Configuring Shiro for access control in Spring MVC
2015-12-07 20:15
Shiro is a powerful, easy-to-use Java security framework that provides authentication, authorization, cryptography and session management. This article briefly describes how to configure Shiro in Spring MVC.

1. First, add the jars Shiro needs to the Maven configuration:

```xml
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.2.3</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.2.3</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-ehcache</artifactId>
    <version>1.2.3</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.2.3</version>
</dependency>
```

2. Add the Shiro filter to web.xml:

```xml
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
```

3. In web.xml, configure the requests or resources that Shiro should intercept:

```xml
<!-- Intercept all .do requests -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
```

4. Configure Shiro in the Spring configuration file:

```xml
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Shiro's core security interface; this property is required -->
    <property name="securityManager" ref="securityManager" />
    <!-- Login page. Shiro redirects here when authentication fails; set it to suit your own project -->
    <property name="loginUrl" value="/views/common/login.jsp" />
    <!-- Page to go to after a successful login -->
    <property name="successUrl" value="/views/login.jsp" />
    <!-- Shiro filter rules -->
    <property name="filterChainDefinitions">
        <value>
            <!-- Map each request to the permissions it requires -->
            <!-- authc means /information/deal_change.do only requires login: the request can be
                 sent only after logging in; otherwise the user is redirected to the page
                 configured as loginUrl above -->
            /information/deal_change.do = authc
            <!-- Requires login and, in addition, the permission named in []. The realm below
                 grants the user's role name as a permission, so only users whose role is
                 listed in [] get access -->
            /demand/getDemand.do = authc,perms[designer]
        </value>
    </property>
</bean>
```

Then add the following additional configuration to the Spring configuration file:

```xml
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Set the custom realm -->
    <property name="realm" ref="monitorRealm" />
</bean>

<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<!-- Custom realm, extends AuthorizingRealm -->
<bean id="monitorRealm" class="com.gdqy.FCS.common.api.MonitorRealm"></bean>

<!-- securityManager -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod"
              value="org.apache.shiro.SecurityUtils.setSecurityManager" />
    <property name="arguments" ref="securityManager" />
</bean>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>
```

That completes the configuration. The next step is to write the custom realm:
```java
package com.gdqy.FCS.common.api;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.gdqy.FCS.entity.User;
import com.gdqy.FCS.service.UserService;

// A custom realm must extend AuthorizingRealm and override its methods
public class MonitorRealm extends AuthorizingRealm {

    public MonitorRealm() {
        super();
    }

    // Inject the service used to look up the user and role
    @Autowired
    private UserService userService;

    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(
                principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

    // Called when a resource that requires authorization is accessed
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Get the username. Once the login controller calls
        // SecurityUtils.getSubject().login(new UsernamePasswordToken(user.getUsername(), user.getPassword()));
        // the username is available here through getAvailablePrincipal(principals).
        String currentUsername = (String) super.getAvailablePrincipal(principals);
        // Query the database for the matching user and role
        User user = userService.selectByName(currentUsername);
        if (user != null) {
            // Assign the role, and the same name as a permission string
            SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
            simpleAuthorInfo.addRole(user.getRole());
            simpleAuthorInfo.addStringPermission(user.getRole());
            return simpleAuthorInfo;
        }
        return null;
    }

    // Called when LoginController.login() executes Subject.login()
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        // Return the stored credentials so that Shiro's credentials matcher compares them
        // with the submitted token. Returning token.getPassword() here would make every
        // login succeed. Assumes User exposes getPassword(), as in the controller call
        // quoted above.
        User user = userService.selectByName(token.getUsername());
        if (user == null) {
            throw new UnknownAccountException("Unknown user: " + token.getUsername());
        }
        return new SimpleAuthenticationInfo(token.getUsername(), user.getPassword(), getName());
    }
}
```
At this point the Shiro configuration is complete.
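What `doGetAuthenticationInfo` has to return for `Subject.login()` to verify a password, shown as an added example that is not part of the original article: Shiro's default credentials matcher compares the token's password with the credentials in the returned `AuthenticationInfo`, so a realm that hands back the token's own password accepts any login, while one that returns the stored password rejects a wrong one. `DemoRealm`, `STORED` and `loginSucceeds` are hypothetical names, the in-memory map is constructed sample data standing in for `UserService`, and only shiro-core is needed on the classpath.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class RealmCredentialCheckDemo {
    // Constructed sample data standing in for UserService.selectByName().
    static final Map<String, String> STORED = Collections.singletonMap("alice", "s3cret-sample");

    // Hypothetical realm: echoToken=true returns the token's own password as the credentials.
    static class DemoRealm extends AuthorizingRealm {
        private final boolean echoToken;
        DemoRealm(boolean echoToken) { this.echoToken = echoToken; }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo(); // no roles needed for this check
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            UsernamePasswordToken token = (UsernamePasswordToken) t;
            if (echoToken) { // credentials always equal the submitted password
                return new SimpleAuthenticationInfo(token.getUsername(), token.getPassword(), getName());
            }
            String stored = STORED.get(token.getUsername());
            if (stored == null) throw new UnknownAccountException("unknown user");
            return new SimpleAuthenticationInfo(token.getUsername(), stored, getName());
        }
    }

    // True when Subject.login() accepts the given username/password pair.
    static boolean loginSucceeds(boolean echoToken, String user, String password) {
        Subject subject = new Subject.Builder(new DefaultSecurityManager(new DemoRealm(echoToken))).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        System.out.println("echo,   wrong password: " + loginSucceeds(true, "alice", "wrong"));
        System.out.println("echo,   unknown user:   " + loginSucceeds(true, "nobody", "x"));
        System.out.println("stored, wrong password: " + loginSucceeds(false, "alice", "wrong"));
        System.out.println("stored, right password: " + loginSucceeds(false, "alice", "s3cret-sample"));
    }
}
```

The same `loginSucceeds` check with a deliberately wrong password works as a regression test for any custom realm wired into the `securityManager` bean.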