SpringMVC集成shrio框架
2016-06-28 15:15
441 查看
使用SHIRO的步骤:
1,导入jar
2,配置web.xml
3,建立dbRelm
4,在Spring中配置
添加所需jar包:
<!--Apache Shiro所需的jar包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.2</version>
</dependency>
</dependencies>
web.xml中配置shrio的过滤器:
<!-- Shiro配置 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
权限控制类:
在spring的配置文件中配置:新建spring-shrio.xml文件:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- 配置权限管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- ref对应我们写的realm MyShiro -->
<property name="realm" ref="myShiro"/>
<!-- 使用下面配置的缓存管理器 -->
<property name="cacheManager" ref="cacheManager"/>
</bean>
<!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- 调用我们配置的权限管理器 -->
<property name="securityManager" ref="securityManager"/>
<!-- 配置我们的登录请求地址 -->
<property name="loginUrl" value="/login"/> <!--login方法我们自定义一个控制器-->
<!-- 配置我们在登录页登录成功后的跳转地址,如果你访问的是非/login地址,则跳到您访问的地址 -->
<property name="successUrl" value="/main"/>
<!-- 如果您请求的资源不再您的权限范围,则跳转到/unauthorized请求地址 -->
<property name="unauthorizedUrl" value="/unauthorized"/>
<!-- 权限配置 -->
<property name="filterChainDefinitions">
<value>
<!-- anon表示此地址不需要任何权限即可访问 -->
/static/**=anon
<!-- perms[user:query]表示访问此连接需要权限为user:query的用户 -->
/user=perms[user:query]
<!-- roles[manager]表示访问此连接需要用户的角色为manager -->
/user/add=roles[manager]
/user/del/**=roles[admin]
/user/edit/**=roles[manager]
<!--所有的请求(除去配置的静态资源请求或请求地址为anon的请求)都要通过登录验证,如果未登录则跳到/login-->
/** = authc
</value>
</property>
</bean>
<bean id="myShiro" class="ShrioRealm"/><!--权限控制类的全类名-->
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
</beans>
对于登录,未授权,错误的请求url写上请求控制处理方法:
1,导入jar
2,配置web.xml
3,建立dbRelm
4,在Spring中配置
添加所需jar包:
<!--Apache Shiro所需的jar包-->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.2</version>
</dependency>
</dependencies>
web.xml中配置shrio的过滤器:
<!-- Shiro配置 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
权限控制类:
public class ShiroRealm extends AuthorizingRealm { private static final Logger log = Logger.getLogger(ShiroRealm.class); @Autowired private SysUsersService userService; @Autowired private SysUserRolesService userRoleService; @Autowired private SysRolePermissionsService sysRolePermissionsService; @Autowired private SysPermissionsService sysPermissionsService; /** * 为当前登录的Subject授予角色和权限 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { // 获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next() String currentUsername = (String) super.getAvailablePrincipal(principals); List<String> roleList = new ArrayList<String>(); List<String> permissionList = new ArrayList<String>(); // 从数据库中获取当前登录用户的详细信息 // roleList.add("admin"); SysUsers user = userService.getUserByUsername(currentUsername); if(null != user){ //超级用户直接获取所有权限 if(user.getIsAdministrator()==1){ List<SysPermissions> pList = sysPermissionsService.getAll(); if(pList!=null && pList.size()>0){ for (SysPermissions p: pList) { permissionList.add(p.getPermissionKey()); } } }else { //获取用户角色列表 List<SysUserRoles> roles = userRoleService.getUserRolesByUserName(currentUsername); List<Integer> roleIdList = new ArrayList<>(); if (roles != null&&roles.size()>0) { for (SysUserRoles role : roles) { System.out.println(role.getRoleKey()); log.debug("授予角色>>>" + role.getRoleKey()); roleList.add(role.getRoleKey()); roleIdList.add(role.getRoleId()); } } //获取用户权限列表 List<SysRolePermissions> permissionsList = sysRolePermissionsService.getPermissionsByRoleIds(roleIdList); if (permissionsList != null && permissionsList.size() > 0) { for (SysRolePermissions pmss : permissionsList) { if (!StringUtils.isBlank(pmss.getPermissionKey())) { log.debug("授予权限>>>>" + pmss.getPermissionKey()); permissionList.add(pmss.getPermissionKey()); } } } } }else { throw new AuthorizationException(); } // if (null != user) { // // 实体类User中包含有用户角色的实体类信息 // if (null != user.getRoles() && user.getRoles().size() > 0) { // // 获取当前登录用户的角色 // for (Role role : user.getRoles()) { // if (!StringUtils.isBlank(role.getName())) { // log.debug("授予角色>>>" + role.getName()); // roleList.add(role.getName()); // } // } // } // // 实体类User中包含有角色权限的实体类信息 // if (null != user.getPermissions() && user.getPermissions().size() > 0) { // for (Permission pmss : user.getPermissions()) { // if (!StringUtils.isBlank(pmss.getPermission())) { // log.debug("授予权限>>>>" + pmss.getPermission()); // permissionList.add(pmss.getPermission()); // } // } // } // } else { // throw new AuthorizationException(); // } // 为当前用户设置角色和权限 SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo(); simpleAuthorInfo.addRoles(roleList); simpleAuthorInfo.addStringPermissions(permissionList); return simpleAuthorInfo; } /** * 验证当前登录的Subject * 认证回调函数,登录时调用. */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException { // 获取基于用户名和密码的令牌 UsernamePasswordToken token = (UsernamePasswordToken) authcToken; SysUsers user = userService.getUserByUsername(token.getUsername()); AuthenticationInfo authcInfo = null; if (user == null) { throw new UnknownAccountException();// 未知账户 } else if(!user.getPassword().equals(ParseMD5.parseStrToMd5L32(String.valueOf(token.getPassword())))){ throw new UnknownAccountException();// 账户密码错误,与管理员联系 } else if (user.getStatus() == 0) { throw new LockedAccountException();// 账户已锁定,与管理员联系 } else { authcInfo = new SimpleAuthenticationInfo(user.getUsername(), token.getPassword(), getName()); this.setSession("currentUser", user.getUsername()); } return authcInfo; } /** * 更新授权信息缓存 */ public void clearCachedAuthorizationInfo(String principal) { SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName()); clearCachedAuthorizationInfo(principals); } /** * ShiroSession设置 * * @see 使用时直接用HttpSession.getAttribute(key)就可以取到 */ private void setSession(Object key, Object value) { Subject currentUser = SecurityUtils.getSubject(); if (null != currentUser) { Session session = currentUser.getSession(); if (null != session) { session.setAttribute(key, value); } } } }
在spring的配置文件中配置:新建spring-shrio.xml文件:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- 配置权限管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- ref对应我们写的realm MyShiro -->
<property name="realm" ref="myShiro"/>
<!-- 使用下面配置的缓存管理器 -->
<property name="cacheManager" ref="cacheManager"/>
</bean>
<!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- 调用我们配置的权限管理器 -->
<property name="securityManager" ref="securityManager"/>
<!-- 配置我们的登录请求地址 -->
<property name="loginUrl" value="/login"/> <!--login方法我们自定义一个控制器-->
<!-- 配置我们在登录页登录成功后的跳转地址,如果你访问的是非/login地址,则跳到您访问的地址 -->
<property name="successUrl" value="/main"/>
<!-- 如果您请求的资源不再您的权限范围,则跳转到/unauthorized请求地址 -->
<property name="unauthorizedUrl" value="/unauthorized"/>
<!-- 权限配置 -->
<property name="filterChainDefinitions">
<value>
<!-- anon表示此地址不需要任何权限即可访问 -->
/static/**=anon
<!-- perms[user:query]表示访问此连接需要权限为user:query的用户 -->
/user=perms[user:query]
<!-- roles[manager]表示访问此连接需要用户的角色为manager -->
/user/add=roles[manager]
/user/del/**=roles[admin]
/user/edit/**=roles[manager]
<!--所有的请求(除去配置的静态资源请求或请求地址为anon的请求)都要通过登录验证,如果未登录则跳到/login-->
/** = authc
</value>
</property>
</bean>
<bean id="myShiro" class="ShrioRealm"/><!--权限控制类的全类名-->
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
</beans>
对于登录,未授权,错误的请求url写上请求控制处理方法:
package net.lcheng.manage.controller; import net.lcheng.commons.utils.ParseMD5; import net.lcheng.manage.utils.ControllerUtils; import net.lcheng.manage.vo.PasswordModel; import net.lcheng.model.SysUsers; import net.lcheng.service.SysPermissionsService; import net.lcheng.service.SysUsersService; import org.apache.shiro.SecurityUtils; import org.apache.shiro.subject.Subject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.validation.BindingResult; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import javax.validation.Valid; @Controller public class HomeController { @Autowired private SysUsersService usersService; @Autowired private SysPermissionsService permissionsService; @RequestMapping("/main") // @RequiresRoles("admin") // @RequiresPermissions("user:create") public String main(Model model) throws Exception { ControllerUtils.common(model,permissionsService,""); return "main"; } /**权限不足错误页面*/ @RequestMapping("/unauthorized") public String unauthorized(Model model){ Subject currentUser = SecurityUtils.getSubject();//获取当前用户 if(currentUser.isAuthenticated()) { model.addAttribute("userName",currentUser.getPrincipals()); } return "unauthorized"; } /**错误页面*/ @RequestMapping("/error") public String error(Model model){ Subject currentUser = SecurityUtils.getSubject();//获取当前用户 if(currentUser.isAuthenticated()) { model.addAttribute("userName",currentUser.getPrincipals()); } return "error"; } @RequestMapping(value = "/change_pwd",method = RequestMethod.GET) public String changePwd(Model model){ model.addAttribute("PasswordModel",new PasswordModel()); ControllerUtils.common(model,permissionsService,""); return "change_pwd"; } @RequestMapping(value = "/change_pwd",method = RequestMethod.POST) public String changePwdPost(Model model,@Valid @ModelAttribute("PasswordModel") PasswordModel user, BindingResult result){ Subject currentUser = SecurityUtils.getSubject();//获取当前用户 ControllerUtils.common(model,permissionsService,""); if (result.hasErrors()) { return "change_pwd"; } SysUsers sysUser = usersService.getUserByUsername(currentUser.getPrincipals().toString()); if(sysUser!=null) { if(!sysUser.getPassword().equals(ParseMD5.parseStrToMd5L32(user.getOldPwd()))){ model.addAttribute("error", "原密码错误"); return "change_pwd"; } if(!user.getNewPwd().equals(user.getRePwd())){ model.addAttribute("error", "二次密码不一致"); return "change_pwd"; } if(ParseMD5.parseStrToMd5L32(user.getNewPwd()).equals(ParseMD5.parseStrToMd5L32(user.getOldPwd()))){ model.addAttribute("error", "新密码和原密码一样"); return "change_pwd"; } usersService.changePassword(sysUser.getId(), ParseMD5.parseStrToMd5L32(user.getNewPwd())); model.addAttribute("error", "密码修改成功,请使用新密码重新登录!"); }else{ model.addAttribute("error", "用户不存在"); } return "change_pwd"; } }
package net.lcheng.manage.controller; import net.lcheng.commons.utils.ParseMD5; import net.lcheng.manage.vo.LoginEntity; import net.lcheng.model.SysUsers; import net.lcheng.service.SysUsersService; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.validation.BindingResult; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import javax.validation.Valid; /** * Created by qiliping on 15/12/1. * 登录Controller */ @Controller public class LoginController { @Autowired private SysUsersService sysUsersService; /** * 登录GET */ @RequestMapping(value = "/login", method = RequestMethod.GET) public String Index(Model model) { if (!model.containsAttribute("LoginEntity")) { model.addAttribute("LoginEntity", new LoginEntity()); } return "login"; } /*** * 用户登陆 * <p>注解配置,只允许POST提交到该方法 * * @param username * @param password * @return */ @RequestMapping(value = "/login", method = RequestMethod.POST) public String login(Model model, @Valid @ModelAttribute("LoginEntity") LoginEntity user, BindingResult result) { if (result.hasErrors()) { return "login"; } SysUsers userModel = sysUsersService.getUserByUsername(user.getUsername()); if (userModel != null) { String inputPwd = ParseMD5.parseStrToMd5L32(user.getPassword()); if (!userModel.getPassword().equals(inputPwd)) { model.addAttribute("error", "登录密码错误"); return "login"; } if (userModel.getStatus() != 1) { model.addAttribute("error", "无效的用户"); return "login"; } //登录成功 SecurityUtils.getSubject().login(new UsernamePasswordToken(user.getUsername(), user.getPassword())); return "redirect:/main"; } else { model.addAttribute("error", "用户不存在"); return "login"; } } /*** * 退出 * @param model * @return */ @RequestMapping(value = "logout") public String logout(Model model) { SecurityUtils.getSubject().logout(); return "redirect:/login"; } /*** * 验证参数是否为空 * * @param params * @return */ private boolean checkParams(String[] params) { for (String param : params) { if (param == "" || param == null || param.isEmpty()) { return false; } } return true; } }
相关文章推荐
- Spring Bean的作用域类型
- JavaWEB 生成网页验证码
- java服务器
- Java中自定泛型方法
- java性能优化
- java中List Set Map使用
- MyEclipse简单设置
- SpringMVC中的@PathVariable
- 面向对象之instanceof
- spring boot 配置MyBatis,支持多个数据源和分页插件
- Java中的this关键字
- Java web学习笔记之二——编写Servlet
- 25匹马赛跑问题
- Java多线程
- spring中bean生命周期
- java 读取xml
- java_常用数据类型转换基础篇
- java pio项目使用
- 在myeclipse中安装JBOSS(转载)
- Java中的HashCode(2)之Hashset造成的内存泄露