本人小白一枚,初次接触shiro,花了两天时间搞了一下可算能用了,当然虽然spring security功能更强大,但是太繁琐了,不容易入门,并且shiro功能感觉也完全够用了;各位童鞋可以参考别人的文章:http://jinnianshilongnian.iteye.com/blog/2049092
1、web.xml中增加spring-shiro.xml配置
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-shiro.xml,
classpath:beans.xml
</param-value>
</context-param>不多说,和别的spring配置文件都在启动时通过contextConfigLocation一块加载
2、spring-shiro.xml内容如下:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<!-- ========================================================= Shiro Core
Components - Not Spring Specific ========================================================= -->
<!-- Shiro's main business-tier object for web-enabled applications (use
DefaultSecurityManager instead when there is no web environment) -->
<!-- 1.配置securityManager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="cacheManager" ref="cacheManager" />
<!-- 单个realm的时候用下面的这个 -->
<!-- <property name="realm" ref="jdbcRealm" /> -->
<!-- 多个的时候用下面这个 -->
<property name="authenticator" ref="authenticator" />
</bean>
<!-- Let's use some enterprise caching support for better performance. You
can replace this with any enterprise caching framework implementation that
you like (Terracotta+Ehcache, Coherence, GigaSpaces, etc -->
<!-- 2.配置CatchManager
2.1 需要加入ehcatch 的jar包及配置文件。
-->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<!-- Set a net.sf.ehcache.CacheManager instance here if you already have
one. If not, a new one will be creaed with a default config: <property name="cacheManager"
ref="ehCacheManager"/> -->
<!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance
to inject, but you want a specific Ehcache configuration to be used, specify
that here. If you don't, a default will be used.: -->
<property name="cacheManagerConfigFile" value="classpath:ehcache.xml" />
</bean>
<bean id="authenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
<property name="realms">
<list>
<ref bean="jdbcRealm"/>
<!--<ref bean="secondRealm"/>-->
</list>
</property>
<!-- FirstSuccessfulStrategy 只要有一个Realm验证成功,只返回第一个Realm身份验证成功的认证信息,其他忽略; -->
<!-- AtLeastOneSuccessfulStrategy 只要有一个返回成功即可,与FirstSuccessfulStrategy不同的是,他会返回所有Realm身份认证成功的认证信息; -->
<!-- AllSuccessfulStrategy 所有的Realm验证成功才算成功,且返回所有Realm身份验证成功的认证信息,如果有一个失败就失败了 -->
<!-- <property name="authenticationStrategy"> -->
<!-- <bean class="org.apache.shiro.authc.pam.AllSuccessfulStrategy"></bean> -->
<!-- </property> -->
</bean>
<!-- Used by the SecurityManager to access security data (users, roles,
etc). Many other realm implementations can be used too (PropertiesRealm,
LdapRealm, etc. -->
<!-- 3. 配置realm -->
<!-- 3.1 直接配置实现了Realm接口的bean -->
<bean id="jdbcRealm" class="com.neusoft.core.shiro.ShiroRealm">
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"></property>
<property name="hashIterations" value="1024"></property>
</bean>
</property>
<property name="userService" ref="userService" />
</bean>
<bean id="userService" class="com.neusoft.demo.service.UserService" />
<!--<bean id="secondRealm" class="com.neusoft.core.shiro.SecondRealm">
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="SHA1"></property>
<property name="hashIterations" value="1024"></property>
</bean>
</property>
</bean>-->
<!-- ========================================================= Shiro Spring-specific
integration ========================================================= -->
<!-- Post processor that automatically invokes init() and destroy() methods
for Spring-configured Shiro objects so you don't have to 1) specify an init-method
and destroy-method attributes for every bean definition and 2) even know
which Shiro objects require these methods to be called. -->
<!-- 4.配置 LifecycleBeanPostProcessor。可以自动的调用配置在spring IOC容器中Shiro bean的生命周期方法-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after
the lifecycleBeanProcessor has run: -->
<!-- 5.启用IOC 容器中 使用Shiro的注解。但必须在配置了lifecycleBeanProcessor 之后才可以使用
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
-->
<!-- Define the Shiro Filter here (as a FactoryBean) instead of directly
in web.xml - web.xml uses the DelegatingFilterProxy to access this bean.
This allows us to wire things with more control as well utilize nice Spring
things such as PropertiesPlaceholderConfigurer and abstract beans or anything
else we might need: -->
<!-- 6. 配置 shiroFilter
6.1 id 必须和web.xml 文件中配置的DelegatingFilterProxy的 <filter-name> 一致
-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<!-- 登录页面 -->
<property name="loginUrl" value="/login.jsp" />
<!-- 登录成功后的页面 -->
<property name="successUrl" value="/index.jsp" />
<!-- 没有权限的页面 -->
<property name="unauthorizedUrl" value="/unauthorized.jsp" />
<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter
bean defined will be automatically acquired and available via its beanName
in chain definitions, but you can perform overrides or parent/child consolidated
configuration here if you like: -->
<!-- <property name="filters"> <util:map> <entry key="aName" value-ref="someFilterPojo"/>
</util:map> </property> -->
<!--
配置哪些页面需要受保护
以及访问这些页面需要的权限。
1.anno 可以被匿名访问
2.auchc 必须认证即登录后才可以访问的页面
-->
<property name="filterChainDefinitions">
<value>
#静态文件
/bootstrap/** = anon
/build/** = anon
/dist/** = anon
/documentation/** = anon
/echart/** = anon
/font-awesome-4.7.0/** = anon
/ionicons-2.0.1/** = anon
/js/** = anon
/plugins/** = anon
/resources/** = anon
/**.css = anon
/**.js = anon
#登录页面
/login.jsp = anon
/shiro/login = anon
# everything else requires authentication:
/** = authc
</value>
</property>
</bean>
</beans>
第一个地方,本配置文件是引用多个realm的实例,就跟spring的filter和struts的过滤器一样,你可以校验多层,我觉得一般系统一层就够了,无非就是校验用户信息,角色权限信息;
第二个地方,一定要注释,不然启用shiro的注解springmvc的注解就不好用了,提示can not autowird......
第三个地方,anon是指可以匿名登录,就是不用认证就可以调用,authc必须认证通过,session中保存了你的登录信息后你才可以配置角色权限访问别的页面。
3、ehcache.xml
<ehcache>
<!-- Sets the path to the directory where cache .data files are created.
If the path is a Java System Property it is replaced by
its value in the running VM.
The following properties are translated:
user.home - User's home directory
user.dir - User's current working directory
java.io.tmpdir - Default temp file path -->
<diskStore path="java.io.tmpdir"/>
<!-- <cache name="authorizationCache" -->
<!-- eternal="false" -->
<!-- timeToIdleSeconds="3600" -->
<!-- timeToLiveSeconds="0" -->
<!-- overflowToDisk="false" -->
<!-- statistics="true"> -->
<!-- </cache> -->
<!-- <cache name="authenticationCache" -->
<!-- eternal="false" -->
<!-- timeToIdleSeconds="3600" -->
<!-- timeToLiveSeconds="0" -->
<!-- overflowToDisk="false" -->
<!-- statistics="true"> -->
<!-- </cache> -->
<!-- <cache name="shiro-activeSessionCache" -->
<!-- eternal="false" -->
<!-- timeToIdleSeconds="3600" -->
<!-- timeToLiveSeconds="0" -->
<!-- overflowToDisk="false" -->
<!-- statistics="true"> -->
<!-- </cache> -->
<!--Default Cache configuration. These will applied to caches programmatically created through
the CacheManager.
The following attributes are required for defaultCache:
maxInMemory - Sets the maximum number of objects that will be created in memory
eternal - Sets whether elements are eternal. If eternal, timeouts are ignored and the element
is never expired.
timeToIdleSeconds - Sets the time to idle for an element before it expires. Is only used
if the element is not eternal. Idle time is now - last accessed time
timeToLiveSeconds - Sets the time to live for an element before it expires. Is only used
if the element is not eternal. TTL is now - creation time
overflowToDisk - Sets whether elements can overflow to disk when the in-memory cache
has reached the maxInMemory limit.
-->
<defaultCache
maxElementsInMemory="10000"
eternal="false"
timeToIdleSeconds="120"
timeToLiveSeconds="120"
overflowToDisk="true"
/>
<!--Predefined caches. Add your cache configuration settings here.
If you do not have a configuration for your cache a WARNING will be issued when the
CacheManager starts
The following attributes are required for defaultCache:
name - Sets the name of the cache. This is used to identify the cache. It must be unique.
maxInMemory - Sets the maximum number of objects that will be created in memory
eternal - Sets whether elements are eternal. If eternal, timeouts are ignored and the element
is never expired.
timeToIdleSeconds - Sets the time to idle for an element before it expires. Is only used
if the element is not eternal. Idle time is now - last accessed time
timeToLiveSeconds - Sets the time to live for an element before it expires. Is only used
if the element is not eternal. TTL is now - creation time
overflowToDisk - Sets whether elements can overflow to disk when the in-memory cache
has reached the maxInMemory limit.
-->
<!-- Sample cache named sampleCache1
This cache contains a maximum in memory of 10000 elements, and will expire
an element if it is idle for more than 5 minutes and lives for more than
10 minutes.
If there are more than 10000 elements it will overflow to the
disk cache, which in this configuration will go to wherever java.io.tmp is
defined on your system. On a standard Linux system this will be /tmp"
-->
<cache name="sampleCache1"
maxElementsInMemory="10000"
eternal="false"
timeToIdleSeconds="300"
timeToLiveSeconds="600"
overflowToDisk="true"
/>
<!-- Sample cache named sampleCache2
This cache contains 1000 elements. Elements will always be held in memory.
They are not expired. -->
<cache name="sampleCache2"
maxElementsInMemory="1000"
eternal="true"
timeToIdleSeconds="0"
timeToLiveSeconds="0"
overflowToDisk="false"
/> -->
<!-- Place configuration for your caches following -->
</ehcache>
4、编写页面,我采用的ajax异步提交,通过controller返回的信息在登录首页显示认证返回的信息,成功后才跳转到index.jsp页面
$.mpbAjax("/shiro/login",{
type : "POST",
async : false,
data : {
"_method" : "POST",
"userName" : $("#userName").val(),
"password" : $("#password").val()
},
success : function(data){
if($.isNotBlank(data)){
if(!data.success){
do_notice(data.msg);
}else{
$.mpbJumpNotOpen("/index.jsp");
}
}
}
});UsernamePasswordToken token = new UsernamePasswordToken(
user.getUserName(), user.getPassword());
token.setRememberMe(true);
// shiro登陆验证
try {
SecurityUtils.getSubject().login(token);
} catch (UnknownAccountException ex) {
return "用户不存在!";
} catch (LockedAccountException ex) {
return "用户锁定!";
} catch (IncorrectCredentialsException ex) {
return "用户名/密码验证失败!";
} catch (Exception ex) {
ex.printStackTrace();
return "内部异常!";
}6、调用.login方法时,自动进入注册的过滤器ShiroRealm.java
package com.neusoft.core.shiro;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.session.Session;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import com.neusoft.demo.entity.OrgUser;
import com.neusoft.demo.service.UserService;
public class ShiroRealm extends AuthenticatingRealm {
@Autowired
private UserService userService;
public static final String SESSION_USER_KEY = "gray";
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername();
// 验证用户是否可以登录
OrgUser ui = userService.selectUsers(username);
if (ui == null) {
throw new UnknownAccountException("用户不存在");
} else if ("1".equals(ui.getDeleteFlag())) {
throw new LockedAccountException("用户被锁定");
}
// 设置session
Session session = SecurityUtils.getSubject().getSession();
session.setAttribute(ShiroRealm.SESSION_USER_KEY, ui);
// 以下信息从数据库中获取
// 1 principal : 认证的实体信息,可以是username,也可以是数据表对应的实体对象。
Object principal = username;
// 3 realmName : 当前realm 对象的name , 调用父类的 getName() 方法即可
String realmName = getName();
// 4.盐值
ByteSource credentialsSalt = ByteSource.Util.bytes(username);
// 这个是不加盐的 new SimpleAuthenticationInfo(principal, credentials,
// realmName);
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(principal,
ui.getPassword(), credentialsSalt, realmName);
return info;
}
public UserService getUserService() {
return userService;
}
public void setUserService(UserService userService) {
this.userService = userService;
}
public static void main(String[] args) {
String algorithmName = "MD5";
Object credential = "123";
Object salt = ByteSource.Util.bytes("admin");
int hashIterations = 1024;
Object result = new SimpleHash(algorithmName, credential, salt,
hashIterations);
System.out.println(result);
}
}一定要注意,shiro过滤器在springmvc之前过滤,autowired不起作用,需要你增加get set方法注入,抛出的异常在controller捕获返回到前台;
框架搭建好了,后期增加验证码之类的就好加了
因为小白,也是网上各种方案,如有侵权,请通知删帖。
扫一扫
491
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
