最近开始学习shiro框架,今天用Spring整合了一下,顺便记录一下,方便下次使用。第一次写博客,有写不好的地方,望各位大佬多包容包容。
1.使用Maven进行依赖管理。我们需要在pom.xml加入下面配置:
<properties>
<java.version>1.8</java.version>
<shiro.version>1.3.2</shiro.version>
<spring.version>4.2.4.RELEASE</spring.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>${shiro.version}</version>
</dependency>
<!-- druid -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.0.28</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.21</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
<encoding>UTF-8</encoding>
</configuration>
</plugin>
</plugins>
</build>
2.配置web.xml文件
<!-- Shiro拦截器 -->
<!--这里注意的是,filter-name必须与shiro配置文件里面的拦截器bean的id一致。因为 Shiro 会来 IOC 容器中查找和
<filter-name> 名字对应的 filter bean.-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-shiro.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>springDispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springDispatcherServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>/login.jsp</welcome-file>
</welcome-file-list>
3.1 jdbc.properties连接数据库
这里属性就简单的用了,仅为了连接数据库
driverClassName=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/shiro
username=root
password=Wbb2018.
3.2.spring-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
<!-- 载入jdbc.properties配置文件 -->
<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location" value="classpath:jdbc.properties" />
</bean>
<!-- 连接池,连接数据库 -->
<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
<property name="url" value="${url}"></property>
<property name="username" value="${username}"></property>
<property name="password" value="${password}"></property>
</bean>
<!-- 1.配置SecurityManager-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="cacheManager" ref="cacheManager"></property>
<property name="authenticator" ref="authenticator"></property>
<!-- 一个realm的时候,就用属性<property name="realm" ref="myRealm"/> -->
<!-- 多个realm的时候, 可以用<property name="realms"></property>-->
<property name="realms">
<list>
<ref bean="myRealm"/>
<!-- <ref bean="jdbcRealm"/>-->
</list>
</property>
</bean>
<!-- 2.配置cacheManager,这里我使用的是自带的缓存管理-->
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"></bean>
<!-- 3.配置authenticator -->
<bean id="authenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
<!-- 可以修改多个realm之间的匹配策略,
FirstSuccessfulStrategy:只要有一个Realm验证成功即可,只返回第一个Realm身份验证成功的认证信息,其他的忽略;
默认 AtLeastOneSuccessfulStrategy:只要有一个Realm验证成功即可,和FirstSuccessfulStrategy不同,返回所有Realm身份验证成功的认证信息;
AllSuccessfulStrategy:所有Realm验证成功才算成功,且返回所有 Realm身份验证成功的认证信息,
如果有一个失败就失败了。 -->
<property name="authenticationStrategy">
<bean class="org.apache.shiro.authc.pam.FirstSuccessfulStrategy"></bean>
</property>
</bean>
<!-- 3.1配置realm -->
<!--这个MyRealm是我自己定义的,密码的加密方式和加密次数跟这里要对应,不然匹配不起来-->
<bean id="myRealm" class="com.wbb.shiro.realms.ShiroRealm">
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"></property><!--加密方式-->
<property name="hashIterations" value="1024"></property><!--加密次数-->
</bean>
</property>
</bean>
<!--这个Realm,使用的是shiro自带的JdbcRealm,这个Class类,
自带了很多属性和方法,因为我这里仅仅实现了登录的功能,
使用仅用到authenticationQuery属性,它是这样定义的:
protected String authenticationQuery = DEFAULT_AUTHENTICATION_QUERY;
protected static final String DEFAULT_AUTHENTICATION_QUERY = "select password from users where username = ?";
-->
<!--<bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
<property name="dataSource" ref="dataSource"/>
如果你数据库里面的定义的表,跟class自带的查询使用
到属性不一致的话,你可以自己在这里重新定义select语句,来覆盖 掉自带的select,比如以下:
<property name="authenticationQuery" value="select password from user where name = ?"></property>-->
</bean>
<!-- 4.配置LifecycleBeanPostProcessor,可以自动的来调用配置在Spring IOC容器中shiro bean的生命周期方法 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor">
</bean>
<!-- 5.启动呢IOC容器中使用Shiro的注解,但是必须配置在LifecycleBeanPostProcessor之后,才能使用 -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"></property>
</bean>
<!-- 6. 配置 ShiroFilter.
6.1 id 必须和 web.xml 文件中配置的 DelegatingFilterProxy
的 <filter-name> 一致. 若不一致, 则会抛出: NoSuchBeanDefinitionException. 因为 Shiro 会来
IOC 容器中查找和 <filter-name> 名字对应的 filter bean. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"></property>
<property name="loginUrl" value="/login.jsp"></property>
<!--这里直接用Controller里面跳转到成功界面,所以没设置参数-->
<property name="successUrl" value="/"></property>
<property name="unauthorizedUrl" value="/"></property>
<!-- 配置哪些页面需要受保护. 以及访问这些页面需要的权限.
1). anon(anonymous) 可以被匿名访问 2). authc(authentication)
必须认证(即登录)后才可能访问的页面. 3). logout 登出.4)等等其他的,没用到 我就不写出来了 -->
<property name="filterChainDefinitions">
<value>
/login.jsp=anon
/login=anon
/logout=logout
#表示其他所有的url都需要认证
/** = authc
</value>
</property>
</bean>
</beans>
3.3springmvc.xml
<context:component-scan base-package="com.wbb.shiro"></context:component-scan>
<mvc:annotation-driven></mvc:annotation-driven>
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
4.自己定义的Realm
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
public class ShiroRealm extends AuthorizingRealm {
/**
* 认证:登录的时候用
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
String username = token.getUsername();
String principal = username;
String credentials = "";
/*
* 因为我这里没连接数据库,所以就自己生成了个密码,仅为了测试用,密码生成在main方法里
* 两个密码都是123456
*/
if ("admin".equalsIgnoreCase(username)) {
credentials = "038bdaf98f2037b31f1e75b5b4c9b26e";
} else if ("user".equalsIgnoreCase(username)) {
credentials = "098d2c478e9c11555ce2823231e02ec1";
}
String realmName = getName();
ByteSource salt = ByteSource.Util.bytes(username);
SimpleAuthenticationInfo info = null;
info = new SimpleAuthenticationInfo(principal, credentials, salt, realmName);
return info;
}
/**
* 授权:用到权限的时候调用
*
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
Object principal = principals.getPrimaryPrincipal();
Set<String> roles = new HashSet<>();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
if ("admin".equals(principal.toString())) {
roles.add("admin");
info.setRoles(roles);
info.addStringPermissions(Arrays.asList("admin:*"));
} else if ("user".equals(principal.toString())) {
roles.add("user");
info.setRoles(roles);
info.addStringPermissions(Arrays.asList("user:*"));
}
return info;
}
public static void main(String[] args) {
String algorithmName = "MD5";
Object credentials = "123456";
Object salt = ByteSource.Util.bytes("admin");
int hashIterations = 1024;
Object result = new SimpleHash(algorithmName, credentials, salt, hashIterations);
System.out.println(result);
}
}
5.login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1 >Login Page</h1>
<form action="login" >
Username:<input type="text" name="username"/>
<br/><br/>
Password:<input type="password" name="password"/>
<br/><br/>
<%
if(session.getAttribute("message")!=null){
out.println(session.getAttribute("message"));
}
%>
<input type="submit" value="login"/>
</form>
</body>
</html>
6.success.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<h1>Success!!!<br/>
Welcome:
<shiro:hasRole name="admin">admin</shiro:hasRole>
<shiro:hasPermission name="admin:select">admin:select</shiro:hasPermission>
<shiro:hasRole name="user">user</shiro:hasRole>
<shiro:hasPermission name="user:select">user:select</shiro:hasPermission>
<br/>
<a href="logout">logout</a>
</h1>
</body>
</html>
7.Controller
package com.wbb.shiro.handler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class ShiroController {
@RequestMapping("/login")
public String login(HttpServletRequest request){
System.out.println("login");
String username = request.getParameter("username");
String password = request.getParameter("password");
HttpSession session=request.getSession(true);
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
Subject subject = SecurityUtils.getSubject();
try {
subject.login(token);
if (subject.isAuthenticated()) {
session.setAttribute("username", username);
return "success";
} else {
return "login";
}
} catch (Exception e) {
session.setAttribute("message", "wrong");
e.printStackTrace();
return "login";
}
}
}
8.最后,测试一下,运行程序,跳到登录界面
输入账号admin 密码123456,登录显示
输入账号user 密码123456,,登录显示
讲到这里,本篇文章到此也就结束了,中间可能存在一些问题,有一些不够严谨完善的地方,希望大家体谅体谅。有问题的话,欢迎大家留意,交流交流。最后附上github地址,github上面是一个比较完整的小项目,权限配置在数据库中。
Github地址为:https://github.com/Albert-WuBinBin/spring-shiro.git