spring中集成shiro进行安全管理
shiro是一款轻量级的安全框架,提供认证、授权、加密和会话管理四个基础功能,除此之外也提供了很好的系统集成方案。
下面将它集成到之前的demo中,在之前spring中使用aop配置事务这篇所附代码的基础上进行集成
一、添加jar包引用
修改pom.xml文件,加入:
<!-- security --> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.5</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.5</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-cas</artifactId> <version>1.2.5</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.5</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>1.2.5</version> </dependency>
二、添加过滤器Filter
修改web.xml文件,加入(需要加在Filter比较靠前的位置):
<!-- Shiro过滤器 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
三、添加配置文件
在"src/main/resources"代码文件夹中新建文件"spring-context-shiro.xml",内容为:
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> <description>Shiro Configuration</description> <!-- 加载配置属性文件 --> <context:property-placeholder ignore-unresolvable="true" location="classpath:demo.properties" /> <!-- 定义安全管理配置 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="userRealm" /> <property name="sessionManager" ref="defaultWebSessionManager" /> <!-- <property name="cacheManager" ref="shiroCacheManager" /> --> </bean> <bean id="userRealm" class="org.xs.demo1.UserRealm"></bean> <!-- 自定义会话管理 --> <bean id="defaultWebSessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <!-- 会话超时时间,单位:毫秒 --> <property name="globalSessionTimeout" value="86400000" /> <!-- 定时清理失效会话, 清理用户直接关闭浏览器造成的孤立会话 --> <property name="sessionValidationInterval" value="120000"/> <!-- 定时检查失效的会话 --> <property name="sessionValidationSchedulerEnabled" value="true"/> </bean> <!-- 安全认证过滤器 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value="/hello/login" /> <property name="unauthorizedUrl" value="/hello/login" /> <property name="successUrl" value="/hello/mysql" /> <property name="filterChainDefinitions"> <value> /hello/login = anon //anon:允许匿名访问 /hello/auth = anon /hello/* = authc //authc:需要认证才能访问 </value> </property> </bean> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> </beans>
四、增加安全认证实现类
在"src/main/java"代码文件夹的"org.xs.demo1"的包下新建"UserRealm.java"
package org.xs.demo1; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.springframework.stereotype.Service; /** * 安全认证实现类 */ @Service public class UserRealm extends AuthorizingRealm { /** * 获取授权信息 */ @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { //String currentUsername = (String) getAvailablePrincipal(principals); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); info.addStringPermission("admin"); return info; } /** * 获取认证信息 */ @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken) authcToken; String username = token.getUsername(); if (username != null && !"".equals(username)) { return new SimpleAuthenticationInfo("xs", "123", getName()); } return null; } }
五、增加Controller方法
在HelloController类里添加方法:
/** * 登录页 */ @RequestMapping("login") public String login() throws Exception { return "login"; } /** * 登录验证 */ @RequestMapping("auth") public String auth(String loginName, String loginPwd) throws Exception { SecurityUtils.getSecurityManager().logout(SecurityUtils.getSubject()); if(!"xs".equals(loginName) || !"123".equals(loginPwd)) { return "redirect:/hello/login"; } UsernamePasswordToken token = new UsernamePasswordToken(loginName, loginPwd); Subject subject = SecurityUtils.getSubject(); subject.login(token); return "redirect:/hello/mysql"; }
六、增加login.jsp页面
在WEB-INF的views文件夹中新建"login.jsp"
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Insert title here</title> <% /* 当前基础url地址 */ String path = request.getContextPath(); request.setAttribute("path", path); %> </head> <body> <form action="${path}/hello/auth" method="post"> 登录名称:<input type="text" name="loginName" value="${userInfo.loginName}" /> 登录密码:<input type="text" name="loginPwd" value="${userInfo.loginPwd}" /> <input type="submit" class="btn btn-default btn-xs" value="保存" /> </form> </body> </html>
七、运行测试
访问"http://localhost:8080/demo1/hello/mysql"的地址,页面会被跳转到登陆页:
输入用户名"xs"和密码"123",然后点击登录,就能跳转到mysql:
实例代码地址:https://github.com/ctxsdhy/cnblogs-example