1.首先准备五张表,分别为 用户表、角色表、权限表、用户角色表、角色权限表
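-- Account table read by ShiroDbRealm.doGetAuthenticationInfo (looked up by username).
CREATE TABLE `sys_users` (
    -- Surrogate key. sys_users_roles.user_id is declared bigint(20); the same
    -- declaration is used here so the two columns are obviously comparable.
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    -- Login name. NOT NULL: a nullable column under a UNIQUE KEY admits any
    -- number of NULL rows, which is not what a login table should allow.
    `username` varchar(100) NOT NULL,
    -- Stored credential hash (the login controller passes an MD5 digest).
    `password` varchar(100) NOT NULL,
    -- Per-user salt. NOTE(review): nothing on this page reads it; it only has an
    -- effect once the hashing in the login/realm path incorporates it.
    `salt` varchar(100) DEFAULT NULL,
    -- 1 = locked. NOT NULL so the flag is never three-valued; the realm should
    -- refuse authentication for locked accounts.
    `locked` tinyint(1) NOT NULL DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY `idx_sys_users_username` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;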
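-- Role catalogue; role_name is what the realm hands to SimpleAuthorizationInfo.addRole.
CREATE TABLE `sys_roles` (
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    -- NOT NULL for the same reason as sys_users.username: a UNIQUE KEY over a
    -- nullable column does not stop nameless role rows from piling up.
    `role_name` varchar(100) NOT NULL,
    `description` varchar(100) DEFAULT NULL,
    -- 1 = role may be granted/used; 0 = disabled.
    `available` tinyint(1) DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY `idx_sys_roles_role` (`role_name`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;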
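-- Permission/menu nodes. `permission` is the string checked by perms[...] filters
-- and by SimpleAuthorizationInfo.addStringPermissions; it stays nullable because
-- the parent_id/type columns suggest some rows are pure tree/menu nodes.
CREATE TABLE `sys_permissions` (
    `id` bigint(20) NOT NULL AUTO_INCREMENT,
    `permission` varchar(100) DEFAULT NULL,
    `perm_url` varchar(100) DEFAULT NULL,
    -- Self-reference to `id`; declared with the same type as `id` (was int(11),
    -- which cannot hold every value `id` can take).
    `parent_id` bigint(20) DEFAULT NULL,
    `description` varchar(100) DEFAULT NULL,
    `available` tinyint(1) DEFAULT '0',
    -- Node kind; meaning of each value is not defined on this page.
    `type` int(1) DEFAULT '0',
    PRIMARY KEY (`id`),
    UNIQUE KEY `idx_sys_permissions_permission` (`permission`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8;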
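-- Junction table: which roles each user holds.
CREATE TABLE `sys_users_roles` (
    -- No DEFAULT '0': a defaulted id silently produced a dangling assignment;
    -- the foreign keys below reject such rows outright.
    `user_id` bigint(20) NOT NULL,
    `role_id` bigint(20) NOT NULL,
    PRIMARY KEY (`user_id`, `role_id`),
    -- Deleting a user or a role removes its assignments with it.
    CONSTRAINT `sys_users_roles_user_id_fk` FOREIGN KEY (`user_id`)
        REFERENCES `sys_users` (`id`) ON DELETE CASCADE,
    CONSTRAINT `sys_users_roles_role_id_fk` FOREIGN KEY (`role_id`)
        REFERENCES `sys_roles` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;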
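-- Junction table: which permissions each role grants.
CREATE TABLE `sys_roles_permissions` (
    -- Kept for callers that read/write it, but now generated; it is no longer
    -- part of the primary key, because including it let the same
    -- (role_id, permission_id) pair be inserted repeatedly under different ids.
    `id` int(11) NOT NULL AUTO_INCREMENT,
    `user_id_placeholder_removed` int(1) AS (NULL) VIRTUAL NULL,
    `role_id` bigint(20) NOT NULL,
    `permission_id` bigint(20) NOT NULL,
    PRIMARY KEY (`role_id`, `permission_id`),
    UNIQUE KEY `idx_sys_roles_permissions_id` (`id`),
    CONSTRAINT `sys_roles_permissions_role_id_fk` FOREIGN KEY (`role_id`)
        REFERENCES `sys_roles` (`id`) ON DELETE CASCADE,
    CONSTRAINT `sys_roles_permissions_permission_id_fk` FOREIGN KEY (`permission_id`)
        REFERENCES `sys_permissions` (`id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;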
2.我做的这个项目不是maven项目,所以我需要导入shiro的jar包;如果你的项目是maven项目的话,可以引入maven依赖
<!-- Shiro/Spring integration: provides ShiroFilterFactoryBean used in the beans XML below.
     NOTE(review): 1.2.2 is an old release line of Shiro; check the project's published
     advisories and move both artifacts to a current release (version: TODO choose). -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.2</version>
</dependency>
<!-- Ehcache-backed caching for Shiro. NOTE(review): nothing on this page wires a
     cacheManager into the security manager, so as configured this artifact is unused. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.2</version>
</dependency>
3.分别建立用户、角色以及权限的实体
4、在web.xml添加过滤器,拦截所有的url请求
<!-- Spring-provided filter for integrating Shiro: DelegatingFilterProxy forwards each
     request to the Spring bean whose id equals this filter-name ("shiroFilter",
     declared in the beans XML below), so the two names must stay in sync. -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to every URL; per-path access is then decided by the
     filterChainDefinitions of the shiroFilter bean. -->
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
5、定义和注入securityManager
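<!-- Bean with the same name as the DelegatingFilterProxy in web.xml; this factory
     builds the chain of Shiro-provided filters that guard each URL. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- The security manager the filters delegate to -->
    <property name="securityManager" ref="securityManager"></property>
    <!-- Where unauthenticated requests are redirected -->
    <property name="loginUrl" value="/login"></property>
    <!-- Landing page after a successful login -->
    <property name="successUrl" value="/index"></property>
    <!-- Page shown when the subject lacks a required permission -->
    <property name="unauthorizedUrl" value="/unauthorizedUrl"></property>
    <!-- URL filter rules; the first pattern that matches a request wins:
         1) anon       - may be accessed anonymously
         2) authc      - only an authenticated (logged-in) subject may access
         3) perms[''] - the named permission is required
         The catch-all is /** rather than /*: the Ant-style /* matches a single
         path segment only, so nested paths (e.g. /a/b) were left outside the
         chain and therefore unprotected. -->
    <property name="filterChainDefinitions">
        <value>
            /css/** = anon
            /js/** = anon
            /images/** = anon
            /validatecode.jsp* = anon
            /login =anon
            /login* = anon
            /page_base_staff.action = perms["staff.query"]
            /** = authc
        </value>
    </property>
</bean>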
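<!-- The security manager. The original line lacked whitespace between the id and
     class attributes, which is not well-formed XML. The single custom realm is set
     through `realm`; `realms` is the collection-valued setter and, if used, should
     be given a <list> rather than a bare ref. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="shiroDbRealm"></property>
</bean>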
<!-- Register the custom realm (ShiroDbRealm, step 6); the security manager above
     refers to it by this bean id. -->
<bean id="shiroDbRealm" class="cn.my.blog.shiro.ShiroDbRealm"></bean>
6、自定义Realm内容
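/**
 * Realm backed by the sys_users / sys_roles / sys_permissions tables via UserService.
 * Authentication looks the account up by username; authorization loads the roles of
 * the stored principal and the permission strings attached to each role.
 */
public class ShiroDbRealm extends AuthorizingRealm {
    @Autowired
    private UserService userService;

    /**
     * Authorization: collects roles and string permissions for the logged-in user.
     *
     * @param principals principal collection whose primary principal is the User
     *                   object stored by doGetAuthenticationInfo
     * @return the user's role names and the permission strings of those roles
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        User user = (User) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // The id comes from the authenticated principal, never from request data.
        List<Role> roleList = userService.findRolesByUserId(user.getId());
        if (roleList == null) {
            return info;
        }
        for (Role role : roleList) {
            info.addRole(role.getRoleName());
            // addStringPermissions does not accept a null collection.
            if (role.getPermList() != null) {
                info.addStringPermissions(role.getPermList());
            }
        }
        return info;
    }

    /**
     * Authentication: resolves the submitted username to a stored account.
     *
     * @param token a UsernamePasswordToken built by the login controller
     * @return account info holding the User as principal and the stored password
     *         hash as credentials, or null when no such account exists
     * @throws AuthenticationException on authentication failure
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        if (username == null) {
            return null;
        }
        User user = userService.findUserByUsername(username);
        // The original tested `username` here instead of `user`, so an unknown
        // account fell through to user.getPassword() and threw NullPointerException.
        // Returning null lets Shiro report the lookup failure as
        // UnknownAccountException, which the login controller catches.
        if (user == null) {
            return null;
        }
        // NOTE(review): sys_users has `locked` and `salt` columns, but neither is
        // consulted here; a locked-account check and a salted credentials matcher
        // are the next things this realm needs.
        String dbPassword = user.getPassword();
        // getName() is the realm name Shiro uses to key principals; the class's
        // simple name is not guaranteed to match it.
        return new SimpleAuthenticationInfo(user, dbPassword, getName());
    }
}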
7、使用shiro进行登录
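/**
 * Handles the login form POST by authenticating through Shiro.
 * Enclosing controller class (and the `session`, LOGIN and MAIN_INDEX members it
 * provides) is not visible here.
 *
 * @param req   the login request carrying "username" and "password" parameters
 * @param model receives a "message" attribute describing the outcome
 * @return MAIN_INDEX on success, LOGIN on any failure
 */
@RequestMapping(method = RequestMethod.POST)
public String loginPost(HttpServletRequest req, Model model) {
    String username = req.getParameter("username");
    String rawPassword = req.getParameter("password");
    // A missing parameter is handled as a failed login instead of reaching
    // MD5Utils.md5(null) or building a token with a null password.
    if (username == null || rawPassword == null) {
        model.addAttribute("message", "用户名或密码错误");
        return LOGIN;
    }
    // NOTE(review): unsalted MD5 is a weak password hash. sys_users already has a
    // `salt` column; the intended upgrade is a salted/iterated hash verified by a
    // credentials matcher inside the realm rather than hashing in the controller.
    String password = MD5Utils.md5(rawPassword);
    AuthenticationToken token = new UsernamePasswordToken(username, password);
    Subject subject = SecurityUtils.getSubject();
    try {
        // Shiro reports a failed login by throwing.
        subject.login(token);
        User user = (User) subject.getPrincipal();
        session.setAttribute("user", user);
    } catch (UnknownAccountException e) {
        e.printStackTrace();
        model.addAttribute("message", "用户名或密码错误");
        return LOGIN;
    } catch (org.apache.shiro.authc.IncorrectCredentialsException e) {
        // Same message as for an unknown account, so the response does not reveal
        // whether the username exists (the original answered "登录失败" here).
        e.printStackTrace();
        model.addAttribute("message", "用户名或密码错误");
        return LOGIN;
    } catch (Exception e) {
        e.printStackTrace();
        model.addAttribute("message", "登录失败");
        return LOGIN;
    }
    model.addAttribute("message", "登录成功");
    return MAIN_INDEX;
}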