shiro是一個很不錯的安全框架,相對Spring security 來說要簡單易用的多,使用shiro來做web的權限子系統是不錯的選擇。
下面記錄一下shiro和Spring整合的過程:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
- <description>Shiro 配置</description>
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager" />
- <property name="loginUrl" value="/login.jsp" />
- <property name="successUrl" value="/index.jsp" />
- <property name="unauthorizedUrl" value="/login.do" />
- <property name="filterChainDefinitions">
- <value>
- /login.jsp = anon
- /login.do = anon
- /** = authc
- </value>
- </property>
- </bean>
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <!--設置自定義realm-->
- <property name="realm" ref="monitorRealm" />
- </bean>
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- <!--自定義Realm 繼承自AuthorizingRealm-->
- <bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean>
- <!-- securityManager -->
- <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
- <property name="staticMethod"
- value="org.apache.shiro.SecurityUtils.setSecurityManager" />
- <property name="arguments" ref="securityManager" />
- </bean>
- <!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
- <!-- the lifecycleBeanProcessor has run: -->
- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager"/>
- </bean>
- </beans>
將shiro的配置文件引入到web.xml中:
並在web.xml中加入如下代碼:
- <!-- Shiro Security filter -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- <init-param>
- <param-name>targetFilterLifecycle</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>*.do</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>*.jsp</url-pattern>
- </filter-mapping>
實現自己的Realm
- @Service("monitorRealm")
- public class MonitorRealm extends AuthorizingRealm {
- @Autowired UserService userService;
- @Autowired RoleService roleService;
- @Autowired LoginLogService loginLogService;
- public MonitorRealm(){
- super();
- }
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- /*這裏編寫授權代碼*/
- }
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(
- AuthenticationToken authcToken) throws AuthenticationException {
- /*這裏編寫認證代碼*/
- }
- public void clearCachedAuthorizationInfo(String principal) {
- SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
- clearCachedAuthorizationInfo(principals);
- }
- }
登錄時的代碼示例:
- Subject currentUser = SecurityUtils.getSubject();
- if(!currentUser.isAuthenticated()){
- UsernamePasswordToken token;
- if(null == rememberMe)
- token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()),false,request.getRemoteAddr());
- else token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()), true, request.getRemoteAddr());
- try {
- currentUser.login(token);
- } catch ( AuthenticationException ae ) {
- request.setAttribute("message", "用戶名或密碼錯誤!");
- return "login";
- }
- }
執行currentUser.login(token);這句代碼時,shiro會自動調用用戶實現的Realm的doGetAuthenticationInfo進行身份認證。
登出時的代碼示例:
- Subject currentUser = SecurityUtils.getSubject();
- if (currentUser != null) {
- currentUser.logout();
- }
- HttpSession session = request.getSession(false);
- if( session != null ) {
- session.invalidate();
- }
- return "login";
在對用戶(角色)進行授權時會執行Realm裏的doGetAuthorizationInfo方法。
OK簡單的集成完成了,如果用cas或者Springsecurity恐怕沒這麼簡單利索 哈哈。
類似功能鏈接:http://kdboy.iteye.com/blog/1103794
其它鏈接:
http://kdboy.iteye.com/blog/1154644
http://kdboy.iteye.com/blog/1154652
http://kdboy.iteye.com/blog/1155450
http://kdboy.iteye.com/blog/1169631
http://kdboy.iteye.com/blog/1169637
官方名詞解釋:http://shiro.apache.org/terminology.html
官方權限解釋:http://shiro.apache.org/permissions.html