<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
<init-param>
<param-name>configPath</param-name>
<param-value>/WEB-INF/shiro.ini</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>com.java1234.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>AdminServlet</servlet-name>
<servlet-class>com.java1234.servlet.AdminServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AdminServlet</servlet-name>
<url-pattern>/admin</url-pattern>
</servlet-mapping>
</web-app>
shiro.ini:
[main]
authc.loginUrl=/login
roles.unauthorizedUrl=/unauthorizedUrl.jsp
perms.unauthorizedUrl=/unauthorizedUrl.jsp
myRealm=com.java1234.realm.MyRealm
securityManager.realms=$myRealm
[urls]
;'?'可匹配单个字符,可以匹配/admin1 /admin2 但是不能匹配/admin12 /admin
;'*'匹配零个或者一个或者多个字符 /admin* 可以匹配 /admin /admin1 /admin12 但是不能匹配/admin/abc
;'**'匹配零个或者多个路径/admin/** 可以匹配 /admin /admin/a /admin/a/b
;anon表示无需认证即可访问,authc表示需要登陆认证,roles表示需要角色认证,perms表示需要权限认证
/login=anon
/admin*/**=authc
;必须先登陆才能跳转到unauthorizedUrl.jsp页面不然跳转到/login请求
/student=roles[teacher]
/teacher=perms["user:create"]
MyRealm:
package com.java1234.realm;
import java.sql.Connection;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import com.java1234.dao.UserDao;
import com.java1234.entity.User;
import shiro01.jdbcTest;
public class MyRealm extends AuthorizingRealm{
/**
* 为当前登陆成功的用户授予角色权限
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String userName=(String)principals.getPrimaryPrincipal();
SimpleAuthorizationInfo authenticationInfo=new SimpleAuthorizationInfo();
Connection con=null;
try {
con=jdbcTest.getConnection();
authenticationInfo.setRoles(UserDao.getRoles(con,userName));
authenticationInfo.setStringPermissions(UserDao.getPermissions(con,userName));
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
try {
jdbcTest.closeConnection();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
return authenticationInfo;
}
/**
* 验证当前登陆的用户
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// TODO Auto-generated method stub
String userName=(String)token.getPrincipal();
Connection con=null;
try {
con=jdbcTest.getConnection();
User user=UserDao.getByUserName(con, userName);
if(user!=null){
AuthenticationInfo authcInfo=new SimpleAuthenticationInfo(user.getUserName(),user.getPassword(),"xx");
return authcInfo;
}else{
return null;
}
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
try {
jdbcTest.closeConnection();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
return null;
}
}
LoginServlet:
package com.java1234.servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
public class LoginServlet extends HttpServlet{
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// TODO Auto-generated method stub
System.out.println("Login doget");
req.getRequestDispatcher("login.jsp").forward(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// TODO Auto-generated method stub
System.out.println("Login doPost");
String userName=req.getParameter("userName");
String password=req.getParameter("password");
Subject subject=SecurityUtils.getSubject();
UsernamePasswordToken token=new UsernamePasswordToken(userName, password);
try{
subject.login(token);
//默认情况下,这两个session为同一个东西
Session session=subject.getSession();
HttpSession req_session=req.getSession();
System.out.println("sessionId"+session.getId());
System.out.println("sessionHost"+session.getHost());
System.out.println("sessionTimeout"+session.getTimeout());
session.setAttribute("test", "session_test");
System.out.println((String)req_session.getAttribute("test"));
resp.sendRedirect("success.jsp");
}catch(Exception e){
e.printStackTrace();
req.setAttribute("errorInfo", "用户名密码错误");
req.getRequestDispatcher("login.jsp").forward(req, resp);
}
}
}
当调用
subject.login(token);
时,即进入MyRealm,与数据库记录相匹配