shiro
一、概述
官网介绍,Apache Shiro™ is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
二、案例
在创建的项目中导入shiro的jar包。
配置web.xml
<!-- 配置spring框架提供的用于整合shiro框架的过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
在applicationContext.xml中配置shiroFilter的bean,并开启注解和创建代理对象
<!-- 配置shiro框架的过滤器工厂对象 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- 注入安全管理器对象 -->
<property name="securityManager" ref="securityManager"/>
<!-- 注入相关页面访问URL -->
<property name="loginUrl" value="/login.jsp"/>
<property name="successUrl" value="/index.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<!--注入URL拦截规则 -->
<property name="filterChainDefinitions">
<value>
/css/** = anon
/js/** = anon
/images/** = anon
/validatecode.jsp* = anon
/login.jsp = anon
/userAction_login.action = anon
/page_base_staff.action = perms["staff-list"]
/* = authc
</value>
</property>
</bean>
<!-- 注册安全管理器对象 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="bosRealm"/>
</bean>
<!-- 注册realm -->
<bean id="bosRealm" class="com.xingji.bos.realm.BOSRealm"></bean>
<!-- 开启shiro框架注解支持 -->
<bean id="defaultAdvisorAutoProxyCreator"
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
<!-- 必须使用cglib方式为Action对象创建代理对象 -->
<property name="proxyTargetClass" value="true"/>
</bean>
<!-- 配置shiro框架提供的切面类,用于创建代理对象 -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>
编写安全管理器类BOSRealm,编写认证和授权的方法
public class BOSRealm extends AuthorizingRealm {
@Autowired
private IUserDao userDao;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// TODO Auto-generated method stub
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
info.addStringPermission("staff-list");
return info;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// TODO Auto-generated method stub
System.out.println("自定义的realm中的认证方法");
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = usernamePasswordToken.getUsername();
User user = userDao.findUserByUsername(username);
if (user == null) {
return null;
}
AuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());
return info;
}
}
编写登录认证中userAction中的login方法
public String login() {
// 从session中获取正确的验证码
String validatecode = (String) ServletActionContext.getRequest().getSession().getAttribute("key");
// 校验验证码是否正确
if (StringUtils.isNotBlank(checkcode) && validatecode.equals(checkcode)) {
Subject subject = SecurityUtils.getSubject();
AuthenticationToken token = new UsernamePasswordToken(model.getUsername(),
MD5Utils.md5(model.getPassword()));
try {
subject.login(token);
} catch (Exception e) {
e.printStackTrace();
return LOGIN;
}
User user = (User) subject.getPrincipal();
ServletActionContext.getRequest().getSession().setAttribute("loginUser", user);
return HOME;
} else {
// 验证码输入正确
this.addActionError("验证码有误");
return LOGIN;
}
}
使用注解给特定的方法授权
@RequiresPermissions("staff-delete")
public String deleteBatch() {
staffService.deleteBatch(ids);
return LIST;
}
三、使用shiro提供的页面标签实现权限控制
在jsp中引入shiro的标签库
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
在需要使用的地方使用
<shiro:hasPermission name="staff-delete">
{
id : 'button-delete',
text : '作废',
iconCls : 'icon-cancel',
handler : doDelete
},
</shiro:hasPermission>