Overview of Shiro's features:
Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.
- Authentication: sometimes called "login", this is the act of proving that a user is who they claim to be.
- Authorization: the process of access control, i.e. determining "who" may access "what".
- Session management: managing user-specific sessions, even in non-web or EJB applications.
- Cryptography: keeping data secure with cryptographic algorithms while still being easy to use.
A brief overview of Shiro:
In the traditional login flow, after the account and password the user typed on the front-end page reach the back end, we query the database directly to check whether that account exists and the password matches; if so, login succeeds, otherwise we report a login failure.
With Shiro, after the account and password reach the back end we put them into a UsernamePasswordToken object, i.e. a token,
then hand the token to the Subject, and the Subject calls our custom Realm.
What the Realm does is query a single record from the database using only the username the user typed (the query is by username alone and returns the stored username and password); the two passwords are then compared, and if they differ an exception is thrown.
In other words, if subject.login(token); does not throw an exception, the username and password match, and login has succeeded!
What we're doing today is integrating the Shiro security framework into an SSM project to implement simple login authentication!
Enough talk, let's get started!
Step one: take a look at the basic project structure (I've already imported the front-end pages and static resources; the source code is linked at the end)
Then add the Maven dependencies
<!-- declare versions -->
<properties>
<servlet.version>3.1.0</servlet.version>
<jsp.version>2.3.1</jsp.version>
<jstl.version>1.2</jstl.version>
<mybatis.version>3.4.6</mybatis.version>
<mybatis-spring.version>1.3.2</mybatis-spring.version>
<spring.version>4.3.13.RELEASE</spring.version>
<mysql.version>5.1.40</mysql.version>
<log4j.version>1.2.17</log4j.version>
<shiro.version>1.3.2</shiro.version>
</properties>
<dependencies>
<!-- add the Shiro dependency -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
<version>${shiro.version}</version>
</dependency>
<!-- add the Servlet dependency -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${servlet.version}</version>
<scope>provided</scope>
</dependency>
<!-- add the JSP dependency -->
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>${jsp.version}</version>
<scope>provided</scope>
</dependency>
<!-- add the JSTL dependency -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>${jstl.version}</version>
</dependency>
<!-- add the MyBatis dependency -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>${mybatis.version}</version>
</dependency>
<!-- add the mybatis-spring dependency -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>${mybatis-spring.version}</version>
</dependency>
<!-- add the Spring dependencies -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- add the Spring MVC dependency -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- add the MySQL driver dependency -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${mysql.version}</version>
</dependency>
<!-- add the log4j dependency -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.3</version>
</dependency>
</dependencies>
Then start creating the corresponding interfaces and classes
(for how to auto-generate the project's entity classes, mapper files and mapping files, see here)
First, create a UserRealm in the realm package that extends AuthorizingRealm and overrides its two methods
package com.sixmac.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
public class UserRealm extends AuthorizingRealm {
/**
* Callback invoked during authentication
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
return null;
}
/**
* Callback invoked during authorization
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
}
Next, the Shiro configuration file application-shiro.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- scan the realm package -->
<context:component-scan
base-package="com.sixmac.realm"></context:component-scan>
<!-- create the credentials matcher -->
<!-- MD5 hashing -->
<!--<bean id="credentialsMatcher"
class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<!–<property name="hashAlgorithmName" value="MD5"></property>
<property name="hashIterations" value="2"></property>–>
</bean>-->
<!-- create userRealm -->
<bean id="userRealm" class="com.sixmac.realm.UserRealm">
<!--<property name="credentialsMatcher" ref="credentialsMatcher"></property>-->
</bean>
<!-- securityManager: the security manager -->
<bean id="securityManager"
class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm"></property>
</bean>
<!-- Shiro's web filter; the id must equal the targetBeanName value of shiroFilter in web.xml -->
<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Shiro's core security interface; this property is required -->
<property name="securityManager" ref="securityManager" />
<!-- URL to send the user to when login is required (the login page); optional, defaults to "/login.jsp" under the web root -->
<property name="loginUrl" value="/login/toLogin" />
<!-- URL to go to after a successful login (unused in this example, because the post-login handling is hard-coded in LoginController) -->
<!-- <property name="successUrl" value="/success.action"/> -->
<!-- URL shown when a user accesses a resource they are not authorized for -->
<property name="unauthorizedUrl" value="/refuse.jsp" />
<!-- filter chain definitions, matched in order from top to bottom; /** normally goes last -->
<property name="filterChainDefinitions">
<value>
<!-- /** = authc: every URL requires authentication -->
/index.jsp*=anon
/login/toLogin*=anon
/login/login*=anon
<!-- visiting /login/logout makes Shiro invalidate the session -->
/login/logout = logout
<!-- /** = anon: every URL may be accessed anonymously -->
<!-- /** = authc -->
<!-- /*/* = authc -->
<!-- /** = authc: every URL requires authentication; must be placed last -->
/** = authc
</value>
</property>
</bean>
</beans>
Next, the configuration file application-dao.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- parse db.properties. Because db.properties contains username=root, using ${username} in the data source below would resolve to the current OS login name;
to use the username from db.properties you must add the attribute system-properties-mode="FALLBACK" -->
<context:property-placeholder location="classpath:db.properties"
system-properties-mode="FALLBACK" />
<!-- configure the data source -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${driver}" />
<property name="url" value="${url}" />
<property name="username" value="${username}" />
<property name="password" value="${password}" />
</bean>
<!-- configure sqlSessionFactory -->
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource"></property>
<!-- MyBatis configuration file -->
<property name="configLocation" value="classpath:mybatis.cfg.xml" />
<!-- scan the XxxMapper.xml mapping files; this is optional, but without it each DAO interface and its XxxMapper.xml must live in the same package -->
<property name="mapperLocations">
<array>
<value>classpath:com/sixmac/mapping/*.xml</value>
</array>
</property>
</bean>
<!-- package containing the Mapper interfaces; Spring finds the classes inside it automatically -->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<!-- the following can point to only one package; to configure several, separate them with commas -->
<property name="basePackage" value="com.sixmac.mapper" />
<property name="sqlSessionFactoryBeanName" value="sqlSessionFactory"></property>
</bean>
</beans>
Next, application-service.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- scan the service package -->
<context:component-scan base-package="com.sixmac.service.impl"></context:component-scan>
<!-- 1. configure the transaction manager -->
<bean id="transactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"></property>
</bean>
<!-- 2. declare the transaction advice -->
<tx:advice id="txAdvice" transaction-manager="transactionManager">
<tx:attributes>
<tx:method name="add*" propagation="REQUIRED" />
<tx:method name="insert*" propagation="REQUIRED" />
<tx:method name="save*" propagation="REQUIRED" />
<tx:method name="start*" propagation="REQUIRED" />
<tx:method name="delete*" propagation="REQUIRED" />
<tx:method name="update*" propagation="REQUIRED" />
<tx:method name="load*" propagation="REQUIRED" read-only="true" />
<tx:method name="get*" propagation="REQUIRED" read-only="true" />
<tx:method name="*" propagation="REQUIRED" read-only="true" />
</tx:attributes>
</tx:advice>
<!-- AOP configuration -->
<aop:config>
<!-- declare the pointcut -->
<aop:pointcut expression="execution(* com.sixmac.service.impl.*.*(..))" id="pc1" />
<!--<aop:pointcut expression="execution(* com.sixmac.service.impl.*.*(..))" id="pc2" />-->
<aop:advisor advice-ref="txAdvice" pointcut-ref="pc1" />
<!--<aop:advisor advice-ref="txAdvice" pointcut-ref="pc2" />-->
</aop:config>
</beans>
applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- import application-dao.xml, application-service.xml and application-shiro.xml -->
<import resource="classpath:application-dao.xml" />
<import resource="classpath:application-service.xml" />
<import resource="classpath:application-shiro.xml"/>
</beans>
springmvc.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">
<!-- scan the controller package -->
<context:component-scan base-package="com.sixmac.controller"></context:component-scan>
<!-- configure the handler mapping and adapter -->
<mvc:annotation-driven></mvc:annotation-driven>
<!-- configure the view resolver -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<!-- interceptor (replaced by Shiro in this project, hence commented out) -->
<!-- <mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/user/toLogin*" />
<mvc:exclude-mapping path="/user/login*" />
<bean class="com.sixmac.interceptor.LoginInterceptor"></bean>
</mvc:interceptor>
</mvc:interceptors> -->
<!-- let static resources through -->
<mvc:default-servlet-handler />
</beans>
mybatis.cfg.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- DOCTYPE header -->
<!DOCTYPE configuration
PUBLIC "-//mybatis.org//DTD Config 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-config.dtd">
<!-- MyBatis core configuration file -->
<configuration>
<!-- configure the logging implementation -->
<settings>
<setting name="logImpl" value="LOG4J" />
</settings>
<!-- type aliases -->
<typeAliases>
<package name="com.sixmac.domain"/>
</typeAliases>
<!--<!– pagination plugin –>
<plugins>
<plugin interceptor="com.github.pagehelper.PageInterceptor"></plugin>
</plugins>-->
</configuration>
db.properties:
driver=com.mysql.jdbc.Driver
url=jdbc\:mysql\://localhost\:3306/manager
username=root
password=root
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
id="WebApp_ID" version="3.0">
<display-name>erp1</display-name>
<!-- encoding filter: start -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- encoding filter: end -->
<!-- serve static resources; this must come before Spring's DispatcherServlet -->
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/resources/*</url-pattern>
</servlet-mapping>
<!-- Shiro integration: start -->
<!-- Shiro filter; DelegatingFilterProxy uses the proxy pattern to link a bean in the Spring container to this filter -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<!-- true lets the servlet container manage the filter's lifecycle -->
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
<!-- bean id of the filter in the Spring container; if unset, the bean whose name matches filter-name is used -->
<init-param>
<param-name>targetBeanName</param-name>
<param-value>shiroFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<!-- Shiro authentication and authorization apply to requests handled by the springmvc servlet (the name of the Spring MVC front-controller servlet); requests served by the default servlet, such as /resources/*, are not filtered -->
<servlet-name>springmvc</servlet-name>
<!-- intercept every URL, including css, js, images, etc. -->
<!-- <url-pattern>/*</url-pattern> -->
</filter-mapping>
<!-- Shiro integration: end -->
<!-- Spring listener: start -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!-- Spring listener: end -->
<!-- front controller: start -->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
<!-- marks whether to load this servlet at application startup: 0 or a positive number means the container loads it at startup; a negative number or no value means it is loaded when first requested. Among positive values, the smaller the number the higher the priority -->
<load-on-startup>1</load-on-startup>
</servlet>
<!-- mapping for DispatcherServlet -->
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<!-- intercept all requests; note it is (/) and not (/*) -->
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- front controller: end -->
</web-app>
If the configuration files are all right, create the controller with the page-navigation paths and the login-authentication endpoint:
package com.sixmac.controller;
import com.sixmac.domain.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import javax.servlet.http.HttpSession;
@Controller
@RequestMapping("login")
public class LoginController {
@RequestMapping("toLogin")
public String toLogin(){
return "login.jsp";
}
@RequestMapping("login")
public String login(String loginname, String password, Model model, HttpSession session){
UsernamePasswordToken token = new UsernamePasswordToken(loginname, password);
// get the current Subject
Subject subject = SecurityUtils.getSubject();
try {
// this invokes our custom realm
subject.login(token); // the token is passed to login(), which looks the account up and checks the password; on a match the user object becomes available, on failure an exception is thrown
System.out.println("认证成功!");
User user = (User) subject.getPrincipal(); // get the authenticated user object (previously we would call a service method to look it up)
session.setAttribute("user",user); // store it in the session
return "/system/index.jsp";
}catch (Exception e){
model.addAttribute("error","用户名密码不匹配!");
return "login.jsp";
}
}
}
Then write the Shiro login-authentication method in the custom realm
package com.sixmac.realm;
import com.sixmac.domain.User;
import com.sixmac.service.LoginService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@Component
public class UserRealm extends AuthorizingRealm {
@Autowired
private LoginService loginService;
/**
* Callback invoked during authentication
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken userToken = (UsernamePasswordToken) token; // get the token (it holds the account and password placed in it by new UsernamePasswordToken)
String loginname = userToken.getUsername();
User user = loginService.login(loginname); // query the database by username; if it exists, return the object (which carries both account and password)
if (user!=null){
// arg 1: the principal (the object returned by subject.getPrincipal() in the controller)
// arg 2: the password of the user looked up from the database
// arg 3: the name of this realm, passed to SimpleAuthenticationInfo (the realm is injected in the config file)
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());
return info;
}else {
return null;
}
}
/**
* Callback invoked during authorization
* @param principalCollection
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
}
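The realm above hands Shiro the plaintext password from the database, and the credentials matcher in application-shiro.xml that would hash it is commented out (and set to MD5 with two iterations, which gives little resistance to offline guessing if the table leaks). The following is an added example, not code from the article or its download, of the same realm storing and verifying salted SHA-256 hashes with Shiro's HashedCredentialsMatcher; the class name HashedUserRealm, the User.getPasswordSalt() getter and the hashForStorage() helper are assumptions.

```java
package com.sixmac.realm;

import com.sixmac.domain.User;
import com.sixmac.service.LoginService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

// Assumed class name; the article's realm is UserRealm.
@Component
public class HashedUserRealm extends AuthorizingRealm {
    // Algorithm and iteration count must be identical at storage time and at login time.
    public static final String HASH_ALGORITHM = Sha256Hash.ALGORITHM_NAME;
    public static final int HASH_ITERATIONS = 100000;

    @Autowired
    private LoginService loginService;

    public HashedUserRealm() {
        // Programmatic equivalent of the commented-out credentialsMatcher bean in
        // application-shiro.xml, with SHA-256 x 100000 in place of MD5 x 2.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true); // hashForStorage() stores hex
        setCredentialsMatcher(matcher);
    }

    /** For registration / password change: returns {hexSalt, hexHash} to persist instead of the plaintext. */
    public static String[] hashForStorage(String plaintextPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16); // fresh 16-byte salt per user
        String hash = new SimpleHash(HASH_ALGORITHM, plaintextPassword, salt, HASH_ITERATIONS).toHex();
        return new String[] { salt.toHex(), hash };
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String loginname = ((UsernamePasswordToken) token).getUsername();
        User user = loginService.login(loginname); // lookup by username only, as in the article
        if (user == null) {
            throw new UnknownAccountException("no account for " + loginname);
        }
        // Assumption: User.getPasswordSalt() / getPassword() hold the hex salt and hex hash from
        // hashForStorage(). Shiro re-hashes the submitted password with this salt and compares it
        // to the stored hash, so the realm never handles a plaintext comparison itself.
        ByteSource salt = ByteSource.Util.bytes(Hex.decode(user.getPasswordSalt()));
        return new SimpleAuthenticationInfo(user, user.getPassword(), salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null; // authorization is out of scope for this article
    }
}
```

Point the userRealm bean in application-shiro.xml at this class and persist the two strings returned by hashForStorage() instead of the plaintext password; the LoginController above needs no change, since a mismatch still surfaces as an exception from subject.login().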
That basically completes Shiro login authentication; the page after a successful login looks like this:
The core code really is only this much. Of course this is just the simplest part; Shiro has many other powerful features that I won't go into here.
Source code is here: click to download the source!
The end!!!