shiro框架的设计以及接口类之间的关系不在这里学习,下面直接看看shiro的验证、授权代码
一、shiro的验证
1、shiro中用到的jar包 pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.test</groupId>
<artifactId>shiro</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>shiro</name>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<!-- 项目所依赖的jar包 -->
<dependencies>
<!-- spring springmvc -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>4.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>4.2.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.6</version>
</dependency>
<!-- mybatis -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.3.0</version>
</dependency>
<!-- mybatis 链接spring包 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.2.3</version>
</dependency>
<!-- mysql 驱动 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.36</version>
</dependency>
<!--druid数据库连接池 -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.15</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>1.9.12</version>
</dependency>
<!--文件上传 -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<!-- servlet -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<!--jackson-->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.6.1</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.6.1</version>
</dependency>
<!--json -->
<dependency>
<groupId>net.sf.json-lib</groupId>
<artifactId>json-lib</artifactId>
<version>2.4</version>
<classifier>jdk15</classifier>
</dependency>
<!--log -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.2</version>
</dependency>
<!-- jsp c标签引入 -->
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-spec</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.taglibs</groupId>
<artifactId>taglibs-standard-impl</artifactId>
<version>1.2.1</version>
</dependency>
<!--AES MD5加密编码 -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.4</version>
</dependency>
<!-- httpclient -->
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.0.1</version>
</dependency>
<!--测试 -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<!-- dubbo -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>dubbo</artifactId>
<version>2.5.3</version>
</dependency>
<!-- zkclient -->
<dependency>
<groupId>com.github.sgroschupf</groupId>
<artifactId>zkclient</artifactId>
<version>0.1</version>
</dependency>
<!-- zookeeper -->
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<version>3.4.5</version>
</dependency>
<!-- shiro begin -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.3</version>
</dependency>
<!-- shiro end -->
<!--md5-->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.4</version>
</dependency>
</dependencies>
<!-- 构建项目所需要的信息 -->
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.1.1</version>
<configuration>
<!--指定web.xml的路径 -->
<webXml>WebRoot\WEB-INF\web.xml</webXml>
<!--指定jsp、js、css的路劲 -->
<warSourceDirectory>WebRoot</warSourceDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.7</source>
<target>1.7</target>
</configuration>
</plugin>
</plugins>
</build>
</project>2、使用shiro过滤器时的web.xml 配置文件
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>shiro</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- log4j -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:config/springmvc-servlet.xml,
classpath:config/ApplicationContext.xml
</param-value>
</context-param>
<!-- log4j -->
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>
classpath:log4j.properties
</param-value>
</context-param>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<!-- shiro过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- 该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理 -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:config/springmvc-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
</welcome-file-list>
</web-app>3、spring 配置文件中添加shiro相关的bean
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:dubbo="http://code.alibabatech.com/schema/dubbo"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.2.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
http://code.alibabatech.com/schema/dubbo
http://code.alibabatech.com/schema/dubbo/dubbo.xsd
">
<!-- shiro begin -->
<!--自定义拦截器 -->
<bean id="testFilter" class="com.test.shiro.controller.TestFilter"/>
<!--重写Realm,验证、授权调用的就是这里的两个方法-->
<bean id="systemAuthorizingRealm" class="com.test.shiro.controller.SystemAuthorizingRealm">
<!-- 密码加密验证方式,这里是md5 -->
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5" />
</bean>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="systemAuthorizingRealm"/>
</bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Shiro的核心安全接口,这个属性是必须的 -->
<property name="securityManager" ref="securityManager"/>
<!-- 要求登录时的链接(可根据项目的URL进行替换),非必须的属性,默认会自动寻找Web工程根目录下的"/login.jsp"页面 -->
<property name="loginUrl" value="/user/login.do"/>
<!-- 登录成功后要跳转的连接 -->
<property name="successUrl" value="/user/success.do"/>
<!-- 用户访问未对其授权的资源时,所显示的连接 -->
<!-- 若想更明显的测试此属性可以修改它的值,如unauthor.jsp,然后用[玄玉]登录后访问/admin/listUser.jsp就看见浏览器会显示unauthor.jsp -->
<property name="unauthorizedUrl" value="/user/error.do"/>
<!-- Shiro权限过滤过滤器定义 ,这里是过滤器链-->
<property name="filterChainDefinitions">
<ref bean="shiroFilterChainDefinitions"/>
</property>
<!--过滤器 -->
<property name="filters">
<map>
<entry key="testfilter" value-ref="testFilter"/>
</map>
</property>
</bean>
<!--过滤器链 -->
<bean name="shiroFilterChainDefinitions" class="java.lang.String">
<constructor-arg>
<value>
/user/login.do=anon
/user/info.do=authc
/user/info.do= roles[admin]
/user/success.do=testfilter
/dologin=anon
/logout=anon
/user/info.do=anon
/getVerifyCodeImage=anon
/admin/channel/** = authc,perms[admin:channel]
/admin/content/** = authc,perms[admin:content]
/admin/sys/** = authc,perms[admin:sys]
/admin/**=authc
</value>
</constructor-arg>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- AOP式方法级权限检查,开启Shiro的注解(如@RequiresRoles,@RequiresPermissions),需借助SpringAOP扫描使用Shiro注解的类,并在必要时进行安全逻辑验证 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
<!-- shiro end -->
</beans>
这里我们对/user/info.do路劲的请求要进行登录验证,而success的访问要通过自定义的过滤器……
4、controller层的校验
package com.test.shiro.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
@RequestMapping(value = "/user")
public class UserController {
@RequestMapping(value="/login.do")
public String login(HttpServletRequest request){
return "login";
}
@RequestMapping(value="/success.do")
public String success(HttpServletRequest request){
return "successInfo";
}
@RequestMapping(value="/error.do")
public String error(HttpServletRequest request){
return "error";
}
@RequestMapping(value = "/info.do")
public String info(HttpServletRequest request, HttpServletResponse response) {
String username = request.getParameter("name");
String pwd = request.getParameter("password");
UsernamePasswordToken token = new UsernamePasswordToken(username, pwd);
Subject currentUser = SecurityUtils.getSubject();
String error="";
try{
//验证其实这里调用了自己实现的realm的doGetAuthenticationInfo方法即SystemAuthorizingRealm中的doGetAuthenticationInfo方法
currentUser.login(token);
}catch(UnknownAccountException e){
error="用户名密码错误";
} catch (IncorrectCredentialsException e) {
error = "用户名/密码错误";
} catch (ExcessiveAttemptsException e) {
// TODO: handle exception
error = "登录失败多次,账户锁定10分钟";
} catch (AuthenticationException e) {
// 其他错误,比如锁定,如果想单独处理请单独catch处理
error = "其他错误:" + e.getMessage();
}
System.out.println("验证结束");
//判断验证是否成功
boolean authenticated=currentUser.isAuthenticated();
if(authenticated){
return "success";
}else{
return "login";
}
}
@RequestMapping(value="/loginout.do")
public String loginout(){
Subject currentUser = SecurityUtils.getSubject();
//其实也就是session的删除
currentUser.logout();
System.out.println("退出");
return "login";
}
}
5、重写的验证授权方法
package com.test.shiro.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.session.InvalidSessionException;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import com.test.shiro.bean.User;
import com.test.shiro.utils.MD5;
public class SystemAuthorizingRealm extends AuthorizingRealm{
private static final String myname="whd";
private static final String password="123456";
//授权回调方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//两种方式获取当前用信息
String currentUsername = (String)super.getAvailablePrincipal(principals);
String username = (String) principals.getPrimaryPrincipal();
SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
//按照获取的用户名,从数据中获取用户角色,添加用户角色
String role="admin";
simpleAuthorInfo.addRole(role);
//按照userid从数据库中获取权限
String permission="info.do";
simpleAuthorInfo.addStringPermission(permission);
//将角色 权限赋值在返回
return simpleAuthorInfo;
}
//验证回调方法
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
// TODO Auto-generated method stub
//获取基于用户名和密码的令牌
//实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
UsernamePasswordToken token = (UsernamePasswordToken)authcToken;
//判断验证码的
//按照token的用户名从数据库中获取对象
//MemberModel member = memberService.getMemberByName(token.getUsername());
User user = new User();
String name= token.getUsername();
//这里的密码是加密过的
char[] password=token.getPassword();
String npass=String.valueOf(password);
//注意如果在配置文件中配置了shiro对密码的加密方式那么在这里要用对应的方式加密,比如我在配置文件中使用了md5所以我在这里也使用了md5
npass=MD5.afterMd5(npass);
user.setName(name);
if(user != null){
//这些判断应该是数据库获取的,而这里为了简便直接写死了……
if(user.getName()==null||!myname.equals(user.getName())){
throw new AuthenticationException("msg:该已帐号禁止登录.");
}
AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(user.getName(),npass, this.getName());
//这里没有使用server的session而是使用shiro的session
this.setSession("currentUser", user.getName());
return authcInfo;
}
return null;
}
//session 中保存数据
private void setSession(Object key, Object value){
Session session = getSession();
System.out.println("Session默认超时时间为[" + session.getTimeout() + "]毫秒");
if(null != session){
session.setAttribute(key, value);
}
}
//获取session
private Session getSession(){
try{
Subject subject = SecurityUtils.getSubject();
Session session = subject.getSession(false);
if (session == null){
session = subject.getSession();
}
if (session != null){
return session;
}
}catch (InvalidSessionException e){
}
return null;
}
}
6、重写的过滤器
package com.test.shiro.controller;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.web.filter.authc.AuthenticationFilter;
import com.test.shiro.bean.User;
public class TestFilter extends AuthenticationFilter {
/**
* 这个方法中你可以对指定的路劲进行相应的判断,如果满足要求返回true不满足要求返回false
* 如果返回true就会跳转到你访问的路径
* 如果不满足则设置跳转地址返回false会返回到指定地址。
*/
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
throws Exception {
String name=request.getParameter("name");
String password=request.getParameter("password");
if(StringUtils.isNotBlank(name)&&StringUtils.isNotBlank(password)){
User user= new User();
user.setName(name);
user.setPassword(password);
//跳转到访问的地址。
return true;
}else{
// 设置返回页面
//如果不设置redirectToLogin而直接返回的话他没有返回到loginUrl地址
//如果设置了redirectToLogin就会返回到loginUrl那个地址
//重新赋值给重定向,这个赋值的loginUrl会覆盖配合文件中配置的值。
this.setLoginUrl("error.do");
this.redirectToLogin(request, response);
return false;
}
}
}
ok到这里一个简单的shiro验证就好了,简单总结一下:
1、添加shiro 需要的以及shiro-spring的jar包
2、web.xml中配置shiro这个过滤器
3、spring的配置文件中配置shiro相关bean
4、通过上面的配置我们发现我们只需要自己动手写两个类即Relm这个类的实现和自定义过滤器的实现,这个程序中也就是SystemAuthorizingRealm和TestFilter这两个类
5、过滤器链filterChainDefinitions的配置是从上到下的顺序执行的。
6、过滤器,我们可以按照自己的需求定义过滤器来配置在过滤器链中比如testfilter过滤器一样
7、可以按照自己需求定义很多过滤器配置在过滤器链中,过滤器的配置如下:
<property name="filters">
<map>
<entry key="testfilter" value-ref="testFilter"/>
</map>
</property> 9、successUrl这个属性是在验证通过后会自动跳转到这个页面
二、shiro的授权
shiro的授权也是在Realm的实现类中调用方法进行授权的,而一个文件的访问权限的配置也是在过滤器链中进行配置的。具体的见配置文件
但是授权这个方法不回调,在网上大家也都有同样的问题,对这个问题网上找了一篇文章,这篇文章很类似哦:
1、http://www.javaweb1024.com/java/JavaWebzhongji/2016/06/06/966.html
shiro验证代码下载:点击打开链接
扫一扫
7155
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
