ssm整合shiro实现认证授权
ssm整合shiro实现认证授权
1、导包
<!-- Apache Shiro, pulled in through the all-in-one artifact.
     NOTE(review): the version is pinned to 1.3.2. Check the Apache Shiro security
     reports for this release line and build against a currently maintained version.
     shiro-all bundles every Shiro module; depending only on the modules in use
     (for example shiro-core, shiro-web, shiro-spring) keeps the dependency surface smaller. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-all</artifactId>
    <version>1.3.2</version>
</dependency>
2、配置web.xml
<!-- Shiro servlet filter. DelegatingFilterProxy looks up a bean in the Spring IoC container
     whose name equals the filter-name, so "shiroFilter" must stay identical to the id of the
     ShiroFilterFactoryBean in applicationContext.xml.
     NOTE(review): no dispatcher elements are declared, so this mapping applies to normal
     request dispatches only. Declare this mapping ahead of other filter mappings so that
     requests pass through Shiro first; confirm against the complete web.xml. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <!-- targetFilterLifecycle=true: the proxy forwards the servlet filter lifecycle calls to the target bean -->
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Every URL goes through the Shiro filter; which paths need a login is decided by
     filterChainDefinitions on the shiroFilter bean. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
3、配置applicationContext.xml
- 配置DefaultWebSecurityManager
  - 注入认证器
  - 注入数据域(Realm)
- 配置认证器
  - 配置数据域的策略
- 配置数据域
- 配置shiro bean的后置处理器
- 配置shiro过滤器的bean
<!-- SecurityManager used by the web filter and by the annotation advisor.
     NOTE(review): keep the authenticator property ahead of the realm property. Shiro hands the
     configured realms to the authenticator when the realm is set; confirm this against the
     Shiro version in use. -->
<bean id="defaultWebSecurityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- inject the authenticator -->
    <property name="authenticator" ref="modularrealmauthenticator"/>
    <!-- inject the realm (the single source of accounts and roles) -->
    <property name="realm" ref="userRealm"/>
</bean>
<!-- Custom realm (com.yl.realm.UserRealm).
     NOTE(review): no credentialsMatcher is set on this bean, so the realm falls back to Shiro's
     default matcher, which compares credentials as plain values. If passwords are stored hashed,
     configure a HashedCredentialsMatcher here and let the realm return the stored hash. -->
<bean id="userRealm" class="com.yl.realm.UserRealm"></bean>
<!-- Authenticator that delegates the login attempt to the configured realm(s). -->
<bean id="modularrealmauthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
    <!-- Strategy applied when several realms are consulted: at least one realm must succeed.
         Only one realm (userRealm) is wired into the security manager in this file, so the
         choice of strategy makes no practical difference until a second realm is added. -->
    <property name="authenticationStrategy">
        <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>
    </property>
</bean>
<!-- LifecycleBeanPostProcessor: automatically calls the lifecycle methods of the Shiro beans
     configured in the Spring IoC container. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enables the Shiro annotations for beans in the IoC container. This only works once
     LifecycleBeanPostProcessor is configured, hence the depends-on.
     NOTE(review): these advisors proxy beans created by this application context. If the
     controllers are defined in a separate Spring MVC context, verify that annotations such as
     @RequiresRoles are actually enforced there; an annotation that is never proxied fails open. -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="defaultWebSecurityManager"/>
</bean>
<!-- The bean that web.xml's DelegatingFilterProxy resolves by name; it builds the Shiro filter
     and holds the URL access rules. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="defaultWebSecurityManager"/>
    <!-- Login page. Shiro compares the requested address with loginUrl; an unauthenticated
         request for any other protected address is sent to loginUrl. -->
    <property name="loginUrl" value="/login.jsp"/>
    <!-- Page shown after a successful authentication (left disabled by the author) -->
    <!--<property name="successUrl" value="/index.jsp"/>-->
    <!-- Target used when an authenticated user fails an authorization check (missing role or
         permission). It is not the authentication-failure page; failed logins are handled by
         the login flow. NOTE(review): sending such users back to the login page hides the
         reason for the refusal; a dedicated "access denied" page is the usual choice. -->
    <property name="unauthorizedUrl" value="/login.jsp"/>
    <property name="filterChainDefinitions">
        <!-- anon  (AnonymousFilter.class)                no authentication required
             authc (FormAuthenticationFilter.class)       login required
             roles (RolesAuthorizationFilter.class)       role required
             perms (PermissionsAuthorizationFilter.class) permission required
             Rules are checked top to bottom and the first matching pattern decides, so the
             catch-all "/** = authc" has to stay last and every anon pattern should be as
             narrow as possible; anything placed under /js, /layui or /res is served without a login.
             No rule below uses roles or perms, so the roles assigned by the realm are only
             enforced where code or annotations check them.
             NOTE(review): /user/login must be the full path of the login handler. The controller
             shown on this page maps "/login"; a class-level "/user" mapping is presumably
             present but not shown, so confirm the two agree. -->
        <value>
            /user/login=anon
            /js/** = anon
            /layui/** = anon
            /res/** = anon
            /** = authc
        </value>
    </property>
</bean>
4、控制器
 @RequestMapping("/login")
    public ModelAndView login(User user){
        // Authenticates the submitted login name and password through Shiro and picks the view:
        // "index" when the login succeeds, "login" when Shiro rejects it.
        //
        // NOTE(review): the mapping does not restrict the HTTP method, so the credentials are
        // also accepted as GET query parameters, where they can end up in access logs and
        // browser history; consider limiting this handler to POST.
        // NOTE(review): the failure is swallowed without any log entry, so repeated failed
        // logins leave no trace for detection; consider recording the attempt (never the password).

        // Subject bound to the current request/thread.
        Subject currentSubject = SecurityUtils.getSubject();
        // Wrap the submitted credentials in the token type the realm expects.
        UsernamePasswordToken loginToken =
                new UsernamePasswordToken(user.getLoginName(), user.getPassword());

        String viewName;
        try {
            currentSubject.login(loginToken);
            viewName = "index";
        } catch (AuthenticationException e) {
            // Every authentication failure leads back to the login view.
            viewName = "login";
        }
        return new ModelAndView(viewName);
    }
5、自定义数据域
package com.yl.realm;
import com.yl.bean.User;
import com.yl.service.IUserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
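/**
 * Shiro realm that authenticates users through {@link IUserService} and grants a single
 * role derived from the user's {@code rid}.
 */
public class UserRealm extends AuthorizingRealm {
    /** Generic failure message; the same text is used for every rejected login. */
    private static final String AUTH_FAILED = "认证失败";

    @Autowired
    private IUserService userService;

    /**
     * Builds the authorization data for an authenticated user.
     *
     * @param principalCollection principals of the subject; the primary principal is the
     *                            {@link User} stored by {@link #doGetAuthenticationInfo}
     * @return authorization info holding the role "admin" when {@code rid} is 1,
     *         otherwise the role "user"
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        User user = (User) principalCollection.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // NOTE(review): the role comes from the User object captured at login, so a role change
        // in the database presumably takes effect only after the user logs in again - confirm.
        if (user.getRid() == 1) {
            authorizationInfo.addRole("admin");
        } else {
            authorizationInfo.addRole("user");
        }
        return authorizationInfo;
    }

    /**
     * Authenticates the submitted user name and password.
     *
     * @param authenticationToken the submitted token; must be a {@link UsernamePasswordToken}
     * @return authentication info whose principal is the {@link User} returned by the service
     * @throws AuthenticationException if the user name or password is missing, or if
     *                                 {@code userService.login} finds no matching user
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // Read the submitted user name and password from the token.
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        String inputUserName = usernamePasswordToken.getUsername();
        char[] passwordChars = usernamePasswordToken.getPassword();
        // A login request without these parameters yields null values; reject it with the
        // same generic failure instead of hitting a NullPointerException below.
        if (inputUserName == null || passwordChars == null) {
            throw new AuthenticationException(AUTH_FAILED);
        }
        String inputPassword = new String(passwordChars);

        User user = new User();
        user.setLoginName(inputUserName);
        user.setPassword(inputPassword);
        User dbUser = userService.login(user);
        if (dbUser == null) {
            throw new AuthenticationException(AUTH_FAILED);
        }
        // NOTE(review): the submitted password is handed back as the account's credentials, so
        // the credentials matcher Shiro runs afterwards compares the input with itself and always
        // succeeds. The only real password check is whatever userService.login does - presumably
        // a lookup by login name and password; confirm that passwords are stored as salted hashes
        // there. The usual Shiro pattern is to look the user up by login name only, return the
        // stored hash here, and configure a HashedCredentialsMatcher on the realm.
        return new SimpleAuthenticationInfo(dbUser, inputPassword, "UserRealm");
    }
}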
    记得快乐
 
                    
                 
                
            