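Learning Shiro, Day 4
Over the previous three days we learned how to use Shiro for user login and permission checks in a Java SE environment. In real applications, however, Shiro is usually configured and used in a web environment. Below is the process of configuring Shiro together with servlets; let's lift its veil of mystery.
As usual, the first step is to add the required jar packages. Since we are developing directly in the project from the previous days, the jars added earlier are not repeated here.
- Add the shiro-web and servlet jars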
<!-- Shiro web library -->
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-web</artifactId>
  <version>1.2.3</version>
</dependency>
<!-- Servlet jar -->
<dependency>
  <groupId>javax.servlet</groupId>
  <artifactId>javax.servlet-api</artifactId>
  <version>3.0.1</version>
  <scope>provided</scope>
</dependency>
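- Configure Shiro's entry point in web.xml. The main purpose is to create the WebEnvironment object, which reads the Shiro configuration file and creates the WebSecurityManager and FilterChainResolver objects. Both play an important role in the ShiroFilter that appears below. For a detailed introduction see the article https://blog.csdn.net/huangbaokang/article/details/77575331; it is not repeated at length here.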
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <!-- Specify the listener -->
  <context-param>
    <param-name>shiroEnvironmentClass</param-name>
    <param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value>
  </context-param>
  <context-param>
    <param-name>shiroConfigLocations</param-name>
    <param-value>classpath:shiro-web.ini</param-value>
  </context-param>
  <listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
  </listener>
  <!-- Configure the Shiro filter -->
  <filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
- Create the configuration file shiro-web.ini under resources (the file that shiroConfigLocations in web.xml points to)
[users]
root = secret, admin
guest = guest, guest
test = 123456, guest,test
[roles]
admin = *
guest = user:list
test = menu:list,menu:add
[urls]
/login.jsp=anon
/index.jsp = authc
/role.html=authc,roles[admin]
/menu/** = authc, roles[admin],perms[menu:*]
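- anon: the URL can be accessed without authentication
- authc: the URL can be accessed only after the user has been authenticated
- authc,roles[admin]: only authenticated users with the admin role can see it
4. Create LoginServlet, which extends HttpServlet, and override its two important methods doPost() and doGet()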
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    this.doPost(req, resp);
}

/**
 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
 */
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String username = req.getParameter("username");
    System.out.println(username);
    // The password is read but not printed: credentials must not end up in logs
    String password = req.getParameter("password");
    // Get the object that interacts with the current system
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token);
        req.getRequestDispatcher("IndexServlet1").forward(req, resp);
    } catch (AuthenticationException e) { // org.apache.shiro.authc.AuthenticationException
        e.printStackTrace();
        // Message passed to login.jsp: "Incorrect username or password"
        req.setAttribute("error", "用户名或密码错误");
        req.getRequestDispatcher("login.jsp").forward(req, resp);
    }
}
Create IndexServlet in the same way; it is only used to forward to a page
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    this.doPost(req, resp);
}

/**
 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
 */
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    req.getRequestDispatcher("index.jsp").forward(req, resp);
}
5. Create the login page login.jsp
<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Insert title here</title>
</head>
<body>
<%-- method="post" keeps the password out of the URL, browser history and access logs --%>
<form action="LoginServlet1" method="post">
    用户名:<input type="text" name="username">
    密码:<input type="password" name="password">
    <input type="submit" value="登录">
</form>
</body>
</html>
Create index.jsp
<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<%@taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<shiro:hasPermission name="menu:list">
    <a href="#">menu</a>
</shiro:hasPermission>
<shiro:hasRole name="admin">
    <a href="#">menu</a>
</shiro:hasRole>
<h2>Hello World!</h2>
</body>
</html>
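The hasRole tag
<shiro:hasRole name="admin">
</shiro:hasRole>
If the current Subject has the role, the body content is displayed.
The hasAnyRoles tag
<shiro:hasAnyRoles name="admin,user">
</shiro:hasAnyRoles>
If the current Subject has any one of the listed roles (an OR relationship), the body content is displayed.
Only the two tags used above are introduced here. For more tags, see https://www.cnblogs.com/roxy/p/7688092.html
At this point we have integrated the Shiro framework in a web environment. If you start the application and go straight to index.jsp, you are sent back to login.jsp, because shiro-web.ini restricts index.jsp to authenticated users, while login.jsp can be accessed by anyone.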
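The following is an added example, not code from the original post: it loads the [users] and [roles] sections shown above outside the web container and evaluates, for each account, the checks that the /menu/** chain (authc, roles[admin], perms[menu:*]) and the hasPermission tag in index.jsp perform. The class name AccessMatrix is hypothetical; it assumes shiro-core (pulled in by shiro-web 1.2.3) is on the classpath.

```java
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

// Added example (hypothetical class name): checks the page's accounts against
// the same role and permission tests that the /menu/** filter chain applies.
public class AccessMatrix {

    // [users] and [roles] copied from the shiro-web configuration on this page.
    static final String INI_TEXT =
          "[users]\n"
        + "root = secret, admin\n"
        + "guest = guest, guest\n"
        + "test = 123456, guest,test\n"
        + "[roles]\n"
        + "admin = *\n"
        + "guest = user:list\n"
        + "test = menu:list,menu:add\n";

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI_TEXT);
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();

        String[][] accounts = { {"root", "secret"}, {"guest", "guest"}, {"test", "123456"} };
        System.out.printf("%-6s %-13s %-14s %-14s %s%n",
                "user", "roles[admin]", "perms[menu:*]", "menu:list tag", "/menu/**");
        for (String[] a : accounts) {
            // Build a Subject bound to this SecurityManager; no servlet container needed.
            Subject s = new Subject.Builder(sm).buildSubject();
            s.login(new UsernamePasswordToken(a[0], a[1]));

            boolean isAdmin  = s.hasRole("admin");          // what roles[admin] checks
            boolean menuAll  = s.isPermitted("menu:*");     // what perms[menu:*] checks
            boolean menuList = s.isPermitted("menu:list");  // what <shiro:hasPermission> checks
            // A request passes the chain only if every filter in it passes.
            boolean chainOk = s.isAuthenticated() && isAdmin && menuAll;

            System.out.printf("%-6s %-13b %-14b %-14b %s%n",
                    a[0], isAdmin, menuAll, menuList, chainOk ? "allowed" : "denied");
            s.logout();
        }
    }
}
```

The test account holds menu:list and menu:add, so the menu link in index.jsp is rendered for it, but neither permission implies menu:* and the account lacks the admin role, so the /menu/** chain still denies it. Page tags only hide or show markup; the [urls] chain is what enforces access.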
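If you want to use a custom data source and fetch the authentication information from a database, see the previous post, Learning Shiro, Day 3.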