1.首先要创建数据库,创建5个表,分别是用户表,用户与角色中间表,角色表,角色与权限中间表,权限表
2.导入相关的jar包,这里使用maven导包
<!-- Apache Shiro: core (realms, authc/authz), web (servlet filter support) and
     spring (Spring bean integration). Keep all three artifacts on the same version.
     1.2.3 is an old release line; a real deployment should pin a currently
     maintained Shiro version rather than the one copied from this tutorial. -->
<dependencies>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
</dependencies>
3.配置web.xml文件,配置shiro过滤器
<!-- Register the Shiro security filter. DelegatingFilterProxy does no filtering
     itself: it looks up a Spring bean whose id equals this filter-name
     ("shiroFilter") and hands every request to it, so the bean id in the Spring
     config must be exactly "shiroFilter". -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<!-- Forward the servlet container's init()/destroy() calls to the delegate bean -->
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- Route every request through Shiro; which URLs are actually protected is
     decided by filterChainDefinitions on the shiroFilter bean, not here. -->
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4.配置spring配置文件
<!-- Authentication / authorization wiring -->
<!-- Application realm (see MyRealm below); its UserDao setter is satisfied by type -->
<bean id="myRealm" class="cn.realm.MyRealm" autowire="byType">
<!-- Verifies the submitted password against the stored hash. Algorithm, iteration
     count and the salt returned by MyRealm.doGetAuthenticationInfo must match
     exactly how the stored hashes were produced when the accounts were created.
     MD5 is a fast general-purpose digest, not a password hashing scheme; moving
     to a stronger one means re-hashing stored passwords, not just editing this
     value. -->
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"></property>
<property name="hashIterations" value="1024"></property>
</bean>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
<property name="rememberMeManager" ref = "rememberMeManager"></property>
<!-- <property name="rememberMeManager.cookie.maxAge" value="500"></property> -->
</bean>
<!-- Remember-me cookie. httpOnly keeps it out of reach of page scripts; maxAge is
     in seconds (10 s is a demo value). No "secure" flag is set here, so the cookie
     is also sent over plain HTTP. -->
<bean id="rememberMe" class="org.apache.shiro.web.servlet.SimpleCookie">
<property name="name" value="USER_CURR"></property>
<property name="httpOnly" value="true"></property>
<property name="maxAge" value="10"></property>
</bean>
<!-- Serializes and encrypts the remembered principal into the cookie above.
     No cipherKey is configured, so the library default is used; a deployment
     should set its own key (property "cipherKey") rather than rely on that. -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<property name="cookie" ref = "rememberMe"></property>
</bean>
<!-- Runs Shiro's init/destroy lifecycle callbacks on the beans above -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean> -->
<!-- The bean id must match the filter-name declared in web.xml ("shiroFilter") -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<!-- <property name="loginUrl" value="/login.jsp"/>
<property name="successUrl" value="/home.jsp"/>
-->
<!-- <property name="filters">
<util:map>
<entry key="anAlias" value-ref="someFilter"/>
</util:map>
</property> -->
<!-- Page shown when an authenticated user lacks the required role/permission -->
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
<!-- Access rules, one per line: URL pattern = filter chain. Shiro applies the
     first pattern that matches, so the catch-all "/** = anon" must stay last.
       user         - subject is authenticated OR only remembered via the cookie
       authc        - subject is fully authenticated in this session
       perms[query] - additionally requires the "query" permission string
                      that MyRealm.doGetAuthorizationInfo collects
       anon         - no check -->
/update1** = user
/update2** = authc
/select* = authc, perms[query]
/** = anon
</value>
</property>
</bean>
5.编写realm类
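/**
 * Shiro realm backed by {@link UserDao}.
 *
 * <p>For authorization it resolves the principal's roles and permission strings;
 * for authentication it supplies the stored password hash and the salt. The
 * actual password comparison is done by the HashedCredentialsMatcher configured
 * on this realm in the Spring context (hashAlgorithmName / hashIterations), so
 * the salt produced here must match the way the stored hashes were generated.
 */
public class MyRealm extends AuthorizingRealm {

    private UserDao userDao;

    /**
     * Collects the roles and permission names of the given principal.
     *
     * @param pc principal collection; the primary principal is the username
     *           this realm stored in {@link #doGetAuthenticationInfo}
     * @return role names and string permissions, or {@code null} when no user
     *         record exists — Shiro then has no authorization info for the
     *         subject, so role/permission checks fail closed instead of throwing
     *         a NullPointerException here
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
        String username = pc.getPrimaryPrincipal().toString();
        User user = userDao.getUser(username);
        if (user == null) {
            return null;
        }
        Set<String> roleNames = new HashSet<>();
        Set<String> permissionNames = new HashSet<>();
        // Flatten the user's roles and each role's permissions into two name sets
        for (Role role : user.getRole()) {
            roleNames.add(role.getRolename());
            for (Permission permission : role.getPermission()) {
                permissionNames.add(permission.getPname());
            }
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(roleNames);
        info.addStringPermissions(permissionNames);
        return info;
    }

    /**
     * Looks up the account for a username/password token.
     *
     * @param tk the submitted token; expected to be a {@link UsernamePasswordToken}
     * @return stored hash plus salt for the matcher, or {@code null} when the
     *         username is unknown (Shiro rejects the login; the login action on
     *         this page catches the resulting AuthenticationException)
     * @throws AuthenticationException per the Shiro contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken tk) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) tk;
        String username = token.getUsername();
        // The original printed username and plaintext password to stdout on every
        // attempt; credentials must never reach logs, so that line is gone.
        User user = userDao.login(username);
        if (user == null) {
            return null;
        }
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, user.getPassword(), getName());
        // Salt = username + the *submitted* password (not a stored per-user random
        // salt). This only verifies correctly if the stored hashes were created
        // with the same algorithm, iteration count and salt rule — that account
        // creation code is not on this page. A random per-user salt stored with
        // the account is the usual design; changing it requires re-hashing.
        String submitted = new String(token.getPassword());
        info.setCredentialsSalt(ByteSource.Util.bytes(username + submitted));
        return info;
    }

    /** Setter used by Spring's byType autowiring to inject the DAO. */
    public void setUserDao(UserDao userDao) {
        this.userDao = userDao;
    }
}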
6.编写登录的action类
/**
 * Handles the login form: wraps the submitted credentials in a Shiro token and
 * asks the current Subject to authenticate.
 *
 * @param username submitted username
 * @param password submitted plaintext password (verified by the realm's matcher)
 * @param request  request used to carry the error message back to the view
 * @param remb     remember-me checkbox; when set, Shiro issues the remember-me cookie
 * @return the "success" view on login, otherwise "login" with a "msg" attribute.
 *         The same generic message is used for every authentication failure,
 *         which avoids telling a caller whether the username exists.
 */
@RequestMapping("/login")
public String login(String username, String password, HttpServletRequest request, boolean remb) {
    Subject currentUser = SecurityUtils.getSubject();
    UsernamePasswordToken credentials = new UsernamePasswordToken(username, password);
    // rememberMe defaults to false on the token, so passing the flag directly is equivalent
    credentials.setRememberMe(remb);
    try {
        currentUser.login(credentials);
    } catch (AuthenticationException failure) {
        request.setAttribute("msg", "用户名或密码错误!");
        return "login";
    }
    return "success";
}