Shiro的登录验证【基于SpringMVC框架下】
项目结构:
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <!-- Sample RDBMS data source that would exist in any application - not Shiro related. --> <!-- <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="org.hsqldb.jdbcDriver"/> <property name="url" value="jdbc:hsqldb:mem:shiro-spring"/> <property name="username" value="sa"/> </bean> --> <!-- Populates the sample database with sample users and roles. --> <!-- <bean id="bootstrapDataPopulator" class="org.apache.shiro.samples.spring.BootstrapDataPopulator"> <property name="dataSource" ref="dataSource"/> </bean> --> <!-- Simulated business-tier "Manager", not Shiro related, just an example --> <!-- <bean id="sampleManager" class="org.apache.shiro.samples.spring.DefaultSampleManager"/> --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="cacheManager" ref="cacheManager"/> <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. --> <!-- <property name="sessionMode" value="native"/> --> <!-- Realm,实现类 --> <property name="realm" ref="jdbcRealm"/> </bean> <bean id="jdbcRealm" class="com.shiro.bean.ShiroRealm"> <!-- 配置密码加密使用MD5加密 --> <property name="CredentialsMatcher"> <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <property name="hashAlgorithmName" value="MD5"></property> <property name="hashIterations" value="1024"></property> </bean> </property> </bean> <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/> </bean> <!-- <bean id="jdbcRealm" class="org.apache.shiro.samples.spring.realm.SaltAwareJdbcRealm"> <property name="name" value="jdbcRealm"/> <property name="dataSource" ref="dataSource"/> <property name="credentialsMatcher"> The 'bootstrapDataPopulator' Sha256 hashes the password (using the username as the salt) then base64 encodes it: <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <property name="hashAlgorithmName" value="SHA-256"/> true means hex encoded, false means base64 encoded <property name="storedCredentialsHexEncoded" value="false"/> </bean> </property> </bean> --> <!-- 必须要有这样一个实例,用来管理在Spring容器当中的Shiro常见的对象 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- 启用Shiro注解 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- 网络方面 --> <bean id="secureRemoteInvocationExecutor"
class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- 配置ShiroFilter 1.shiroFilter这个bean的id必须与web.xml文件中的filter-name保持一致 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login.jsp"/> <property name="successUrl" value="/success.jsp"/> <property name="unauthorizedUrl" value="/adb.jsp"/> <!-- shiro过滤器具体配置 --> <property name="filterChainDefinitions"> <value> /login.jsp = anon /login = anon /logout =logout /** = authc </value> </property> </bean> </beans>
spring-mvc.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> <!-- 视图资源管理器 --> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/"></property> <property name="suffix" value=".jsp"></property> </bean> <context:component-scan base-package="*"></context:component-scan> <mvc:annotation-driven></mvc:annotation-driven> <mvc:default-servlet-handler/> </beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <!-- Spring的配置声明 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:applicationContext.xml</param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- SpringMVC的配置声明 --> <servlet> <servlet-name>SpringDispatcherServlet</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet </servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring-mvc.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>SpringDispatcherServlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <!-- Filter的代理类 代理类会到IOC容器中找在filter-name当值对应的bean对象 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
缓存设置使用默认的hibernate的缓存
登录Action
package com.shiro.action; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; @Controller public class LoginAction { @RequestMapping("/login") public String login(@RequestParam("username") String username, @RequestParam("password")String password){ //创建subject实例 Subject subject = SecurityUtils.getSubject(); //判断当前用户是否登录 if(subject.isAuthenticated()==false){ //将用户名及密码封装交个UsernamePasswordToken UsernamePasswordToken token = new UsernamePasswordToken(username,password); try { subject.login(token); } catch (AuthenticationException e) { System.out.println("验证不通过,无法登录!"); return "error"; } } return "success"; } }
relam域的调用是由Shrio后台进行调用。
package com.shiro.bean; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.crypto.hash.SimpleHash; import org.apache.shiro.realm.AuthenticatingRealm; /** * * @author layne * *Action方法中执行subject.login(token)时会通过IOC容器调取Realm域进行数据和前端数据比对 */ public class ShiroRealm extends AuthenticatingRealm { /** * Returns all principals associated with the corresponding Subject. Each principal is an identifying piece of * information useful to the application such as a username, or user id, a given name, etc - anything useful * to the application to identify the current <code>Subject</code>. * <p/> * The returned PrincipalCollection should <em>not</em> contain any credentials used to verify principals, such * as passwords, private keys, etc. Those should be instead returned by {@link #getCredentials() getCredentials()}. * * @return all principals associated with the corresponding Subject. * * doGetAuthenticationInfo,获取认证消息,如果数据库没有数据,返回null. * * AuthenticationInfo可以使用 SimpleAuthenticationInfo实现类,封装给正确用户名和密码 * * token参数:需要验证的token * */ @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token) throws AuthenticationException { /** * 1.将token转换为UsernamePasswordToken * * 2.获取用户名 * * 3.查询数据库,进行验证 * * 4.结果返回 * * 5.验证不通过,抛出异常 */ //1.将token转换为UsernamePasswordToken UsernamePasswordToken upToken = (UsernamePasswordToken)token; //2.获取用户名 String userName = upToken.getUsername(); //获取用户名后。通过查询用户名查询数据库是否有值,有值则进行密码验证。 SimpleAuthenticationInfo info=null; //3。查询数据库 //使用JDBC链接数据库进行查询 try { Class.forName("com.mysql.jdbc.Driver"); String url="jdbc:mysql://localhost:3306/test"; Connection conn=DriverManager.getConnection(url,"root",""); PreparedStatement ps = conn.prepareStatement("select * from account where name=?"); ps.setString(1, userName); ResultSet rs = ps.executeQuery(); if(rs.next()){ Object principal=userName; Object credentials=rs.getString(3); String realmName=this.getName(); //SimpleHash sh=new SimpleHash(algorithmName, source, salt, iterations); //加密类型 加密资源 盐值加密 加密次数 //给从数据库中拿到的密码做MD5的加密 SimpleHash sh=new SimpleHash("MD5", credentials, null, 1024); //info = new SimpleAuthenticationInfo(principal, credentials, realmName); info = new SimpleAuthenticationInfo(principal, sh, realmName); }else{ throw new AuthenticationException(); } } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (SQLException e) { e.printStackTrace(); } return info; } }
该项目jar使用spring framerwork-4.0.0在使用4.2.3会报找不到相关的缓存class文件。
