maven工程的pom文件引入相关的依赖就不赘述了。下面开始过程:
shiro本质还是过滤器所以,
首先在web.xml中进行如下配置:
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
然后spring-shiro.xml的配置大致如下:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:p="http://www.springframework.org/schema/p" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd">
<!-- 自定义的Realm实现 -->
<bean id="bugeasyRealm" class="bugeasy.shiro.BugeasyRealm"></bean>
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="bugeasyRealm" />
<property name="sessionManager" ref="sessionManager" />
<property name="cacheManager" ref="cacheManager"/>
</bean>
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"/>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/pages/login.jsp"></property>
<property name="successUrl" value="/pages/main.jsp"/>
<property name="unauthorizedUrl" value="/pages/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<!--
anon 访客访问;
authc 认证通过即可;
user 记住的或者认证通过的;
-->
<value>
/user/login = anon
/js/** = anon
/images/** = anon
/index.jsp = anon
/pages/register.jsp = anon
/pages/login.jsp = anon
/logout = logout
/pages/test/testFileUpload.jsp = anon
/file/upload = anon
/** = authc
</value>
</property>
</bean>
<!-- 基于Form表单的身份验证过滤器,不配置将也会注册此过虑器,表单中的用户账号、密码及loginurl将采用默认值,建议配置 -->
<!-- <bean id="formAuthenticationFilter"
class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
表单中账号的input名称
<property name="usernameParam" value="usercode" />
表单中密码的input名称
<property name="passwordParam" value="password" />
<property name="rememberMeParam" value="rememberMe"/>
loginurl:用户登陆地址,此地址是可以http访问的url地址
<property name="loginUrl" value="/user/login" />
</bean> -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
<property name="proxyTargetClass" value="true"/>
</bean>
<!-- 会话ID生成器 -->
<bean id="sessionIdGenerator"
class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
<!-- 会话DAO -->
<bean id="sessionDAO"
class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
<property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
<property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- 会话验证调度器 -->
<bean id="sessionValidationScheduler"
class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
<property name="sessionValidationInterval" value="1800000"/>
<property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- 会话Cookie模板 -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<!-- <constructor-arg value="sid"/> -->
<property name="httpOnly" value="true"/>
<property name="maxAge" value="180000"/>
<constructor-arg name="name" value="shiro.sesssion"/>
<property name="path" value="/"/>
</bean>
<!-- 会话管理器 -->
<bean id="sessionManager"
class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="globalSessionTimeout" value="1800000"/>
<property name="deleteInvalidSessions" value="true"/>
<property name="sessionValidationSchedulerEnabled" value="true"/>
<property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
<property name="sessionDAO" ref="sessionDAO"/>
<property name="sessionIdCookieEnabled" value="true"/>
<property name="sessionIdCookie" ref="sessionIdCookie"/>
</bean>
</beans>
注意:如果用shiro的注解,需要在spring-mvc.xml中配置下面:
<!-- 开启shiro注解的支持。 -->
<aop:config proxy-target-class="true"></aop:config>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
自定义的Realm类:
public class BugeasyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
@Autowired
private RoleService roleService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
System.out.println("--------------------------开始授权认证---------------------------------");
//授权
String username = (String)principals.getPrimaryPrincipal();
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
Set<String> roles = userService.getUserRoleByName(username);
authorizationInfo.setRoles(roles);
Set<String> permissions = roleService.getRolePermissionsByRoleIds(username);
authorizationInfo.setStringPermissions(permissions);
return authorizationInfo;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//身份认证
String name = (String) token.getPrincipal();
String password = new String( (char[])token.getCredentials());
UserBean userBean = new UserBean();
userBean.setName(name);
userBean.setPassword(password);
UserBean hasBean = userService.getUserByNameAndPwd(userBean);
if(hasBean == null){
throw new UnknownAccountException();//没找到帐号
}
AuthenticationInfo info = new SimpleAuthenticationInfo(name,password,"bugeasyRealm");
return info;
}
}
service、dao代码暂时省去。
controller代码如下:
@PostMapping(path="/login")
public ModelAndView loginByShiro(HttpServletRequest request, HttpServletResponse response,@ModelAttribute("user") UserBean user){
ModelAndView mv = new ModelAndView();
if(user != null){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(user.getName(), user.getPassword());
try{
subject.login(token);
mv.addObject("user", user);
mv.addObject("userName", user.getName());
mv.setViewName("/main");
}catch(Exception e){
e.printStackTrace();
mv.addObject("errmsg", "登录的用户名/密码错误,请重新登录");
mv.setViewName("/login");
}
return mv;
}
return mv;
}
JSP页面如果使用标签,需要引入:
<%@taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
这样,就完成了和ssm的整合,项目中就可以使用编程式、注解、JSP标签进行shiro的使用了。