博客

Spring整合Shiro做权限控制模块详细案例分析

  • Post author:
  • Post category:其他


1.引入Shiro的Maven依赖

<!-- Spring 整合Shiro需要的依赖 -->

	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-core</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-web</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-ehcache</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-spring</artifactId>
		<version>1.2.1</version>
	</dependency>
	<!-- 除此之外还有一些东西也不可少spring, spring-mvc, ibatis等 spring.3.1.2 spring-mvc.3.1.2 
		ibatis.2.3.4 cglib.2.2 -->




2.web.xml中配置

<!-- 配置shiro的核心拦截器 -->
	<filter>  
		<filter-name>shiroFilter</filter-name>  
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
	</filter>  
	<filter-mapping>  
		<filter-name>shiroFilter</filter-name>  
		<url-pattern>/*</url-pattern>  
	</filter-mapping>




3.    编写自己的UserRealm类继承自Realm,主要实现认证和授权的管理操作

package com.jay.demo.shiro;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.jay.demo.bean.Permission;
import com.jay.demo.bean.Role;
import com.jay.demo.bean.User;
import com.jay.demo.service.UserService;

public class UserRealm extends AuthorizingRealm{
	
	@Autowired
	private UserService userService;

	/**
	 * 授权操作
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//		String username = (String) getAvailablePrincipal(principals);
		String username = (String) principals.getPrimaryPrincipal();
		
		Set<Role> roleSet =  userService.findUserByUsername(username).getRoleSet();
		//角色名的集合
		Set<String> roles = new HashSet<String>();
		//权限名的集合
		Set<String> permissions = new HashSet<String>();
		
		Iterator<Role> it = roleSet.iterator();
		while(it.hasNext()){
			roles.add(it.next().getName());
			for(Permission per:it.next().getPermissionSet()){
				permissions.add(per.getName());
			}
		}

		
		SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
		
		authorizationInfo.addRoles(roles);
		authorizationInfo.addStringPermissions(permissions);
		
		
		return authorizationInfo;
	}

	/**
	 * 身份验证操作
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken token) throws AuthenticationException {
		
		String username = (String) token.getPrincipal();
		User user = userService.findUserByUsername(username);
		
		if(user==null){
			//木有找到用户
			throw new UnknownAccountException("没有找到该账号");
		}
		/* if(Boolean.TRUE.equals(user.getLocked())) {  
	            throw new LockedAccountException(); //帐号锁定  
	        } */
		
		/**
		 * 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以在此判断或自定义实现  
		 */
		SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName());
		
		
		return info;
	}
	
	@Override
	public String getName() {
		return getClass().getName();
	}

}




4.在Spring的applicationContext.xml中进行Shiro的相关配置

1、添加shiroFilter定义

Xml代码

  1. <!– Shiro Filter –>
  2. < bean   id = “shiroFilter”   class = “org.apache.shiro.spring.web.ShiroFilterFactoryBean” >
  3. < property   name = “securityManager”   ref = “securityManager”   />
  4. < property   name = “loginUrl”   value = “/login”   />
  5. < property   name = “successUrl”   value = “/user/list”   />
  6. < property   name = “unauthorizedUrl”   value = “/login”   />
  7. < property   name = “filterChainDefinitions” >
  8. < value >
  9. / login  =  anon
  10. /user/** = authc
  11. /role/edit/* = perms[role:edit]
  12. /role/ save  =  perms [role:edit]
  13. /role/ list  =  perms [role:view]
  14. /** = authc
  15. </ value >
  16. </ property >
  17. </ bean >

2、添加securityManager定义

Xml代码

  1. < bean   id = “securityManager”   class = “org.apache.shiro.web.mgt.DefaultWebSecurityManager” >
  2. < property   name = “realm”   ref = “myRealm”   />
  3. </ bean >

3、添加realm定义

Xml代码

  1. < bean   id = ” myRealm”   class = “com.jay.demo.shiro.

    UserRealm<span class="attribute-value" style="font-size: 1em; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', Consolas, 'Courier New', monospace; background-color: rgb(250, 250, 250);">"</span><span style="color: black; font-size: 1em; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', Consolas, 'Courier New', monospace; background-color: rgb(250, 250, 250);"> </span><span class="tag" style="font-size: 1em; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', Consolas, 'Courier New', monospace; color: rgb(0, 102, 153); font-weight: bold; background-color: rgb(250, 250, 250);">/></span><span style="color: black; font-size: 1em; font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', Consolas, 'Courier New', monospace; background-color: rgb(250, 250, 250);">  </span>

4、配置EhCache

< bean   id = “cacheManager”   class = “org.apache.shiro.cache.ehcache.EhCacheManager”   />

5、 保证实现了Shiro内部lifecycle函数的bean执行 

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>


特别注意:

如果使用Shiro相关的注解,需要在springmvc-servlet.xml中配置一下信息 

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>




备注:Shiro权限管理的过滤器解释:

默认过滤器(10个) 
anon -- org.apache.shiro.web.filter.authc.AnonymousFilter
authc -- org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic -- org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms -- org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port -- org.apache.shiro.web.filter.authz.PortFilter
rest -- org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles -- org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl -- org.apache.shiro.web.filter.authz.SslFilter
user -- org.apache.shiro.web.filter.authc.UserFilter
logout -- org.apache.shiro.web.filter.authc.LogoutFilter


anon:例子/admins/**=anon 没有参数,表示可以匿名使用。 
authc:例如/admins/user/**=authc表示需要认证(登录)才能使用,没有参数 
roles:例子/admins/user/**=roles[admin],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,当有多个参数时,例如admins/user/**=roles["admin,guest"],每个参数通过才算通过,相当于hasAllRoles()方法。 
perms:例子/admins/user/**=perms[user:add:*],参数可以写多个,多个时必须加上引号,并且参数之间用逗号分割,例如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才通过,想当于isPermitedAll()方法。 
rest:例子/admins/user/**=rest[user],根据请求的方法,相当于/admins/user/**=perms[user:method] ,其中method为post,get,delete等。 
port:例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等,serverName是你访问的host,8081是url配置里port的端口,queryString是你访问的url里的?后面的参数。 
authcBasic:例如/admins/user/**=authcBasic没有参数表示httpBasic认证 
ssl:例子/admins/user/**=ssl没有参数,表示安全的url请求,协议为https 
user:例如/admins/user/**=user没有参数表示必须存在用户,当登入操作时不做检查

码源:

mingli

有兴趣的朋友们可以前往球球哦~一起分享学习技术:2042849237


版权声明:本文为qq_38409948原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。