shiro是一种权限认证框架,实现一个简单的登录鉴权:
1、控制器层:
@Controller
@RequestMapping("/blogger")
public class BloggerController {
@Resource
private BloggerService bloggerService;
@RequestMapping("/login")
public String login(Blogger blogger,HttpServletRequest request){
//shiro身份验证
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(blogger.getUserName(), CryptographyUtil.md5(blogger.getPassword(), "123456"));
try {
subject.login(token); //身份认证
return "redirect:/admin/main.jsp";
} catch (Exception e) {
e.printStackTrace();
request.setAttribute("blogger", blogger);
request.setAttribute("errorInfo", "用户名或密码错误");
return "login";
}
}
}
Subject,可以理解为当前的用户主体,Shiro的session机制摆脱了http session限制,在非web环境中使用企业级session管理进行session会话管理,SecurityUtils为单例的工具类,返回当前Subject对象。
token,最基本是用户名密码token,当然也可以自己拓展,构建token后调用Subject的login方法,提交token到realm的doGetAuthenticationInfo进行身份验证:
public class MyRealm extends AuthorizingRealm{
@Resource
private BloggerService bloggerService;
/**
* 获取用户信息的所有资料,如权限角色等.
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
/**
* 验证当前登录的用户
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String userName = (String) token.getPrincipal();
Blogger blogger = bloggerService.getByUserName(userName);
if(blogger != null){ //存在该用户名
SecurityUtils.getSubject().getSession().setAttribute("currentUser", blogger);
AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(blogger.getUserName(), blogger.getPassword(),"any");
return authcInfo;
}else{
return null;
}
}
}
这里拿到用户名后查询数据库获取正确的blogger登录对象,构建SimpleAuthenticationInfo认证信息对象,身份判别结果Shiro都会反映在异常中:
try {
subject.login(token); //身份认证
return "redirect:/admin/main.jsp";
} catch (Exception e) {
e.printStackTrace();
request.setAttribute("blogger", blogger);
request.setAttribute("errorInfo", "用户名或密码错误");
return "login";
}
这里统一用Exception异常表示用户判别失败,ok了。。。