Shiro in Practice
Shiro is a powerful and easy-to-use Java security framework for authentication, authorization, cryptography and session management. It offers a simple API and flexible configuration, and it integrates readily into all kinds of Java applications, including web applications, REST services and command-line tools.
The following steps walk through a minimal Shiro example implemented in Java:
- Add the dependencies:
  - In your Java project, add the following dependencies to use Shiro. shiro-core alone is not enough for the code below: EnvironmentLoaderListener and ShiroFilter live in shiro-web. The Servlet API itself is provided by the container.
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.7.1</version>
    </dependency>
    <!-- needed for org.apache.shiro.web.* (EnvironmentLoaderListener, ShiroFilter) -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.7.1</version>
    </dependency>
- Create the Shiro configuration:
  - Create a class named ShiroConfig.java and add the following code:
    import org.apache.shiro.authc.credential.DefaultPasswordService;
    import org.apache.shiro.authc.credential.PasswordMatcher;
    import org.apache.shiro.authc.credential.PasswordService;
    import org.apache.shiro.realm.jdbc.JdbcRealm;
    import org.apache.shiro.web.env.EnvironmentLoaderListener;
    import org.apache.shiro.web.servlet.ShiroFilter;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.annotation.WebListener;

    // Bootstraps Shiro's WebEnvironment when the web application starts.
    // By default EnvironmentLoaderListener reads /WEB-INF/shiro.ini (or classpath:shiro.ini);
    // the realm and password service defined below must be wired up from that file.
    @WebListener
    public class ShiroConfig extends EnvironmentLoaderListener {

        // Routes every request through Shiro. The inner class is deliberately not named
        // ShiroFilter: that name would shadow the import and the extends clause would
        // then refer to the class itself (a cyclic-inheritance compile error).
        @WebFilter(urlPatterns = "/*", asyncSupported = true)
        public static class AppShiroFilter extends ShiroFilter {
        }

        public static class MyJdbcRealm extends JdbcRealm {
            public MyJdbcRealm() {
                // The password column must hold hashes produced by the PasswordService, not plaintext.
                setAuthenticationQuery("SELECT password FROM users WHERE username = ?");
                // JdbcRealm resolves permissions per role: it first loads the user's role names,
                // then runs the permissions query once for each role name.
                setUserRolesQuery("SELECT role_name FROM user_roles WHERE username = ?");
                setPermissionsQuery("SELECT permission FROM roles_permissions WHERE role_name = ?");
                setPermissionsLookupEnabled(true);
            }
        }

        public static class MyAppModule {
            public PasswordService passwordService() {
                return new DefaultPasswordService();
            }

            public MyJdbcRealm jdbcRealm() {
                MyJdbcRealm realm = new MyJdbcRealm();
                // Without a PasswordMatcher the realm compares the submitted password with the
                // stored hash as plain strings, and every login fails.
                PasswordMatcher matcher = new PasswordMatcher();
                matcher.setPasswordService(passwordService());
                realm.setCredentialsMatcher(matcher);
                // realm.setDataSource(...) is still required; obtain the DataSource from your container or pool.
                return realm;
            }
        }
    }
- Create the web application:
  - Create a class named HelloServlet.java and add the following code:
    import org.apache.shiro.SecurityUtils;
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.IncorrectCredentialsException;
    import org.apache.shiro.authc.LockedAccountException;
    import org.apache.shiro.authc.UnknownAccountException;
    import org.apache.shiro.authc.UsernamePasswordToken;
    import org.apache.shiro.subject.Subject;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    @WebServlet("/hello")
    public class HelloServlet extends HttpServlet {

        // GET shows the login form.
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        }

        // POST attempts the login; on failure the form is shown again with a message.
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String username = req.getParameter("username");
            String password = req.getParameter("password");
            Subject currentUser = SecurityUtils.getSubject();
            if (!currentUser.isAuthenticated()) {
                UsernamePasswordToken token = new UsernamePasswordToken(username, password);
                // The distinct messages are convenient while learning; in production prefer one
                // generic message, because "Unknown account" reveals which usernames exist.
                try {
                    currentUser.login(token);
                } catch (UnknownAccountException uae) {
                    failLogin(req, resp, "Unknown account");
                    return;
                } catch (IncorrectCredentialsException ice) {
                    failLogin(req, resp, "Incorrect credentials");
                    return;
                } catch (LockedAccountException lae) {
                    failLogin(req, resp, "Account is locked");
                    return;
                } catch (AuthenticationException ae) {
                    failLogin(req, resp, "Authentication error");
                    return;
                }
            }
            // hello.jsp reads ${username}, which resolves request attributes, not request
            // parameters, so the authenticated principal is exposed as an attribute here.
            req.setAttribute("username", currentUser.getPrincipal());
            req.getRequestDispatcher("/hello.jsp").forward(req, resp);
        }

        private void failLogin(HttpServletRequest req, HttpServletResponse resp, String message)
                throws ServletException, IOException {
            req.setAttribute("error", message);
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        }
    }
- Create the login page:
  - Create a file named login.jsp and add the following code:
    <html>
    <head>
        <title>Login</title>
    </head>
    <body>
        <h2>Login</h2>
        <form action="/hello" method="post">
            <label for="username">Username:</label>
            <input type="text" name="username" id="username" required><br>
            <label for="password">Password:</label>
            <input type="password" name="password" id="password" required><br>
            <input type="submit" value="Login">
            <%-- error is a fixed message set by HelloServlet, never user input --%>
            <p>${error}</p>
        </form>
    </body>
    </html>
- Create the welcome page:
  - Create a file named hello.jsp and add the following code:
    <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
    <html>
    <head>
        <title>Hello</title>
    </head>
    <body>
        <%-- username originates from the login form, so it is HTML-escaped before being
             written into the page (fn:escapeXml requires JSTL on the classpath) --%>
        <h2>Hello, ${fn:escapeXml(username)}!</h2>
        <p>Welcome to the Shiro example.</p>
    </body>
    </html>
- Start the application:
  - Deploy the application to a web container (such as Tomcat) and start the container.
  - Open http://localhost:8080/hello; you will be sent to the login page.
  - Enter a valid username and password (these can be customised in the Shiro configuration). If authentication succeeds you are forwarded to the welcome page, which shows the greeting.
With the example above you can use Shiro to implement authentication and authorization and protect the resources of a web application. You can customise the Realm, configure permissions and roles as needed, and use Shiro's API for access control and session management.
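The DefaultPasswordService created in ShiroConfig only takes effect if the realm's credentials matcher is a PasswordMatcher and the stored password values are hashes produced by encryptPassword. The following added example (not part of the original post) exercises that pairing without a container or database; PasswordServiceDemo, MapRealm, the USERS map and the user alice are constructed for the demonstration and are not Shiro API.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import java.util.HashMap;
import java.util.Map;

public class PasswordServiceDemo {
    // Constructed stand-in for the users table: username -> hash from DefaultPasswordService.
    static final Map<String, String> USERS = new HashMap<>();
    // Hypothetical realm doing what JdbcRealm does, against the map instead of JDBC.
    static class MapRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String user = (String) token.getPrincipal();
            String storedHash = USERS.get(user);
            if (storedHash == null) throw new UnknownAccountException("no account: " + user);
            // Hand back the stored hash; the PasswordMatcher set below does the comparison.
            return new SimpleAuthenticationInfo(user, storedHash, getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addStringPermission("hello:read");  // every known user may read /hello
            return info;
        }
    }
    public static void main(String[] args) {
        DefaultPasswordService passwordService = new DefaultPasswordService();
        // Registration: persist only the salted, iterated hash, never the plaintext.
        USERS.put("alice", passwordService.encryptPassword("correct horse battery"));
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        MapRealm realm = new MapRealm();
        realm.setCredentialsMatcher(matcher); // omit this and every login fails: plaintext vs hash
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected");
        }
        subject.login(new UsernamePasswordToken("alice", "correct horse battery"));
        System.out.println("authenticated=" + subject.isAuthenticated() + " permitted=" + subject.isPermitted("hello:read"));
    }
}
```

Run it with shiro-core on the classpath; the JdbcRealm in ShiroConfig behaves the same way once its password column holds values written by encryptPassword.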