Spring3与安全框架apache shiro的整合

最新推荐文章于 2024-04-25 17:05:19 发布

iteye_6870

最新推荐文章于 2024-04-25 17:05:19 发布

阅读量110

点赞数

分类专栏： shiro spring 文章标签： apache shiro Spring3 安全权限

本文链接：https://blog.csdn.net/iteye_6870/article/details/82301988

版权

shiro 同时被 2 个专栏收录

2 篇文章 0 订阅

订阅专栏

spring

1 篇文章 0 订阅

订阅专栏

shiro是一个很不错的安全框架，相对Spring security 来说要简单易用的多，使用shiro来做web的权限子系统是不错的选择。

下面记录一下shiro和Spring整合的过程：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

	<description>Shiro 配置</description>
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<property name="securityManager" ref="securityManager" />
		<property name="loginUrl" value="/login.jsp" />
		<property name="successUrl" value="/index.jsp" />
		<property name="unauthorizedUrl" value="/login.do" />
		<property name="filterChainDefinitions">
			<value>
				/login.jsp = anon
				/login.do = anon
				/** = authc
               </value>
		</property>
	</bean>

	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<!--设置自定义realm-->
		<property name="realm" ref="monitorRealm" />
	</bean>

	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
	
	<!--自定义Realm 继承自AuthorizingRealm-->
	<bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean>
	<!-- securityManager -->
	<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
		<property name="staticMethod"
			value="org.apache.shiro.SecurityUtils.setSecurityManager" />
		<property name="arguments" ref="securityManager" />
	</bean>
	
	<!-- Enable Shiro Annotations for Spring-configured beans.  Only run after -->
	<!-- the lifecycleBeanProcessor has run: -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
    
</bean>
</beans>

将shiro的配置文件引入到web.xml中：

并在web.xml中加入如下代码：

<!-- Shiro Security filter -->
	<filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>*.do</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

实现自己的Realm

@Service("monitorRealm")
public class MonitorRealm extends AuthorizingRealm {
	
	@Autowired UserService userService;
	@Autowired RoleService roleService;
	@Autowired LoginLogService loginLogService;
	
	public MonitorRealm(){
		super();

	}
	
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		/*这里编写授权代码*/
		
	}

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken authcToken) throws AuthenticationException {
	/*这里编写认证代码*/
	}
	
	public void clearCachedAuthorizationInfo(String principal) {
		SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
		clearCachedAuthorizationInfo(principals);
	}

}

登录时的代码示例：

Subject currentUser = SecurityUtils.getSubject();
        if(!currentUser.isAuthenticated()){
        	UsernamePasswordToken token;
            if(null == rememberMe)
            	token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()),false,request.getRemoteAddr());
            else token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()), true, request.getRemoteAddr());
            try {
            	currentUser.login(token);
            } catch ( AuthenticationException ae ) {
            	request.setAttribute("message", "用户名或密码错误！");
            	return "login";
            }
        }

执行currentUser.login(token);这句代码时，shiro会自动调用用户实现的Realm的doGetAuthenticationInfo进行身份认证。

登出时的代码示例：

Subject currentUser = SecurityUtils.getSubject();
        if (currentUser != null) {
        	currentUser.logout();
        }
        HttpSession session = request.getSession(false);
        if( session != null ) {
            session.invalidate();
        }
		return "login";

在对用户（角色）进行授权时会执行Realm里的doGetAuthorizationInfo方法。

OK简单的集成完成了，如果用cas或者Springsecurity恐怕没这么简单利索哈哈。

还有其他的细节，注解、授权、安全标签等等以后再贴吧。

补贴个图吧，公司安全做的太恶心，代码考不出来。

iteye_6870

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Spring3与安全框架apache shiro的整合

shiro是一个很不错的安全框架，相对Spring security 来说要简单易用的多，使用shiro来做web的权限子系统是不错的选择。下面记录一下shiro和Spring整合的过程： &lt;?xml version="1.0" encoding="UTF-8"?&gt;&lt;beans xmlns="http://www.springframework.o...
复制链接

扫一扫