Integrating Shiro with the web: once Shiro is integrated into a web project, it works as follows:
1: As above: ShiroFilter intercepts every request before Spring MVC and applies access control to it, checking whether the requested function requires an authenticated identity, a particular role, or a particular permission.
(1): If the user has not authenticated, the request is forcibly redirected to the login page; if the user lacks the required role or permission, the request is redirected to the insufficient-permission page.
(2): If the checks pass, the request's business logic is executed.
Flow: when the client sends a request, it first passes through ShiroFilter and then through the configured filters; if a filter rejects it, the request is redirected to the error page, and if it passes the request is handed on to the DispatcherServlet for handling.
Step 1: import the dependencies
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<!--SpringMvc-->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.6.RELEASE</version>
</dependency>
<!-- Shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<!-- logging -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.12</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.12</version>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.16</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
Step 2: configure springmvc.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<!-- Enable annotation scanning; with use-default-filters="false" only @Controller classes are picked up,
     which is what the include-filter alone does not guarantee -->
<context:component-scan base-package="cn.itcast" use-default-filters="false">
<context:include-filter type="annotation"
expression="org.springframework.stereotype.Controller" />
</context:component-scan>
<!-- Configure the view resolver, which decides where the browser is sent -->
<bean id="internalResourceViewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/pages/" />
<property name="suffix" value=".jsp" />
</bean>
<!-- Static resources -->
<!--<mvc:resources location="/WEB-INF/css/" mapping="/css/**" />
<mvc:resources location="/WEB-INF/images/" mapping="/images/**" />
<mvc:resources location="/WEB-INF/js/" mapping="/js/**" />
<mvc:resources location="/WEB-INF/plugins/" mapping="/plugins/**" />-->
<!-- Enable Spring MVC annotations -->
<mvc:annotation-driven />
</beans>
Step 3: configure web.xml
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>springmvc</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springmvc</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Set up the Shiro environment:
build the access-control layer at the outermost layer of the project
and initialise the Shiro environment at startup -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- At project startup, load shiro.ini from WEB-INF or the classpath,
build the WebSecurityManager and all filter chains used in the configuration; ShiroFilter obtains these filter chains -->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
</web-app>
Step 4: create the shiro.ini file
;[users]
;zhangsan=123,admin
;lisi=456,manager,seller
;wangwu=789,clerk
# -----------------------------------------------------------------------------
# Roles and their permissions
# Predefined permissions: user:query
# user:detail:query
# user:update
# user:delete
# user:insert
# order:update
# ....
;[roles]
;# admin has every permission, written as *
;admin=*
;# clerk has query permissions only
;clerk=user:query,user:detail:query
;# manager has every permission on user
;manager="user:query,insert,update",order:query
[main]
# redirect target when the request is not authenticated
shiro.loginUrl = /user/login
# redirect target when a role or permission check fails
shiro.unauthorizedUrl=/user/perms/error
# redirect target after logout: back to the home page
shiro.redirectUrl=/
# declare the custom Realm
realm04=com.qianfeng.realm.MyRealm
# register the custom Realm with the core controller, the SecurityManager
securityManager.realms=$realm04
[urls]
/user/all = authc,perms["user:query2"]
/user/logout = logout
#/user/login/page = anon
#/user/login/logic = anon
#/user/query = authc
#/user/update = authc,roles["manager","seller"]
#/user/delete = authc, perms["user:update","user:delete"]
#/user/logout = logout
Step 5: a simple login test
package cn.itcast.controller;

import cn.itcast.domain.User;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/user")
public class TestController {
    @RequestMapping("/login")
    public String login(User user) {
        System.out.println("去登陆");
        // ShiroFilter has already bound a Subject to this request thread
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), user.getPassword());
        // throws an AuthenticationException on failure; step 6 turns that into a redirect
        subject.login(token);
        return "success";
    }
}
Note this line: Subject subject = SecurityUtils.getSubject();
Previously we had to obtain the SecurityManager and set it into SecurityUtils before a Subject could be obtained.
Now the Subject can be obtained directly, because when ShiroFilter runs it binds a Subject and the SecurityManager to the current thread for use within the request: the SecurityManager is placed into SecurityUtils, and the Subject can be obtained from there. In other words, once ShiroFilter is configured we can obtain the Subject directly.
Creating the entity bean and the pages is straightforward and is not shown here.
Step 6: when the username or password is wrong, redirect to the login page by writing an exception resolver:
package cn.itcast.exception;

import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Must be registered as a bean in springmvc.xml so that DispatcherServlet consults it;
// the component scan above only includes @Controller classes.
public class MyExceptionResolver implements HandlerExceptionResolver {
    @Override
    public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {
        System.out.println(ex.getClass());
        ex.printStackTrace(); // required during development
        if (ex instanceof IncorrectCredentialsException || ex instanceof UnknownAccountException) {
            // wrong password or unknown user: send the browser back to the login page
            ModelAndView mv = new ModelAndView();
            mv.setViewName("redirect:/user/login");
            return mv; // returning null here would discard the redirect
        }
        return null; // not an authentication failure: let the next resolver handle it
    }
}
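The following stand-alone program is an added example, not code from the tutorial: it loads an Ini built from the [users]/[roles] sections that step 4 keeps commented out, performs the same login call as TestController in step 5, catches the two exceptions MyExceptionResolver in step 6 redirects on, and then asks the same isPermitted question the perms[...] filter in [urls] asks. The class name ShiroIniCheck and the ini text are constructed for this example; it needs only the shiro-core dependency from step 1.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;

public class ShiroIniCheck {
    // Constructed ini text: the [users]/[roles] sections the tutorial keeps commented out.
    static final String INI = "[users]\nzhangsan=123,admin\nlisi=456,manager,seller\nwangwu=789,clerk\n"
        + "[roles]\nadmin=*\nclerk=user:query,user:detail:query\n"
        + "manager=\"user:query,insert,update\",order:query\n";

    // Same call sequence as TestController.login; the two exceptions MyExceptionResolver
    // redirects on are reported as strings here instead of propagating.
    static String login(String username, String password) {
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
            return "ok";
        } catch (UnknownAccountException e) {
            return "unknown account";
        } catch (IncorrectCredentialsException e) {
            return "wrong password";
        } catch (AuthenticationException e) {
            return "auth failed: " + e.getClass().getSimpleName();
        }
    }

    // The check a perms["..."] entry in [urls] makes before letting a request through.
    static boolean can(String permission) {
        return SecurityUtils.getSubject().isPermitted(permission);
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        // Deprecated since 1.4 but still shipped; in the web app EnvironmentLoaderListener and ShiroFilter do this.
        SecurityUtils.setSecurityManager(new IniSecurityManagerFactory(ini).getInstance());
        System.out.println("wangwu/000 -> " + login("wangwu", "000"));
        System.out.println("nobody/123 -> " + login("nobody", "123"));
        System.out.println("wangwu/789 -> " + login("wangwu", "789"));
        // clerk holds only user:query and user:detail:query; user:query2 is what /user/all demands
        System.out.println("clerk user:query=" + can("user:query") + " user:query2=" + can("user:query2"));
        SecurityUtils.getSubject().logout();
        System.out.println("lisi/456 -> " + login("lisi", "456"));
        // "user:query,insert,update" is one wildcard permission listing three actions
        System.out.println("manager user:insert=" + can("user:insert") + " user:delete=" + can("user:delete"));
        SecurityUtils.getSubject().logout();
        System.exit(0); // the session-validation thread would otherwise keep the JVM alive
    }
}
```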