1.配置shiro框架
1.1 导入shiro需要依赖的jar包
我使用的是maven项目,直接通过依赖引入。
在pom.xml文件中加入如下依赖(注意:示例中的1.3.2是较旧的版本,实际项目中请查阅Apache Shiro的安全公告,使用仍在维护的版本):
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.3.2</version>
</dependency>
1.2配置shiro的xml文件(applicationContext-shiro.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- override these for application-specific URLs if you like:
<property name="loginUrl" value="/login.jsp"/>
<property name="successUrl" value="/home.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/> -->
<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean -->
<!-- defined will be automatically acquired and available via its beanName in chain -->
<!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="anAlias" value-ref="someFilter"/>
</util:map>
</property> -->
<property name="filterChainDefinitions">
<value>
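# anon:可以匿名访问
# authc:必须经过身份验证以后才能访问
# 注意:这里的注释要用 # 开头,以 // 开头的行不会被当作注释;规则按从上到下的顺序匹配,第一个匹配的规则生效,所以下面的 /**/*.do=anon 会让不在 /admin/**、/docs/** 下的所有 .do 请求都可以匿名访问,实际项目中应只放行登录等确实需要匿名访问的地址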
# some example chain definitions:
/admin/** = authc, roles[admin]
/docs/** = authc, perms[document:read]
/**/*.do=anon
/** = authc
# more URL-to-FilterChain definitions here
</value>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="realm" ref="myRealm"/>
<!-- By default the servlet container sessions will be used. Uncomment this line
to use shiro's native sessions (see the JavaDoc for more): -->
<!-- <property name="sessionMode" value="native"/> -->
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<bean id="myRealm" class="com.gy.shiro.MyRealm">
</bean>
</beans>
上面配置文件最后的部分(myRealm)和中间的配置(filterChainDefinitions)需要根据自己的项目修改。
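1.3需要在web.xml中加载shiro的配置文件(要让上面的 shiroFilter 真正拦截请求,还需要在web.xml中用 org.springframework.web.filter.DelegatingFilterProxy 注册一个名为 shiroFilter 的过滤器并配置 filter-mapping,下面的片段没有包含这一部分)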
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml,
classpath:applicationContext-transaction.xml,
classpath:applicationContext-shiro.xml,
classpath:applicationContext-mybatis.xml,
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
1.4配置好xml后需要再添加class文件
package com.gy.shiro;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.gy.service.LoginService;
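/**
 * Shiro realm that authenticates username/password tokens by asking
 * {@link LoginService} whether the submitted pair is valid.
 *
 * <p>Authorization is not implemented yet: {@link #doGetAuthorizationInfo} still
 * returns {@code null}, so this realm supplies no roles or permissions.
 */
public class MyRealm extends AuthorizingRealm {
    @Autowired
    private LoginService service;

    /**
     * Placeholder that supplies no authorization data.
     *
     * @param principals the identity of the subject being authorized (unused)
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Still a stub. NOTE(review): with no roles or permissions coming from this realm,
        // role/permission checks (e.g. roles[admin] or perms[document:read] filter entries)
        // presumably can never pass - load them for the given principal before relying on them.
        return null;
    }

    /**
     * Validates the submitted username and password through {@link LoginService}.
     *
     * @param token the submitted token; cast to {@link UsernamePasswordToken}
     * @return authentication info for the username when the service accepts the pair
     * @throws AuthenticationException if the username or password is missing, or the
     *         service rejects the pair
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        char[] password = upToken.getPassword();

        // A token built without a password carries a null char[]; reject it here with the
        // same exception type as any other failed login instead of hitting a
        // NullPointerException in new String(...). The message stays generic on purpose.
        if (username == null || password == null) {
            throw new AuthenticationException("Username and password are required");
        }

        // The String copy of the password cannot be wiped afterwards; it is kept because
        // the service is called with a String here.
        // NOTE(review): how LoginService stores and compares passwords is not visible
        // here - confirm it verifies a salted hash rather than a plaintext value.
        if (!service.findUserByUserNameAndPassword(username, new String(password))) {
            throw new AuthenticationException();
        }

        // The submitted password is handed back as the account credentials, so Shiro's
        // follow-up credentials comparison is made against the same value; the
        // LoginService call above is therefore the only real password check.
        return new SimpleAuthenticationInfo(username, password, getName());
    }
}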
2 shiro的简单使用
2.1 使用ssm框架操作shiro框架
这里以登录为例:
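/**
 * Logs the current Shiro subject in with the submitted username and password.
 *
 * <p>NOTE(review): the mapping does not restrict the HTTP method, so the credentials can
 * also arrive as query-string parameters of a GET request, where they may end up in
 * access logs and browser history; consider restricting this handler to POST.
 *
 * @param userName the submitted account name
 * @param password the submitted password
 * @return {@code "success"} when the login succeeds; {@code "fail"} when a credential is
 *         missing, the subject is already authenticated, or authentication fails
 */
@RequestMapping("/login.do")
public String login(String userName, String password) {
    // Missing request parameters arrive as null; reject them up front rather than
    // building a token with a null username or password and relying on a downstream failure.
    if (userName == null || password == null) {
        return "fail";
    }

    Subject currentUser = SecurityUtils.getSubject();
    // A subject that is already authenticated is not logged in again.
    if (currentUser.isAuthenticated()) {
        return "fail";
    }

    // UsernamePasswordToken carries the submitted account name and password.
    UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
    // NOTE(review): remember-me is switched on for every login; a persistent login is
    // normally something the user opts into (e.g. via a checkbox), not a default.
    token.setRememberMe(true);
    try {
        // Run the login through the configured realm(s).
        currentUser.login(token);
    } catch (AuthenticationException ae) {
        // Every authentication failure is reported the same way, without saying whether
        // the account or the password was wrong.
        return "fail";
    }
    return "success";
}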