a check attempted by a subject that is not
                     logged in), so this mapping already covers the one above. The original
                     labelled it "login"; that only describes the UnauthenticatedException
                     subtype, which extends AuthorizationException, not AuthenticationException. -->
                <exception-mapping exception="org.apache.shiro.authz.AuthorizationException"
                                   result="unauthorizedUrl"></exception-mapping>
            </global-exception-mappings>
    

    权限控制

    url拦截

    spring配置文件 applicationContext.xml

            <!-- Chain rule for the staff page: requires the "staff" permission (the
                 commented alternative requires the "staff" role instead). Shiro's chain
                 resolver is first-match-wins, so this line must be placed BEFORE the
                 authenticated catch-all ("/* = authc" in the base configuration): placed
                 after it, "/page_base_staff" is already matched by the catch-all and the
                 perms check never runs. An unauthenticated request is still redirected to
                 loginUrl by the perms filter; an authenticated one without the permission
                 goes to unauthorizedUrl (or gets HTTP 401 if that property is unset). -->
            <property name="filterChainDefinitions">
                <value>
                    /page_base_staff = perms["staff"]
                    <!-- Alternative: role check instead of permission check.
                         /page_base_staff = roles["staff"] -->
                </value>
            </property>
    
        /**
         * Authorization data for the logged-in subject.
         *
         * WARNING: this grants the "staff" permission unconditionally - every authenticated
         * subject passes the perms["staff"] filter, @RequiresPermissions("staff") and
         * checkPermission("staff"), regardless of who principalCollection identifies. The
         * original comment describes the intended behaviour (derive roles/permissions from
         * the database for that user); until that lookup exists, the permission checks on
         * this page are effectively just "is logged in".
         */
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    
            // Intended: load the user's roles/permissions from the database and add them
            // here; currently hard-coded for the tutorial.
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermission("staff");
    //        Alternative for the roles[...] filter variant: info.addRole("staff");
            return info;
        }
    

    方法注解

    spring配置文件 applicationContext.xml

        <!-- Enable Shiro's method-level annotations (@RequiresPermissions etc.). The
             auto-proxy creator wraps every bean the advisor below matches. proxyTargetClass
             forces CGLIB subclass proxies because Struts invokes the concrete action class,
             not an interface. Consequences of CGLIB proxying: a final class or final method
             cannot be proxied, so an annotation on one is silently NOT enforced; and a call
             made from inside the same object (this.save()) bypasses the proxy and its check. -->
        <bean id="defaultAdvisorAutoProxyCreator"
              class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
            <property name="proxyTargetClass" value="true"></property>
        </bean>
    
        <!-- Advisor that applies Shiro's authorization interceptor to annotated methods.
             NOTE(review): Shiro's Spring guide also sets
             <property name="securityManager" ref="securityManager"/> on this bean -
             confirm whether this setup needs it. -->
        <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"></bean>
    
        <!-- Declared here (the original says: to work around a generics issue with
             BaseAction<T>). Declaring the action as a prototype Spring bean (one instance
             per request, as Struts expects) also guarantees that the instance Struts
             invokes has passed through the auto-proxy creator above. -->
        <bean class="com.gwl.bos.web.action.StaffAction" scope="prototype"></bean>
    

    @RequiresPermissions

        /**
         * Persists the submitted staff record. Authorization is declarative: the Shiro AOP
         * advisor checks the "staff" permission before this body runs and throws an
         * AuthorizationException otherwise (mapped to /authorizing.jsp in struts.xml).
         * Only effective when this instance is the Spring/CGLIB proxy and the method is
         * invoked from outside the object; a final method or an internal this.save() call
         * skips the check entirely.
         */
        @RequiresPermissions("staff")
        @Override
        public String save() {
            staffService.save(getModel());
            return SUCCESS;
        }
    

    页面标签

    在jsp页面引入shiro标签

    <%@ page language="java" contentType="text/html; charset=UTF-8"
             pageEncoding="UTF-8" %>
    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    

    根据当前用户的权限动态展示页面元素有无。注意:这只是界面层面的显示控制,并不是访问控制——用户仍然可以直接构造请求调用对应的 action,服务端的 URL 过滤器、@RequiresPermissions 或 checkPermission 检查必须保留。

                <%-- Presentation only: hides the button from users without the "staff"
                     permission. This is NOT access control - the request is still checked
                     server-side (perms filter, @RequiresPermissions or checkPermission). --%>
                <shiro:hasPermission name="staff">
                    <a id="save" icon="icon-save" href="#" class="easyui-linkbutton" plain="true">保存</a>
                </shiro:hasPermission>
    

    代码

        /**
         * Programmatic equivalent of @RequiresPermissions("staff"): the check runs inside
         * the method body, so it holds regardless of proxying or how the method is called.
         * checkPermission() throws UnauthorizedException when the subject lacks the
         * permission (UnauthenticatedException when no one is logged in); both are
         * AuthorizationExceptions, which the struts.xml global mapping turns into a
         * redirect to /authorizing.jsp. The save below is never reached in that case.
         */
        @Override
        public String save() {
            SecurityUtils.getSubject().checkPermission("staff");
    
            staffService.save(getModel());
            return SUCCESS;
        }
    
