shiro是一款java安全框架、簡單而且可以滿足實際的工作需要
第一步、導入maven依賴
Java代碼 ![收藏代碼]()
- <!-- shiro -->
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- <version>${org.apache.shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- <version>${org.apache.shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-spring</artifactId>
- <version>${org.apache.shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-ehcache</artifactId>
- <version>${org.apache.shiro.version}</version>
- </dependency>
第二步、在項目中定義shiro的過濾器(shiro的實現主要是通過filter實現)
Java代碼 ![收藏代碼]()
- <!-- Shiro Security filter -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- <init-param>
- <param-name>targetFilterLifecycle</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- <dispatcher>REQUEST</dispatcher>
- </filter-mapping>
第三步、創建一個Realm
Java代碼 ![收藏代碼]()
- public class UserRealm extends AuthorizingRealm {
- @Autowired
- private UserBiz biz;
- //驗證用戶信息,認證的實現
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
- String userno = (String) authenticationToken.getPrincipal();
- String password = new String((char[]) authenticationToken.getCredentials());
- Result<RcUser> result = biz.login(userno, password);
- if (result.isStatus()) {
- Session session = SecurityUtils.getSubject().getSession();
- session.setAttribute(Constants.Token.RONCOO, userno);
- RcUser user = result.getResultData();
- return new SimpleAuthenticationInfo(user.getUserNo(), user.getPassword(), getName());
- }
- return null;
- }
- //驗證用戶的權限,實現認證
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
- String userno = (String) principals.getPrimaryPrincipal();
- Result<RcUser> result = biz.queryByUserNo(userno);
- if(result.isStatus()){
- Result<List<RcRole>> resultRole = biz.queryRoles(result.getResultData().getId());
- if(resultRole.isStatus()){
- //獲取角色
- HashSet<String> roles = new HashSet<String>();
- for (RcRole rcRole : resultRole.getResultData()) {
- roles.add(rcRole.getRoleValue());
- }
- System.out.println("角色:"+roles);
- authorizationInfo.setRoles(roles);
- //獲取權限
- Result<List<RcPermission>> resultPermission = biz.queryPermissions(resultRole.getResultData());
- if(resultPermission.isStatus()){
- HashSet<String> permissions = new HashSet<String>();
- for (RcPermission rcPermission : resultPermission.getResultData()) {
- permissions.add(rcPermission.getPermissionsValue());
- }
- System.out.println("權限:"+permissions);
- authorizationInfo.setStringPermissions(permissions);
- }
- }
- }
- return authorizationInfo;
- }
- }
第四步、添加shiro配置
Java代碼 ![收藏代碼]()
- 1、shiro緩存
- <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE xml>
- <ehcache updateCheck="false" name="shiroCache">
- <!-- http://ehcache.org/ehcache.xml -->
- <defaultCache
- maxElementsInMemory="10000"
- eternal="false"
- timeToIdleSeconds="120"
- timeToLiveSeconds="120"
- overflowToDisk="false"
- diskPersistent="false"
- diskExpiryThreadIntervalSeconds="120"
- />
- </ehcache>
- 2、在spring的core配置文件中配置shiro
- <description>Shiro安全配置</description>
- <bean id="userRealm" class="com.roncoo.adminlte.controller.realm.UserRealm" />
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <property name="realm" ref="userRealm" />
- <property name="cacheManager" ref="shiroEhcacheManager" />
- </bean>
- <!-- Shiro 過濾器 -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <!-- Shiro的核心安全接口,這個屬性是必須的 -->
- <property name="securityManager" ref="securityManager" />
- <!-- 身份認證失敗,則跳轉到登錄頁面的配置 -->
- <property name="loginUrl" value="/login" />
- <property name="successUrl" value="/certification" />
- <property name="unauthorizedUrl" value="/error" />
- <!-- Shiro連接約束配置,即過濾鏈的定義 -->
- <property name="filterChainDefinitions">
- <value>
- /login = authc
- /exit = anon
- /admin/security/list=authcBasic,perms[admin:read]
- /admin/security/save=authcBasic,perms[admin:insert]
- /admin/security/update=authcBasic,perms[admin:update]
- /admin/security/delete=authcBasic,perms[admin:delete]
- </value>
- </property>
- </bean>
- <!-- 用戶授權信息Cache, 採用EhCache -->
- <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
- <property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache-shiro.xml" />
- </bean>
- <!-- 保證實現了Shiro內部lifecycle函數的bean執行 -->
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- <!-- AOP式方法級權限檢查 -->
- <bean
- class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
- depends-on="lifecycleBeanPostProcessor">
- <property name="proxyTargetClass" value="true" />
- </bean>
- <bean
- class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager" />
- </bean>
第五步、shiro退出登錄的實現
Java代碼 ![收藏代碼]()
- 第一種方式
- /**
- * 退出登陸操作
- */
- @RequestMapping(value = "/exit", method = RequestMethod.GET)
- public String exit(RedirectAttributes redirectAttributes, HttpSession session) {
- session.removeAttribute(Constants.Token.RONCOO);
- SecurityUtils.getSubject().logout();
- redirectAttributes.addFlashAttribute("msg", "您已經安全退出");
- return redirect("/login");
- }
- 第二種方式:在shiroFilter的約束配置中配置
- <!-- Shiro連接約束配置,即過濾鏈的定義 -->
- <property name="filterChainDefinitions">
- <value>
- /exit = logout
- </value>
- </property>