-
基于spring框架的apache shiro简单集成
添加时间:2013-7-11 点击量:关于项目标安然保护,我一向想找一个简单设备就能达到目标的办法,自从接触了shiro,这个目标总算杀青了,以下连络我应用shiro的经验,谈谈斗劲简便地集成该功能。
起首我们先懂得一下shiro是什么。
apache shiro 是一个功能强大和易于应用的Java安然框架,为开辟人员供给一个直观而周全的的解决规划的认证,授权,加密,会话经管。
其实遵守我小我的懂得,就是个过滤器,遵守设备(或者注解)的规矩进行权限验证。
我的项目基于maven经管依附jar包,起首把apache shiro相干须要用到的jar引入:
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.1</version>
</dependency>此中shiro-web和shiro-spring必须,若是要缓存权限的话,就引入shiro-ehcache,后边会具体说道shiro-ehcache的应用。
看一下login.action里是如何实现用户登录写入的,获取用户表单信息以及查询数据库验证就不说了,直接上关键代码:
//验证用户信息掉队行token写入,这里为了简单,我把用户的id和姓名作为token的username和password
UsernamePasswordToken token = new UsernamePasswordToken(m.getId()
.toString(), m.getUsername());
Subject subject1 = SecurityUtils.getSubject();
subject1.login(token);
subject1.getSession();
既然是个过滤器,那我们就看一下这个过滤器的写法:
package com.airfey.tech.nuo.action.shiro.filter;
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Resource;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import com.airfey.tech.nuo.common.security.MD5;
import com.airfey.tech.nuo.core.domain.Manager;
import com.airfey.tech.nuo.core.service.ManagerService;
public class shiroFilter implements Filter {
//经管员用户service
@Resource
private ManagerService managerService;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
Subject subjects = SecurityUtils.getSubject();
HttpServletRequest requestHttp = (HttpServletRequest) request;
HttpServletResponse responseHttp = (HttpServletResponse) response;
Principal principal = requestHttp.getUserPrincipal();
if (null != principal) {
//principal.getName()里保存的是用户的id,就是上边登录处token里的信息
System.out.println(principal.getName());
Manager m = managerService.findOne(Long.parseLong(principal
.getName()));
if (null != m && 1 == m.getAudit()) {
UsernamePasswordToken token = new UsernamePasswordToken(
m.getId(), m.getId());//作为例子,这里我只是把用户id放进了token,你可以批改成其它错杂点的信息
Subject subject1 = SecurityUtils.getSubject();
subject1.login(token);
subject1.getSession();
} else {
if (subjects != null) {
subjects.logout();
}
}
}
chain.doFilter(requestHttp, responseHttp);
}
@Override
public void destroy() {
}
}至此,可以说登录和过滤器已经完成了。然后就进行web.xml和spring文件以及权限验证的实现。
1、在web.xml里参加shiro的过滤器设备:
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>此过滤器要位于所有过滤器的前面。
2、权限验证代码实现,我们写一个realm类集成shiro的AuthorizingRealm
package com.airfey.tech.nuo.action.shiro.realm;
import javax.annotation.Resource;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
public class ShiroRealm extends AuthorizingRealm {
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
if (principals == null) {
throw new AuthorizationException(
PrincipalCollection method argument cannot be null.);
}
String username = (String) getAvailablePrincipal(principals);
System.out.println(------------------- + username);//输出的其实是用户id
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
// 增长默认角色
info.addRole(ROLE_USER);
/以下可以从数据库获取用户的角色以及权限信息,获取到的信息添参加info即可,具体获取数据库的代码我就省略了/
// // 增长自定义角色
// if (null != userInfo.getRoleList()) {
// for (RoleInfo roleInfo : userInfo.getRoleList()) {
// if (null != roleInfo.getName()
// && !.equals(roleInfo.getName())) {
// info.addRole(roleInfo.getName());
// }
// }
// }
// if (null != userInfo.getModuleInfo()) {
// for (ModuleInfo moduleInfo : userInfo.getModuleInfo()) {
// if (null != moduleInfo.getGuid()
// && !.equals(moduleInfo.getGuid())) {
// info.addStringPermission(moduleInfo.getGuid());
// }
// }
// }
return info;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
String userName = token.getUsername();
if (userName != null && !.equals(userName)) {
return new SimpleAuthenticationInfo(token.getPrincipal(),
token.getPassword(), token.getUsername());
}
return null;
}
/
清空用户接洽关系权限认证,待下次应用时从头加载。
@param principal
/
public void clearCachedAuthorizationInfo(String principal) {
SimplePrincipalCollection principals = new SimplePrincipalCollection(
principal, getName());
clearCachedAuthorizationInfo(principals);
}
/
清空所有接洽关系认证
/
public void clearAllCachedAuthorizationInfo() {
Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
if (cache != null) {
for (Object key : cache.keys()) {
cache.remove(key);
}
}
}
}3、applicationContext.xml的设备 (这里只保存了shiro相干的信息)
<?xml version=1.0 encoding=UTF-8?>
<beans xmlns=http://www.springframework.org/schema/beans
xmlns:aop=http://www.springframework.org/schema/aop xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
xmlns:context=http://www.springframework.org/schema/context xmlns:tx=http://www.springframework.org/schema/tx
xsi:schemaLocation=http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.0.xsd>
<bean id=shiroFilter class=org.apache.shiro.spring.web.ShiroFilterFactoryBean>
<property name=securityManager ref=securityManager />
<property name=successUrl value=/manage/index.do />
<property name=loginUrl value=/manage/login.do />
<property name=unauthorizedUrl value=/manage/401.html />
<property name=filters>
<map>
<entry key=authc value-ref=shiro></entry>
</map>
</property>
<property name=filterChainDefinitions>
<value>
/manage/admin.html = authc,perms[shiro_admin:view]
/manage/user.html=authc,perms[shiro_user:view]
/manage/login.do=anon
/manage/401.html=anon
/manage/js/=anon
/manage/img/=anon
/manage/kindeditor/=anon
/manage/=authc,roles[ROLE_USER]
/=anon
</value>
</property>
</bean>
<bean id=shiro class=com.airfey.tech.nuo.action.shiro.filter.shiroFilter>
</bean>
<bean id=shiroRealm class=com.airfey.tech.nuo.action.shiro.realm.ShiroRealm />
<bean id=securityManager class=org.apache.shiro.web.mgt.DefaultWebSecurityManager>
<property name=realm ref=shiroRealm />
<property name=cacheManager ref=shiroEhcacheManager />
</bean>
<!-- 用户授权信息Cache, 采取EhCache,须要的话就设备上此信息 -->
<bean id=shiroEhcacheManager class=org.apache.shiro.cache.ehcache.EhCacheManager>
<property name=cacheManagerConfigFile value=classpath:ehcache-shiro.xml />
</bean>
<bean id=lifecycleBeanPostProcessor class=org.apache.shiro.spring.LifecycleBeanPostProcessor />
<bean
class=org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator
depends-on=lifecycleBeanPostProcessor>
<property name=proxyTargetClass value=true />
</bean>
<bean
class=org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor>
<property name=securityManager ref=securityManager />
</bean>
</beans>验证规矩里如下让静态文件比如js img 目次设备上anon
/manage/admin.html = authc,perms[shiro_admin:view]
/manage/user.html=authc,perms[shiro_user:view]
/manage/login.do=anon
/manage/401.html=anon
/manage/js/=anon
/manage/img/=anon
/manage/kindeditor/=anon
/manage/=authc,roles[ROLE_USER]
/=anon
停止,收工。好久不写这么长的博文了,敲起来真费劲。原创文章,文中不免有漏掉或者错误之处,请斧正。
作者:碧血黄沙出处:http://www.cnblogs.com/airfey/本文版权归作者和博客园共有,迎接转载,但未经作者赞成必须保存此段声明,且在文章页面明显地位给出原文连接,不然保存究查法令义务的权力.
无论对感情还是对生活,“只要甜不要苦”都是任性而孩子气的,因为我们也不完美,我们也会伤害人。正因为我们都不完美,也因为生活从不是事事如意,所以对这些“瑕疵”的收纳才让我们对生活、对他人的爱变得日益真实而具体。—— 汪冰《世界再亏欠你,也要敢于拥抱幸福》
