The Shiro part of the Spring configuration file is scanned first; this is where URL interception is set up:
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Shiro's core security interface; this property is mandatory -->
    <property name="securityManager" ref="securityManager"/>
    <!-- where to redirect when authentication (login) fails -->
    <property name="loginUrl" value="/index"/>
    <!-- where to redirect when authorization (permission check) fails -->
    <property name="unauthorizedUrl" value="/unauthor.jsp"/>
    <!-- Shiro URL constraints, i.e. the filter chain definitions -->
    <property name="filterChainDefinitions">
        <value>
            /login=anon
            /admin=authc
            /student=roles[teacher]
        </value>
    </property>
</bean>
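The same chain expressed in Java configuration, as an added example that is not part of the original post. It assumes Shiro 1.x and shows the two points a reviewer checks in a chain like the one above: definitions are evaluated top to bottom and the first matching pattern wins, and a pattern such as `/admin` is an exact match, so sub-paths are only covered by `/admin/**`. The `/index` and `/unauthor.jsp` entries and the `/**` catch-all are additions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

/**
 * Filter chain for the page's three URLs, built in Java so the ordering rule
 * is explicit. Shiro walks the definitions in insertion order and applies the
 * FIRST pattern that matches the request path, so specific rules come first
 * and a deny-by-default catch-all comes last.
 */
public class ShiroFilterConfig {

    public static Map<String, String> chainDefinitions() {
        // LinkedHashMap preserves insertion order; with a plain HashMap the
        // order of the chain, and therefore which rule wins, would be undefined.
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/login", "anon");               // login form must be reachable anonymously
        chain.put("/index", "anon");               // the loginUrl itself must not require login
        chain.put("/unauthor.jsp", "anon");        // same for the unauthorizedUrl page
        chain.put("/logout", "logout");            // built-in LogoutFilter ends the session
        chain.put("/admin/**", "authc");           // "/admin" alone matches only that exact path
        chain.put("/student/**", "roles[teacher]"); // role check; unauthenticated users are sent to loginUrl
        chain.put("/**", "authc");                 // catch-all: anything not listed above requires login
        return chain;
    }

    // Equivalent of the <bean id="shiroFilter"> definition above (annotate with
    // @Bean when used inside a @Configuration class).
    public static ShiroFilterFactoryBean shiroFilter(DefaultWebSecurityManager securityManager) {
        ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
        factory.setSecurityManager(securityManager);
        factory.setLoginUrl("/index");
        factory.setUnauthorizedUrl("/unauthor.jsp");
        factory.setFilterChainDefinitionMap(chainDefinitions());
        return factory;
    }
}
```

Without the final `/**` entry, any URL that is not listed is served with no filter at all, so a new controller mapping is public until someone remembers to add it to the chain; the catch-all inverts that default.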
The Spring configuration is scanned first, starting with the Shiro-related part. Requesting /admin or /login directly (with no matching identity) fails authentication and redirects to the loginUrl value (/index, whose Controller forwards to the login page index.jsp), which forces a login; the login form is then submitted to the Controller for verification.
Note: as long as the class's property names match the name attributes in the front-end form one-to-one, the object is bound directly.
subject.login() delegates to MyRealm for verification; which Realm is used is wired in the Spring configuration file (see the securityManager bean below).

public String login(User user, HttpServletRequest req) {
    Subject subject = SecurityUtils.getSubject();
    String Username = req.getParameter("Username");
    String Password = req.getParameter("Password");
    UsernamePasswordToken token = new UsernamePasswordToken(Username, Password);
    try {
        subject.login(token); // go to the Realm for authentication
        Session session = subject.getSession();
        System.out.println("sessionid" + session.getId());
        System.out.println("sessionhost" + session.getHost());
        System.out.println("sessionTimeout" + session.getTimeout());
        session.setAttribute("info", "session的数据");
        return "/success";
    } catch (AuthenticationException e) {
        // the Realm rejected the token: send the user back to the login page
        return "/index";
    }
}

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myrealm"/>
</bean>
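A fuller version of the login Controller, added here as an example and not the original post's code. It assumes Shiro 1.x, Spring MVC and an SLF4J logger (Shiro already depends on SLF4J); the form field names `Username` and `Password` are the ones the post uses. The point it adds is the error handling around subject.login(): Shiro throws different subclasses of AuthenticationException for "no such user" and "wrong password", and the Controller should log that distinction but show the browser one identical message, otherwise the login form becomes a username oracle.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {
    private static final Logger log = LoggerFactory.getLogger(LoginController.class);

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(@RequestParam("Username") String username,
                        @RequestParam("Password") String password,
                        HttpServletRequest req, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setHost(req.getRemoteHost()); // stored on the session; handy when reviewing login events
        try {
            subject.login(token); // MyRealm.doGetAuthenticationInfo runs inside this call
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // Log which of the two it was, but return the same message for both so a
            // login probe cannot distinguish valid usernames from invalid ones.
            log.warn("login failed for '{}' from {}: {}", username, req.getRemoteAddr(),
                     e.getClass().getSimpleName());
            model.addAttribute("error", "Invalid username or password");
            return "/index";
        } catch (LockedAccountException e) {
            log.warn("login attempt on locked account '{}'", username);
            model.addAttribute("error", "This account is locked");
            return "/index";
        } catch (AuthenticationException e) {
            // Any other Realm failure gets the same generic answer.
            log.warn("login failed for '{}': {}", username, e.getMessage());
            model.addAttribute("error", "Invalid username or password");
            return "/index";
        } finally {
            token.clear(); // zero the password characters once Shiro has consumed the token
        }
        Session session = subject.getSession();
        // Keep only what later requests need; never put the password or the whole User entity here.
        session.setAttribute("info", "session data");
        log.info("user '{}' logged in, session {}", username, session.getId());
        return "/success";
    }
}
```

The session id is printed to the application log rather than to stdout as in the post; it identifies the session in later log lines without exposing anything to the client beyond the cookie it already holds.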
This method performs the authentication check:

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
        throws AuthenticationException {
    String username = (String) authenticationToken.getPrincipal();
    User user = userService.getByUserName(username);
    if (user != null) {
        // hand the stored credentials to Shiro; the credentials matcher compares them with the token
        AuthenticationInfo authenticationInfo =
                new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "xxx");
        return authenticationInfo;
    } else {
        return null; // unknown account: Shiro reports this as an authentication failure
    }
}

This method retrieves the corresponding roles and permissions from the database and grants them to the identity. If authentication fails an exception is thrown; if it passes, the information is stored in the Session, and /admin can then be accessed.

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    String username = (String) principalCollection.getPrimaryPrincipal();
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.setRoles((Set<String>) userService.getRoles(username));
    authorizationInfo.setStringPermissions((Set<String>) userService.getPermissions(username));
    return authorizationInfo;
}
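The Realm above returns user.getPassword() straight from the database, which only works if passwords are stored in clear text. Below is an added example of the same two Realm methods written against salted, iterated SHA-256 hashes, with a main() that exercises login and role checks without a servlet container. It is not the post's MyRealm: it assumes Shiro 1.x, replaces the post's userService with a constructed in-memory map, and the realm name, iteration count and sample account are choices made for this example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedUserRealm extends AuthorizingRealm {
    static final int ITERATIONS = 1024;

    /** Constructed stand-in for the rows userService would load: salt and hash as hex, plus roles. */
    static final class UserRecord {
        final String saltHex, hashHex;
        final Set<String> roles;
        UserRecord(String saltHex, String hashHex, Set<String> roles) {
            this.saltHex = saltHex; this.hashHex = hashHex; this.roles = roles;
        }
    }
    private final Map<String, UserRecord> users = new HashMap<>();

    public HashedUserRealm() {
        // The matcher re-hashes the submitted password with the stored salt and
        // compares digests, so the Realm never touches the plaintext.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** What a registration path stores: a random per-user salt and the salted, iterated hash. */
    public void addUser(String username, String password, Set<String> roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, ITERATIONS).toHex();
        users.put(username, new UserRecord(salt.toHex(), hashHex, roles));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        UserRecord rec = users.get(username);
        if (rec == null) {
            return null; // Shiro turns this into UnknownAccountException
        }
        ByteSource salt = ByteSource.Util.bytes(Hex.decode(rec.saltHex));
        // Stored hash + its salt; the configured matcher does the comparison.
        return new SimpleAuthenticationInfo(username, rec.hashHex, salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        UserRecord rec = users.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (rec != null) {
            info.setRoles(new HashSet<>(rec.roles)); // copy so callers cannot mutate the store
        }
        return info;
    }

    public static void main(String[] args) {
        HashedUserRealm realm = new HashedUserRealm();
        realm.addUser("alice", "correct horse battery staple", new HashSet<>(Arrays.asList("teacher")));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName()); // IncorrectCredentialsException
        }
        subject.login(new UsernamePasswordToken("alice", "correct horse battery staple"));
        System.out.println("authenticated: " + subject.isAuthenticated());
        System.out.println("teacher role (what /student=roles[teacher] checks): " + subject.hasRole("teacher"));
        subject.logout();
    }
}
```

To use this Realm from the post's XML, the matcher goes on the `myrealm` bean as a nested `credentialsMatcher` property with the same algorithm name and iteration count used when the hashes were written; if the two sides disagree on either value, every login fails.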