第一步在maven中添加
<!-- Shiro dependencies: shiro-all, shiro-web, shiro-spring -->
<!-- NOTE(review): 1.2.5 is an old Shiro release. Before copying these coordinates, check the
     Apache Shiro security advisories and pin a currently maintained version, keeping all
     three artifacts on the same version. -->
<!-- NOTE(review): shiro-all is the aggregate artifact, so declaring shiro-web and shiro-spring
     beside it is probably redundant; confirm against the resolved dependency tree. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.5</version>
</dependency>
第二步,找到web.xml配置spring的动态代理filter
<!-- Spring's DelegatingFilterProxy forwards each request to the Spring bean whose id equals the
     filter-name, so "ShiroFilter" must match the id of the ShiroFilterFactoryBean bean defined
     in spring-shiro.xml. -->
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- NOTE(review): the url-pattern value is missing on this page. Requests that this mapping does
     not cover never reach Shiro, so no rule in filterChainDefinitions is applied to them. -->
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>
第三步,配置spring-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- 1: the Spring/Shiro integration file has to define the ShiroFilter bean; its id is the name
     that the DelegatingFilterProxy in web.xml looks up. -->
<bean id="ShiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- NOTE(review): the securityManager bean referenced here is not part of the configuration shown on this page. -->
<property name="securityManager" ref="securityManager" />
<!-- Login URL that unauthenticated requests are redirected to; it must be reachable over HTTP.
     Unless a different address is set on FormAuthenticationFilter, this is also the URL that
     filter treats as the authentication address. -->
<property name="loginUrl" value="/login/toLogin" />
<!-- URL that requests are sent to when the subject lacks the required permission -->
<property name="unauthorizedUrl" value="/login/noauth" />
<!-- Shiro filter (interceptor) configuration -->
<!-- Interception rules available in the chain definitions:
authc   the request is allowed only after authentication has succeeded
anon    no login and no permission check
user    the request is allowed for a logged-in subject
logout  logs the subject out; no custom logout handler has to be written
NOTE(review): in Shiro, "user" also admits a subject recognised through remember-me, whereas
"authc" requires a login in the current session; prefer authc on sensitive paths.
-->
<!-- Filter chain definitions. The Shiro filter also intercepts static resources, so static
     resources have to be given rules here. -->
<!-- NOTE(review): Shiro applies the first matching line, so specific paths must come before any
     catch-all pattern, and every anon entry is reachable without login and should be kept as
     narrow as possible. The definitions are cut off after "/login" on this page. -->
<property name="filterChainDefinitions">
<value>
/login
第四步,配置web.xml
<!-- Spring MVC front controller (DispatcherServlet) -->
<servlet>
<servlet-name>dispactherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<!-- Location of the Spring MVC context file loaded by this servlet -->
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:spring/springmvc.xml</param-value>
</init-param>
<!-- Initialise the servlet when the application starts instead of on the first request -->
<load-on-startup>1</load-on-startup>
</servlet>
在处理登录的controller中
// Obtain the Shiro Subject for the current caller.
Subject subject= SecurityUtils.getSubject();
// Wrap the submitted login name and password (vo is presumably the bound login form object).
UsernamePasswordToken token=new UsernamePasswordToken(vo.getLoginName(),vo.getPassword());
// Hands the token to the configured realm; a failed login surfaces as an exception,
// which this first version of the snippet does not handle.
subject.login(token);
这个时候到哪里了?到我们的UserRealm。创建一个 UserRealm 继承 AuthorizingRealm 抽象类,重写两个方法。这里我们先在登录认证的方法里写下登录认证的逻辑:
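/**
 * Authenticates a login attempt for this realm.
 *
 * <p>The submitted password is passed through {@code SHA1Util.encode} and the user is looked up
 * by login name and that encoded password via
 * {@code userService.findUserByLoginNameAndPassword}.
 *
 * <p>NOTE(review): SHA1Util is a project helper that is not shown here; judging by its name it
 * produces a plain SHA-1 digest. A fast, unsalted digest is not suitable for storing passwords.
 * Prefer a salted, iterated password hash, and let the realm's CredentialsMatcher compare it.
 *
 * @author sunflower
 * @param authenticationToken the token handed to {@code Subject.login}; cast to
 *     {@code UsernamePasswordToken}
 * @return authentication info whose principal is the matching {@code SysUser}
 * @throws AuthenticationException an {@code AccountException} with message "2" when the token
 *     carries no login name or password, or when no user matches
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
    char[] submittedPassword = token.getPassword();
    if (token.getUsername() == null || submittedPassword == null) {
        // A token built from missing form fields carries nulls. Report that as an ordinary
        // login failure instead of letting new String(null) throw a NullPointerException.
        throw new AccountException("2");
    }

    LoginVo vo = new LoginVo();
    vo.setPassword(SHA1Util.encode(new String(submittedPassword)));
    vo.setLoginName(token.getUsername());

    SysUser user = userService.findUserByLoginNameAndPassword(vo);
    if (user == null) {
        throw new AccountException("2");
    }

    // NOTE(review): the credentials returned to Shiro are the ones the caller just submitted,
    // so the CredentialsMatcher compares the password with itself. The password check rests
    // entirely on the lookup above. Returning the stored hash (and salt) would let Shiro verify it.
    // NOTE(review): the whole SysUser becomes the principal; if that object carries the stored
    // password, use a slimmer principal. Verify against SysUser's fields.
    return new SimpleAuthenticationInfo(user, submittedPassword, getName());
}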
登录成功返回了AuthenticationInfo对象,登录失败抛出一个异常,那我们在登录的controller中进行捕获
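// Attempt the login. The success path below runs only when subject.login() returned normally;
// previously a failed login fell through and still wrote the success code.
boolean authenticated = false;
try {
    subject.login(token);
    authenticated = true;
} catch (Exception e) {
    // Send the fixed failure code "2" (the code the realm puts into its AccountException)
    // instead of echoing e.getMessage(): exception text is internal detail, and a null
    // message would make write(String) fail.
    // NOTE(review): record e with the project's logger so failed logins stay visible server-side.
    response.getWriter().write("2");
}
if (authenticated) {
    SysUser user = (SysUser) SecurityUtils.getSubject().getPrincipal();
    // NOTE(review): nothing visible here renews the session id after login. Consider
    // invalidating the pre-login session and creating a new one before storing the user.
    request.getSession().setAttribute("user", user);
    // write(int) emits the character with code point 3, not the digit; the result code is
    // presumably meant as the text "3", matching the textual failure code.
    response.getWriter().write("3");
}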
这样的话,我们的登录认证就写完了,下面来写授权的逻辑。
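/**
 * Builds the roles and permission strings Shiro uses for authorization checks on a subject.
 *
 * <p>The role name comes from {@code userService.findRoleByRoleId}; the permission strings are
 * the menu keys returned by {@code userService.findMenusById}.
 *
 * @param principalCollection principals of the subject; the primary principal is cast to
 *     {@code SysUser}
 * @return authorization info holding the role name and menu keys that were found; missing
 *     role or menu data results in no grant rather than an exception
 */
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SysUser user = (SysUser) principalCollection.getPrimaryPrincipal();

    // A user whose role row is missing gets no role at all (deny by default) instead of
    // failing with a NullPointerException.
    Role role = userService.findRoleByRoleId(user.getRoleId());
    List<String> roleNames = new ArrayList<>();
    if (role != null && role.getRoleEnglishName() != null) {
        roleNames.add(role.getRoleEnglishName());
    }

    List<Menu> menus = userService.findMenusById(user.getId());
    List<String> permissions = new ArrayList<>();
    if (menus != null) {
        for (Menu menu : menus) {
            String key = menu == null ? null : menu.getMenuKey();
            // Skip menus without a key: a null or blank permission string cannot be turned
            // into a usable permission and would only fail later during a check.
            if (key != null && !key.trim().isEmpty()) {
                permissions.add(key);
            }
        }
    }

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.addRoles(roleNames);
    info.addStringPermissions(permissions);
    return info;
}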
启动项目,大功告成。
接下来,说一下shiro的退出,不需要自己开发,只需要定义退出的路径就可以了。在spring-shiro.xml的filterChainDefinitions中加上一行 /logout = logout