shiro是一个很不错的安全框架,相对Spring security 来说要简单易用的多,使用shiro来做web的权限子系统是不错的选择。
下面记录一下shiro和Spring整合的过程:
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd"> <description>Shiro 配置</description> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value="/login.jsp" /> <property name="successUrl" value="/index.jsp" /> <property name="unauthorizedUrl" value="/login.do" /> <property name="filterChainDefinitions"> <value> /login.jsp = anon /login.do = anon /** = authc </value> </property> </bean> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <!--设置自定义realm--> <property name="realm" ref="monitorRealm" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <!--自定义Realm 继承自AuthorizingRealm--> <bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean> <!-- securityManager --> <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager" /> <property name="arguments" ref="securityManager" /> </bean> <!-- Enable Shiro Annotations for Spring-configured beans. Only run after --> <!-- the lifecycleBeanProcessor has run: --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> </beans>
将shiro的配置文件引入到web.xml中:
并在web.xml中加入如下代码:
<!-- Shiro Security filter --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>*.do</url-pattern> </filter-mapping> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
实现自己的Realm
@Service("monitorRealm")
public class MonitorRealm extends AuthorizingRealm {
@Autowired UserService userService;
@Autowired RoleService roleService;
@Autowired LoginLogService loginLogService;
public MonitorRealm(){
super();
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
/*这里编写授权代码*/
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
/*这里编写认证代码*/
}
public void clearCachedAuthorizationInfo(String principal) {
SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
clearCachedAuthorizationInfo(principals);
}
}
登录时的代码示例:
Subject currentUser = SecurityUtils.getSubject();
if(!currentUser.isAuthenticated()){
UsernamePasswordToken token;
if(null == rememberMe)
token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()),false,request.getRemoteAddr());
else token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()), true, request.getRemoteAddr());
try {
currentUser.login(token);
} catch ( AuthenticationException ae ) {
request.setAttribute("message", "用户名或密码错误!");
return "login";
}
}
执行currentUser.login(token);这句代码时,shiro会自动调用用户实现的Realm的doGetAuthenticationInfo进行身份认证。
登出时的代码示例:
Subject currentUser = SecurityUtils.getSubject();
if (currentUser != null) {
currentUser.logout();
}
HttpSession session = request.getSession(false);
if( session != null ) {
session.invalidate();
}
return "login";
在对用户(角色)进行授权时会执行Realm里的doGetAuthorizationInfo方法。
OK简单的集成完成了,如果用cas或者Springsecurity恐怕没这么简单利索 哈哈。
还有其他的细节,注解、授权、安全标签等等 以后再贴吧。
补贴个图吧,公司安全做的太恶心,代码考不出来。