Spring整合Shiro

最新推荐文章于 2021-01-23 11:44:23 发布

WuBinBin-Albert

最新推荐文章于 2021-01-23 11:44:23 发布

阅读量1.1k

点赞数 2

分类专栏： shiro 文章标签： spring shiro 框架

本文链接：https://blog.csdn.net/u013034378/article/details/75087320

版权

shiro 专栏收录该内容

1 篇文章 0 订阅

订阅专栏

最近开始学习shiro框架，今天用Spring整合了一下，顺便记录一下，方便下次使用。第一次写博客，有写不好的地方，望各位大佬多包容包容。

1.使用Maven进行依赖管理。我们需要在pom.xml加入下面配置：

    <properties>
        <java.version>1.8</java.version>
        <shiro.version>1.3.2</shiro.version>
        <spring.version>4.2.4.RELEASE</spring.version>
    </properties>

    <dependencies>
        <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>3.1.0</version>
    </dependency>
    <!-- shiro -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-spring</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-ehcache</artifactId>
        <version>${shiro.version}</version>
    </dependency>
    <!-- druid -->
    <dependency>  
        <groupId>com.alibaba</groupId>  
        <artifactId>druid</artifactId>  
        <version>1.0.28</version>  
    </dependency> 
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.1.1</version>
    </dependency>
      <dependency>  
        <groupId>mysql</groupId>  
        <artifactId>mysql-connector-java</artifactId>  
        <version>5.1.21</version>  
    </dependency> 
  </dependencies>
  <build>
        <plugins>
            <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.1</version>
                    <configuration>
                        <source>${java.version}</source>
                        <target>${java.version}</target>
                        <encoding>UTF-8</encoding>
                    </configuration>
                </plugin>
        </plugins>
  </build>

2.配置web.xml文件

<!-- Shiro拦截器 -->
    <!--这里注意的是，filter-name必须与shiro配置文件里面的拦截器bean的id一致。因为 Shiro 会来 IOC 容器中查找和
     <filter-name> 名字对应的 filter bean.-->
    <filter> 
        <filter-name>shiroFilter</filter-name> 
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class> 
    </filter> 
    <filter-mapping> 
        <filter-name>shiroFilter</filter-name> 
        <url-pattern>/*</url-pattern> 
    </filter-mapping>


    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-shiro.xml</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <servlet>
        <servlet-name>springDispatcherServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:springmvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>springDispatcherServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>/login.jsp</welcome-file>
    </welcome-file-list>

3.1 jdbc.properties连接数据库
这里属性就简单的用了，仅为了连接数据库

driverClassName=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/shiro
username=root
password=Wbb2018.

3.2.spring-shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
    <!-- 载入jdbc.properties配置文件 -->
    <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">    
        <property name="location" value="classpath:jdbc.properties" />    
    </bean> 
    <!-- 连接池，连接数据库 -->
    <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
            <property name="url" value="${url}"></property>
            <property name="username" value="${username}"></property>
            <property name="password" value="${password}"></property>
    </bean>

    <!-- 1.配置SecurityManager-->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"></property>
        <property name="authenticator" ref="authenticator"></property>
        <!-- 一个realm的时候，就用属性<property name="realm" ref="myRealm"/> --> 
        <!-- 多个realm的时候， 可以用<property name="realms"></property>-->
        <property name="realms">
            <list>
                <ref bean="myRealm"/>
                <!--  <ref bean="jdbcRealm"/>-->
            </list>
        </property>
    </bean>
    <!-- 2.配置cacheManager,这里我使用的是自带的缓存管理-->
    <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"></bean>  
    <!-- 3.配置authenticator -->
    <bean id="authenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
        <!-- 可以修改多个realm之间的匹配策略，
        FirstSuccessfulStrategy：只要有一个Realm验证成功即可，只返回第一个Realm身份验证成功的认证信息，其他的忽略；
        默认 AtLeastOneSuccessfulStrategy:只要有一个Realm验证成功即可，和FirstSuccessfulStrategy不同，返回所有Realm身份验证成功的认证信息；
        AllSuccessfulStrategy：所有Realm验证成功才算成功，且返回所有 Realm身份验证成功的认证信息，
        如果有一个失败就失败了。 -->
        <property name="authenticationStrategy">
            <bean class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy"></bean>
        </property>

    </bean>

    <!-- 3.1配置realm -->
    <!--这个MyRealm是我自己定义的，密码的加密方式和加密次数跟这里要对应，不然匹配不起来-->
    <bean id="myRealm" class="com.wbb.shiro.realms.ShiroRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"></property><!--加密方式-->
                <property name="hashIterations" value="1024"></property><!--加密次数-->
            </bean>
        </property>
    </bean>
    <!--这个Realm，使用的是shiro自带的JdbcRealm,这个Class类,
    自带了很多属性和方法，因为我这里仅仅实现了登录的功能，
    使用仅用到authenticationQuery属性，它是这样定义的:
     protected String authenticationQuery = DEFAULT_AUTHENTICATION_QUERY;
      protected static final String DEFAULT_AUTHENTICATION_QUERY = "select password from users where username = ?";
     -->
    <!--<bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
        <property name="dataSource" ref="dataSource"/>
        如果你数据库里面的定义的表，跟class自带的查询使用
        到属性不一致的话，你可以自己在这里重新定义select语句，来覆盖 掉自带的select，比如以下:
        <property name="authenticationQuery" value="select password from user where name = ?"></property>-->


    </bean>
    <!-- 4.配置LifecycleBeanPostProcessor,可以自动的来调用配置在Spring IOC容器中shiro bean的生命周期方法 -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor">
    </bean>

    <!-- 5.启动呢IOC容器中使用Shiro的注解，但是必须配置在LifecycleBeanPostProcessor之后，才能使用 -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor">
    </bean>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"></property>
    </bean>

    <!-- 6. 配置 ShiroFilter. 
        6.1 id 必须和 web.xml 文件中配置的 DelegatingFilterProxy 
        的 <filter-name> 一致. 若不一致, 则会抛出: NoSuchBeanDefinitionException. 因为 Shiro 会来 
        IOC 容器中查找和 <filter-name> 名字对应的 filter bean. -->
        <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
            <property name="securityManager" ref="securityManager"></property>
            <property name="loginUrl" value="/login.jsp"></property>
            <!--这里直接用Controller里面跳转到成功界面，所以没设置参数-->
            <property name="successUrl" value="/"></property>
            <property name="unauthorizedUrl" value="/"></property>
        <!-- 配置哪些页面需要受保护. 以及访问这些页面需要的权限. 
        1). anon(anonymous) 可以被匿名访问 2). authc(authentication) 
        必须认证(即登录)后才可能访问的页面. 3). logout 登出.4)等等其他的，没用到 我就不写出来了 -->
        <property name="filterChainDefinitions">
            <value>
                /login.jsp=anon
                /login=anon
                /logout=logout
                #表示其他所有的url都需要认证
                /** = authc
            </value>
        </property>

        </bean>
</beans>

3.3springmvc.xml

<context:component-scan base-package="com.wbb.shiro"></context:component-scan>
    <mvc:annotation-driven></mvc:annotation-driven>
    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/"></property>
        <property name="suffix" value=".jsp"></property>
    </bean>

4.自己定义的Realm

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class ShiroRealm extends AuthorizingRealm {

    /**
     * 认证:登录的时候用
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();
        String principal = username;
        String credentials = "";
        /*
         * 因为我这里没连接数据库，所以就自己生成了个密码，仅为了测试用，密码生成在main方法里
         * 两个密码都是123456
         */
        if ("admin".equalsIgnoreCase(username)) {
            credentials = "038bdaf98f2037b31f1e75b5b4c9b26e";
        } else if ("user".equalsIgnoreCase(username)) {
            credentials = "098d2c478e9c11555ce2823231e02ec1";
        }
        String realmName = getName();
        ByteSource salt = ByteSource.Util.bytes(username);
        SimpleAuthenticationInfo info = null;
        info = new SimpleAuthenticationInfo(principal, credentials, salt, realmName);
        return info;
    }

    /**
     * 授权：用到权限的时候调用
     * 
     * @param principals
     * @return
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object principal = principals.getPrimaryPrincipal();

        Set<String> roles = new HashSet<>();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("admin".equals(principal.toString())) {
            roles.add("admin");
            info.setRoles(roles);
            info.addStringPermissions(Arrays.asList("admin:*"));
        } else if ("user".equals(principal.toString())) {
            roles.add("user");
            info.setRoles(roles);
            info.addStringPermissions(Arrays.asList("user:*"));
        }
        return info;
    }

    public static void main(String[] args) {
        String algorithmName = "MD5";
        Object credentials = "123456";
        Object salt = ByteSource.Util.bytes("admin");
        int hashIterations = 1024;
        Object result = new SimpleHash(algorithmName, credentials, salt, hashIterations);
        System.out.println(result);
    }
}

5.login.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1 >Login Page</h1>
<form action="login" >
    Username:<input type="text" name="username"/>
    <br/><br/>
    Password:<input type="password" name="password"/>
    <br/><br/>
    <%
    if(session.getAttribute("message")!=null){
        out.println(session.getAttribute("message"));
    }
    %>
    <input type="submit" value="login"/>
</form>

</body>
</html>

6.success.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>Success!!!<br/>
Welcome:
<shiro:hasRole name="admin">admin</shiro:hasRole>
<shiro:hasPermission name="admin:select">admin:select</shiro:hasPermission>
<shiro:hasRole name="user">user</shiro:hasRole>
<shiro:hasPermission name="user:select">user:select</shiro:hasPermission>
<br/>
<a href="logout">logout</a>
</h1>
</body>
</html>

7.Controller

package com.wbb.shiro.handler;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class ShiroController {

    @RequestMapping("/login")
    public String login(HttpServletRequest request){
        System.out.println("login");
        String username = request.getParameter("username");  
        String password = request.getParameter("password");  
        HttpSession session=request.getSession(true);
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);  
        Subject subject = SecurityUtils.getSubject();  
        try {  
            subject.login(token);  
            if (subject.isAuthenticated()) {  
                session.setAttribute("username", username);
                return "success";  
            } else {  
                return "login";  
            }  
        } catch (Exception e) {  
          session.setAttribute("message", "wrong");
          e.printStackTrace(); 
          return "login";  
        }

    }
}

8.最后，测试一下，运行程序，跳到登录界面

这里写图片描述
输入账号admin 密码123456，登录显示

输入账号user 密码123456，，登录显示

讲到这里，本篇文章到此也就结束了,中间可能存在一些问题,有一些不够严谨完善的地方,希望大家体谅体谅。有问题的话,欢迎大家留意,交流交流。最后附上github地址，github上面是一个比较完整的小项目，权限配置在数据库中。
Github地址为：https://github.com/Albert-WuBinBin/spring-shiro.git