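Shiro configuration

Shiro is a lightweight authorization and authentication framework: small, powerful, and easy to integrate.


Without further ado, let's get to the point.

First, download the key jars: shiro-core, shiro-spring and shiro-web. You can also pull them in with Maven.

After adding the jars to lib, first create a new Java class that extends AuthorizingRealm, Shiro's main entry point for permissions.

Two methods have to be implemented:

1. AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)

This one manages permissions and roles.

2. AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)

This one performs the login check.

The code follows; it only does a simple check and does not involve any database interaction.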

package com.wuxing.learn.security;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 11:10:11 AM
 *
 */
public class MyAuthorizeRealm extends AuthorizingRealm{

	
	public MyAuthorizeRealm(){
		setAuthorizationCachingEnabled(false);
		setAuthenticationTokenClass(UserAuthenticationToken.class);
	}
	
	/* (non-Javadoc)
	 * @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(
			PrincipalCollection principals) {
		
		String userName = (String) principals.fromRealm(getName()).iterator()
				.next();// get the logged-in user name
		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
		if("wuxing".equals(userName)){
			info.addStringPermission("go:r");
			info.addStringPermission("go:a");
			info.addStringPermission("go:e");
			info.addStringPermission("go:d");
		}
		if("chris".equals(userName)){
			info.addStringPermission("go:r");
		}
		return info;
	}

	/* (non-Javadoc)
	 * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken token) throws AuthenticationException {
		UserAuthenticationToken userToken = (UserAuthenticationToken) token;
		
		String userName = userToken.getUserName();
		String password = userToken.getPassword();

		if (!("wuxing".equals(userName) && "123456".equals(password)) && !(("chris".equals(userName)) && ("12345".equals(password)))) {
			throw new AuthenticationException("用户不存在或存在错误");
		}
		return new SimpleAuthenticationInfo(userName, password, getName()); // set the user info
	}

}
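
The realm above compares plaintext passwords itself. The following added example (not the original author's code) stores password hashes and lets Shiro's PasswordMatcher do the comparison; it assumes Shiro 1.x, uses the standard UsernamePasswordToken instead of the post's UserAuthenticationToken, and the class name HashedDemoRealm is hypothetical:

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// Hypothetical realm name; assumes Shiro 1.x (shiro-core) on the classpath.
public class HashedDemoRealm extends AuthorizingRealm {
    // Constructed stand-in for a user table: user name -> stored password hash.
    private final Map<String, String> storedHashes = new HashMap<String, String>();

    public HashedDemoRealm() {
        DefaultPasswordService passwords = new DefaultPasswordService();
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwords);
        setCredentialsMatcher(matcher); // Shiro, not the realm, compares credentials
        storedHashes.put("wuxing", passwords.encryptPassword("123456"));
        storedHashes.put("chris", passwords.encryptPassword("12345"));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String userName = ((UsernamePasswordToken) token).getUsername();
        String hash = storedHashes.get(userName);
        if (hash == null) throw new UnknownAccountException("unknown account");
        // Hand back the stored hash only; the PasswordMatcher checks the submitted password.
        return new SimpleAuthenticationInfo(userName, hash, getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // authorization is not part of this example
    }

    public static void main(String[] args) {
        HashedDemoRealm realm = new HashedDemoRealm();
        realm.getAuthenticationInfo(new UsernamePasswordToken("chris", "12345"));
        System.out.println("correct password accepted");
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("chris", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```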

Then configure Shiro in applicationContext.xml.

<!-- shiro security -->
	<bean id="myRealm"
		class="com.wuxing.learn.security.MyAuthorizeRealm" />

	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<property name="realm" ref="myRealm" />
	</bean>

	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<property name="securityManager" ref="securityManager" />
		<property name="unauthorizedUrl" value="/unauthorized" />
	</bean>

	<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
	<!-- shiro end -->
	
	<!-- Support Shiro Annotation -->
	<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
	</bean>
	
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
	    <property name="securityManager" ref="securityManager" />
	</bean>

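The first bean defines our custom realm, and securityManager is pointed at it.

shiroFilter is Shiro's filter. Its securityManager property is required; the other properties are optional.

lifecycleBeanPostProcessor lets Spring manage the lifecycle of Shiro's objects.

The last two beans are for annotation support.


Once that is configured, declare shiroFilter in web.xml.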

<!-- shiro -->
	<filter>
		<filter-name>shiroFilter</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
		<init-param>
			<param-name>targetFilterLifecycle</param-name>
			<param-value>true</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>shiroFilter</filter-name>
		<url-pattern>*.shtml</url-pattern>
	</filter-mapping>
This configuration needs little explanation.


The checks themselves are below, with Spring MVC helping out.

package com.wuxing.learn.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 2:33:02 PM
 *
 */
@Controller
public class LoginController {
	
	@ResponseBody
	@RequestMapping("login")
	public String login(HttpServletRequest request, HttpServletResponse response){
		String name = request.getParameter("loginName");
		String password = request.getParameter("password");
		UserAuthenticationToken userToken = new UserAuthenticationToken();
		userToken.setUserName(name);
		userToken.setPassword(password);
		try {
			Subject subject = SecurityUtils.getSubject();
			subject.login(userToken);
		} catch (Exception e) {
			return "login fail";
		}
		return "login success";
	}
	
	@ResponseBody
	@RequiresPermissions("go:r")
	@RequestMapping("read")
	public String read(HttpServletRequest request, HttpServletResponse response){
		return "i read";
	}
	
	@ResponseBody
	@RequiresPermissions("go:e")
	@RequestMapping("edit")
	public String edit(HttpServletRequest request, HttpServletResponse response){
		return "i edit";
	}
}

The two accounts are given different permissions, so each endpoint verifies a different permission.
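
With annotation checks, a denied call surfaces as an exception rather than a redirect to unauthorizedUrl, which Shiro applies only to filter-chain rules. An added example (not from the original post) that maps those exceptions to 401 and 403 responses, assuming Spring 3.2+ for @ControllerAdvice; the class name ShiroExceptionAdvice and the response strings are hypothetical:

```java
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;

// Hypothetical class name; must live in a package scanned by Spring MVC.
@ControllerAdvice
public class ShiroExceptionAdvice {

    // No logged-in Subject: the @RequiresPermissions check throws UnauthenticatedException.
    @ExceptionHandler(UnauthenticatedException.class)
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    @ResponseBody
    public String notLoggedIn() {
        return "login required";
    }

    // Logged in but lacking the permission, e.g. chris calling edit ("go:e").
    @ExceptionHandler(UnauthorizedException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    @ResponseBody
    public String forbidden() {
        return "permission denied";
    }
}
```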


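That is roughly the whole process. It seems Shiro can also be configured through shiro.ini, but that feels less convenient than code plus annotations, so I did not consider it.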


