First, Spring scans the configuration file and reads the Shiro section, which is what performs the URL interception:

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Shiro's core security interface; this property is mandatory -->
    <property name="securityManager" ref="securityManager"/>
    <!-- where to redirect when authentication fails: the login page -->
    <property name="loginUrl" value="/index"/>
    <!-- where to redirect when authorization (permission check) fails -->
    <property name="unauthorizedUrl" value="/unauthor.jsp"/>
    <!-- Shiro URL constraints, i.e. the filter chain definitions -->
    <property name="filterChainDefinitions">
        <value>
            /login=anon
            /admin=authc
            /student=roles[teacher]
        </value>
    </property>
</bean>
The Spring configuration is scanned first, and the Shiro-related part within it. Requesting /admin directly, or /login with a non-matching identity, fails authentication and redirects to the value of loginUrl (/index has a Controller that forwards to the login page index.jsp), forcing the user to log in. The login form is then submitted to the Controller for verification.
Note: as long as the class's property names match the front-end name values one to one, the bound object is obtained directly.
public String login(User user, HttpServletRequest req) {
    Subject subject = SecurityUtils.getSubject();
    String username = req.getParameter("Username");
    String password = req.getParameter("Password");
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    try {
        subject.login(token); // hands the token to the Realm for authentication
        Session session = subject.getSession();
        System.out.println("sessionid" + session.getId());
        System.out.println("sessionhost" + session.getHost());
        System.out.println("sessionTimeout" + session.getTimeout());
        session.setAttribute("info", "session的數據");
        return "/success";
    } catch (AuthenticationException e) {
        // authentication failed: send the user back to the loginUrl configured above
        return "/index";
    }
}
subject.login calls MyRealm for verification; the realm is wired in through the Spring configuration file:

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myrealm"/>
</bean>
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    String username = (String) authenticationToken.getPrincipal();
    User user = userService.getByUserName(username);
    if (user != null) {
        // principal, stored credentials, realm name; Shiro's credentials matcher compares the token against these
        AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "xxx");
        return authenticationInfo;
    } else {
        // unknown user: returning null makes Shiro raise an AuthenticationException
        return null;
    }
}
This method is responsible for authentication.

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    String username = (String) principalCollection.getPrimaryPrincipal();
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    // roles and permissions loaded from the database for this principal
    authorizationInfo.setRoles((Set<String>) userService.getRoles(username));
    authorizationInfo.setStringPermissions((Set<String>) userService.getPermissions(username));
    return authorizationInfo;
}
This method is responsible for fetching the corresponding roles and permissions from the database and granting them to the authenticated identity. If verification fails, an exception is thrown; if it passes, the information is stored in the Session, and /admin can then be accessed.
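An added, stand-alone example (not this post's code) that wires the two Realm methods above into a plain DefaultSecurityManager and drives the same decision the chain "/student=roles[teacher]" makes: authc first, then the role check. It assumes a constructed in-memory map in place of userService, and, unlike the post's realm which hands Shiro the stored password as-is for a direct comparison, it stores a salted SHA-256 hash and lets HashedCredentialsMatcher do the comparison (Shiro 1.x API).

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;
public class RealmDemo {
    // Constructed in-memory stand-in for userService: username -> {salt, hex SHA-256 hash, comma-separated roles}
    static final Map<String, String[]> USERS = new HashMap<>();
    static class MyRealm extends AuthorizingRealm {
        MyRealm() {
            HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            m.setHashIterations(1024);
            setCredentialsMatcher(m); // hashes the submitted password with the returned salt and compares
        }
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String[] rec = USERS.get((String) token.getPrincipal());
            if (rec == null) return null; // Shiro turns null into an UnknownAccountException
            return new SimpleAuthenticationInfo(token.getPrincipal(), rec[1], ByteSource.Util.bytes(rec[0]), getName());
        }
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setRoles(new HashSet<>(Arrays.asList(USERS.get((String) principals.getPrimaryPrincipal())[2].split(","))));
            return info;
        }
    }
    // Mirrors what the chain "/student=roles[teacher]" decides: authc first, then the role check.
    static boolean canOpenStudent(String username, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(username, password)); // authc
            boolean ok = subject.hasRole("teacher");                      // roles[teacher]
            subject.logout();
            return ok;
        } catch (AuthenticationException e) {
            return false; // bad password or unknown user: authorization is never consulted
        }
    }
    public static void main(String[] args) {
        USERS.put("alice", new String[]{"salt-alice", new Sha256Hash("correct horse", "salt-alice", 1024).toHex(), "teacher"});
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new MyRealm()));
        System.out.println(canOpenStudent("alice", "correct horse")); // right password and the teacher role
        System.out.println(canOpenStudent("alice", "wrong"));         // rejected during authc
    }
}
```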