好吧,shiro是真正意义上,自己学的一个新的东西……
写个文档记录下下。(好吧,我承认这是别人一直逼着我写的,唉。)
一、在web.xml配制shiroFilter
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
二、在spring的application.xml中添加配制,缓存配制暂未使用
<!--securityManager是shiro的核心,初始化时协调各个模块运行-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--单个realm使用realm,如果有多个realm,使用realms属性代替-->
<property name="realm" ref="shiroRealm" />
<!-- <property name="cacheManager" ref="shiroEhcacheManager" /> -->
</bean>
<!--realm配置,realm是shiro的桥梁,它主要是用来判断subject是否可以登录及权限等-->
<bean id="shiroRealm" class="com.shiro.realm.ShiroRealm">
<property name="userService" ref="userService" />
</bean>
<bean id="userService" class="com.shiro.service.UserService" />
<!--shiro过滤器配置,bean的id值须与web中的filter-name的值相同-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<!-- 没有权限或者失败后跳转的页面 -->
<property name="loginUrl" value="/index.jsp" />
<property name="successUrl" value="/loginSuccess.jsp" />
<property name="unauthorizedUrl" value="" />
<property name="filterChainDefinitions">
<value>
/logout.do = logout
/user/** = authc
/admin/** = authc,roles[admin]
</value>
</property>
</bean>
<!-- 用户授权/认证信息Cache, 采用EhCache 缓存 -->
<!--
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="/WEB-INF/ehcache-shiro.xml" />
</bean>
-->
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- AOP式方法级权限检查 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true" />
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
三、ShiroRealm文件基本代码
ShiroRealm extends AuthorizingRealm
/**
* 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用.
*/
@SuppressWarnings("unused")
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
logger.info("授权认证:" + p.getRealmNames());
ShiroUser shiroUser = (ShiroUser)p.getPrimaryPrincipal();
User user = userService.getUserByName(shiroUser.loginName);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
for (Role role : user.getRoles()) {
//基于用户名的角色信息
info.addRole(role.getName());
//基于角色的权限信息
info.setStringPermissions(role.getPermissions());
}
return info;
}
/**
* 认证回调函数,登录时调用.
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
logger.info("authc pass:");
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
logger.info("authc name:" + token.getUsername());
User user = userService.getUserByName(token.getUsername());
if (user != null) {
logger.info("authc name:" + token.getUsername() + " user:"
+ user.getName() + " pwd:" + user.getPwd()
+ "getname:" + getName());
return new SimpleAuthenticationInfo(new ShiroUser(user.getName(), user.getName()),
user.getPwd(), getName());
}
return null;
}
四、User与Role实体(用户关联角色,角色关联权限的关系,个人习惯,可自行配制其他方式)
User
private String name;
private String pwd;
private List<Role> roles;
Role
private String name;
private Set<String> permissions;
五、页面shiro常用标签的使用
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<shiro:guest>//未登录</shiro:guest>
<shiro:user>//当前有用户登录
<shiro:principal />//当前登录用户名
</shiro:user>
<shiro:hasRole name="admin">//角色为admin</shiro:hasRole>
<shiro:hasPermission name="insert">//具有insert权限</shiro:hasPermission>