官网:shiro.apache.org
pom.xml配置:
<!-- Pull in the Apache Shiro framework.
     NOTE(review): 1.2.2 is a very old release and later releases contain security fixes.
     Before reusing this snippet, check the security reports on shiro.apache.org and pin a
     currently supported version.
     shiro-all bundles every Shiro module. Depending only on the modules this setup uses
     (shiro-core, shiro-web, shiro-spring) keeps the dependency surface smaller. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-all</artifactId>
    <version>1.2.2</version>
</dependency>
web.xml配置:
<!-- Integrate Shiro with the web application.
     DelegatingFilterProxy forwards each request to the Spring bean whose id equals this
     filter-name, so "shiroFilter" must match the bean id in applicationContext.xml. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Mapped to /* so that every request passes through Shiro.
     NOTE(review): if web.xml declares other filters (for example the MVC framework's
     dispatcher filter), this mapping should come before them so that no request reaches
     application code ahead of Shiro. With no dispatcher elements, only REQUEST dispatches
     are filtered. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
applicationContext.xml配置:
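<!-- Shiro filter bean. Its id must equal the filter-name of the DelegatingFilterProxy
     declared in web.xml. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Inject the security manager -->
    <property name="securityManager" ref="securityManager" />
    <!-- URL settings
         loginUrl:        page an unauthenticated user is redirected to
         successUrl:      page the user is sent to once logged in
         unauthorizedUrl: page shown when the user lacks the required permission -->
    <property name="loginUrl" value="/login.jsp" />
    <property name="successUrl" value="/index.jsp" />
    <property name="unauthorizedUrl" value="/unauthorized.jsp" />
    <!-- One chain definition per line. Definitions are evaluated top to bottom and the
         first matching pattern wins, so the anon exceptions come first and the catch-all
         comes last.
         The catch-all is /** rather than /*: in Shiro's Ant-style patterns a single *
         stays inside one path segment, so /* would leave every nested path not listed
         above outside all chains and reachable without logging in.
         The trailing * on /login.jsp* and /UserAction_login* makes anything that starts
         with that prefix anonymous; keep other resource names from sharing those prefixes. -->
    <property name="filterChainDefinitions">
        <value>
            /css/** = anon
            /js/** = anon
            /images/** = anon
            /login.jsp* = anon
            /UserAction_login* = anon
            /validatecode.jsp = anon
            /** = authc
        </value>
    </property>
</bean>

<!-- Security manager: delegates authentication and authorization to the realm below -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="bosRealm"></property>
</bean>

<!-- Custom realm. No credentialsMatcher is set on this bean, so the realm's default
     matcher is used. -->
<bean id="bosRealm" class="com.xushuai.bos.realm.BOSRealm"></bean>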
Shiro框架提供的过滤器(本文配置用到其中两个:anon 表示无需认证即可访问,authc 表示必须通过登录认证后才能访问):
实例代码(UserAction):
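/**
 * Logs the user in through Shiro authentication.
 *
 * <p>The captcha kept in the session under {@code "key"} is checked against the submitted
 * {@code checkcode} first; only when it matches are the credentials handed to Shiro. On
 * success the authenticated principal is stored in the session under {@code "user"}.
 *
 * @return {@code HOME} on success; {@code LOGIN}, with an action error added, when the
 *         captcha or the credentials are rejected
 */
public String login(){
    // Take the generated captcha out of the session instead of just reading it, so that a
    // solved captcha is single-use and cannot be replayed across repeated login attempts.
    String vcode = (String) ActionContext.getContext().getSession().remove("key");
    // checkcode is known to be non-blank at the equals call, so compare from its side:
    // vcode is null when the session holds no captcha (new or expired session), and
    // calling vcode.equals(...) would then throw a NullPointerException.
    if(StringUtils.isNotBlank(checkcode) && checkcode.equals(vcode)){
        // Captcha accepted
        Subject subject = SecurityUtils.getSubject();
        // NOTE(review): the password is passed through MD5Utils before it reaches Shiro, so
        // the stored credential is presumably a bare MD5 digest. Unsalted MD5 is not adequate
        // for password storage. Shiro can do salted, iterated hashing itself through a
        // credentials matcher on the realm (e.g. HashedCredentialsMatcher), with the raw
        // password in the token. That change spans this action, the realm and the stored
        // hashes, so it is only flagged here.
        AuthenticationToken token = new UsernamePasswordToken(model.getUsername(), MD5Utils.md5(model.getPassword()));
        try {
            subject.login(token);
            User user = (User) subject.getPrincipal();
            // NOTE(review): the pre-login session is reused after authentication; consider
            // renewing the session on successful login to limit session fixation.
            ActionContext.getContext().getSession().put("user", user);
        } catch (UnknownAccountException e1) {
            // No logger is visible in this snippet; prefer the project's logger over stderr.
            e1.printStackTrace();
            // Same message as for a wrong password, so the response does not reveal
            // whether the user name exists.
            this.addActionError("用户名或密码错误!");
            return LOGIN;
        } catch (IncorrectCredentialsException e2) {
            e2.printStackTrace();
            this.addActionError("用户名或密码错误!");
            return LOGIN;
        }
        return HOME;
    }else{
        // Captcha missing, blank or wrong
        this.addActionError("验证码错误");
        return LOGIN;
    }
}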
BOSRealm(自定义Realm对象):
package com.xushuai.bos.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;

import com.xushuai.bos.dao.UserDao;
import com.xushuai.bos.entity.User;

/**
 * Custom Shiro realm that looks accounts up through {@link UserDao}.
 *
 * <p>Only authentication is implemented; the authorization hook is still a stub.
 */
public class BOSRealm extends AuthorizingRealm {

    @Autowired
    @Qualifier("userDao")
    private UserDao userDao;

    public void setUserDao(UserDao userDao) {
        this.userDao = userDao;
    }

    /**
     * Authentication: loads the account named in the token and returns its stored credentials.
     *
     * <p>This method does not compare passwords itself. It only returns the stored
     * password, and Shiro performs the comparison with the token's credentials.
     *
     * <p>NOTE(review): the stored password is returned unchanged, so the token presumably
     * has to carry the password in the same hashed form. Confirm against the caller and
     * the password storage scheme.
     *
     * @param authenticationToken the submitted token; cast to {@link UsernamePasswordToken}
     * @return the account's authentication info, or {@code null} when no user has that name
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        String loginName = ((UsernamePasswordToken) authenticationToken).getUsername();

        // Look the account up by user name.
        User account = userDao.findByUsername(loginName);
        if (account != null) {
            // The User object becomes the principal; the stored password is the credential.
            return new SimpleAuthenticationInfo(account, account.getPassword(), this.getName());
        }

        // Unknown user name: no authentication info to offer.
        return null;
    }

    /**
     * Authorization: not implemented yet, always returns {@code null}.
     *
     * <p>NOTE(review): with no authorization data supplied, role and permission checks
     * backed by this realm should not pass. Implement this before relying on role- or
     * permission-based rules.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }
}