Shiro is a lightweight permission-checking framework: small, powerful and easy to integrate.
Without further ado, straight to the point.
First, download the key jars: shiro-core, shiro-spring and shiro-web; you can also pull them in with Maven.
After adding the jars to lib, create a new Java class that extends AuthorizingRealm, the base class through which Shiro performs its main permission checks.
Two methods must be implemented:
1. AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)
   This one manages permissions and roles.
2. AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
   This one validates the login.
The code is below; it only does a simple check, with no database interaction.
package com.wuxing.learn.security;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 11:10:11
 */
public class MyAuthorizeRealm extends AuthorizingRealm {

    public MyAuthorizeRealm() {
        // Permissions are recomputed on every check, so changes take effect immediately.
        setAuthorizationCachingEnabled(false);
        // Only tokens of our custom type are routed to this realm.
        setAuthenticationTokenClass(UserAuthenticationToken.class);
    }

    /* (non-Javadoc)
     * @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Principal stored by this realm at login time: the user name.
        String userName = (String) principals.fromRealm(getName()).iterator().next();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Hard-coded permission assignment; a real application would load this from a database.
        if ("wuxing".equals(userName)) {
            info.addStringPermission("go:r");
            info.addStringPermission("go:a");
            info.addStringPermission("go:e");
            info.addStringPermission("go:d");
        }
        if ("chris".equals(userName)) {
            info.addStringPermission("go:r");
        }
        return info;
    }

    /* (non-Javadoc)
     * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UserAuthenticationToken userToken = (UserAuthenticationToken) token;
        String userName = userToken.getUserName();
        String password = userToken.getPassword();
        // Simple hard-coded check of both accounts, no database involved.
        if (!("wuxing".equals(userName) && "123456".equals(password))
                && !("chris".equals(userName) && "12345".equals(password))) {
            throw new AuthenticationException("User does not exist or the password is wrong");
        }
        // Return the user information; the password is returned as the credentials, which Shiro's
        // default credentials matcher then compares with the credentials carried by the token.
        return new SimpleAuthenticationInfo(userName, password, getName());
    }
}
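The post never shows UserAuthenticationToken, the custom token both the realm and the controller rely on. The class below is an assumed implementation added here, not the author's code: its shape (userName/password fields with getters and setters) is inferred from how the post's code calls it, and the two AuthenticationToken methods are what makes the realm above work, since getPrincipal() is what ends up in principals.fromRealm() and getCredentials() is what Shiro's default SimpleCredentialsMatcher compares with the credentials the realm returns.

```java
package com.wuxing.learn.entity;

import org.apache.shiro.authc.AuthenticationToken;

/**
 * Assumed shape of the post's custom login token (the post does not show it).
 * Shiro only needs the two AuthenticationToken methods; the getters and
 * setters are what the post's realm and controller call.
 */
public class UserAuthenticationToken implements AuthenticationToken {

    private String userName;
    private String password;

    public String getUserName() {
        return userName;
    }

    public void setUserName(String userName) {
        this.userName = userName;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    /** Stored by Shiro as the subject's principal; the realm reads it back with principals.fromRealm(). */
    @Override
    public Object getPrincipal() {
        return userName;
    }

    /**
     * Compared by the default SimpleCredentialsMatcher against the credentials in the
     * SimpleAuthenticationInfo the realm returns; if this returned something other than the
     * password, every login would fail even though the realm itself accepted the user.
     */
    @Override
    public Object getCredentials() {
        return password;
    }
}
```

Because setAuthenticationTokenClass(UserAuthenticationToken.class) is set in the realm, a plain UsernamePasswordToken submitted to this realm would not be accepted; only this token type reaches doGetAuthenticationInfo.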
Then configure Shiro in applicationContext.xml:

    <!-- shiro security -->
    <bean id="myRealm"
        class="com.wuxing.learn.security.MyAuthorizeRealm" />
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="myRealm" />
    </bean>
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="unauthorizedUrl" value="/unauthorized" />
    </bean>
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
    <!-- shiro end -->
    <!-- Support Shiro Annotation -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
    </bean>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>
The first bean defines our custom realm, and the securityManager is pointed at it.
shiroFilter is Shiro's servlet filter; its securityManager property is required, the other properties are optional.
lifecycleBeanPostProcessor hands the lifecycle of Shiro's beans over to Spring.
The last two beans enable the annotation-based checks.
Once that is configured, register shiroFilter in web.xml:
    <!-- shiro -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>*.shtml</url-pattern>
    </filter-mapping>

This configuration needs no further explanation.
The checks themselves follow, with a little help from Spring MVC.
package com.wuxing.learn.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 14:33:02
 */
@Controller
public class LoginController {

    @ResponseBody
    @RequestMapping("login")
    public String login(HttpServletRequest request, HttpServletResponse response) {
        String name = request.getParameter("loginName");
        String password = request.getParameter("password");
        // Wrap the submitted credentials in the custom token the realm expects.
        UserAuthenticationToken userToken = new UserAuthenticationToken();
        userToken.setUserName(name);
        userToken.setPassword(password);
        try {
            // Shiro routes the token to MyAuthorizeRealm.doGetAuthenticationInfo().
            Subject subject = SecurityUtils.getSubject();
            subject.login(userToken);
        } catch (Exception e) {
            return "login fail";
        }
        return "login success";
    }

    // Both accounts hold go:r, so both can reach this method after logging in.
    @ResponseBody
    @RequiresPermissions("go:r")
    @RequestMapping("read")
    public String read(HttpServletRequest request, HttpServletResponse response) {
        return "i read";
    }

    // Only wuxing holds go:e; chris is refused here.
    @ResponseBody
    @RequiresPermissions("go:e")
    @RequestMapping("edit")
    public String edit(HttpServletRequest request, HttpServletResponse response) {
        return "i edit";
    }
}
By giving the two accounts different permissions, we can exercise the different permission checks.
That is roughly the whole process. There is apparently also a way to configure it with shiro.ini, but it does not seem as convenient as code plus annotations, so I did not consider it.
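The realm above compares the submitted password itself and hands the plaintext password back to Shiro as the account's credentials, which is fine for a demo but not how a production realm should look: the realm should only return the stored hash and salt, and let Shiro's HashedCredentialsMatcher do the comparison. The program below is an added example (not the post's code) that rewrites the realm that way and then runs the same two-account permission test without Spring or a servlet container, using a plain DefaultSecurityManager. The package name, the HashedRealmDemo and Account classes, the ACCOUNTS table and the salts are constructed for the example; the user names, passwords and go:* permissions are the post's own.

```java
package com.example.shirodemo; // hypothetical package, not the post's

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

import java.util.*;

public class HashedRealmDemo {

    static final int ITERATIONS = 10000;

    /** One stored account: a salted SHA-256 hash instead of the plaintext password. */
    static final class Account {
        final String salt;
        final String passwordHash;
        final Set<String> permissions;

        Account(String salt, String passwordHash, Set<String> permissions) {
            this.salt = salt;
            this.passwordHash = passwordHash;
            this.permissions = permissions;
        }
    }

    /** Constructed sample "user table" with the post's two accounts; salts are made up for the example. */
    static final Map<String, Account> ACCOUNTS = new HashMap<>();
    static {
        ACCOUNTS.put("wuxing", new Account("salt-w", hash("123456", "salt-w"),
                new HashSet<>(Arrays.asList("go:r", "go:a", "go:e", "go:d"))));
        ACCOUNTS.put("chris", new Account("salt-c", hash("12345", "salt-c"),
                Collections.singleton("go:r")));
    }

    /** What would run once at registration time: hash the password with its salt. */
    static String hash(String password, String salt) {
        return new Sha256Hash(password, ByteSource.Util.bytes(salt), ITERATIONS).toHex();
    }

    /** Same two responsibilities as the post's realm, but the password comparison is left to Shiro. */
    static final class HashedRealm extends AuthorizingRealm {
        HashedRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true); // our stored hashes are hex strings
            setCredentialsMatcher(matcher);
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            String userName = (String) token.getPrincipal();
            Account account = ACCOUNTS.get(userName);
            if (account == null) {
                throw new UnknownAccountException("unknown user");
            }
            // Only the stored hash and salt leave the realm; the matcher hashes the submitted
            // password the same way and compares the two.
            return new SimpleAuthenticationInfo(userName, account.passwordHash,
                    ByteSource.Util.bytes(account.salt), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String userName = (String) principals.getPrimaryPrincipal();
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            Account account = ACCOUNTS.get(userName);
            if (account != null) {
                info.addStringPermissions(account.permissions);
            }
            return info;
        }
    }

    /** Logs in as user/password and reports which permissions the subject holds; empty map = login refused. */
    static Map<String, Boolean> check(String user, String password, String... perms) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
        } catch (AuthenticationException e) {
            return Collections.emptyMap();
        }
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String p : perms) {
            result.put(p, subject.isPermitted(p));
        }
        subject.logout();
        return result;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new HashedRealm()));
        System.out.println("wuxing: " + check("wuxing", "123456", "go:r", "go:e"));
        System.out.println("chris:  " + check("chris", "12345", "go:r", "go:e"));
        System.out.println("chris, wrong password: " + check("chris", "wrong", "go:r"));
    }
}
```

With the Spring setup from the post, the same realm drops in unchanged: keep the myRealm bean and, since the matcher is set in the constructor, no extra XML is needed. The point of the change is that a compromise of the user table now exposes salted hashes rather than passwords, and the realm no longer has to get the comparison right itself.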