官网:shiro.apache.org 点击打开链接
pom.xml配置:
<!-- 引入shiro框架的依赖 --> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-all</artifactId> <version>1.2.2</version> </dependency>
web.xml配置:
<!-- 配置整合shiro框架 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
applicationContext.xml配置:
<!-- 配置shiro框架 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean" > <!-- 注入安全管理器 --> <property name="securityManager" ref="securityManager" /> <!-- URL配置 loginUrl:未登录状态跳转的页面 successUrl:登录状态跳转的页面 unauthorizedUrl:权限不足时跳转的页面 --> <property name="loginUrl" value="/login.jsp" /> <property name="successUrl" value="/index.jsp" /> <property name="unauthorizedUrl" value="/unauthorized.jsp" /> <property name="filterChainDefinitions"> <value> /css/** = anon /js/** = anon /images/** = anon /login.jsp* = anon /UserAction_login* = anon /validatecode.jsp = anon /* = authc </value> </property> </bean> <!-- 配置安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="bosRealm"></property> </bean> <!-- 配置Realm --> <bean id="bosRealm" class="com.xushuai.bos.realm.BOSRealm"></bean>
Shiro框架提供的过滤器:
实例代码(UserAction):
/**
* 登录(Shiro认证)
* @return
*/
public String login(){
//从session中获取生成的验证码
String vcode = (String) ActionContext.getContext().getSession().get("key");
//校验验证码
if(StringUtils.isNotBlank(checkcode) && vcode.equals(checkcode)){//验证码正确
Subject subject = SecurityUtils.getSubject();
AuthenticationToken token = new UsernamePasswordToken(model.getUsername(), MD5Utils.md5(model.getPassword()));
try {
subject.login(token);
User user = (User) subject.getPrincipal();
ActionContext.getContext().getSession().put("user", user);
} catch (UnknownAccountException e1) {
e1.printStackTrace();
this.addActionError("用户名不存在!");
return LOGIN;
} catch (IncorrectCredentialsException e2) {
e2.printStackTrace();
this.addActionError("密码错误!");
return LOGIN;
}
return HOME;
}else{//验证码错误
this.addActionError("验证码错误");
return LOGIN;
}
}
BOSRealm(自定义Realm对象):
package com.xushuai.bos.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import com.xushuai.bos.dao.UserDao;
import com.xushuai.bos.entity.User;
public class BOSRealm extends AuthorizingRealm {
@Autowired
@Qualifier("userDao")
private UserDao userDao;
public void setUserDao(UserDao userDao) {
this.userDao = userDao;
}
@Override
//认证
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken)authenticationToken;
String username = usernamePasswordToken.getUsername();
//根据用户名查询用户
User user = userDao.findByUsername(username);
//校验user是否存在
if(user == null){//用户名不存在
return null;
}
/*
* 密码校验shiro框架会自动完成,我们只需要创建一个AuthenticationInfo对象
* 并将其返回
*/
AuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());
return info;
}
@Override
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
// TODO Auto-generated method stub
return null;
}
}