Add the required JARs via Maven:
    <!--shiro-->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.3.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.3.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-ehcache</artifactId>
        <version>1.3.0</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>1.3.0</version>
    </dependency>
    <!--ehcache-->
    <dependency>
        <groupId>net.sf.ehcache</groupId>
        <artifactId>ehcache-core</artifactId>
        <version>${ehcache.version}</version>
    </dependency>
    <dependency>
        <groupId>net.sf.ehcache</groupId>
        <artifactId>ehcache-web</artifactId>
        <version>${ehcache-web.version}</version>
    </dependency>
    <!--redis and jedis-->
    <dependency>
        <groupId>redis.clients</groupId>
        <artifactId>jedis</artifactId>
        <version>2.9.0</version>
    </dependency>
    <dependency>
        <groupId>commons-pool</groupId>
        <artifactId>commons-pool</artifactId>
        <version>1.6</version>
    </dependency>
Spring + Shiro configuration:
Configuration in web.xml:
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-common.xml,classpath:spring-mybatis.xml,classpath:spring-shiro.xml</param-value>
    </context-param>

    <!-- Apache Shiro 1.3.0 -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Configuration in spring-shiro.xml:
    <bean id="userFormAuthenticationFilter" class="com.lf.security.UserFormAuthenticationFilter"/>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login.do" />
        <property name="successUrl" value="/main.do" />
        <property name="filters">
            <map>
                <entry key="authc" value-ref="userFormAuthenticationFilter"/>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /login.do = authc
                /= authc
            </value>
        </property>
    </bean>
(1) The bean id shiroFilter in spring-shiro.xml must match the filter-name in web.xml, because DelegatingFilterProxy looks up its target bean by the filter name.

    <!-- Shiro security manager -->
    <bean id="systemAuthorizingRealm" class="com.lf.security.SystemAuthorizingRealm"></bean>
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="systemAuthorizingRealm" />
        <property name="cacheManager" ref="shiroEhcacheManager"/>
        <property name="sessionManager" ref="sessionManager" />
    </bean>
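(2) <property name="filters"> means that whenever authc is used, it refers to the custom filter we defined. If you would rather not reuse the same name, you can define a name of your own.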
UserFormAuthenticationFilter is declared as follows:

    public class UserFormAuthenticationFilter extends FormAuthenticationFilter {}
(3) The SystemAuthorizingRealm class has the following inheritance:

    public class SystemAuthorizingRealm extends AuthorizingRealm {}
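(4) The overall filtering flow is as follows: when /login.do is requested, Shiro intercepts the request and enters the UserFormAuthenticationFilter class, as set up in the Shiro filter chain above. The method that runs is executeLogin (a method in the FormAuthenticationFilter class):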
    @Override
    protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
        CustomUsernamePasswordToken cupToken = createToken(request, response);
        try {
            /** Validate the captcha */
            doCaptchaValidate(request, cupToken);
            /** Verify the login credentials */
            Subject subject = getSubject(request, response);
            subject.login(cupToken);
            return onLoginSuccess(cupToken, subject, request, response);
        } catch (AuthenticationException authenticationException) {
            return onLoginFailure(cupToken, authenticationException, request, response);
        }
    }
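When subject.login() runs, Shiro's internal workflow calls the identity authentication method doGetAuthenticationInfo() in the SystemAuthorizingRealm class configured above to authenticate the user.
After authentication succeeds, the request reaches the method annotated with @RequestMapping(value = "/login") in the corresponding Controller class and is forwarded to the specified page. If that Controller method carries Shiro permission or role annotations, such as @RequiresPermissions("user") or @RequiresRoles("user"), the system enters doGetAuthorizationInfo in the SystemAuthorizingRealm class to perform the authorization check. For finer detail, step through the flow in a debugger.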
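The two realm callbacks described in (4), filled in as an added example (not the original author's SystemAuthorizingRealm). The account, salt, iteration count and the use of a salted SHA-256 matcher are assumptions constructed for illustration; the main method runs the realm outside the web container with shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;

// Sketch of the realm from (3); the in-memory account below is constructed sample data.
public class SystemAuthorizingRealm extends AuthorizingRealm {
    private static final String USER = "alice", SALT = "constructed-salt";
    private static final int ITERATIONS = 1024;
    private static final String STORED_HASH = new Sha256Hash("s3cret", SALT, ITERATIONS).toHex();

    public SystemAuthorizingRealm() {
        // Compare salted, iterated hashes rather than plaintext passwords.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    // Called by subject.login(token): look up the account; Shiro then checks the password.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        if (!USER.equals(username)) {
            throw new UnknownAccountException("no such account");
        }
        return new SimpleAuthenticationInfo(username, STORED_HASH, ByteSource.Util.bytes(SALT), getName());
    }

    // Called on permission/role checks such as @RequiresPermissions("user").
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user");
        info.addStringPermission("user");
        return info;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new SystemAuthorizingRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "s3cret"));   // triggers doGetAuthenticationInfo
        System.out.println(subject.isPermitted("user"));               // triggers doGetAuthorizationInfo
    }
}
```

In a real realm the lookup in doGetAuthenticationInfo would query the user store, and doGetAuthorizationInfo would load that user's actual roles and permissions instead of granting fixed ones.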