SSH集成Shiro实现登录

Shiro执行流程:应用程序—>Subject—>SecurityManager—>Realm—>安全数据
导入maven坐标

    <!-- Access-control framework (Apache Shiro). The version comes from the shiro.version property, which is
         defined elsewhere in the POM. NOTE(review): keep that property on a currently maintained Shiro release. -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-all</artifactId>
            <version>${shiro.version}</version>
        </dependency>

web.xml配置shiroFilter(核心控制器)时,filter-name不能随便定义:DelegatingFilterProxy默认按filter-name到Spring容器中查找同名bean,因此这里必须定义为shiroFilter(与下文bean的id一致),而且区分大小写

<!-- Shiro servlet filter -->
    <filter>
        <!-- DelegatingFilterProxy looks up a bean with this same name in the Spring configuration -->
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- Every request path goes through the Shiro filter -->
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

在application-shiro.xml主配置文件中,配置shiroFilter时,bean的id要与web.xml中配置的核心过滤器的filter-name完全一致。

    <!-- Core Shiro filter bean; its id must equal the filter-name declared in web.xml --> 
    <bean id="shiroFilter" 
        class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

配置安全管理器和Shiro生命周期处理器LifecycleBeanPostProcessor
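/login.html后面加上*,是因为容器进行URL重写时会把会话ID附加在路径之后,出现如下情况:
http://localhost:6001/ikayakibos_management/login.html;jsessionid=68A360BFE7413C7CEAE81E5069F1EE81
会话ID出现在URL中,容易经浏览器历史、访问日志和Referer泄露,也给会话固定留下空间;Servlet 3.0及以上可在web.xml的<session-config>中把<tracking-mode>限定为COOKIE,从根源上避免这种URL。
/**=authc放在最后:Shiro按书写顺序匹配规则,最先匹配到的一条生效,若放在前面,其后的anon、perms规则就不会生效。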

<!-- Security manager the filter delegates to -->
        <property name="securityManager" ref="securityManager" />
        <!-- Page an unauthenticated request is redirected to -->
        <property name="loginUrl" value="/login.html" />
        <!-- Page to go to after a successful login -->
        <property name="successUrl" value="/index.html" /> 
        <!-- Page shown when an authenticated user lacks the required permission -->
        <property name="unauthorizedUrl" value="/unauthorized.html" />

        <!-- Shiro URL filter rules
        anon   accessible without authentication
        authc  accessible only after authentication
        perms  accessible only with the listed permission
        roles  accessible only with the listed role
        user   accessible to a known user (authenticated, or remembered through rememberMe)
        port   accessible only on the given port (rarely used)
        rest   access decided by the HTTP method of the request (rarely used)
        *      every file directly inside the directory
        **     every file inside the directory, including sub-directories

        Rules are matched in the order written and the first match wins, so the catch-all authc rule
        has to stay last.
        NOTE(review): /upload/** and /services/** are open to anonymous requests. What lives under those
        paths is not shown here; if uploads contain user data, or /services exposes service endpoints,
        narrow these patterns or make sure each endpoint enforces its own authentication.
        NOTE(review): the realm shown with this configuration returns no authorization data, so the
        perms[courier:list] rule cannot be satisfied by any user until the realm supplies permissions.
        -->
        <property name="filterChainDefinitions">
            <value>
                /login.html* = anon
                /css/** = anon
                /js/** = anon
                /upload/** = anon
                /images/** = anon
                /validatecode.jsp* = anon
                /services/** = anon
                /user_login.action* = anon
                /pages/base/courier.html* = perms[courier:list]
                /** = authc
            </value>
        </property>
    </bean>

Action代码

package com.ikayaki.bos.web.action.system;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Namespace;
import org.apache.struts2.convention.annotation.ParentPackage;
import org.apache.struts2.convention.annotation.Result;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;

import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.web.action.common.BaseAction;

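/**
 * Struts2 action that logs a user in through Apache Shiro.
 *
 * <p>The submitted username and password are read from {@code model}, which is inherited from
 * {@code BaseAction} (not shown on this page).
 */
@ParentPackage("json-default")
@Namespace("/")
@Controller
@Scope("prototype")
public class UserAction extends BaseAction<User> {
    private static final long serialVersionUID = 1L;

    /**
     * Authenticates the submitted credentials against the configured Shiro realm.
     *
     * <p>The result mapping sends a successful login to {@code index.html} and a failed one back to
     * {@code login.html}, matching the {@code successUrl} and {@code loginUrl} of the Shiro filter
     * configuration. The original mapping had the two locations swapped.
     *
     * @return {@code SUCCESS} when Shiro accepts the credentials, {@code INPUT} when authentication fails
     */
    @Action(value = "user_login", results = {
            @Result(name = "success", location = "index.html", type = "redirect"),
            @Result(name = "input", location = "login.html", type = "redirect") })
    public String login() {
        // The Subject represents the current caller for this request.
        Subject subject = SecurityUtils.getSubject();
        // Wrap the submitted username and password in a token for the realm to verify.
        AuthenticationToken token = new UsernamePasswordToken(model.getUsername(), model.getPassword());
        try {
            subject.login(token);
            return SUCCESS;
        } catch (AuthenticationException e) {
            // Login failed. The same result is returned for every failure cause, so the response does
            // not reveal whether the username exists.
            // NOTE(review): record failures through the application's logger rather than the console,
            // so repeated failed logins can be monitored.
            e.printStackTrace();
            return INPUT;
        }
    }
}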

自定义Realm对象,实现认证方法(实际开发中,只需要继承AuthorizingRealm)

package com.ikayaki.bos.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.service.system.UserService;
// Custom Shiro realm, registered in Spring under the bean name "bosRealm".
@Service("bosRealm")
public class BosRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;

    // Authorization: not implemented yet. Returning null supplies no roles or permissions, so
    // permission-protected URLs stay closed to every user until this is filled in.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
        return null;
    }

    // Authentication: looks the account up by the submitted username and hands the stored password
    // back to Shiro, which performs the comparison with the submitted one.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // The login action submits a UsernamePasswordToken, so the cast exposes the username.
        String submittedName = ((UsernamePasswordToken) token).getUsername();
        User account = userService.findByUsername(submittedName);

        if (account != null) {
            // Argument 1: the principal kept on the Subject after login.
            // Argument 2: the stored credentials that Shiro compares with the submitted password.
            // Argument 3: the name of this realm.
            // NOTE(review): no credentials matcher is configured on this page, so the default plain
            // comparison applies and only works with passwords stored unhashed. Store salted hashes
            // and configure a HashedCredentialsMatcher or PasswordMatcher on the realm instead.
            return new SimpleAuthenticationInfo(account, account.getPassword(), getName());
        }
        // No such account: null tells Shiro the user is unknown and the login fails.
        return null;
    }

}

将自定义Realm注入安全管理器SecurityManager当中

    <!-- Security manager; the custom realm bean (bosRealm) is injected as its realm -->
    <bean id="securityManager" 
        class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="bosRealm" />
    </bean>

service代码

package com.ikayaki.bos.service.system.impl;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import com.ikayaki.bos.dao.system.UserRepository;
import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.service.system.UserService;
/**
 * Transactional service that looks users up through {@link UserRepository}.
 */
@Service
@Transactional
public class UserServiceImpl implements UserService {
    @Autowired
    private UserRepository userRepository;

    /**
     * Returns the user the repository finds for a login attempt.
     *
     * @param username the username submitted at login
     * @return whatever the repository returns; the realm treats {@code null} as "no such account"
     */
    @Override
    public User findByUsername(String username) {
        // NOTE(review): username is never forwarded. The call passes no argument, so the lookup is
        // not bound to the name the user submitted. For an authentication lookup the repository
        // method needs a String username parameter and this call must pass username to it.
        return userRepository.findByUsername();
    }

}

dao代码

package com.ikayaki.bos.dao.system;

import org.springframework.data.jpa.repository.JpaRepository;

import com.ikayaki.bos.domain.system.User;

/**
 * Spring Data JPA repository for {@link User} entities with an {@code Integer} id.
 */
public interface UserRepository extends JpaRepository<User, Integer> {

    // NOTE(review): declared without a parameter, so a caller cannot say which username to look up.
    // Presumably meant as a derived query on the username property; for that it has to be declared
    // as findByUsername(String username), with the service passing the submitted name.
    User findByUsername();

}

在shiroFilter配置中将user_login.action放行

/user_login.action* = anon