Shiro与Web集成,主要是通过配置一个ShiroFilter拦截所有URL,其中ShiroFilter类似于如Strut2/SpringMVC这种web框架的前端控制器,是所有请求入口点,负责根据配置如(ini配置文件),判断请求进入URL是否需要登录/权限等工作。
老规矩先贴项目结构:
pom文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.study</groupId>
<artifactId>shiroweb</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>shiroweb Maven Webapp</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<!-- servlet API -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.3</version>
</dependency>
<!-- shiro 的核心依赖 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.2</version>
</dependency>
<!-- Shiro对web的支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.2</version>
</dependency>
</dependencies>
<build>
<finalName>shiroweb</finalName>
<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>3.2.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
步骤:
1.导入相关的依赖
2.在web.xml中配置shiro的过滤器ShiroFilter。
web.xml为
<?xml version="1.0" encoding="UTF-8"?>
<web-app >
<display-name>Archetype Created Web Application</display-name>
<!-- 配置shiroFilter过滤器,拦截所有请求 -->
<context-param>
<param-name>shiroEnvironmentClass</param-name>
<param-value>org.apache.shiro.web.env.IniWebEnvironment</param-value>
</context-param>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>classpath:shiro.ini</param-value>
</context-param>
<!--
从Shiro 1.2开始引入了Environment?WebEnvironment的概念,即由它们的实现提供相应的Securitymanage及其相应的依赖。
ShiroFilter会自动找到Environment然后获取相应的依赖。
底层:返回反射创建shiroEnvironmentClass对象,调用其init方法
ShiroEnvironmentClass中的init方法创建Securitymanager实例并绑定到当前运行环境
-->
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<!-- 拦截所有的请求 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
3.配置shiro.ini配置文件
[main]
#默认是/login.jsp
#authc.loginUrl=/login
#用户无需要的角色时跳转的页面
#roles.unauthorizedUrl=/nopernission.jsp
#用户无所需要的权限时跳转的页面
#perms.unauthorizedUrl=/nopermission.jsp
#登出之后重定向的页面
#logout.redirectUrl=/main
[user]
admin=666,admin
dafei=666,deptMgr
[roles]
admin=employee:*,department:*
deptMgr=department:view
[urls]
#静态资源可以匿名访问
#/static/**=anon
#访问员工列表需要身份认证及需要拥有admin角色
#/employee=authc,roles[admin]
#访问部门列表需要身份认证及需要拥有department:view的权限
#/department=authc,perms["department:view"]
#当请求loginOut,会被logout捕获并清除session
#/loginOut=logout
#所有的请求都需要身份认证
#/**=authc
Shiro 默认的过滤器
anon 匿名拦截器:既不需要登录就可以访问,一般用于静态资源过滤:示例:“/static/**=anon”
authc 表示需要认证(登录)才能访问;示例(“/**=authc”)
主要属性:usernameParam 表单提交的用户名参数:username,passwordParam 表单提交的密码参数:passwoed;remeberMeParm:表单提交的密码参数remeberMe,loginUrl登录页面地址(/login.jsp):successUrl;登录成功后默认的重定向地址,faliurekey登录失败后错误信息存储key,(ShiroLoginFailure)
authcBasic:Basic HTTP身份证拦截器,主要属性:applycationName,弹出登录框显示的消息(application)
roles:角色授权拦截器,验证用户是否拥有角色,:式例:/employee=authc,roles[admin]
perms:权限授权拦截器,验证用户是否拥有资源权限,示例:“/usr/create=perms["user]”
user:用户拦截器,用户已经身份认证/记住我登录的都可以,示例:“/index=user”
logout:退出拦截器,主要属性:redirectUrl:退出成功后重定向的地址(/),示例 “/logout=logout”
port:端口拦截器,主要属性:port(80):可以通过的端口,示例“/test=port[80]”,如果用户访问该页面是非80端口的,将自动将请求端口改为80并且重定向到该80端口,其他数据参数等都一样
rest:rest风格拦截器,自动根据请求方法构建 权限字符串(GET=read,POST=create,PUT=update,DELETE=delete,HEAD=read,TRACE=read,OPTIONS=read,MKCOL=create)构建权限字符串,示例:“/users=rest[user]”,会自动拼出“user:read,user:create,user:update,user:delete”权限字符串进行权限匹配,(所有都得匹配,isPermittedAll)
ssl:SSL拦截器,只有请求协议是https才能通过,否则自动跳转会https端口(443),其他和post拦截一样。
anon,authcBasic,authc,user是认证过滤器,
perm,roles,ssl,rest,port 是授权过滤器。
Shiro登录过滤器解析
authc登录拦截器的工作原理
authc拦截器有两个作用:
1.登录认证
请求进来时,拦截并判断当前用户是否登录,如果已经登录了放行,如果没有登录,跳转到
authc.loginUrl=/login
配置的路径,注意默认是login.jsp
2、执行登录认证
请求进来时,如果请求的路径为authc.loginUrl属性配置的路径(没配置,默认是/login.jsp)时,如果当前用户没有登录,authc这个拦截器会尝试获取请求中的账号跟密码值,然后比对ini配置文件或者realm中的用户列表,如果比对正确,直接执行登录操作,反之,抛异常,跳转到authc.loginUrl指定的路径。
注意:请求中账号与密码固定为username跟password,如果需要改动必须额外指定。
authc.usernameParam=xxx authc.passwordParam
authc登录成功之后的处理逻辑:
authc登录失败之后的处理逻辑:
LoginServlet
package com.study.shiro.web;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet(name = "loginServlet" ,urlPatterns="/login")
public class LoginServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// 如果登录失败从request中获取认证异常信息,shiroLoginFailure就是shiro异常类的全限定名
String excaptionClassName = (String) req.getAttribute("shiroLoginFailure");
//根据shiro返回的异常类路径判断,抛出指定异常信息
if(excaptionClassName !=null){
if(UnknownAccountException.class.getName().equals(excaptionClassName)){
req.setAttribute("errorMsg","账号不存在");
}else if(IncorrectCredentialsException.class.getName().equals(excaptionClassName)){
req.setAttribute("errorMsg","用户名/密码不对");
}else {
req.setAttribute("errorMsg","其他异常");
}
}
// 此方法不处理登录成功(认证成功),shiro认证成功会自动跳转到上一个请求路径
// 登录失败还到login页面
req.getRequestDispatcher("WEB-INF/views/login.jsp").forward(req,resp);
}
}
loginOutServlet
package com.study.shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet(name = "loginOutServlet", urlPatterns = "/loginOut")
public class LoginOutSerlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
req.getSession().invalidate();
resp.sendRedirect("/login.jsp");
}
}
mainServlet
package com.study.shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet(name = "mainServlet", urlPatterns = "/main")
public class MainAction extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
req.getRequestDispatcher("/WEB-INF/views/main.jsp").forward(req, resp);
}
}
departmentServlet
package com.study.shiro.web;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@WebServlet(name = "departmentServlet",urlPatterns = "/department")
public class DepartmentServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
doPost(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String cmd = req.getParameter("cmd");
if("input".equals(cmd)){
String id = req.getParameter("id");
if(id!=null){
req.setAttribute("name","tom");
req.setAttribute("age","20");
req.setAttribute("email","[email protected]");
req.setAttribute("cmdType","编辑");
}else {
req.setAttribute("cmdType","新增");
}
req.getRequestDispatcher("/WEB-INF/views/employee/input.jsp").forward(req,resp);
} else if("delete".equals("cmd")){
}else{
req.getRequestDispatcher("/WEB-INF/views/employee/list.jsp").forward(req,resp);
}
}
}