spring中集成shiro进行安全管理
shiro是一款轻量级的安全框架,提供认证、授权、加密和会话管理四个基础功能,除此之外也提供了很好的系统集成方案。
下面将它集成到之前的demo中,在之前spring中使用aop配置事务这篇所附代码的基础上进行集成
一、添加jar包引用
修改pom.xml文件,加入:
<!-- security -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cas</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.5</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.5</version>
</dependency>
二、添加过滤器Filter
修改web.xml文件,加入(需要加在Filter比较靠前的位置):
<!-- Shiro过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
三、添加配置文件
在"src/main/resources"代码文件夹中新建文件"spring-context-shiro.xml",内容为:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.0.xsd">
<description>Shiro Configuration</description>
<!-- 加载配置属性文件 -->
<context:property-placeholder ignore-unresolvable="true" location="classpath:demo.properties" />
<!-- 定义安全管理配置 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm" />
<property name="sessionManager" ref="defaultWebSessionManager" />
<!-- <property name="cacheManager" ref="shiroCacheManager" /> -->
</bean>
<bean id="userRealm" class="org.xs.demo1.UserRealm"></bean>
<!-- 自定义会话管理 -->
<bean id="defaultWebSessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<!-- 会话超时时间,单位:毫秒 -->
<property name="globalSessionTimeout" value="86400000" />
<!-- 定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话 -->
<property name="sessionValidationInterval" value="120000"/>
<!-- 定时检查失效的会话 -->
<property name="sessionValidationSchedulerEnabled" value="true"/>
</bean>
<!-- 安全认证过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/hello/login" />
<property name="unauthorizedUrl" value="/hello/login" />
<property name="successUrl" value="/hello/mysql" />
<property name="filterChainDefinitions">
<value>
/hello/login = anon //anon:允许匿名访问
/hello/auth = anon
/hello/* = authc //authc:需要认证才能访问
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
</beans>
四、增加安全认证实现类
在"src/main/java"代码文件夹的"org.xs.demo1"的包下新建"UserRealm.java"
package org.xs.demo1;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Service;
/**
* 安全认证实现类
*/
@Service
public class UserRealm extends AuthorizingRealm {
/**
* 获取授权信息
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//String currentUsername = (String) getAvailablePrincipal(principals);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermission("admin");
return info;
}
/**
* 获取认证信息
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
String username = token.getUsername();
if (username != null && !"".equals(username)) {
return new SimpleAuthenticationInfo("xs", "123", getName());
}
return null;
}
}
五、增加Controller方法
在HelloController类里添加方法:
/**
* 登录页
*/
@RequestMapping("login")
public String login() throws Exception {
return "login";
}
/**
* 登录验证
*/
@RequestMapping("auth")
public String auth(String loginName, String loginPwd) throws Exception {
SecurityUtils.getSecurityManager().logout(SecurityUtils.getSubject());
if(!"xs".equals(loginName) || !"123".equals(loginPwd)) {
return "redirect:/hello/login";
}
UsernamePasswordToken token = new UsernamePasswordToken(loginName, loginPwd);
Subject subject = SecurityUtils.getSubject();
subject.login(token);
return "redirect:/hello/mysql";
}
六、增加login.jsp页面
在WEB-INF的views文件夹中新建"login.jsp"
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
<%
/* 当前基础url地址 */
String path = request.getContextPath();
request.setAttribute("path", path);
%>
</head>
<body>
<form action="${path}/hello/auth" method="post">
登录名称:<input type="text" name="loginName" value="${userInfo.loginName}" />
登录密码:<input type="text" name="loginPwd" value="${userInfo.loginPwd}" />
<input type="submit" class="btn btn-default btn-xs" value="保存" />
</form>
</body>
</html>
七、运行测试
访问"http://localhost:8080/demo1/hello/mysql"的地址,页面会被跳转到登陆页:
输入用户名"xs"和密码"123",然后点击登录,就能跳转到mysql:
实例代码地址:https://github.com/ctxsdhy/cnblogs-example
