Shiro集成Spring
1、Shiro集成Spring,使用maven进行jar包的依赖与管理,pom.xml的配置文件,如下所示:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <project xmlns="http://maven.apache.org/POM/4.0.0"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
5 http://maven.apache.org/xsd/maven-4.0.0.xsd">
6 <parent>
7 <artifactId>shiro</artifactId>
8 <groupId>com.bie</groupId>
9 <version>1.0-SNAPSHOT</version>
10 </parent>
11 <modelVersion>4.0.0</modelVersion>
12
13 <artifactId>spring-shiro</artifactId>
14 <packaging>war</packaging>
15
16 <name>spring-shiro Maven Webapp</name>
17 <!-- FIXME change it to the project's website -->
18 <url>http://www.example.com</url>
19
20 <properties>
21 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
22 <maven.compiler.source>1.7</maven.compiler.source>
23 <maven.compiler.target>1.7</maven.compiler.target>
24 </properties>
25
26 <dependencies>
27 <!-- junit单元测试 -->
28 <dependency>
29 <groupId>junit</groupId>
30 <artifactId>junit</artifactId>
31 <version>4.11</version>
32 <scope>test</scope>
33 </dependency>
34 <!-- 引入spring的包 -->
35 <dependency>
36 <groupId>org.springframework</groupId>
37 <artifactId>spring-context</artifactId>
38 <version>4.3.12.RELEASE</version>
39 </dependency>
40 <dependency>
41 <groupId>org.springframework</groupId>
42 <artifactId>spring-core</artifactId>
43 <version>4.3.12.RELEASE</version>
44 </dependency>
45 <dependency>
46 <groupId>org.springframework</groupId>
47 <artifactId>spring-web</artifactId>
48 <version>4.3.12.RELEASE</version>
49 </dependency>
50 <!-- 引入spring-webmvc才可以使用mvc:resources配置 -->
51 <dependency>
52 <groupId>org.springframework</groupId>
53 <artifactId>spring-webmvc</artifactId>
54 <version>4.3.12.RELEASE</version>
55 </dependency>
56
57 <!-- 引入shiro的包 -->
58 <dependency>
59 <groupId>org.apache.shiro</groupId>
60 <artifactId>shiro-core</artifactId>
61 <version>1.2.2</version>
62 </dependency>
63 <dependency>
64 <groupId>org.apache.shiro</groupId>
65 <artifactId>shiro-web</artifactId>
66 <version>1.2.2</version>
67 </dependency>
68
69 <!-- shiro集成spring的包 -->
70 <dependency>
71 <groupId>org.apache.shiro</groupId>
72 <artifactId>shiro-spring</artifactId>
73 <version>1.2.2</version>
74 </dependency>
75 </dependencies>
76
77 <build>
78 <finalName>spring-shiro</finalName>
79 <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
80 <plugins>
81 <plugin>
82 <artifactId>maven-clean-plugin</artifactId>
83 <version>3.1.0</version>
84 </plugin>
85 <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
86 <plugin>
87 <artifactId>maven-resources-plugin</artifactId>
88 <version>3.0.2</version>
89 </plugin>
90 <plugin>
91 <artifactId>maven-compiler-plugin</artifactId>
92 <version>3.8.0</version>
93 </plugin>
94 <plugin>
95 <artifactId>maven-surefire-plugin</artifactId>
96 <version>2.22.1</version>
97 </plugin>
98 <plugin>
99 <artifactId>maven-war-plugin</artifactId>
100 <version>3.2.2</version>
101 </plugin>
102 <plugin>
103 <artifactId>maven-install-plugin</artifactId>
104 <version>2.5.2</version>
105 </plugin>
106 <plugin>
107 <artifactId>maven-deploy-plugin</artifactId>
108 <version>2.8.2</version>
109 </plugin>
110 </plugins>
111 </pluginManagement>
112 </build>
113
114 </project>2、配置web.xml配置文件,里面需要指定shiro提供的过滤器、指定springmvc的配置文件、指定spring的配置文件。
1 <!DOCTYPE web-app PUBLIC
2 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
3 "http://java.sun.com/dtd/web-app_2_3.dtd" >
4
5 <web-app>
6 <display-name>Archetype Created Web Application</display-name>
7
8 <!-- 加载Spring的bean.xml文件 -->
9 <context-param>
10 <param-name>contextConfigLocation</param-name>
11 <param-value>
12 classpath:spring/spring.xml
13 </param-value>
14 </context-param>
15 <listener>
16 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
17 </listener>
18
19 <listener>
20 <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
21 </listener>
22
23 <servlet>
24 <servlet-name>springmvc</servlet-name>
25 <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
26 <init-param>
27 <param-name>contextConfigLocation</param-name>
28 <param-value>classpath:spring/spring-mvc.xml</param-value>
29 </init-param>
30 </servlet>
31 <servlet-mapping>
32 <servlet-name>springmvc</servlet-name>
33 <!-- 拦截后缀为.action的文件,*.*,可以配置/来拦截 -->
34 <url-pattern>/</url-pattern>
35 </servlet-mapping>
36
37 <!-- shiro提供的filter过滤器 -->
38 <filter>
39 <filter-name>shiroFilter</filter-name>
40 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
41 </filter>
42 <filter-mapping>
43 <filter-name>shiroFilter</filter-name>
44 <!-- 拦截所有的请求 -->
45 <url-pattern>/*</url-pattern>
46 </filter-mapping>
47
48 <welcome-file-list>
49 <welcome-file>login.html</welcome-file>
50 </welcome-file-list>
51 </web-app>3、配置spring-mvc.xml配置,由于这里使用的是模拟数据库,所以配置较少,后续将新增读取数据库的数据。
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:mvc="http://www.springframework.org/schema/mvc"
5 xmlns:context="http://www.springframework.org/schema/context"
6 xsi:schemaLocation="http://www.springframework.org/schema/beans
7 http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
8 http://www.springframework.org/schema/context
9 http://www.springframework.org/schema/context/spring-context-3.2.xsd
10
11
12 http://www.springframework.org/schema/mvc
13 http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
14
15 <!-- 扫描的路径包 -->
16 <context:component-scan base-package="com.bie.controller"></context:component-scan>
17
18 <!-- 开启注解 -->
19 <mvc:annotation-driven></mvc:annotation-driven>
20
21 <!-- 过滤静态资源 -->
22 <mvc:resources mapping="/*" location="/"/>
23
24 <!-- 过滤静态资源 -->
25 <!--<mvc:resources mapping="/**/*.html" location="/"/>-->
26
27 </beans>配置spring.xml,将对象注入到spring容器中,让spring进行对象的管理,如下所示:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xsi:schemaLocation="http://www.springframework.org/schema/beans
5 http://www.springframework.org/schema/beans/spring-beans.xsd">
6
7
8 <!-- 将ShiroFilterFactoryBean注入到spring容器中 -->
9 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
10 <!-- 配置SecurityManager对象 -->
11 <property name="securityManager" ref="securityManager"></property>
12 <!-- 设置登陆页的url -->
13 <property name="loginUrl" value="login.html"></property>
14 <!-- 未认证的界面 -->
15 <property name="unauthorizedUrl" value="403.html"></property>
16 <!-- 过滤器链 -->
17 <!-- shiro给我们内置了很多Filter,这里设置过滤器链 -->
18 <property name="filterChainDefinitions">
19 <!-- authc经过认证之后才可以访问相应的路径、anon不需要任何验证就可以访问 -->
20 <!-- 过滤器链是有顺序的,从上到下,需要认证的放到下面 -->
21 <!-- 根路径下面的/subLogin也不需要进行认证 -->
22 <!-- authc表示需要经过认证之后才可以访问相应数据,anon表示不需要认证,直接可以访问 -->
23 <!-- 这个过滤器链是有顺序的,从上往下匹配,匹配到之后就直接返回了,所以匹配到login.jsp不需要认证,/*需要认证,所以放在下面 -->
24 <value>
25 /login.html=anon
26 /subLogin=anon
27 /*=authc
28 </value>
29 </property>
30 </bean>
31
32 <!-- 第一步,创建SecurityManager对象 -->
33 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
34 <!-- 将自定义的Realm设置到SecurityManager环境中 -->
35 <!-- 主体提交请求之后就交给我们自定义Realm来认证和授权 -->
36 <property name="realm" ref="customRealm"></property>
37 </bean>
38
39 <!-- 第二步,创建自定义Realm -->
40 <bean id="customRealm" class="com.bie.realm.CustomRealm">
41 <!-- 将加密的设置到自定义的Realm中 -->
42 <property name="credentialsMatcher" ref="credentialsMatcher"></property>
43 </bean>
44
45 <!-- 第三步,加密管理器对象 -->
46 <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
47 <!-- 设置加密的算法为md5 -->
48 <property name="hashAlgorithmName" value="md5"></property>
49 <!-- 设置加密次数 -->
50 <property name="hashIterations" value="1"></property>
51 </bean>
52
53 </beans>4、创建一个用户实体类,主要是用户的账号字段、用户密码字段,如下所示:
1 package com.bie.po;
2
3 /**
4 * @ProjectName: shiro
5 * @Package: com.bie.po
6 * @ClassName: User
7 * @Author: biehl
8 * @Description: ${description}
9 * @Date: 2020/8/6 16:40
10 * @Version: 1.0
11 */
12 public class User {
13
14 private String username;
15 private String password;
16
17 public String getUsername() {
18 return username;
19 }
20
21 public void setUsername(String username) {
22 this.username = username;
23 }
24
25 public String getPassword() {
26 return password;
27 }
28
29 public void setPassword(String password) {
30 this.password = password;
31 }
32
33 @Override
34 public String toString() {
35 return "User{" +
36 "username='" + username + '\'' +
37 ", password='" + password + '\'' +
38 '}';
39 }
40 }这里使用自定义Realm,这里使用的模拟数据库进行登陆操作,如下所示:
1 package com.bie.realm;
2
3 import org.apache.shiro.authc.AuthenticationException;
4 import org.apache.shiro.authc.AuthenticationInfo;
5 import org.apache.shiro.authc.AuthenticationToken;
6 import org.apache.shiro.authc.SimpleAuthenticationInfo;
7 import org.apache.shiro.authz.AuthorizationInfo;
8 import org.apache.shiro.authz.SimpleAuthorizationInfo;
9 import org.apache.shiro.crypto.hash.Md5Hash;
10 import org.apache.shiro.realm.AuthorizingRealm;
11 import org.apache.shiro.subject.PrincipalCollection;
12 import org.apache.shiro.util.ByteSource;
13
14 import java.util.HashMap;
15 import java.util.HashSet;
16 import java.util.Map;
17 import java.util.Set;
18
19 /**
20 * 自定义Realm
21 *
22 * @ProjectName: shiro
23 * @Package: com.bie.shiro
24 * @ClassName: CustomRealm
25 * @Author: biehl
26 * @Description: ${description}
27 * @Date: 2020/8/6 14:58
28 * @Version: 1.0
29 */
30 public class CustomRealm extends AuthorizingRealm {
31
32 // 模拟数据表的登陆
33 private Map<String, String> userMap = new HashMap<String, String>();
34
35 {
36 // userMap.put("admin", "123456");
37 userMap.put("admin", "496edd8064892864b76c5fd3a732544b");
38
39 // 设置RealName名称
40 super.setName("customRealm");
41 }
42
43 /**
44 * 授权使用
45 *
46 * @param principals
47 * @return
48 */
49 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
50 // 1、第一步,从认证信息中获取到用户信息。
51 String userName = (String) principals.getPrimaryPrincipal();
52 // 2、第二步,从数据库中或者缓存中通过用户姓名获取到角色信息
53 Set<String> roles = getRolesByUserName(userName);
54 // 3、第三步,从数据库中或者缓存中通过用户姓名获取到权限信息
55 Set<String> permissions = getPermissionsByUserName(userName);
56 // 4、第四步,将获取到角色信息和权限信息返回
57 SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
58 // 设置权限
59 simpleAuthorizationInfo.setStringPermissions(permissions);
60 // 设置角色
61 simpleAuthorizationInfo.setRoles(roles);
62 return simpleAuthorizationInfo;
63 }
64
65 /**
66 * 通过用户名获取到权限信息
67 *
68 * @param userName
69 * @return
70 */
71 private Set<String> getPermissionsByUserName(String userName) {
72 // 创建一个集合对象
73 Set<String> sets = new HashSet<String>();
74 // 设置权限名称
75 sets.add("user:select");
76 sets.add("user:insert");
77 sets.add("user:delete");
78 sets.add("user:update");
79 return sets;
80 }
81
82 /**
83 * 模拟通过用户姓名获取到角色信息
84 *
85 * @param userName
86 * @return
87 */
88 private Set<String> getRolesByUserName(String userName) {
89 // 创建一个集合对象
90 Set<String> sets = new HashSet<String>();
91 // 设置角色名称
92 sets.add("admin");
93 sets.add("user");
94 return sets;
95 }
96
97 /**
98 * 认证使用
99 *
100 * @param token 主体传过来的认证信息
101 * @return
102 * @throws AuthenticationException
103 */
104 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
105 // 1、第一步,通过主体传过来的认证信息获取用户名
106 String username = (String) token.getPrincipal();
107 // 2、通过用户名到数据库中获取凭证
108 // 如果使用了shiro的HashedCredentialsMatcher加密,那么这里保存的是加密后的密文
109 String password = getPasswordByUserName(username);
110 // 判断获取到的密码是否存在,不存在直接返回null
111 if (password == null) {
112 return null;
113 }
114 // 如果对象存在
115 SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo("admin", password, "customRealm");
116
117 // 如果加了盐salt,认证返回的时候需要见盐salt设置进去的
118 authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("654321"));
119 // 将加了盐的认证用户返回
120 return authenticationInfo;
121 }
122
123 /**
124 * 通过用户姓名获取到用户的密码
125 *
126 * @param username
127 * @return
128 */
129 private String getPasswordByUserName(String username) {
130 // 正常情况下,需要读取数据库,这里进行模拟
131 return this.userMap.get(username);
132 }
133
134 public static void main(String[] args) {
135 // 加盐salt让密码更加难以识破
136 Md5Hash md5Hash = new Md5Hash("123456", "654321");
137 System.out.println(md5Hash);
138 }
139
140 }创建一个Controller进行测试,看看shiro整合的spring是否好使,如下所示:
1 package com.bie.controller;
2
3 import org.apache.shiro.SecurityUtils;
4 import org.apache.shiro.authc.AuthenticationException;
5 import org.apache.shiro.authc.UsernamePasswordToken;
6 import org.apache.shiro.subject.Subject;
7 import org.springframework.stereotype.Controller;
8 import org.springframework.web.bind.annotation.RequestMapping;
9 import org.springframework.web.bind.annotation.RequestMethod;
10 import org.springframework.web.bind.annotation.RequestParam;
11 import org.springframework.web.bind.annotation.ResponseBody;
12
13 /**
14 * @ProjectName: shiro
15 * @Package: com.bie.controller
16 * @ClassName: UserController
17 * @Author: biehl
18 * @Description: ${description}
19 * @Date: 2020/8/6 16:36
20 * @Version: 1.0
21 */
22 @Controller
23 // @RequestMapping(value = "/user")
24 public class UserController {
25
26 @RequestMapping(value = "/subLogin", method = RequestMethod.POST)
27 @ResponseBody
28 public String subLogin(@RequestParam(value = "username") String username,
29 @RequestParam(value = "password") String password) {
30 // 获取到主体信息
31 Subject subject = SecurityUtils.getSubject();
32 // 创建一个token
33 UsernamePasswordToken token = new UsernamePasswordToken(username, password);
34 // 主体登陆验证
35 try {
36 subject.login(token);
37 } catch (AuthenticationException e) {
38 e.printStackTrace();
39 }
40 return "login success!";
41 }
42
43 }项目结构,如下所示:
项目测试,如下所示:
2020-08-08 14:29:48
1、Shiro集成Spring从数据库获取数据,首先需要引入mysql的jar包,如下所示:
1 <!-- 引入mysql的jar包 -->
2 <dependency>
3 <groupId>mysql</groupId>
4 <artifactId>mysql-connector-java</artifactId>
5 <version>5.1.46</version>
6 </dependency>
7
8 <!-- 引入druid数据源管理 -->
9 <dependency>
10 <groupId>com.alibaba</groupId>
11 <artifactId>druid</artifactId>
12 <version>1.1.18</version>
13 </dependency>
14
15 <!-- 引入spring-jdbc -->
16 <dependency>
17 <groupId>org.springframework</groupId>
18 <artifactId>spring-jdbc</artifactId>
19 <version>4.3.12.RELEASE</version>
20 </dependency>新建一个spring-dao.xml用来管理数据源信息,如下所示:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xsi:schemaLocation="http://www.springframework.org/schema/beans
5 http://www.springframework.org/schema/beans/spring-beans.xsd">
6
7 <!-- 配置连接数据库的账号密码,数据库 -->
8 <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
9 <property name="url" value="jdbc:mysql://127.0.0.1:3306/test"></property>
10 <property name="username" value="root"></property>
11 <property name="password" value="123456"></property>
12 </bean>
13
14 <!-- 使用spring的jdbcTemplate进行管理 -->
15 <bean class="org.springframework.jdbc.core.JdbcTemplate" id="jdbcTemplate">
16 <property name="dataSource" ref="dataSource"></property>
17 </bean>
18 </beans>在spring.xml配置文件中引入spring-dao.xml配置文件,配置扫描的路径,如下所示:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:context="http://www.springframework.org/schema/context"
5 xsi:schemaLocation="http://www.springframework.org/schema/beans
6 http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
7
8 <!-- 将新建的spring-dao.xml引入进来 -->
9 <import resource="spring-dao.xml"></import>
10
11 <!-- 配置扫描的路径 -->
12 <context:component-scan base-package="com.bie"></context:component-scan>
13
14 <!-- 将ShiroFilterFactoryBean注入到spring容器中 -->
15 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
16 <!-- 配置SecurityManager对象 -->
17 <property name="securityManager" ref="securityManager"></property>
18 <!-- 设置登陆页的url -->
19 <property name="loginUrl" value="login.html"></property>
20 <!-- 未认证的界面 -->
21 <property name="unauthorizedUrl" value="403.html"></property>
22 <!-- 过滤器链 -->
23 <!-- shiro给我们内置了很多Filter,这里设置过滤器链 -->
24 <property name="filterChainDefinitions">
25 <!-- authc经过认证之后才可以访问相应的路径、anon不需要任何验证就可以访问 -->
26 <!-- 过滤器链是有顺序的,从上到下,需要认证的放到下面 -->
27 <!-- 根路径下面的/subLogin也不需要进行认证 -->
28 <!-- authc表示需要经过认证之后才可以访问相应数据,anon表示不需要认证,直接可以访问 -->
29 <!-- 这个过滤器链是有顺序的,从上往下匹配,匹配到之后就直接返回了,所以匹配到login.jsp不需要认证,/*需要认证,所以放在下面 -->
30 <value>
31 /login.html=anon
32 /subLogin=anon
33 /*=authc
34 </value>
35 </property>
36 </bean>
37
38 <!-- 第一步,创建SecurityManager对象 -->
39 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
40 <!-- 将自定义的Realm设置到SecurityManager环境中 -->
41 <!-- 主体提交请求之后就交给我们自定义Realm来认证和授权 -->
42 <property name="realm" ref="customRealm"></property>
43 </bean>
44
45 <!-- 第二步,创建自定义Realm -->
46 <bean id="customRealm" class="com.bie.realm.CustomRealm">
47 <!-- 将加密的设置到自定义的Realm中 -->
48 <property name="credentialsMatcher" ref="credentialsMatcher"></property>
49 </bean>
50
51 <!-- 第三步,加密管理器对象 -->
52 <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
53 <!-- 设置加密的算法为md5 -->
54 <property name="hashAlgorithmName" value="md5"></property>
55 <!-- 设置加密次数 -->
56 <property name="hashIterations" value="1"></property>
57 </bean>
58
59 </beans>创建用户实体类、角色实体类、权限实体类,如下所示:
1 package com.bie.po;
2
3 /**
4 * @ProjectName: shiro
5 * @Package: com.bie.po
6 * @ClassName: User
7 * @Author: biehl
8 * @Description: ${description}
9 * @Date: 2020/8/6 16:40
10 * @Version: 1.0
11 */
12 public class User {
13
14 private String username;
15 private String password;
16
17 public String getUsername() {
18 return username;
19 }
20
21 public void setUsername(String username) {
22 this.username = username;
23 }
24
25 public String getPassword() {
26 return password;
27 }
28
29 public void setPassword(String password) {
30 this.password = password;
31 }
32
33 @Override
34 public String toString() {
35 return "User{" +
36 "username='" + username + '\'' +
37 ", password='" + password + '\'' +
38 '}';
39 }
40 } 1 package com.bie.po;
2
3 /**
4 * @ProjectName: shiro
5 * @Package: com.bie.po
6 * @ClassName: Roles
7 * @Author: biehl
8 * @Description: ${description}
9 * @Date: 2020/8/8 14:56
10 * @Version: 1.0
11 */
12 public class Roles {
13
14 private String userName;
15 private String roleName;
16
17 public String getUserName() {
18 return userName;
19 }
20
21 public void setUserName(String userName) {
22 this.userName = userName;
23 }
24
25 public String getRoleName() {
26 return roleName;
27 }
28
29 public void setRoleName(String roleName) {
30 this.roleName = roleName;
31 }
32
33 @Override
34 public String toString() {
35 return "Roles{" +
36 "userName='" + userName + '\'' +
37 ", roleName='" + roleName + '\'' +
38 '}';
39 }
40 } 1 package com.bie.po;
2
3 /**
4 * @ProjectName: shiro
5 * @Package: com.bie.po
6 * @ClassName: Permissions
7 * @Author: biehl
8 * @Description: ${description}
9 * @Date: 2020/8/8 16:57
10 * @Version: 1.0
11 */
12 public class Permissions {
13
14 private String roleName;
15 private String permission;
16
17 public String getRoleName() {
18 return roleName;
19 }
20
21 public void setRoleName(String roleName) {
22 this.roleName = roleName;
23 }
24
25 public String getPermission() {
26 return permission;
27 }
28
29 public void setPermission(String permission) {
30 this.permission = permission;
31 }
32
33 @Override
34 public String toString() {
35 return "Permissions{" +
36 "roleName='" + roleName + '\'' +
37 ", permission='" + permission + '\'' +
38 '}';
39 }
40 }创建用户Dao层、角色Dao层、权限Dao层,如下所示:
1 package com.bie.dao;
2
3 import com.bie.po.User;
4
5 /**
6 * @ProjectName: shiro
7 * @Package: com.bie.dao
8 * @ClassName: UserDao
9 * @Author: biehl
10 * @Description: ${description}
11 * @Date: 2020/8/8 14:38
12 * @Version: 1.0
13 */
14 public interface UserDao {
15
16 User getUserByUserName(String username);
17 } 1 package com.bie.dao;
2
3 import java.util.List;
4
5 /**
6 * @ProjectName: shiro
7 * @Package: com.bie.dao
8 * @ClassName: RolesDao
9 * @Author: biehl
10 * @Description: ${description}
11 * @Date: 2020/8/8 14:57
12 * @Version: 1.0
13 */
14 public interface RolesDao {
15
16 List<String> queryRolesByUserName(String userName);
17 } 1 package com.bie.dao;
2
3 import java.util.List;
4
5 /**
6 * @ProjectName: shiro
7 * @Package: com.bie.dao
8 * @ClassName: PermissionsDao
9 * @Author: biehl
10 * @Description: ${description}
11 * @Date: 2020/8/8 16:58
12 * @Version: 1.0
13 */
14 public interface PermissionsDao {
15
16 List<String> getPermissionsByRoleName(String roleName);
17 }创建用户Dao层实现类、角色Dao层实现类、权限Dao层实现类,如下所示:
1 package com.bie.dao.impl;
2
3 import com.bie.dao.UserDao;
4 import com.bie.po.User;
5 import org.springframework.beans.factory.annotation.Autowired;
6 import org.springframework.jdbc.core.JdbcTemplate;
7 import org.springframework.jdbc.core.RowMapper;
8 import org.springframework.stereotype.Component;
9 import org.springframework.util.CollectionUtils;
10
11 import java.sql.ResultSet;
12 import java.sql.SQLException;
13 import java.util.List;
14
15 /**
16 * @ProjectName: shiro
17 * @Package: com.bie.dao.impl
18 * @ClassName: UserDaoImpl
19 * @Author: biehl
20 * @Description: ${description}
21 * @Date: 2020/8/8 14:38
22 * @Version: 1.0
23 */
24 @Component
25 public class UserDaoImpl implements UserDao {
26
27 // 注入spring的jdbcTemplate
28 @Autowired
29 private JdbcTemplate jdbcTemplate;
30
31 @Override
32 public User getUserByUserName(String username) {
33 String sql = "select username,password from users where username = ? ";
34
35 List<User> userList = jdbcTemplate.query(sql, new String[]{username}, new RowMapper<User>() {
36 @Override
37 public User mapRow(ResultSet resultSet, int i) throws SQLException {
38 User user = new User();
39 user.setUsername(resultSet.getString("username"));
40 user.setPassword(resultSet.getString("password"));
41 return user;
42 }
43 });
44 // 判断集合是否为空,如果为空就返回空
45 if (CollectionUtils.isEmpty(userList)) {
46 return null;
47 }
48 // 返回查询到的第一条数据
49 return userList.get(0);
50 }
51
52 } 1 package com.bie.dao.impl;
2
3 import com.bie.dao.RolesDao;
4 import com.bie.po.Roles;
5 import org.springframework.beans.factory.annotation.Autowired;
6 import org.springframework.jdbc.core.JdbcTemplate;
7 import org.springframework.jdbc.core.RowMapper;
8 import org.springframework.stereotype.Component;
9
10 import java.sql.ResultSet;
11 import java.sql.SQLException;
12 import java.util.List;
13
14 /**
15 * @ProjectName: shiro
16 * @Package: com.bie.dao.impl
17 * @ClassName: RolesDaoImpl
18 * @Author: biehl
19 * @Description: ${description}
20 * @Date: 2020/8/8 14:57
21 * @Version: 1.0
22 */
23 @Component
24 public class RolesDaoImpl implements RolesDao {
25
26 // 注入spring的jdbcTemplate
27 @Autowired
28 private JdbcTemplate jdbcTemplate;
29
30 @Override
31 public List<String> queryRolesByUserName(String userName) {
32 String sql = "select role_name from user_roles where username = ? ";
33
34 List<String> roleNameList = jdbcTemplate.query(sql, new String[]{userName}, new RowMapper<String>() {
35 @Override
36 public String mapRow(ResultSet resultSet, int i) throws SQLException {
37 return resultSet.getString("role_name");
38 }
39 });
40 return roleNameList;
41 }
42
43 } 1 package com.bie.dao.impl;
2
3 import com.bie.dao.PermissionsDao;
4 import org.springframework.beans.factory.annotation.Autowired;
5 import org.springframework.jdbc.core.JdbcTemplate;
6 import org.springframework.jdbc.core.RowMapper;
7 import org.springframework.stereotype.Component;
8
9 import java.sql.ResultSet;
10 import java.sql.SQLException;
11 import java.util.List;
12
13 /**
14 * @ProjectName: shiro
15 * @Package: com.bie.dao.impl
16 * @ClassName: PermissionsDaoImpl
17 * @Author: biehl
18 * @Description: ${description}
19 * @Date: 2020/8/8 16:58
20 * @Version: 1.0
21 */
22 @Component
23 public class PermissionsDaoImpl implements PermissionsDao {
24
25 @Autowired
26 private JdbcTemplate jdbcTemplate;
27
28 @Override
29 public List<String> getPermissionsByRoleName(String roleName) {
30 String sql = "select permission from roles_permissions where role_name = ? ";
31
32 List<String> permissionsNameList = jdbcTemplate.query(sql, new String[]{roleName}, new RowMapper<String>() {
33 @Override
34 public String mapRow(ResultSet resultSet, int i) throws SQLException {
35 return resultSet.getString("permission");
36 }
37 });
38 return permissionsNameList;
39 }
40
41 创建用户登陆的控制层,进行用户登陆,角色验证,权限验证,如下所示:
1 package com.bie.controller;
2
3 import org.apache.shiro.SecurityUtils;
4 import org.apache.shiro.authc.AuthenticationException;
5 import org.apache.shiro.authc.UsernamePasswordToken;
6 import org.apache.shiro.subject.Subject;
7 import org.springframework.stereotype.Controller;
8 import org.springframework.web.bind.annotation.RequestMapping;
9 import org.springframework.web.bind.annotation.RequestMethod;
10 import org.springframework.web.bind.annotation.RequestParam;
11 import org.springframework.web.bind.annotation.ResponseBody;
12
13 /**
14 * @ProjectName: shiro
15 * @Package: com.bie.controller
16 * @ClassName: UserController
17 * @Author: biehl
18 * @Description: ${description}
19 * @Date: 2020/8/6 16:36
20 * @Version: 1.0
21 */
22 @Controller
23 // @RequestMapping(value = "/user")
24 public class UserController {
25
26 @RequestMapping(value = "/subLogin", method = RequestMethod.POST,produces = "application/json;charset=utf-8")
27 @ResponseBody
28 public String subLogin(@RequestParam(value = "username") String username,
29 @RequestParam(value = "password") String password) {
30 // 获取到主体信息
31 Subject subject = SecurityUtils.getSubject();
32 // 创建一个token
33 UsernamePasswordToken token = new UsernamePasswordToken(username, password);
34 // 主体登陆验证
35 try {
36 subject.login(token);
37 } catch (AuthenticationException e) {
38 e.printStackTrace();
39 }
40
41 // 第四步,Realm验证
42 boolean authenticated = subject.isAuthenticated();
43 System.out.println("isAuthenticated是否进行了认证:" + authenticated);
44 if (authenticated) {
45 System.out.println("该账号通过了认证:" + authenticated);
46 // 检查角色,检查管理员的角色,给用户admin配备角色admin
47 subject.checkRole("admin");
48 System.out.println("开始检查管理员admin!");
49 if (subject.hasRole("admin")) {
50 System.out.println(username + "拥有管理员admin角色!");
51 // 检查权限,检查admin角色是否拥有用户删除的权限
52 subject.checkPermission("admin:delete");
53 System.out.println("检查管理员拥有用户删除admin:delete的权限!");
54
55 subject.checkPermission("admin:update");
56 subject.checkPermission("admin:select");
57 subject.checkPermission("admin:insert");
58 System.out.println("检查管理员拥有用户删除admin:delete,admin:update,admin:select,admin:insert的权限!");
59 }
60 if (subject.hasRole("user")) {
61 System.out.println(username + "拥有普通账号user角色!");
62 // 检查权限,检查admin角色是否拥有用户删除的权限
63 subject.checkPermission("user:delete");
64 System.out.println("检查普通账号拥有用户删除user:delete的权限!");
65
66 subject.checkPermission("user:update");
67 subject.checkPermission("user:select");
68 subject.checkPermission("user:insert");
69 System.out.println("检查普通账号拥有用户删除user:delete,user:update,user:select,user:insert的权限!");
70 }
71 return "该账号通过认证具备该角色且具备此权限";
72 }
73 return "login fail!";
74 }
75
76 }自定义Realm,如下所示:
1 package com.bie.realm;
2
3 import com.alibaba.druid.util.StringUtils;
4 import com.bie.dao.PermissionsDao;
5 import com.bie.dao.RolesDao;
6 import com.bie.dao.UserDao;
7 import com.bie.po.User;
8 import org.apache.shiro.authc.AuthenticationException;
9 import org.apache.shiro.authc.AuthenticationInfo;
10 import org.apache.shiro.authc.AuthenticationToken;
11 import org.apache.shiro.authc.SimpleAuthenticationInfo;
12 import org.apache.shiro.authz.AuthorizationInfo;
13 import org.apache.shiro.authz.SimpleAuthorizationInfo;
14 import org.apache.shiro.crypto.hash.Md5Hash;
15 import org.apache.shiro.realm.AuthorizingRealm;
16 import org.apache.shiro.subject.PrincipalCollection;
17 import org.apache.shiro.util.ByteSource;
18 import org.springframework.beans.factory.annotation.Autowired;
19
20 import java.util.HashSet;
21 import java.util.Iterator;
22 import java.util.List;
23 import java.util.Set;
24
25 /**
26 * 自定义Realm
27 *
28 * @ProjectName: shiro
29 * @Package: com.bie.shiro
30 * @ClassName: CustomRealm
31 * @Author: biehl
32 * @Description: ${description}
33 * @Date: 2020/8/6 14:58
34 * @Version: 1.0
35 */
36 public class CustomRealm extends AuthorizingRealm {
37
38 // 将userDao注入进来
39 @Autowired
40 private UserDao userDao;
41
42 @Autowired
43 private RolesDao rolesDao;
44
45 @Autowired
46 private PermissionsDao permissionsDao;
47
48 /**
49 * 授权使用
50 *
51 * @param principals
52 * @return
53 */
54 public AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
55 // 1、第一步,从认证信息中获取到用户信息。
56 String userName = (String) principals.getPrimaryPrincipal();
57 // 2、第二步,从数据库中或者缓存中通过用户姓名获取到角色信息
58 Set<String> roles = getRolesByUserName(userName);
59 // 3、第三步,从数据库中或者缓存中通过用户姓名获取到权限信息
60 Set<String> permissions = getPermissionsByRoleName(roles);
61 // 4、第四步,将获取到角色信息和权限信息返回
62 SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
63 // 设置权限
64 simpleAuthorizationInfo.setStringPermissions(permissions);
65 // 设置角色
66 simpleAuthorizationInfo.setRoles(roles);
67 return simpleAuthorizationInfo;
68 }
69
70 /**
71 * 通过用户名获取到权限信息
72 *
73 * @param roles
74 * @return
75 */
76 public Set<String> getPermissionsByRoleName(Set<String> roles) {
77 Set<String> sets = new HashSet<String>();
78 Iterator<String> iterator = roles.iterator();
79 while (iterator.hasNext()) {
80 String roleName = iterator.next();
81 List<String> list = permissionsDao.getPermissionsByRoleName(roleName);
82 sets.addAll(list);
83 }
84 return sets;
85 }
86
87 /**
88 * 模拟通过用户姓名获取到角色信息
89 *
90 * @param userName
91 * @return
92 */
93 public Set<String> getRolesByUserName(String userName) {
94 List<String> list = rolesDao.queryRolesByUserName(userName);
95 Set<String> sets = new HashSet<String>(list);
96 return sets;
97 }
98
99 /**
100 * 认证使用
101 *
102 * @param token 主体传过来的认证信息
103 * @return
104 * @throws AuthenticationException
105 */
106 public AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
107 // 1、第一步,通过主体传过来的认证信息获取用户名
108 String username = (String) token.getPrincipal();
109 // 2、通过用户名到数据库中获取凭证
110 // 如果使用了shiro的HashedCredentialsMatcher加密,那么这里保存的是加密后的密文
111 String password = getPasswordByUserName(username);
112 // 判断获取到的密码是否存在,不存在直接返回null
113 if (StringUtils.isEmpty(password)) {
114 return null;
115 }
116 // 如果对象存在
117 SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(username, password, "customRealm");
118
119 // 如果加了盐salt,认证返回的时候需要见盐salt设置进去的
120 authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("654321"));
121 // 将加了盐的认证用户返回
122 return authenticationInfo;
123 }
124
125 /**
126 * 通过用户姓名获取到用户的密码
127 *
128 * @param username
129 * @return
130 */
131 public String getPasswordByUserName(String username) {
132 // 正常情况下,需要读取数据库,这里进行模拟
133 User user = this.userDao.getUserByUserName(username);
134 return user != null ? user.getPassword() : null;
135 }
136
137 public static void main(String[] args) {
138 // 加盐salt让密码更加难以识破
139 Md5Hash md5Hash = new Md5Hash("123456", "654321");
140 System.out.println(md5Hash);
141 }
142
143 }项目结构,如下所示:
数据库测试数据,如下所示:
如果想要基于注解开发shiro和spring的整合,加上这个依赖,如下所示:
1 <!-- 基于注解开发shiro和spring整合 -->
2 <dependency>
3 <groupId>org.aspectj</groupId>
4 <artifactId>aspectjweaver</artifactId>
5 <version>1.8.9</version>
6 </dependency>在spring-mvc.xml配置文件加上此配置,如下所示:
1 <!-- 开启aop -->
2 <aop:config proxy-target-class="true"></aop:config>在spring.xml配置文件加上此配置,如下所示:
1 <!-- 注入securityManager -->
2 <bean id="attributeSourceAdvisor"
3 class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
4 <!-- 将securityManager注入 -->
5 <property name="securityManager" ref="securityManager"></property>
6 </bean>
7
8 <!-- 注入bean对象lifecycleBeanPostProcessor -->
9 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>在控制层可以加上注解进行测试,如下所示:
1 @RequiresPermissions({"admin:select","admin:insert","admin:delete","admin:update"})
2 @RequiresRoles(value = "admin")
3 @RequestMapping(value = "getRole",method = RequestMethod.GET)
4 @ResponseBody
5 public String getRoles(){
6 return "getRoles success!!!";
7 }5、Shiro内置过滤器,和认证相关的过滤器。
1)、anon:不需要任何认证就可以进行访问。 2)、authBasic:就是http authBasic。 3)、authc:需要认证才可以进行访问。 4)、user:需要当前存在用户才可以进行访问。 5)、loout:退出。
6、Shiro内置过滤器,和授权相关的过滤器。
1)、perms:需要具备相关的权限才可以访问。 2)、roles:和perms类似。 3)、ssl:安全的协议。 4)、port:要求指定的端口号。
1 package com.bie.controller;
2
3 import org.apache.shiro.SecurityUtils;
4 import org.apache.shiro.authc.AuthenticationException;
5 import org.apache.shiro.authc.UsernamePasswordToken;
6 import org.apache.shiro.authz.annotation.RequiresPermissions;
7 import org.apache.shiro.authz.annotation.RequiresRoles;
8 import org.apache.shiro.subject.Subject;
9 import org.springframework.stereotype.Controller;
10 import org.springframework.web.bind.annotation.RequestMapping;
11 import org.springframework.web.bind.annotation.RequestMethod;
12 import org.springframework.web.bind.annotation.RequestParam;
13 import org.springframework.web.bind.annotation.ResponseBody;
14
15 /**
16 * @ProjectName: shiro
17 * @Package: com.bie.controller
18 * @ClassName: UserController
19 * @Author: biehl
20 * @Description: ${description}
21 * @Date: 2020/8/6 16:36
22 * @Version: 1.0
23 */
24 @Controller
25 // @RequestMapping(value = "/user")
26 public class UserController {
27
28 @RequestMapping(value = "/subLogin", method = RequestMethod.POST, produces = "application/json;charset=utf-8")
29 @ResponseBody
30 public String subLogin(@RequestParam(value = "username") String username,
31 @RequestParam(value = "password") String password) {
32 // 获取到主体信息
33 Subject subject = SecurityUtils.getSubject();
34 // 创建一个token
35 UsernamePasswordToken token = new UsernamePasswordToken(username, password);
36 // 主体登陆验证
37 try {
38 subject.login(token);
39 } catch (AuthenticationException e) {
40 e.printStackTrace();
41 }
42
43 // 第四步,Realm验证
44 boolean authenticated = subject.isAuthenticated();
45 System.out.println("isAuthenticated是否进行了认证:" + authenticated);
46 if (authenticated) {
47 System.out.println("该账号通过了认证:" + authenticated);
48 // 检查角色,检查管理员的角色,给用户admin配备角色admin
49 subject.checkRole("admin");
50 System.out.println("开始检查管理员admin!");
51 if (subject.hasRole("admin")) {
52 System.out.println(username + "拥有管理员admin角色!");
53 // 检查权限,检查admin角色是否拥有用户删除的权限
54 subject.checkPermission("admin:delete");
55 System.out.println("检查管理员拥有用户删除admin:delete的权限!");
56
57 subject.checkPermission("admin:update");
58 subject.checkPermission("admin:select");
59 subject.checkPermission("admin:insert");
60 System.out.println("检查管理员拥有用户删除admin:delete,admin:update,admin:select,admin:insert的权限!");
61 }
62 if (subject.hasRole("user")) {
63 System.out.println(username + "拥有普通账号user角色!");
64 // 检查权限,检查admin角色是否拥有用户删除的权限
65 subject.checkPermission("user:delete");
66 System.out.println("检查普通账号拥有用户删除user:delete的权限!");
67
68 subject.checkPermission("user:update");
69 subject.checkPermission("user:select");
70 subject.checkPermission("user:insert");
71 System.out.println("检查普通账号拥有用户删除user:delete,user:update,user:select,user:insert的权限!");
72 }
73 return "该账号通过认证具备该角色且具备此权限";
74 }
75 return "login fail!";
76 }
77
78 // @RequiresPermissions({"admin:select", "admin:insert", "admin:delete", "admin:update"})
79 // @RequiresRoles(value = "admin")
80 // @RequestMapping(value = "getRole", method = RequestMethod.GET)
81 // @ResponseBody
82 // public String getRoles() {
83 // return "getRoles success!!!";
84 // }
85
86
87 @RequestMapping(value = "getRole", method = RequestMethod.GET)
88 @ResponseBody
89 public String getRole() {
90 return "getRole success!!!";
91 }
92
93 @RequestMapping(value = "getRole1", method = RequestMethod.GET)
94 @ResponseBody
95 public String getRole1() {
96 return "getRole1 success!!!";
97 }
98
99
100 @RequestMapping(value = "getPerms", method = RequestMethod.GET)
101 @ResponseBody
102 public String getPerms() {
103 return "getPerms success!!!";
104 }
105
106
107 @RequestMapping(value = "getPerms1", method = RequestMethod.GET)
108 @ResponseBody
109 public String getPerms1() {
110 return "getPerms1 success!!!";
111 }
112
113
114 } 1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:context="http://www.springframework.org/schema/context"
5 xsi:schemaLocation="http://www.springframework.org/schema/beans
6 http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
7
8 <!-- 将新建的spring-dao.xml引入进来 -->
9 <import resource="spring-dao.xml"></import>
10
11 <!-- 配置扫描的路径 -->
12 <context:component-scan base-package="com.bie"></context:component-scan>
13
14 <!-- 将ShiroFilterFactoryBean注入到spring容器中 -->
15 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
16 <!-- 配置SecurityManager对象 -->
17 <property name="securityManager" ref="securityManager"></property>
18 <!-- 设置登陆页的url -->
19 <property name="loginUrl" value="login.html"></property>
20 <!-- 未认证的界面 -->
21 <property name="unauthorizedUrl" value="403.html"></property>
22 <!-- 过滤器链 -->
23 <!-- shiro给我们内置了很多Filter,这里设置过滤器链 -->
24 <property name="filterChainDefinitions">
25 <!-- authc经过认证之后才可以访问相应的路径、anon不需要任何验证就可以访问 -->
26 <!-- 过滤器链是有顺序的,从上到下,需要认证的放到下面 -->
27 <!-- 根路径下面的/subLogin也不需要进行认证 -->
28 <!-- authc表示需要经过认证之后才可以访问相应数据,anon表示不需要认证,直接可以访问 -->
29 <!-- 这个过滤器链是有顺序的,从上往下匹配,匹配到之后就直接返回了,所以匹配到login.jsp不需要认证,/*需要认证,所以放在下面 -->
30 <value>
31 /login.html = anon
32 /subLogin = anon
33 /getRole = roles["admin"]
34 /getRole1 = roles["admin","user"]
35 /getPerms = perms["admin:delete"]
36 /getPerms1 = perms["admin:select", "admin:insert", "admin:delete", "admin:update"]
37 /* = authc
38 </value>
39 </property>
40 </bean>
41
42 <!-- 第一步,创建SecurityManager对象 -->
43 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
44 <!-- 将自定义的Realm设置到SecurityManager环境中 -->
45 <!-- 主体提交请求之后就交给我们自定义Realm来认证和授权 -->
46 <property name="realm" ref="customRealm"></property>
47 </bean>
48
49 <!-- 第二步,创建自定义Realm -->
50 <bean id="customRealm" class="com.bie.realm.CustomRealm">
51 <!-- 将加密的设置到自定义的Realm中 -->
52 <property name="credentialsMatcher" ref="credentialsMatcher"></property>
53 </bean>
54
55 <!-- 第三步,加密管理器对象 -->
56 <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
57 <!-- 设置加密的算法为md5 -->
58 <property name="hashAlgorithmName" value="md5"></property>
59 <!-- 设置加密次数 -->
60 <property name="hashIterations" value="1"></property>
61 </bean>
62
63 <!-- 注入securityManager -->
64 <bean id="attributeSourceAdvisor"
65 class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
66 <!-- 将securityManager注入 -->
67 <property name="securityManager" ref="securityManager"></property>
68 </bean>
69
70 <!-- 注入bean对象lifecycleBeanPostProcessor -->
71 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
72
73 </beans>7、Shiro自定义过滤器。
1 package com.bie.filter;
2
3 import org.apache.shiro.subject.Subject;
4 import org.apache.shiro.web.filter.authz.AuthorizationFilter;
5
6 import javax.servlet.ServletRequest;
7 import javax.servlet.ServletResponse;
8
9 /**
10 * 满足任何一个角色就可以进行操作
11 * <p>
12 * AuthorizationFilter:此类是和授权相关的过滤器Filter
13 * <p>
14 * AuthenticatingFilter:此类是和认证相关的过滤器Filter
15 *
16 * @ProjectName: shiro
17 * @Package: com.bie.filter
18 * @ClassName: ShiroRolesFilter
19 * @Author: biehl
20 * @Description: ${description}
21 * @Date: 2020/8/11 16:23
22 * @Version: 1.0
23 */
24 public class ShiroRolesFilter extends AuthorizationFilter {
25
26 /**
27 * @param request
28 * @param response
29 * @param mappedValue
30 * @return
31 */
32 @Override
33 protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
34 // 获取到相应的主体subject
35 Subject subject = getSubject(request, response);
36 // 获取到角色数据
37 String[] roles = (String[]) mappedValue;
38 // 判断如果数组为空,说明可以直接访问,不需要任何角色
39 if (roles == null || roles.length == 0) {
40 return true;
41 }
42 // 如果不为空,就开始进行遍历
43 for (String role : roles) {
44 // 如果包含当前的角色
45 if (subject.hasRole(role)) {
46 // 直接返回为true
47 return true;
48 }
49 }
50 return false;
51 }
52
53 }自定义过滤器,需要进行配置才可以生效的,如下所示:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:context="http://www.springframework.org/schema/context"
5 xmlns:util="http://www.springframework.org/schema/util"
6 xsi:schemaLocation="http://www.springframework.org/schema/beans
7 http://www.springframework.org/schema/beans/spring-beans.xsd
8 http://www.springframework.org/schema/context
9 http://www.springframework.org/schema/context/spring-context.xsd
10 http://www.springframework.org/schema/util
11 http://www.springframework.org/schema/util/spring-util.xsd">
12
13 <!-- 将新建的spring-dao.xml引入进来 -->
14 <import resource="spring-dao.xml"></import>
15
16 <!-- 配置扫描的路径 -->
17 <context:component-scan base-package="com.bie"></context:component-scan>
18
19 <!-- 将ShiroFilterFactoryBean注入到spring容器中 -->
20 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
21 <!-- 配置SecurityManager对象 -->
22 <property name="securityManager" ref="securityManager"></property>
23 <!-- 设置登陆页的url -->
24 <property name="loginUrl" value="login.html"></property>
25 <!-- 未认证的界面 -->
26 <property name="unauthorizedUrl" value="403.html"></property>
27 <!-- 过滤器链 -->
28 <!-- shiro给我们内置了很多Filter,这里设置过滤器链 -->
29 <property name="filterChainDefinitions">
30 <!-- authc经过认证之后才可以访问相应的路径、anon不需要任何验证就可以访问 -->
31 <!-- 过滤器链是有顺序的,从上到下,需要认证的放到下面 -->
32 <!-- 根路径下面的/subLogin也不需要进行认证 -->
33 <!-- authc表示需要经过认证之后才可以访问相应数据,anon表示不需要认证,直接可以访问 -->
34 <!-- 这个过滤器链是有顺序的,从上往下匹配,匹配到之后就直接返回了,所以匹配到login.jsp不需要认证,/*需要认证,所以放在下面 -->
35 <value>
36 /login.html = anon
37 /subLogin = anon
38 /getRole = rolesOr["admin","user"]
39 /getRole1 = roles["admin","user"]
40 /* = authc
41 </value>
42 </property>
43 <!-- 引入自定义的授权过滤器 -->
44 <!--<property name="filters">
45 <map>
46 <entry key="rolesOr" value="rolesOrFilter"></entry>
47 </map>
48 </property>-->
49 <property name="filters">
50 <util:map>
51 <entry key="rolesOr" value-ref="rolesOrFilter"></entry>
52 </util:map>
53 </property>
54 </bean>
55
56
57 <!-- 创建自定义filter -->
58 <bean id="rolesOrFilter" class="com.bie.filter.ShiroRolesFilter"></bean>
59
60
61 <!-- 第一步,创建SecurityManager对象 -->
62 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
63 <!-- 将自定义的Realm设置到SecurityManager环境中 -->
64 <!-- 主体提交请求之后就交给我们自定义Realm来认证和授权 -->
65 <property name="realm" ref="customRealm"></property>
66 </bean>
67
68 <!-- 第二步,创建自定义Realm -->
69 <bean id="customRealm" class="com.bie.realm.CustomRealm">
70 <!-- 将加密的设置到自定义的Realm中 -->
71 <property name="credentialsMatcher" ref="credentialsMatcher"></property>
72 </bean>
73
74 <!-- 第三步,加密管理器对象 -->
75 <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
76 <!-- 设置加密的算法为md5 -->
77 <property name="hashAlgorithmName" value="md5"></property>
78 <!-- 设置加密次数 -->
79 <property name="hashIterations" value="1"></property>
80 </bean>
81
82 <!-- 注入securityManager -->
83 <bean id="attributeSourceAdvisor"
84 class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
85 <!-- 将securityManager注入 -->
86 <property name="securityManager" ref="securityManager"></property>
87 </bean>
88
89 <!-- 注入bean对象lifecycleBeanPostProcessor -->
90 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
91
92 </beans>本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2020-08-29 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
暂无评论
推荐阅读
编辑精选文章
换一批
推荐阅读
相关推荐
Shiro 整合 Spring 第一次
更多 >
腾讯云开发者
