一、在ssm依赖包的基础上引入shiro相关包
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.4.0</version>
</dependency>
二、配置shiro
1.web.xml中的配置
<!-- 配置shiro的过滤器 spring-web的jar包 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2. applicationContext.xml中的配置
<!-- Custom realm (com.zhiyou.shiro.realm.MyRealm, listed in section 三 below).
     No credentialsMatcher is configured on it, so the realm keeps Shiro's default matcher and
     the submitted password is compared directly with the value the realm returns from the
     database (see SimpleAuthenticationInfo in MyRealm.doGetAuthenticationInfo). -->
<bean id="myRealm" class="com.zhiyou.shiro.realm.MyRealm"/>
<!-- SecurityManager bean, wired to the custom realm -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<!-- Shiro request filter.
     The bean id must equal the filter-name declared in web.xml (shiroFilter).
-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Unauthenticated requests are redirected to this page -->
<property name="loginUrl" value="/login.jsp"></property>
<!-- Binds this filter to the SecurityManager -->
<property name="securityManager" ref="securityManager"></property>
<!-- Authenticated but unauthorized requests are sent to this page -->
<property name="unauthorizedUrl" value="/403.html"></property>
<!-- Filter chain rules. The first matching pattern wins, so specific paths go before /**.
     anon        : anonymous access allowed (the filter name is "anon", not "anno")
     authc       : authentication required
     roles[name] : the given role is required
     perms[perm] : the given permission is required
     Example: "/user/** = roles[admin]" would restrict the user/ paths to the admin role.
     The chain below uses only anon and authc (the perms lines are commented out), so
     /user/delete and the other UserController actions are protected by the
     @RequiresPermissions / @RequiresRoles annotations rather than by this chain.
-->
<property name="filterChainDefinitions">
<value>
/css/** = anon
/images/** = anon
/js/** = anon
/user/login=anon
<!-- /user/manager=perms[user:manager]
/user/delete=perms[user:delete] -->
/**=authc
</value>
</property>
</bean>
3.springmvc-servlet.xml中的配置
<!-- 启用shiro注解模式 -->
<aop:config proxy-target-class="true" />
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
三、创建自定义realm类,MyRealm.java
package com.zhiyou.shiro.realm;
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.zhiyou.shiro.bean.Permission;
import com.zhiyou.shiro.bean.Role;
import com.zhiyou.shiro.bean.User;
import com.zhiyou.shiro.service.PermissionService;
import com.zhiyou.shiro.service.RoleService;
import com.zhiyou.shiro.service.UserService;
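public class MyRealm extends AuthorizingRealm{
    @Autowired
    private UserService userService;
    @Autowired
    private RoleService roleService;
    @Autowired
    private PermissionService permissionService;

    /**
     * Authorization: builds the role and permission set of an already authenticated subject.
     *
     * @param principals principals established by {@link #doGetAuthenticationInfo}; the primary
     *                   principal is the username string handed to SimpleAuthenticationInfo there
     * @return the user's roles and string permissions, or {@code null} when the user has no role
     *         (Shiro treats a null AuthorizationInfo as "no roles, no permissions")
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("4.需要授权的用户名"+principals);
        // 1. Read the authenticated username. Use the primary principal explicitly instead of
        //    relying on how PrincipalCollection.toString() happens to format a single entry.
        Object primary = principals.getPrimaryPrincipal();
        if (primary == null) {
            return null;
        }
        String username = primary.toString();
        // 2. Roles assigned to this user.
        List<Role> roles = roleService.findByUsername(username);
        // 3. No roles (or a null result from the service) -> no authorization info.
        if (roles == null || roles.isEmpty()) {
            return null;
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // 4. Add every role and the permissions granted through it.
        for (Role r : roles) {
            System.out.println("5.该用户具有的角色:"+r.getRoleName());
            info.addRole(r.getRoleName());
            List<Permission> ps = permissionService.findByRoleId(r.getRoleid());
            if (ps == null) {
                continue;
            }
            for (Permission p : ps) {
                System.out.println("6.该用户具有的权限:"+p.getUrl());
                // Stored as Shiro wildcard permission strings (e.g. "user:delete"), matched
                // against @RequiresPermissions in the controllers and perms[...] chain rules.
                info.addStringPermission(p.getUrl());
            }
        }
        return info;
    }

    /**
     * Authentication: looks the account up by username and hands Shiro the stored credential.
     *
     * @param token the UsernamePasswordToken submitted by LoginController.login
     * @return account info, or {@code null} when no such user exists (Shiro reports a null
     *         result to the caller as an UnknownAccountException)
     * @throws AuthenticationException as declared by the realm contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        Object principal = token.getPrincipal();
        if (principal == null) {
            return null;
        }
        String username = principal.toString();
        System.out.println("2.开始认证"+username);
        User user = userService.findByUsername(username);
        // NOTE(review): this prints User.toString(); if that includes the password field, the
        // credential ends up in the log — confirm against the User bean.
        System.out.println("3.查询用户信息"+user);
        if (user == null) {
            return null;
        }
        // The stored password is handed to Shiro unchanged. No credentialsMatcher is set on the
        // myRealm bean in applicationContext.xml, so the realm's default SimpleCredentialsMatcher
        // compares the submitted password directly with this value; that only holds if the
        // database stores it in the same form. A HashedCredentialsMatcher plus stored hashes is
        // the usual replacement.
        return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
    }
}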
四、实现权限验证功能
1.登录验证
package com.zhiyou.shiro.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
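@Controller
@RequestMapping("user")
public class LoginController {

    /**
     * Handles /user/login: authenticates the submitted credentials through Shiro.
     *
     * @param username submitted account name
     * @param password submitted password; passed to Shiro only, never written to the log
     * @return a redirect to main.jsp on success, the "login" view when authentication fails
     */
    @RequestMapping("login")
    public String login(String username,String password) {
        // Log the username only: the previous version also wrote the password to stdout.
        System.out.println("1.控制层的登录方法"+username);
        // Authentication is delegated to Shiro; MyRealm.doGetAuthenticationInfo does the lookup.
        Subject subject=SecurityUtils.getSubject();
        UsernamePasswordToken token=new UsernamePasswordToken(username,password);
        try {
            subject.login(token);
            return "redirect:../main.jsp";
        } catch (AuthenticationException e) {
            // Unknown account / wrong password are expected outcomes, not errors: record the
            // exception type for diagnostics instead of a full stack trace and return to the form.
            System.out.println("登录失败:"+e.getClass().getSimpleName());
            return "login";
        } finally {
            // Zero the password array held by the token once Shiro no longer needs it.
            token.clear();
        }
    }
}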
2.权限验证
package com.zhiyou.shiro.controller;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
@RequestMapping("user")
@Controller
@RequiresRoles(value= {"admin","manager"},logical=Logical.OR) //类
public class UserController {

    /** /user/delete: requires the user:delete permission in addition to the class-level role check. */
    @RequestMapping("delete")
    @RequiresPermissions("user:delete") //方法
    public String delete() {
        return render("delete");
    }

    /** /user/update: requires the user:update permission in addition to the class-level role check. */
    @RequestMapping("update")
    @RequiresPermissions("user:update")
    public String update() {
        return render("update");
    }

    /** /user/insert: requires the user:insert permission in addition to the class-level role check. */
    @RequestMapping("insert")
    @RequiresPermissions("user:insert")
    public String insert() {
        return render("insert");
    }

    /** /user/manage: guarded only by the class-level @RequiresRoles (admin OR manager). */
    @RequestMapping("manage")
    public String manage() {
        return render("manage");
    }

    /** Writes the action name to stdout and returns the view shared by every action. */
    private String render(String action) {
        System.out.println(action);
        return "index";
    }
}