Understanding Shiro

Spring first scans the configuration file for the Shiro section and uses it to intercept URLs.

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- Shiro's core security interface; this property is required -->
        <property name="securityManager" ref="securityManager"/>
        <!-- When authentication fails, redirect to the login page -->
        <property name="loginUrl" value="/index"/>
        <!-- When authorization fails, redirect to the specified page -->
        <property name="unauthorizedUrl" value="/unauthor.jsp"/>
        <!-- Shiro URL constraints, i.e. the filter chain definitions -->
        <property name="filterChainDefinitions">
            <value>
                /login=anon
                /admin=authc
                /student=roles[teacher]
            </value>
        </property>
</bean>

Spring scans its configuration first, including the Shiro section. If you go directly to /admin, or to /login with a non-matching identity, authentication fails and Shiro redirects to the loginUrl value (/index, whose Controller forwards to the login page index.jsp), forcing a login. The login form is then submitted to the Controller for verification.

Note: as long as the class's property names match the name attributes of the front-end form fields, they are bound one-to-one and the object is obtained directly.

public String login(User user, HttpServletRequest req) {
    Subject subject = SecurityUtils.getSubject();
    String username = req.getParameter("Username");
    String password = req.getParameter("Password");
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token); // delegate authentication to the Realm
        Session session = subject.getSession();
        System.out.println("sessionid" + session.getId());
        System.out.println("sessionhost" + session.getHost());
        System.out.println("sessionTimeout" + session.getTimeout());
        session.setAttribute("info", "data stored in the session");
        return "/success";
    } catch (AuthenticationException e) {
        // The post was cut off here; on failure, return to the login page
        return "/index";
    }
}
subject.login invokes MyRealm for verification; the realm is wired in through the Spring configuration:

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myrealm"/>
</bean>
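The login Controller method above is cut off before its catch block. The following is an added example, not the post's own code, showing how the same method can handle each of Shiro's authentication exceptions; it assumes the form field names "Username"/"Password" and the view names "/index" and "/success" used on the page, and omits the Spring MVC annotations.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;

/**
 * Added example (not the original post's code): the login method with the
 * cut-off catch block filled in. View names "/index" (login page) and
 * "/success" are those used on the page; the error attribute name is assumed.
 */
public class LoginController {

    public String login(HttpServletRequest req) {
        // Field names match the page's form
        String username = req.getParameter("Username");
        String password = req.getParameter("Password");
        if (username == null || password == null) {
            req.setAttribute("error", "Username and password are required");
            return "/index";
        }
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        token.setRememberMe(false);   // no persistent login cookie from this form

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(token);     // delegates to MyRealm.doGetAuthenticationInfo
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // One message for both cases so the response does not reveal which usernames exist
            req.setAttribute("error", "Invalid username or password");
            return "/index";
        } catch (LockedAccountException e) {
            req.setAttribute("error", "This account is locked");
            return "/index";
        } catch (ExcessiveAttemptsException e) {
            req.setAttribute("error", "Too many failed attempts, try again later");
            return "/index";
        } catch (AuthenticationException e) {
            // Any other realm failure: log it server-side, keep the client message generic
            req.setAttribute("error", "Login failed");
            return "/index";
        } finally {
            token.clear();            // wipe the password chars held in the token
        }

        // Authenticated: the Subject's session now carries the principal, so
        // /admin (authc) passes, and /student passes if the realm granted role "teacher".
        Session session = subject.getSession();
        session.setAttribute("info", "data stored in the session");
        return "/success";
    }
}
```

UnknownAccountException is what Shiro raises when the realm returns null from doGetAuthenticationInfo, and IncorrectCredentialsException when the credentials matcher rejects the password; mapping both to the same message keeps the login response from distinguishing existing usernames from unknown ones.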

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    String username = (String) authenticationToken.getPrincipal();
    User user = userService.getByUserName(username);
    if (user != null) {
        // principal, stored credentials, realm name
        AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "xxx");
        return authenticationInfo;
    } else {
        return null;
    }
}
This method is responsible for authentication.
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    String username = (String) principalCollection.getPrimaryPrincipal();
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.setRoles((Set<String>) userService.getRoles(username));
    authorizationInfo.setStringPermissions((Set<String>) userService.getPermissions(username));
    return authorizationInfo;
}
This method fetches the roles and permissions for that identity from the database and grants them. If verification fails, an exception is thrown; if it passes, the information is stored in the Session, and /admin can then be accessed.
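The realm above hands user.getPassword() straight to SimpleAuthenticationInfo, so whatever the database stores is compared as-is. The following is an added example, not the post's own code, of the same two realm methods with a HashedCredentialsMatcher so that only a salted hash is stored and compared; the in-memory UserRecord map stands in for the page's userService, and the main method runs the realm with a plain DefaultSecurityManager instead of the Spring wiring. The realm name comes from getName() rather than the page's "xxx" placeholder.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Added example (not the post's code): MyRealm backed by salted, iterated password hashes. */
public class MyRealm extends AuthorizingRealm {
    static final String HASH_ALGORITHM = "SHA-256";
    static final int HASH_ITERATIONS = 10000;

    /** Constructed stand-in for a database row; replaces the page's userService. */
    static final class UserRecord {
        final String username, passwordHash, salt;
        final Set<String> roles, permissions;
        UserRecord(String u, String h, String s, Set<String> r, Set<String> p) {
            username = u; passwordHash = h; salt = s; roles = r; permissions = p;
        }
    }

    private final Map<String, UserRecord> users;

    MyRealm(Map<String, UserRecord> users) {
        this.users = users;
        // The matcher re-hashes the submitted password with the stored salt and compares
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        UserRecord user = users.get(username);
        if (user == null) {
            return null; // Shiro turns this into UnknownAccountException
        }
        // Hash plus its salt; the matcher does the comparison, the realm never sees the plaintext
        return new SimpleAuthenticationInfo(user.username, user.passwordHash,
                ByteSource.Util.bytes(user.salt), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        UserRecord user = users.get(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (user != null) {
            info.setRoles(user.roles);
            info.setStringPermissions(user.permissions);
        }
        return info;
    }

    /** Hashes a new password exactly the way the matcher will verify it (registration / password change). */
    static UserRecord newUser(String username, String plaintext, Set<String> roles, Set<String> perms) {
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new SimpleHash(HASH_ALGORITHM, plaintext, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
        return new UserRecord(username, hash, salt, roles, perms);
    }

    public static void main(String[] args) {
        Map<String, UserRecord> users = new HashMap<>();
        // Constructed sample user; the password here is only for the demo
        users.put("alice", newUser("alice", "correct horse battery",
                Collections.singleton("teacher"), Collections.singleton("student:read")));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new MyRealm(users)));

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "correct horse battery"));
        System.out.println("authenticated: " + subject.isAuthenticated());   // true
        System.out.println("role teacher (/student): " + subject.hasRole("teacher")); // true
        subject.logout();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName()); // IncorrectCredentialsException
        }
    }
}
```

With the Spring wiring from the page, the same matcher is attached by declaring a HashedCredentialsMatcher bean with the same hashAlgorithmName and hashIterations and setting it as the realm's credentialsMatcher property; the salt must be hashed into the stored value with the same algorithm and iteration count, otherwise every login fails.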
