本文详细介绍如何在Spring环境中配置Apache Shiro进行权限管理和用户认证。包括Maven依赖配置、web.xml设置、application-shiro.xml定义及登录控制器的核心代码。同时提供自定义Realm的实现示例。
一、集成spring环境配置
1、maven依赖
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>2、web.xml
<!-- Shiro filter -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>3、application-shiro.xml(关联spring配置)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<!--realm 安全数据源,后面应用给出 -->
<bean id="sampleRealm" class="com.bklc.admin.shiro.BklcRealm"></bean>
<!--缓存 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager" />
<!--securityManager shiro的核心 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="sampleRealm" />
<property name="cacheManager" ref="cacheManager" />
</bean>
<!-- MD5 -->
<!-- <bean id="hashedCredentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> -->
<!-- <property name="hashAlgorithmName" value="MD5" /> -->
<!-- <property name="storedCredentialsHexEncoded" value="true" /> -->
<!-- <property name="hashIterations" value="1" /> -->
<!-- </bean> -->
<!--
shiro过滤器配置
注意:其id要跟web.xml的DelegatingFilterProxy过滤器名字一样,
如果想不一样web.xml过滤器要定义初始化参数targetBeanName
-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<!-- 配置登录页面 -->
<property name="loginUrl" value="/login.jsp" />
<!-- 登录成功后 -->
<property name="successUrl" value="login/index" />
<!-- 无权限访问时 -->
<property name="unauthorizedUrl" value="login/error" />
<!-- 过滤器(按照顺序匹配)
anon:可以被匿名访问
authc:必须认证之后(即登录后)才能访问
-->
<property name="filterChainDefinitions">
<value>
/assets/** = anon
/login.jsp = anon
/login/sysLogin =anon
/captcha = anon
/** = authc
</value>
</property>
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
</beans>二、登录认证
1、loginController核心代码
//登录用户名和密码构建UsernamePasswordToken
UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
token.setRememberMe(true);
Subject subject = SecurityUtils.getSubject();
subject.login(token);
Session session = subject.getSession();
session.setAttribute("user", loginUser);2、自定义实现realm
package com.bklc.admin.shiro;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.bklc.admin.dao.ISysMenuDao;
import com.bklc.admin.dao.ISysRoleDao;
import com.bklc.admin.dao.ISysUserDao;
import com.bklc.core.entity.SysUser;
import com.bklc.core.util.MD5;
public class BklcRealm extends AuthorizingRealm {
private static final Logger log = LogManager.getLogger(BklcRealm.class);
@Autowired
private ISysUserDao sysUserDao;
@Autowired
private ISysMenuDao sysMenuDao;
@Autowired
private ISysRoleDao sysRoleDao;
/**
* 授权(验证权限时调用)
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SysUser user = (SysUser) principals.getPrimaryPrincipal();
List<String> permsList = new ArrayList<>();
// 系统管理员,拥有最高权限
List<String> rolesList=sysRoleDao.queryUserRole(user.getId());
if (rolesList.contains("Administrator")) {
permsList=sysMenuDao.queryAllPerms();
} else {
permsList=sysMenuDao.queryPermsByUser(user.getId());
}
// 用户权限列表
Set<String> permsSet = new HashSet<String>();
for (String perms : permsList) {
if (StringUtils.isBlank(perms)) {
continue;
}
permsSet.addAll(Arrays.asList(perms.trim().split(",")));
}
//角色
Set<String> roleSet = new HashSet<String>();
roleSet.addAll(rolesList);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.setRoles(roleSet);
info.setStringPermissions(permsSet);
return info;
}
/**
* 认证(登录时调用)
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String userName = (String) token.getPrincipal();
String password = new String((char[]) token.getCredentials());
SysUser user = new SysUser();
user.setUserName(userName);
SysUser qryUser=sysUserDao.queryUserByParam(user);
// 帐号不存在
if (qryUser == null){
throw new RuntimeException("账号不存在!");
}else if(!qryUser.getPassword().equals(password)){
// 密码比对也可以由shiro认证,把数据库密码放入下面SimpleAuthenticationInfo
throw new RuntimeException("密码不正确!");
}
/**
* 三个参数
* principal:认证的实体信息。可以是userName,也可以是用户实体对象
* credentials:密码
* realmName:当前realm的name,调用父类的getName()即可
*/
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(qryUser, password, getName());
return info;
}
}3、支持多realm,需要修改配置
扫一扫
501
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
