shiro--控制授权
以下代码需要在上一篇博客代码的基础上增加!
LoginService 接口文件
package shiro.service;
import org.apache.shiro.authc.UsernamePasswordToken;
// 登录服务
/**
 * Login / logout operations used by the servlets on this page.
 * Implementations are expected to operate on Shiro's current {@code Subject}.
 */
public interface LoginService {
    /**
     * Attempts to log the current subject in with the given credentials.
     *
     * @param token username/password token handed to Shiro
     * @return {@code true} if authentication succeeded, {@code false} otherwise
     */
    boolean login(UsernamePasswordToken token);

    /** Logs the current subject out. */
    void logout();
}
LoginServiceImpl实现类
package shiro.service.impl;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import shiro.service.LoginService;
/**
 * {@link LoginService} backed by Shiro's current subject
 * ({@link SecurityUtils#getSubject()}).
 */
public class LoginServiceImpl implements LoginService {

    /**
     * Logs the current subject in with the given token.
     * <p>
     * Any {@link AuthenticationException} raised by Shiro (unknown account,
     * bad credentials, locked account, ...) is mapped to {@code false}; the
     * cause is not propagated, so callers only ever see a boolean.
     *
     * @param token credentials passed straight to {@link Subject#login}
     * @return whether the subject reports itself authenticated after the attempt
     */
    @Override
    public boolean login(UsernamePasswordToken token) {
        final Subject current = SecurityUtils.getSubject();
        if (!attemptLogin(current, token)) {
            return false;
        }
        return current.isAuthenticated();
    }

    /** Runs {@link Subject#login} and reports whether it completed without throwing. */
    private static boolean attemptLogin(Subject subject, UsernamePasswordToken token) {
        try {
            subject.login(token);
            return true;
        } catch (AuthenticationException ignored) {
            // Deliberately swallowed: a failed login is reported as false, nothing more.
            return false;
        }
    }

    /** Logs the current subject out. */
    @Override
    public void logout() {
        SecurityUtils.getSubject().logout();
    }
}
5个servlet文件
HomeServlet
package shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
 * Serves the home page. This version performs no check of its own; with the
 * ini configuration shown on this page the {@code /home=authc} rule is what
 * keeps unauthenticated subjects out.
 */
@WebServlet(urlPatterns = "/home")
public class HomeServlet extends HttpServlet {

    private static final String HOME_VIEW = "home.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        render(request, response);
    }

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /** Forwards to the home view (a relative path, resolved against this servlet's URL). */
    private static void render(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher(HOME_VIEW).forward(request, response);
    }
}
LoginServlet
package shiro.web;
import org.apache.shiro.authc.UsernamePasswordToken;
import shiro.service.LoginService;
import shiro.service.impl.LoginServiceImpl;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
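/**
 * Handles the login form: reads the {@code loginName} and {@code password}
 * parameters, authenticates through {@link LoginService}, then forwards to
 * {@code /home} on success or redirects back to {@code login.jsp} on failure.
 */
@WebServlet(urlPatterns = "/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("loginName");
        String password = request.getParameter("password");
        // Build the token used for the login attempt.
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        LoginService loginService = new LoginServiceImpl();
        boolean isLogin;
        try {
            isLogin = loginService.login(token);
        } finally {
            // The token holds its own copy of the password; zero it once Shiro has
            // consumed it so the secret does not linger in this object.
            token.clear();
        }
        if (isLogin) {
            request.getRequestDispatcher("/home").forward(request, response);
        } else {
            response.sendRedirect("login.jsp");
        }
    }

    /**
     * Delegates to {@link #doPost}, so a GET carrying the credentials in the
     * query string also performs a login.
     * NOTE(review): query strings tend to end up in browser history and server
     * access logs; serving the form on GET and accepting credentials only on
     * POST would avoid that. Kept as-is because the form on this page is not shown.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}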
LogoutServlet
package shiro.web;
import org.apache.shiro.authc.UsernamePasswordToken;
import shiro.service.LoginService;
import shiro.service.impl.LoginServiceImpl;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
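/**
 * Logs the current subject out and sends the browser to the login page.
 * <p>
 * When the ini configuration maps {@code /logout = logout} (as on this page),
 * Shiro's logout filter performs the logout and the redirect to
 * {@code logout.redirectUrl} itself, and this servlet is not expected to run.
 */
@WebServlet(urlPatterns = "/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        LoginService loginService = new LoginServiceImpl();
        loginService.logout();
        // Previously nothing was written after logout, so the client got an empty
        // 200 response. Send it to the same page the ini's logout.redirectUrl uses.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    /** GET is handled like POST, so a plain link to /logout works. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}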
OrderAddServlet
package shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
 * Serves the "add order" page. No check is done here; with the ini
 * configuration on this page the {@code /order-add=perms["order:add"]} rule
 * is what gates access.
 */
@WebServlet(urlPatterns = "/order-add")
public class OrderAddServlet extends HttpServlet {

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Relative view path, resolved against this servlet's URL.
        request.getRequestDispatcher("order-add.jsp").forward(request, response);
    }
}
OrderAddServlet
package shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
 * Serves the "add order" page; access is left to the ini filter chain.
 * NOTE(review): this listing repeats the OrderAddServlet shown just above.
 * The fifth servlet on this page, OrderListServlet (/order-list), appears
 * only in its modified form further down.
 */
@WebServlet(urlPatterns = "/order-add")
public class OrderAddServlet extends HttpServlet {

    private static final String VIEW = "order-add.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        show(request, response);
    }

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /** Forwards to the order-add view (relative to this servlet's URL). */
    private static void show(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher(VIEW).forward(request, response);
    }
}
使用shiro.ini文件控制授权
shiro文件内容
#声明自定义的realm,且为安全管理器指定realm
[main]
definitionRealm=shiro.realm.DefinitionRealm
securityManager.realms=$definitionRealm
# 用户退出后跳转到指定jsp页面
logout.redirectUrl=/login.jsp
# 若没有登录,则被authc过滤器重定向到login.jsp
authc.loginUrl=/login.jsp
[urls]
/login=anon
# 发送/home请求需要先登录
/home=authc
# 发送/order-list请求需要管理员角色
/order-list=roles[admin]
# 添加代码需要order:add权限
/order-add=perms["order:add"]
# 删除代码需要order:del权限
/order-del=perms["order:del"]
# 发送退出请求则用退出过滤器
/logout = logout
设置以上配置文件后,就可以对权限进行控制
使用java代码控制授权

注释掉ini文件的部分内容
#声明自定义的realm,且为安全管理器指定realm
[main]
definitionRealm=shiro.realm.DefinitionRealm
securityManager.realms=$definitionRealm
# 用户退出后跳转到指定jsp页面
logout.redirectUrl=/login.jsp
# 若没有登录,则被authc过滤器重定向到login.jsp
authc.loginUrl=/login.jsp
[urls]
/login=anon
# 发送/home请求需要先登录
; /home=authc
; # 发送/order-list请求需要管理员角色
; /order-list=roles[admin]
; # 添加代码需要order:add权限
; /order-add=perms["order:add"]
; # 删除代码需要order:del权限
; /order-del=perms["order:del"]
# 发送退出请求则用退出过滤器
/logout = logout
HomeServlet修改部分
package shiro.web;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
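/**
 * Serves the home page to authenticated subjects and sends everyone else to
 * the login page. This is the code replacement for the {@code /home=authc}
 * rule commented out of the ini configuration on this page.
 */
@WebServlet(urlPatterns = "/home")
public class HomeServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Current subject.
        Subject currentUser = SecurityUtils.getSubject();
        // Has the current subject logged in?
        boolean isAuthenticated = currentUser.isAuthenticated();
        if (isAuthenticated) {
            request.getRequestDispatcher("home.jsp").forward(request, response);
        } else {
            // Send the browser to the login page. The original forwarded to /login,
            // i.e. into LoginServlet.doPost, which runs a login attempt with absent
            // loginName/password parameters instead of showing the form; a redirect
            // to login.jsp is what LoginServlet itself does on failure.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}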
OrderAddServlet修改部分
package shiro.web;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
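/**
 * Serves the "add order" page only to subjects holding the {@code order:add}
 * permission. This is the code replacement for the
 * {@code /order-add=perms["order:add"]} rule commented out of the ini file.
 */
@WebServlet(urlPatterns = "/order-add")
public class OrderAddServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Current subject.
        Subject subject = SecurityUtils.getSubject();
        // Does the current subject hold the order:add permission?
        boolean isPermitted = subject.isPermitted("order:add");
        if (isPermitted) {
            request.getRequestDispatcher("order-add.jsp").forward(request, response);
        } else {
            // Send the browser to the login page. The original forwarded to /login,
            // i.e. into LoginServlet.doPost, which runs a login attempt with absent
            // loginName/password parameters instead of showing the form.
            // A subject that is logged in but lacks the permission could instead
            // be answered with SC_FORBIDDEN; the page's convention is the login page.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}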
OrderListServlet修改部分
package shiro.web;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
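/**
 * Serves the order list only to subjects holding the {@code admin} role.
 * This is the code replacement for the {@code /order-list=roles[admin]} rule
 * commented out of the ini file.
 */
@WebServlet(urlPatterns = "/order-list")
public class OrderListServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Current subject.
        Subject currentUser = SecurityUtils.getSubject();
        // Does the current subject have the admin role?
        boolean isAdmin = currentUser.hasRole("admin");
        if (isAdmin) {
            request.getRequestDispatcher("order-list.jsp").forward(request, response);
        } else {
            // Send the browser to the login page. The original forwarded to /login,
            // i.e. into LoginServlet.doPost, which runs a login attempt with absent
            // loginName/password parameters instead of showing the form.
            // A subject that is logged in but lacks the role could instead be
            // answered with SC_FORBIDDEN; the page's convention is the login page.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    /** GET is handled exactly like POST. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }
}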
使用jsp标签控制授权
Shiro提供一套jsp标签库实现页面级的授权控制,首先需要在jsp引入Shiro标签

home.jsp内容
<%-- Shiro tag library: lets the page show or hide markup per role/permission. --%>
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<%-- Logout link; /logout is handled by the logout filter or LogoutServlet. --%>
<a href="${pageContext.request.contextPath}/logout">退出</a>
<%-- Rendered only for subjects with the admin role. The tag only hides the
     link: the server-side check (ini rule or OrderListServlet) is what actually
     blocks a direct request to /order-list. --%>
<shiro:hasRole name="admin">
<a href="${pageContext.request.contextPath}/order-list">列表</a>
</shiro:hasRole>
<%-- Rendered only for subjects holding the order:add permission; same caveat. --%>
<shiro:hasPermission name="order:add">
<a href="${pageContext.request.contextPath}/order-add">添加</a>
</shiro:hasPermission>
</body>
</html>
注意
使用jsp标签控制授权,只是隐藏了页面上的链接,并不能阻止未授权用户直接访问对应URL(盗链);而采用ini配置文件或java代码的方式在服务端进行校验,可以防止盗链发生