Shiro執行流程:應用程序—>Subject—>SecurityManager—>Realm—>安全數據
導入maven座標(`${shiro.version}` 應指向目前仍在維護的正式版本,不要沿用教程中的舊版本號:舊版 Shiro 曾公布過多個路徑比對認證繞過與 rememberMe 反序列化問題的修補,升級版本是最直接的防護)
<!-- 權限控制 框架 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-all</artifactId>
<version>${shiro.version}</version>
</dependency>
web.xml 配置 shiroFilter(核心控制器)時,filter-name 並非一定要叫 shiroFilter,但 DelegatingFilterProxy 預設以 filter-name 作為要委派的 Spring bean 名稱,因此它必須與 Spring 設定檔中的 bean id 完全一致,而且區分大小寫;本例兩邊都用 shiroFilter。
<!-- shiro的Filter -->
<filter>
<!-- 去spring配置文件中尋找同名bean -->
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
在application-shiro.xml主配置文件中,配置shiroFilter時,bean的id的名字要與web.xml中配置的核心 過濾器的filtername名稱一樣。
<!-- 配置Shiro核心Filter -->
<bean id="shiroFilter"
class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
配置安全管理器和 Shiro 生命週期處理器 LifecycleBeanPostProcessor(下面只列出 shiroFilter bean 的屬性;LifecycleBeanPostProcessor 的 bean 定義本頁未列出,需另行補上)
/login.html 後面加上 * 是因為容器做 URL 重寫時會在路徑後附加 ;jsessionid=...,例如:
http://localhost:6001/ikayakibos_management/login.html;jsessionid=68A360BFE7413C7CEAE81E5069F1EE81
這種寫法會把 session id 暴露在網址、瀏覽器歷史與 Referer 中。較好的做法是在 web.xml 加上 <session-config><tracking-mode>COOKIE</tracking-mode></session-config>(Servlet 3.0+)只以 Cookie 追蹤 session,並將 Cookie 設為 HttpOnly/Secure;這樣就不需要依賴 * 去匹配 jsessionid 後綴。
/**=authc 必須放在最後:Shiro 依定義順序逐條比對路徑,第一條符合的規則就生效,若 /** 放在前面,後面的 anon 規則永遠不會被用到。
<!-- 安全管理器 -->
<property name="securityManager" ref="securityManager" />
<!-- 未認證,跳轉到哪個頁面 -->
<property name="loginUrl" value="/login.html" />
<!-- 登錄成功跳轉頁面 -->
<property name="successUrl" value="/index.html" />
<!-- 認證後,沒有權限跳轉頁面 -->
<property name="unauthorizedUrl" value="/unauthorized.html" />
<!-- shiro URL控制過濾器規則(依定義順序逐條比對,第一條符合的規則生效,因此 /** 通配規則必須放在最後)
anon 不需認證即可訪問。每一條 anon 規則都是未認證的攻擊面,只應放行真正公開的靜態資源與登入入口;本例的 /services/** 與 /upload/** 整個目錄都不需登入即可訪問,需確認其下沒有敏感操作或可被任意上傳/下載的內容
authc 必須經過登入認證後才能訪問
perms 需要具備指定權限才能訪問,例如 perms[courier:list]
roles 需要具備指定角色才能訪問
user 只要求「已知用戶」:已登入或透過 rememberMe 被記住的用戶都可通過,比 authc 寬鬆,不應用於敏感操作
port 需要透過指定端口才能訪問(不常用)
rest 依 HTTP 方法(GET→read、POST→create 等)轉換成權限字串後再檢查(不常用)
* 匹配單一路徑層級內的任意字元(不含 /)
** 匹配任意深度的路徑(含子目錄)
-->
<property name="filterChainDefinitions">
<value>
/login.html* = anon
/css/** = anon
/js/** = anon
/upload/** = anon
/images/** = anon
/validatecode.jsp* = anon
/services/** = anon
/user_login.action* = anon
/pages/base/courier.html* = perms[courier:list]
/** = authc
</value>
</property>
</bean>
Action代碼
package com.ikayaki.bos.web.action.system;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Namespace;
import org.apache.struts2.convention.annotation.ParentPackage;
import org.apache.struts2.convention.annotation.Result;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Controller;
import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.web.action.common.BaseAction;
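@ParentPackage("json-default")
@Namespace("/")
@Controller
@Scope("prototype")
public class UserAction extends BaseAction<User> {
    private static final long serialVersionUID = 1L;

    private static final Logger LOG = Logger.getLogger(UserAction.class.getName());

    /**
     * Shiro-backed login entry point for the {@code user_login} action.
     *
     * The username/password are read from the bound {@code model} (request input) and handed
     * to Shiro as a {@link UsernamePasswordToken}; the configured realm does the lookup and
     * credential comparison.
     *
     * Result mapping: {@code SUCCESS} redirects to index.html, {@code INPUT} redirects back to
     * login.html. (The earlier mapping had these two swapped, sending a successfully
     * authenticated user back to the login page and a failed login to the protected index.)
     *
     * @return {@code SUCCESS} when {@code subject.login} completes, {@code INPUT} on any
     *         {@link AuthenticationException}
     */
    @Action(value = "user_login", results = {
            @Result(name = "success", location = "index.html", type = "redirect"),
            @Result(name = "input", location = "login.html", type = "redirect") })
    public String login() {
        Subject subject = SecurityUtils.getSubject();
        String username = model.getUsername();
        // Credentials come straight from the request; they go to Shiro and are never logged.
        AuthenticationToken token = new UsernamePasswordToken(username, model.getPassword());
        try {
            subject.login(token);
            // NOTE(review): confirm whether this Shiro version regenerates the session id on
            // login; if it does not, invalidate and recreate the session here so a session id
            // fixed before authentication cannot be reused afterwards.
            return SUCCESS;
        } catch (AuthenticationException e) {
            // Every failure type (unknown account, wrong password, locked, ...) deliberately maps
            // to the same INPUT result so the response does not reveal which usernames exist.
            // Log enough for brute-force detection (who, what kind of failure) but neither the
            // password nor a full stack trace. The username is user-supplied, so CR/LF are
            // stripped to keep one log record per line.
            String safeUser = String.valueOf(username).replaceAll("[\\r\\n]", "_");
            LOG.log(Level.WARNING, "Login failed for user {0}: {1}",
                    new Object[] {safeUser, e.getClass().getSimpleName()});
            return INPUT;
        }
    }
}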
自定義 Realm 對象,實現認證方法(實際開發中只需要繼承 AuthorizingRealm)。注意:認證方法回傳的是資料庫中儲存的密碼,由 realm 上的 CredentialsMatcher 與用戶輸入的密碼比對;未另行配置時 Shiro 使用的是逐字比對,只適用於明文儲存的密碼,正式環境應改為加鹽雜湊儲存並配置 HashedCredentialsMatcher。
package com.ikayaki.bos.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.service.system.UserService;
// Custom Shiro realm backed by the application's user table.
@Service("bosRealm")
public class BosRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;

    /**
     * Authorization hook. Still a stub: a {@code null} AuthorizationInfo gives Shiro no roles
     * or permissions to check against, so every {@code perms[...]} / {@code roles[...]} filter
     * denies every subject (fail closed). Any URL mapped to such a filter stays unreachable
     * until roles/permissions are loaded here.
     *
     * @param principals the authenticated subject's principals (unused for now)
     * @return always {@code null}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return null;
    }

    /**
     * Authentication hook: resolves the submitted username to a stored account.
     *
     * @param token the submitted credentials; with Shiro's default {@code supports()} only a
     *              {@link UsernamePasswordToken} is routed here, which is what the cast relies on
     * @return {@code null} when no account matches (Shiro reports that as an unknown account),
     *         otherwise the stored credential for the realm's CredentialsMatcher to compare
     *         against the submitted password
     * @throws AuthenticationException never thrown directly here; declared for the contract
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken submitted = (UsernamePasswordToken) token;
        User account = userService.findByUsername(submitted.getUsername());
        if (account == null) {
            return null;
        }
        // NOTE(review): no CredentialsMatcher is configured on this realm, so Shiro's default
        // matcher compares account.getPassword() with the submitted password as-is. That is only
        // correct if passwords are stored in plain text — confirm the storage format and
        // configure a (salted) HashedCredentialsMatcher if they are hashed.
        // NOTE(review): the whole User entity, password field included, becomes the session
        // principal and is reachable via SecurityUtils.getSubject().getPrincipal(); consider
        // storing only the id/username as principal.
        return new SimpleAuthenticationInfo(account, account.getPassword(), getName());
    }
}
將自定義Realm注入安全管理器SecurityManager當中
<!-- 注入安全管理器 -->
<bean id="securityManager"
class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="bosRealm" />
</bean>
service代碼
package com.ikayaki.bos.service.system.impl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import com.ikayaki.bos.dao.system.UserRepository;
import com.ikayaki.bos.domain.system.User;
import com.ikayaki.bos.service.system.UserService;
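@Service
@Transactional
public class UserServiceImpl implements UserService {

    @Autowired
    private UserRepository userRepository;

    /**
     * Looks up the account for a login attempt.
     *
     * The submitted username is passed through to the repository. The earlier version dropped
     * it ({@code userRepository.findByUsername()} with no argument), so the lookup was not bound
     * to the account being authenticated at all — an authentication realm must only ever
     * compare credentials against the account selected by the submitted username.
     *
     * @param username the username submitted at login (untrusted input; only used as a bound
     *                 query parameter)
     * @return the matching user, or {@code null} when none exists
     */
    @Override
    public User findByUsername(String username) {
        return userRepository.findByUsername(username);
    }
}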
dao代碼
package com.ikayaki.bos.dao.system;
import org.springframework.data.jpa.repository.JpaRepository;
import com.ikayaki.bos.domain.system.User;
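/**
 * Spring Data JPA repository for {@link User}.
 */
public interface UserRepository extends JpaRepository<User, Integer> {

    /**
     * Derived query selecting the user whose {@code username} equals the argument.
     *
     * The parameter is required: the earlier no-argument {@code findByUsername()} gives Spring
     * Data nothing to bind the {@code username} part of the method name to, so the query cannot
     * be built — and even if it could, the result would not depend on who is logging in.
     *
     * @param username exact username to match; bound as a query parameter, never concatenated
     * @return the matching user, or {@code null} if none
     */
    User findByUsername(String username);
}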
在 shiroFilter 配置中將 user_login.action 放行(登入入口本來就必須匿名可達;但它同時是未認證的攻擊面,建議在應用層加上登入失敗次數限制或帳號鎖定,並考慮只接受 POST 提交帳號密碼)
/user_login.action* = anon