Background:
We need access control, and since access-control models are already mature, the sensible choice is to build on an existing one and save the development time. Here that means Apache Shiro; the application is annotation-driven Spring MVC, so Shiro has to be integrated with it.
Please credit http://snv.iteye.com/ when reposting.
Dependencies (Lib). The versions below are the ones the post was written against; Shiro 1.2.2 and Spring 3.1.0 are long unsupported, so for new work take current releases. In particular Shiro 1.2.x before 1.2.5 shipped a fixed default rememberMe cipher key, which let an attacker forge the rememberMe cookie and reach the Java deserialization path (CVE-2016-4437); DefaultWebSecurityManager enables rememberMe by default, so this matters even though the configuration below never mentions it.
<!-- apache common start -->
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-io</artifactId>
  <version>1.3.2</version>
</dependency>
<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
</dependency>
<dependency>
  <groupId>org.codehaus.jackson</groupId>
  <artifactId>jackson-mapper-lgpl</artifactId>
  <version>1.9.13</version>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-web</artifactId>
  <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-webmvc</artifactId>
  <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
  <groupId>javax.servlet</groupId>
  <artifactId>jstl</artifactId>
  <version>1.2</version>
</dependency>
<dependency>
  <groupId>javax.servlet</groupId>
  <artifactId>jsp-api</artifactId>
  <version>2.0</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>javax.servlet</groupId>
  <artifactId>servlet-api</artifactId>
  <version>2.5</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>com.alibaba</groupId>
  <artifactId>fastjson</artifactId>
  <version>1.1.36</version>
</dependency>
<!-- shiro start -->
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-spring</artifactId>
  <version>1.2.2</version>
</dependency>
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-core</artifactId>
  <version>1.2.2</version>
</dependency>
<!-- shiro end -->
Add the shiroFilter to web.xml. DelegatingFilterProxy hands every request to the Spring bean whose name equals the filter-name (shiroFilter, defined in the next step); targetFilterLifecycle=true lets Spring call that bean's init and destroy. Map it to /* and declare its filter-mapping before any other so Shiro runs first:
<!-- shiro filter start -->
<filter>
  <filter-name>shiroFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetFilterLifecycle</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>shiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- shiro filter end -->
Configure the shiroFilter bean and the custom Realm in spring-x.xml:
<!--shiro start -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  <property name="securityManager" ref="securityManager" />
  <property name="loginUrl" value="/usr/login" />
  <property name="successUrl" value="/usr/index" />
  <property name="unauthorizedUrl" value="/usr/tologin" />
  <property name="filterChainDefinitions">
    <value>
      /usr/** = anon
      /html/** = user
    </value>
  </property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  <property name="realm" ref="com.someabcd.csr.web.authenticCSRRealm" />
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!--shiro end -->
Notes on the properties:
loginUrl: where Shiro sends a request that an authentication filter (user, authc) rejects. That redirect is a GET, so it should be a URL that renders the login form; it is also the URL at which the built-in form filter (authc) would process a POSTed username/password. In this setup the controller below handles the POST itself and maps /usr/login for POST only, so an unauthenticated GET on /html/** would be redirected to a URL that answers 405; either map GET /usr/login to the form view or point loginUrl at /usr/tologin.
successUrl: the URL the authc filter redirects to after a successful form login when no original request was saved. With a custom login controller it is not consulted; the controller decides where to go.
unauthorizedUrl: used only for authorization failures, i.e. when an authorization filter such as roles or perms denies an already authenticated user. Authentication failures never land here; they go to loginUrl.
filterChainDefinitions: Ant-style URL pattern = filter chain, evaluated top to bottom with the first match winning, so order matters and specific paths go above broad ones. anon applies no checks at all; user lets through anyone who is authenticated or merely remembered via a rememberMe cookie; authc requires a real login in the current session and is the one to use for anything sensitive. Other built-in filters are authcBasic, logout, noSessionCreation, perms, port, rest, roles and ssl, and custom filters can be registered through the filters property. A URL that matches no pattern passes through with no filter at all, so close the list with a catch-all such as /** = authc. Note that /usr/** = anon also exposes /usr/index, the post-login page, to everyone.
securityManager: holds the custom Realm (explained below). The ref is the bean name given in @Component, so the package containing AuthenticCSRRealm must be covered by <context:component-scan>. DefaultWebSecurityManager is the servlet-aware manager and also supplies the default session and rememberMe managers.
Custom Realm implementation, AuthenticCSRRealm:
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component("com.someabcd.csr.web.authenticCSRRealm")
public class AuthenticCSRRealm extends AuthorizingRealm {
    private final Logger log = LoggerFactory.getLogger(AuthenticCSRRealm.class);

    // Authorization: called lazily on the first hasRole/isPermitted/@RequiresX check.
    // Placeholder for now: no roles or permissions, so every authorization check fails.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        log.info("******doGetAuthorizationInfo:{}", principals.getPrimaryPrincipal());
        return info;
    }

    // Authentication: called by subject.login(token).
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String userName = token.getUsername();
        log.info("******doGetAuthenticationInfo:{}", userName);
        if (userName != null && !"".equals(userName)) {
            // Placeholder: the "stored credential" is the username itself, so the default
            // SimpleCredentialsMatcher accepts any login whose password equals its username.
            // A real realm loads the user's salted, hashed credential from storage here.
            return new SimpleAuthenticationInfo(userName, userName, getName());
        }
        // null tells Shiro the account is unknown; login() then throws UnknownAccountException
        return null;
    }
}
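The realm above accepts any login whose password equals its username and grants no roles, which is fine for wiring but not for a real system. What follows is an added example, not code from the original post: a realm over a constructed in-memory user table that stores a per-user random salt and an iterated SHA-256 hash, delegates the password comparison to Shiro's HashedCredentialsMatcher, fills in roles and permissions for doGetAuthorizationInfo, and is driven stand-alone through DefaultSecurityManager (shiro-core on the classpath, no Spring or servlet container). The class name HashedCSRRealm, the users alice and bob, and their roles and permission strings are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Added example (not the post's code): realm over a constructed in-memory table of salted hashes. */
public class HashedCSRRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 1024;

    /** One row of the hypothetical user table; the cleartext password is never stored. */
    private static final class Account {
        final String hashHex;      // hex of SHA-256 applied ITERATIONS times over salt + password
        final ByteSource salt;     // per-user random salt, stored next to the hash
        final Set<String> roles;
        final Set<String> permissions;
        Account(String hashHex, ByteSource salt, Set<String> roles, Set<String> permissions) {
            this.hashHex = hashHex; this.salt = salt; this.roles = roles; this.permissions = permissions;
        }
    }

    private final Map<String, Account> users = new HashMap<String, Account>();

    public HashedCSRRealm() {
        // Tell Shiro how stored credentials were produced, so it hashes the submitted
        // password the same way instead of comparing cleartext (the default matcher).
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    /** What a provisioning routine does once per user: fresh random salt, iterated hash. */
    public void addUser(String name, String password, Set<String> roles, Set<String> permissions) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashHex = new Sha256Hash(password, salt, ITERATIONS).toHex();
        users.put(name, new Account(hashHex, salt, roles, permissions));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        String name = ((UsernamePasswordToken) authcToken).getUsername();
        Account account = users.get(name);
        if (account == null) {
            throw new UnknownAccountException("no account named " + name);
        }
        // Hand back the stored hash and its salt; HashedCredentialsMatcher does the comparison.
        return new SimpleAuthenticationInfo(name, account.hashHex, account.salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Called lazily on the subject's first hasRole/isPermitted/@RequiresX check.
        Account account = users.get((String) principals.getPrimaryPrincipal());
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (account != null) {
            info.setRoles(account.roles);
            info.setStringPermissions(account.permissions);   // WildcardPermission syntax, e.g. "html:read"
        }
        return info;
    }

    private static Set<String> setOf(String... items) {
        return new HashSet<String>(Arrays.asList(items));
    }

    /** Stand-alone walk-through with constructed users; no Spring or servlet container needed. */
    public static void main(String[] args) {
        HashedCSRRealm realm = new HashedCSRRealm();
        realm.addUser("alice", "correct horse battery staple", setOf("admin"), setOf("html:*"));
        realm.addUser("bob", "hunter2", setOf("viewer"), setOf("html:read"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        try {   // wrong password: the matcher rejects it with IncorrectCredentialsException
            subject.login(new UsernamePasswordToken("bob", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
        subject.login(new UsernamePasswordToken("bob", "hunter2"));
        // bob's viewer role carries only html:read, so html:write is denied
        System.out.println("bob hasRole(admin)=" + subject.hasRole("admin"));
        System.out.println("bob isPermitted(html:read)=" + subject.isPermitted("html:read"));
        System.out.println("bob isPermitted(html:write)=" + subject.isPermitted("html:write"));
        subject.logout();
    }
}
```

To use it in the Spring setup above, register it as the realm bean in place of AuthenticCSRRealm and replace the in-memory map with a lookup in your user store; the hash, salt and iteration count must be read from the same record, and the iteration count configured on the matcher has to match the one used when the hash was written.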
Login controller:
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("usr")
public class UsrController {
    private final Logger log = LoggerFactory.getLogger(UsrController.class);

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(HttpServletRequest request) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // never write the submitted password to the log; the username is enough for audit
        log.info("login attempt for username:{}", username);
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            try {
                currentUser.login(token); // runs the realm's doGetAuthenticationInfo
            } catch (AuthenticationException ae) {
                // UnknownAccountException, IncorrectCredentialsException, LockedAccountException, ...
                // the user gets the same generic failure page in every case
                log.info("login failed for username:{} ({})", token.getPrincipal(),
                        ae.getClass().getSimpleName());
                return "usr/toLogin";
            } finally {
                token.clear(); // zero the cleartext password held by the token
            }
        }
        return "redirect:/usr/index"; // redirect after POST so a refresh does not resubmit credentials
    }

    @RequestMapping(value = "/tologin", method = RequestMethod.GET)
    public String toLogin(HttpServletRequest request) {
        return "usr/toLogin";
    }

    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public String index(HttpServletRequest request) {
        return "usr/index";
    }
}
See the next post for the details.