本文介绍了如何将Spring与Shiro结合实现权限控制,包括引入Shiro Maven依赖、配置web.xml、自定义UserRealm类、在Spring的applicationContext.xml中配置Shiro,以及Shiro过滤器和权限管理的详细配置。示例中使用了基于角色的ACL权限控制,涉及User、Role、Permission等实体表及关系表的操作。
1.引入Shiro的Maven依赖
<!-- Spring 整合Shiro需要的依赖 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.1</version>
</dependency>
<!-- 除此之外还有一些东西也不可少spring, spring-mvc, ibatis等 spring.3.1.2 spring-mvc.3.1.2
ibatis.2.3.4 cglib.2.2 -->2.web.xml中配置
<!-- 配置shiro的核心拦截器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> 3. 编写自己的UserRealm类继承自Realm,主要实现认证和授权的管理操作
package com.jay.demo.shiro;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.jay.demo.bean.Permission;
import com.jay.demo.bean.Role;
import com.jay.demo.bean.User;
import com.jay.demo.service.UserService;
public class UserRealm extends AuthorizingRealm{
@Autowired
private UserService userService;
/**
* 授权操作
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
// String username = (String) getAvailablePrincipal(principals);
String username = (String) principals.getPrimaryPrincipal();
Set<Role> roleSet = userService.findUserByUsername(username).getRoleSet();
//角色名的集合
Set<String> roles = new HashSet<String>();
//权限名的集合
Set<String> permissions = new HashSet<String>();
Iterator<Role> it = roleSet.iterator();
while(it.hasNext()){
roles.add(it.next().getName());
for(Permission per:it.next().getPermissionSet()){
permissions.add(per.getName());
}
}
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.addRoles(roles);
authorizationInfo.addStringPermissions(permissions);
return authorizationInfo;
}
/**
* 身份验证操作
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
String username = (String) token.getPrincipal();
User user = userService.findUserByUsername(username);
if(user==null){
//木有找到用户
throw new UnknownAccountException("没有找到该账号");
}
/* if(Boolean.TRUE.equals(user.getLocked())) {
throw new LockedAccountException(); //帐号锁定
} */
/**
* 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以在此判断或自定义实现
*/
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName());
return info;
}
@Override
public String getName() {
return getClass().getName();
}
}
4.在Spring的applicationContext.xml中进行Shiro的相关配置
1、添加shiroFilter定义
Xml代码
- <!-- Shiro Filter -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="security
最低0.47元/天 解锁文章
865
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
