springMVC集成shiRospringMVC集成shiRo
- shiRo简介
Apache Shiro是一个功能强大且灵活的开源安全框架,主要功能包括用户认证、授权、会话管理以及加密。
Apache Shiro的首要目标是易于使用和理解。系统安全是非常复杂甚至痛苦的,但Shiro并不是。一个框架应该尽可能的隐藏那些复杂的细节,并且公开一组简洁直观的API以简化开发人员在系统安全上所付出的努力。
- ** 通过Apache Shiro完成下面这些事情:**
-
验证用户身份
-
控制用户访问,例如:
-
确定用户是否被分配某个角色
-
确定用户是否被允许做某些操作
-
实现“记住我”功能,使用户不必每次都要登录
- 步骤
- 依赖
<dependencies>
<!-- shiro依赖 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.4.0</version>
</dependency>
<!-- framework依赖 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.1.3.RELEASE</version>
</dependency>
<!-- mybatis依赖 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.2.3</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.2.2</version>
</dependency>
<!-- mysql依赖 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.6</version>
</dependency>
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
<version>1.2.2</version>
</dependency>
<!-- 文件上传 -->
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<!-- jackson json -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.4.2</version>
</dependency>
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>jsr250-api</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope><!-- 编译期用,运行的时候tomcat自己有,不写的话会冲突 -->
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!--分页 -->
<dependency>
<groupId>com.github.pagehelper</groupId>
<artifactId>pagehelper</artifactId>
<version>5.0.0</version>
</dependency>
<!--aop -->
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.8.5</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>17</source>
<target>1.7</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
<configuration>
<port>8080</port>
<path>/</path>
<uriEncoding>UTF-8</uriEncoding>
</configuration>
</plugin>
</plugins>
</build>
2.配置web.xml
<!-- shiro过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<!-- 监听启动框架 -->
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- 编码过滤器 -->
<filter>
<filter-name>CharacterEncoding</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>utf-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CharacterEncoding</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.配置springmvc.xml
<context:component-scan base-package="com.tjetc.controller"/>
<mvc:annotation-driven >
<!-- 消息转换器 -->
<mvc:message-converters register-defaults="true">
<bean class="org.springframework.http.converter.StringHttpMessageConverter">
<property name="supportedMediaTypes" value="text/html;charset=UTF-8"/>
</bean>
</mvc:message-converters>
</mvc:annotation-driven>
<mvc:default-servlet-handler />
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver"></bean>
<!--
配置为true即使用cglib继承的方式,
false为jdk的接口动态代理 控制器没有实现接口
-->
<aop:config proxy-target-class="true" />
<bean class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- 使用第三方去扫描shiro的注解 -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor ">
<property name="securityManager" ref="securityManager">
</property>
</bean>
</beans>
4.配置applicationContext.xml文件
<context:component-scan base-package="com.tjetc"></context:component-scan>
<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property ref="securityManager" name="securityManager"></property>
<property name="loginUrl" value="login"></property>
<property name="unauthorizedUrl" value="../403.jsp"></property>
<property name="filterChainDefinitions">
<value>
/login.jsp=anon
/user/subLogin=anon
/index.jsp = authc
<!-- /user/testRole=perms["admin:update"] -->
/user/logout=logout
/**=authc
</value>
</property>
</bean>
<!-- 创建 securityManager 对象 -->
<bean id="securityManager"
class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="realm"></property>
<!--注入缓存-->
<property name="cacheManager" ref="ehCache"/>
<!-- 设置记住我 3天 -->
<property name="rememberMeManager.cookie.maxAge" value="259200"></property>
</bean>
<!-- 自定义realm -->
<bean id="realm" class="com.tjetc.shiro.realm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!-- 凭证匹配器 -->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5" />
<property name="hashIterations" value="1"></property>
</bean>
<!-- 缓存管理器 -->
<bean id="ehCache" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:shiro-ehcache.xml"/>
</bean>
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView"></property>
<property name="prefix" value="/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<context:property-placeholder
location="classpath:db.properties" />
<bean id="dataSource"
class="org.apache.commons.dbcp.BasicDataSource">
<property name="driverClassName" value="${driver}"></property>
<property name="url" value="${url}"></property>
<property name="username" value="${xx}"></property>
<property name="password" value="${password}"></property>
</bean>
<bean id="sqlSessionFactory"
class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="configLocation" value="classpath:mybatis.xml"></property>
<!-- 别名 -->
<property name="typeAliasesPackage" value="com.tjetc.domain"></property>
</bean>
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<!--指定会话工厂,如果当前上下文中只定义了一个则该属性可省去 -->
<property name="sqlSessionFactoryBeanName"
value="sqlSessionFactory"></property>
<!-- 指定要自动扫描接口的基础包,实现接口 -->
<property name="basePackage" value="com.tjetc.mapper"></property>
</bean>
<!--定义事物管理器,由spring管理事务 -->
<bean id="transactionManager"
class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"></property>
</bean>
4.mybatis.xml
<!DOCTYPE configuration
PUBLIC "-//mybatis.org//DTD Config 3.0//EN"
"http://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
<plugins>
<!-- com.github.pagehelper为PageHelper类所在包名 -->
<plugin interceptor="com.github.pagehelper.PageInterceptor">
<!-- 什么都不配,使用默认的配置 -->
<property name="reasonable" value="true"/>
</plugin>
</plugins>
</configuration>
5.shiro-ehcache.xml 本地缓存配置文件
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd">
<defaultCache
maxElementsInMemory="1000"
maxElementsOnDisk="10000000"
eternal="false"
overflowToDisk="false"
diskPersistent="false"
timeToIdleSeconds="120"
timeToLiveSeconds="120"
diskExpiryThreadIntervalSeconds="120"
memoryStoreEvictionPolicy="LRU">
</defaultCache>
</ehcache>
6.db.properties 数据库信息
driver=com.mysql.jdbc.Driver
url=jdbc:mysql:///ii
xx=root
password=123
7.自定义的realm
package com.tjetc.shiro;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Resource;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import com.tjetc.domain.User;
import com.tjetc.mapper.usermapper;
public class realm extends AuthorizingRealm {
@Resource
private usermapper mapper;
/*
* Map<String, String> userMap = new HashMap<String, String>(); {
* userMap.put("jiawei", "123456"); super.setName("realm"); }
*/
@SuppressWarnings("null")
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String userName = (String) principals.getPrimaryPrincipal();
Set<String> roles = getRolesByUserName(userName);
Set<String> permissions = new HashSet<String>();
if (roles != null) {
for (String roleName : roles) {
Set<String> perssion = mapper.getpermissionsByRoleName(roleName);
if (perssion != null) {
for (String per : perssion) {
permissions.add(per);
}
}
}
}
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
simpleAuthorizationInfo.setRoles(roles);
simpleAuthorizationInfo.setStringPermissions(permissions);
for (String permission : permissions) {
System.out.println("所有权限的" + permission.toString());
}
return simpleAuthorizationInfo;
}
private Set<String> getRolesByUserName(String userName) {
Set<String> sets = mapper.getRolesByUserName(userName);
return sets;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// 1从主体传过来的认证信息中,获取用户名
String userName = (String) token.getPrincipal();
// 通过用户名到数据库获取凭证
User user = mapper.getUserByUsrName(userName);
if (user == null) {
/*
* //判断是否锁定 if(user.getIsLock()) { throw new LockedAccountException("Account ["
* + user.getUsername() + "] is locked."); }
*/
return null;
}
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(userName, user.getPassword(),
"realm");
authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(userName));
return authenticationInfo;
}
}
8.controller类
package com.tjetc.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import com.tjetc.domain.User;
@Controller
@RequestMapping("/user")
public class usercontroller {
@ResponseBody
@RequestMapping("/subLogin")
public String subLogin(User user) {
System.out.println(user.toString());
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword());
try {
subject.login(token);
return "登录成功";
} catch (UnknownAccountException e) {
return "用户名不存在";
} catch (IncorrectCredentialsException e) {
return "密码不正确";
} catch (LockedAccountException e) {
return "帐户已锁定";
}
}
@ResponseBody
@RequiresPermissions("admin:update")
@RequestMapping("/testRole")
public String testRole(Exception ex) {
return "欢迎:admin:update";
}
@ResponseBody
@ExceptionHandler(UnauthorizedException.class)
public String authorzation(Exception ex) {
return "无权限";// 无权限返回的信息
}
}
9.user实体类
package com.tjetc.domain;
public class User {
private int id;
private String username;
private String password;
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getUsername() {
return username;
}
public User(String username, String password) {
super();
this.username = username;
this.password = password;
}
public User() {
super();
}
public User(int id, String username, String password) {
super();
this.id = id;
this.username = username;
this.password = password;
}
@Override
public String toString() {
return "User [id=" + id + ", username=" + username + ", password=" + password + "]";
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
10.usermapper接口
package com.tjetc.mapper;
import java.util.Set;
import com.tjetc.domain.User;
public interface usermapper {
User getUserByUsrName(String userName);
Set<String> getRolesByUserName(String userName);
Set<String> getpermissionsByRoleName(String roleName);
}
11.usermapper.xml,sql文件
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.tjetc.mapper.usermapper">
<select id="getUserByUsrName" parameterType="string" resultType="user">
select * from user where username=#{value}
</select>
<select id="getRolesByUserName" parameterType="string" resultType="string">
select rname from user_roles where uname=#{value}
</select>
<select id="getpermissionsByRoleName" parameterType="string" resultType="string">
select permission from role_permission where rname=#{value}
</select>
</mapper>
12.web下的三个jsp文件
login.jsp
index.jsp
403.jsp
13.github地址,参考视频