转载自:http://blog.csdn.net/qq_31759675/article/details/72268141
| 这 | 是 |
| 什 | 么 |
| 鬼 | ! |
SpringMVC控制器
Shiro配置文件
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:context="http://www.springframework.org/schema/context" xmlns:p="http://www.springframework.org/schema/p"
- xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">
- <!-- 1. 配置 SecurityManager! -->
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <property name="cacheManager" ref="cacheManager" />
- <property name="authenticator" ref="authenticator" />
- <property name="realms">
- <list>
- <ref bean="jdbcRealm"/>
- <!-- <ref bean="shiroRealm"/> -->
- </list>
- </property>
- <!-- 设置登录时长 半天12个小时、-->
- <property name="rememberMeManager.cookie.maxAge" value="43200"></property>
- </bean>
- <!-- 2. 配置 CacheManager. -->
- <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
- <property name="cacheManagerConfigFile" value="classpath:shiro/ehcache.xml" />
- </bean>
- <bean id="authenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
- <property name="authenticationStrategy">
- <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>
- </property>
- </bean>
- <!-- 3. 配置 多Realm验证:MD5 SHA1... 3.1 直接配置实现了 org.apache.shiro.realm.Realm 接口的 bean -->
- <bean id="jdbcRealm" class="com.vnasi.realms.ShiroRealm">
- <property name="credentialsMatcher">
- <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
- <property name="hashAlgorithmName" value="MD5" />
- <property name="hashIterations" value="1024" />
- </bean>
- </property>
- </bean>
- <!-- 暂时没用上 -->
- <!-- <bean id="shiroRealm" class="com.vnasi.realms.SecondRealm">
- <property name="credentialsMatcher">
- <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
- <property name="hashAlgorithmName" value="SHA1" />
- <property name="hashIterations" value="1024" />
- </bean>
- </property>
- </bean> -->
- <!-- 4. 配置 LifecycleBeanPostProcessor. 可以自定的来调用配置在 Spring IOC 容器中 shiro bean 的生命周期方法. -->
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- <!-- 5. 启用 IOC 容器中使用 shiro 的注解. 但必须在配置了 LifecycleBeanPostProcessor 之后才可以使用. -->
- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor" />
- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager" />
- </bean>
- <!-- 6. 配置 ShiroFilter. -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager"/>
- <!-- <property name="loginUrl" value="/path/toLogin"/>
- <property name="successUrl" value="/foreground/index"/> -->
- <property name="unauthorizedUrl" value="/path/toUnAuthorized"/>
- <!-- 静态资源map -->
- <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap" />
- </bean>
- <!-- 采用从数据表中初始化静态资源map 配置一个 bean, 该 bean 实际上是一个 Map. 通过实例工厂方法的方式-->
- <bean id="filterChainDefinitionMap" factory-bean="filterChainDefinitionMapBuilder" factory-method="buildFilterChainDefinitionMap"></bean>
- <bean id="filterChainDefinitionMapBuilder" class="com.vnasi.factory.FilterChainDefinitionMapBuilder"/>
- </beans>
静态资源map,就是shiro配置文件中的filterChainDefinitions内容动态模拟出来,实际查数据库
自定义ShiroRealm 继承AuthorizingRealm 实现授权和信息认证
- <span style="font-size:18px;">public class ShiroRealm extends AuthorizingRealm {
- @Autowired
- private UserService service;
- // 认证回调函数
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(
- AuthenticationToken token) throws AuthenticationException {
- //1.将AuthenticationToken强制转换为UsernamePasswordToken从而得到userName
- UsernamePasswordToken upToken = (UsernamePasswordToken)token;
- //2.根据转换过来的UsernamePasswordToken对象得到userName
- String username = upToken.getUsername();
- //3.根据userName从数据库查出来的对应的记录
- VnasiUser user = service.findUserByUserName(username);
- Object principal = user.getUserId();
- Object credentials = user.getPassword();
- //4.当用户不存在时
- if(!principal.equals(username)){
- throw new UnknownAccountException("该用户不存在!");
- }
- //5.当用户被锁定时
- if(!principal.equals(username)){
- throw new LockedAccountException("该用户已被锁定!");
- }
- //MD5盐值加密后的密码
- String hashAlgorithmName = "MD5";
- Object salt = ByteSource.Util.bytes(principal);
- int hashIterations = 1024;
- Object result = new SimpleHash(hashAlgorithmName,credentials,salt,hashIterations);
- //credentials密码是通过用户名和密码进行盐值加密得出的
- if(principal.equals(username)){
- credentials = result;
- }
- //6.3 盐值加密
- ByteSource credentialsSalt = ByteSource.Util.bytes(username);
- //6.4当前 realm 对象的 name. 调用父类的 getName()
- String realm = getName();
- //7.通过这个简单验证对象得到验证信息
- SimpleAuthenticationInfo info = null; //new SimpleAuthenticationInfo(principal, credentials, realmName);
- info = new SimpleAuthenticationInfo(principal, credentials,credentialsSalt,realm);
- return info;
- }
- // 授权回调函数
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- // 1. 从 PrincipalCollection 中来获取登录用户的信息
- String userName = (String) principals.getPrimaryPrincipal();
- // 2. 利用登录的用户的信息来获取当前用户的角色或权限
- VnasiUser user = service.findUserByUserName(userName);
- // 2.1
- // 无论是普通user角色还是amdin系统角色都给上一个user(1)用户角色,要是admin就给普通用户再加上一个admin(2)角色
- Set<String> roles = new HashSet<String>();
- roles.add("user");
- if (user.getUserId().equals(userName)) {
- roles.add("admin");
- }
- // 3. 创建 SimpleAuthorizationInfo, 并设置其 reles 属性.
- SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
- // 4. 返回 SimpleAuthorizationInfo 对象 .
- return info;
- }</span>
以上都是大部分完整代码,跑起来也没有任何问题,shiro相关配置也是从Copy上一个项目的,上一个项目是可以顺利运行的。搞了半天测试直接访问首页的时候就是愣是直接进去了,后台代码找了又找都没找出名堂,网上也找了很多,说是在SpringMVC配置文件加上
<aop:config proxy-target-class="true" />
发现也没有什么卵用。后台实在找不出又跑去登录成功之后跳转的前台页面找找,果然,发现没有加上Shiro的标签库和权限标签
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<shiro:hasRole name="user"></shiro:hasRole>
加上就行了,记录自己的小问题,希望可以帮到一些需要的人
286
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
