springmvc拦截器实现登录验证

首先创建一个实体类：

Customer：　

package com.petcare.pojo.base;

import java.sql.Date;
import java.sql.Timestamp;

/**
 * Created by frank on 2017/5/7.
 */

public class Customer {
    private Long customerId;
    private String account;
    private String passwd;
    private String customerName;
    private String wechat;
    private String mobile;

    public Long getCustomerId() {
        return customerId;
    }
    public void setCustomerId(Long customerId) {
        this.customerId = customerId;
    }
    public String getAccount() {
        return account;
    }
    public void setAccount(String account) {
        this.account = account;
    }
    public String getPasswd() {
        return passwd;
    }
    public void setPasswd(String passwd) {
        this.passwd = passwd;
    }
    public String getCustomerName() {
        return customerName;
    }
    public void setCustomerName(String customerName) {
        this.customerName = customerName;
    }
    public String getWechat() {
        return wechat;
    }
    public void setWechat(String wechat) {
        this.wechat = wechat;
    }
    public String getMobile() {
        return mobile;
    }
    public void setMobile(String mobile) {
        this.mobile = mobile;
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;

        Customer customer = (Customer) o;

        if (customerId != customer.customerId) return false;
        if (account != null ? !account.equals(customer.account) : customer.account != null) return false;
        if (passwd != null ? !passwd.equals(customer.passwd) : customer.passwd != null) return false;
        if (customerName != null ? !customerName.equals(customer.customerName) : customer.customerName != null)
            return false;
        if (wechat != null ? !wechat.equals(customer.wechat) : customer.wechat != null) return false;
        if (mobile != null ? !mobile.equals(customer.mobile) : customer.mobile != null) return false;
        if (homephone != null ? !homephone.equals(customer.homephone) : customer.homephone != null) return false;
        if (customerSex != null ? !customerSex.equals(customer.customerSex) : customer.customerSex != null)
            return false;
        if (customerBirth != null ? !customerBirth.equals(customer.customerBirth) : customer.customerBirth != null)
            return false;
        if (address != null ? !address.equals(customer.address) : customer.address != null) return false;
        if (createSeid != null ? !createSeid.equals(customer.createSeid) : customer.createSeid != null) return false;
        if (createTime != null ? !createTime.equals(customer.createTime) : customer.createTime != null) return false;
        if (updateTime != null ? !updateTime.equals(customer.updateTime) : customer.updateTime != null) return false;

        return true;
    }

    @Override
    public int hashCode() {
        int result = (int) (customerId ^ (customerId >>> 32));
        result = 31 * result + (account != null ? account.hashCode() : 0);
        result = 31 * result + (passwd != null ? passwd.hashCode() : 0);
        result = 31 * result + (customerName != null ? customerName.hashCode() : 0);
        result = 31 * result + (wechat != null ? wechat.hashCode() : 0);
        result = 31 * result + (mobile != null ? mobile.hashCode() : 0);
        result = 31 * result + (homephone != null ? homephone.hashCode() : 0);
        result = 31 * result + (customerSex != null ? customerSex.hashCode() : 0);
        result = 31 * result + (customerBirth != null ? customerBirth.hashCode() : 0);
        result = 31 * result + (address != null ? address.hashCode() : 0);
        result = 31 * result + (createSeid != null ? createSeid.hashCode() : 0);
        result = 31 * result + (createTime != null ? createTime.hashCode() : 0);
        result = 31 * result + (updateTime != null ? updateTime.hashCode() : 0);
        return result;
    }
}

controller层;

@Controller
public class LoginController {

    private Logger log = LoggerFactory.getLogger(getClass());

    public static final AjaxResponse ACCOUNT_NOT_EXIST = new AjaxResponse(-100101, "账号不存在");
    public static final AjaxResponse PASSWORD_NOT_PASSED = new AjaxResponse(-100102, "您输入密码错误");
    public static final AjaxResponse SYSTEM_BUSY = new AjaxResponse(-100000, "系统繁忙");
    public static final AjaxResponse ACCOUNT_LOCKED = new AjaxResponse(-100103, "您的帐号被锁定");


    @Autowired
    private CustomerService customerService;

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public  String loginPage(){
        return  "/login";
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    @ResponseBody
    public  AjaxResponse login(String u , String p, HttpSession session){

        // 封装令牌
        UsernamePasswordToken token = new UsernamePasswordToken(u,p);
        Subject subject = null;
        try {
            subject = SecurityUtils.getSubject();
            // 用令牌登陆,如果登陆失败，则抛出异常
            subject.login(token);
            token.clear();
        } catch (AccountNotExistException ex) {
            return ACCOUNT_NOT_EXIST;
        } catch (PasswordWrongException ex) {
            return PASSWORD_NOT_PASSED;
        }
        catch (AccountLockedException ex) {
            return ACCOUNT_LOCKED;
        }
        catch (Exception ex) {
            log.error("login error happend.", ex);
            return SYSTEM_BUSY;
        }

        Customer c = customerService.getBaseCustomer(u);

        // 保存会话
        session.setAttribute(Const.SESSION_SUBJECT, subject); // shiro已登录用户
        session.setAttribute(Const.SESSION_USER_KEY,c );// 登陆用户
        return AjaxResponse.OK;

    }
}

UsernamePasswordToken源码：

package org.apache.shiro.authc;
/**
     * Constructs a new UsernamePasswordToken encapsulating the username and password submitted
     * during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and a
     * <tt>rememberMe</tt> default of <tt>false</tt>.
     *
     * @param username the username submitted for authentication
     * @param password the password character array submitted for authentication
     */
    public UsernamePasswordToken(final String username, final char[] password) {
        this(username, password, false, null);
    }

    /**
     * Constructs a new UsernamePasswordToken encapsulating the username and password submitted
     * during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and
     * a <tt>rememberMe</tt> default of <tt>false</tt>
     * <p/>
     * <p>This is a convience constructor and maintains the password internally via a character
     * array, i.e. <tt>password.toCharArray();</tt>.  Note that storing a password as a String
     * in your code could have possible security implications as noted in the class JavaDoc.</p>
     *
     * @param username the username submitted for authentication
     * @param password the password string submitted for authentication
     */
    public UsernamePasswordToken(final String username, final String password) {
        this(username, password != null ? password.toCharArray() : null, false, null);
    }

 getSubject()源码：

package org.apache.shiro;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;


/**
 * Accesses the currently accessible {@code Subject} for the calling code depending on runtime environment.
 *
 * @since 0.2
 */
public abstract class SecurityUtils {

    /**
     * ONLY used as a 'backup' in VM Singleton environments (that is, standalone environments), since the
     * ThreadContext should always be the primary source for Subject instances when possible.
     */
    private static SecurityManager securityManager;

    /**
     * Returns the currently accessible {@code Subject} available to the calling code depending on
     * runtime environment.
     * <p/>
     * This method is provided as a way of obtaining a {@code Subject} without having to resort to
     * implementation-specific methods.  It also allows the Shiro team to change the underlying implementation of
     * this method in the future depending on requirements/updates without affecting your code that uses it.
     *
     * @return the currently accessible {@code Subject} accessible to the calling code.
     * @throws IllegalStateException if no {@link Subject Subject} instance or
     *                               {@link SecurityManager SecurityManager} instance is available with which to obtain
     *                               a {@code Subject}, which which is considered an invalid application configuration
     *                               - a Subject should <em>always</em> be available to the caller.
     */
    public static Subject getSubject() {
        Subject subject = ThreadContext.getSubject();
        if (subject == null) {
            subject = (new Subject.Builder()).buildSubject();
            ThreadContext.bind(subject);
        }
        return subject;
    }
}

login源码：

/**
     * Performs a login attempt for this Subject/user.  If unsuccessful,
     * an {@link AuthenticationException} is thrown, the subclass of which identifies why the attempt failed.
     * If successful, the account data associated with the submitted principals/credentials will be
     * associated with this {@code Subject} and the method will return quietly.
     * <p/>
     * Upon returning quietly, this {@code Subject} instance can be considered
     * authenticated and {@link #getPrincipal() getPrincipal()} will be non-null and
     * {@link #isAuthenticated() isAuthenticated()} will be {@code true}.
     *
     * @param token the token encapsulating the subject's principals and credentials to be passed to the
     *              Authentication subsystem for verification.
     * @throws org.apache.shiro.authc.AuthenticationException
     *          if the authentication attempt fails.
     * @since 0.9
     */
    void login(AuthenticationToken token) throws AuthenticationException;

clear源码：

/*--------------------------------------------
    |               M E T H O D S               |
    ============================================*/

    /**
     * Clears out (nulls) the username, password, rememberMe, and inetAddress.  The password bytes are explicitly set to
     * <tt>0x00</tt> before nulling to eliminate the possibility of memory access at a later time.
     */
    public void clear() {
        this.username = null;
        this.host = null;
        this.rememberMe = false;

        if (this.password != null) {
            for (int i = 0; i < password.length; i++) {
                this.password[i] = 0x00;
            }
            this.password = null;
        }

    }

四个异常类，此时产生一个疑问，怎么验证数据那，此时需要一个配置我文件spring-shiro：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
    default-lazy-init="true">

    <!-- 安全管理器 -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="shiroDBRealm" />
        <!--<property name="cacheManager" ref="cacheManager" />-->
    </bean>
    <!--<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />-->

    <!-- shiro过滤器 -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login.action" />
        <property name="successUrl" value="/welcome.action" />
        <property name="unauthorizedUrl" value="/login.action" />
        <property name="filterChainDefinitions">
            <value>
            </value>
        </property>
    </bean>
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- 验证数据类 -->
    <bean id="shiroDBRealm" class="com.petcare.admin.security.shiro.ShiroDBRealm" />

</beans>

类shiroDBRealm：

/**
 * Specl.com Inc.
 * Copyright (c) 2010-2011 All Rights Reserved.
 */
package com.petcare.admin.security.shiro;

import com.petcare.admin.service.CustomerService;
import com.petcare.pojo.base.Customer;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.annotation.Resource;



/**
 * 权限数据访问类。
 *
 *
 */
public class ShiroDBRealm extends AuthorizingRealm {

    private Logger log = LoggerFactory.getLogger(this.getClass());

    /**
     * 账号访问层。
     */
    @Resource
    private CustomerService customerService;

    /**
     * 认证方法。
     */
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {

        log.debug("do authentication ，token data [{}]", authcToken);

        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;

        if (token.getUsername() == null) {
            return null;
        }

        // 根据账户名获得账户
         Customer customer = customerService.getBaseCustomer(token.getUsername());

        // 当账号密码不存在
        if (customer == null) {
            log.debug("customer not exist.");
            throw new AccountNotExistException();
        }

        // 当密码错误
        if (!StringUtils.equals(customer.getPasswd(), new String(token.getPassword()))) {
            log.debug("password not equals.");
            throw new PasswordWrongException();
        }

//        if(customer.getIsDelete()==1) {
//            log.debug("customer is locked.");
//            throw new AccountLockedException();
//        }
        return new SimpleAuthenticationInfo(customer.getAccount(), customer.getPasswd(), getName());
    }

    /**
     * 授权方法。
     */
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

        log.debug("do authortization , principals data [{}]", principals);

//        String username = (String) principals.fromRealm(getName()).iterator().next();
//
//        // 根据账户名获得账户
//         CustomerAccount account = customerAccountDao.getAccountByUsername(username);
//
//        if (account == null) {
//            log.debug("account not exist.");
//            throw new AccountNotExistException();
//        }

        // 封装授权信息
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // 将用户的角色字符，进行授权
//        info.addRoles(account.getRoleStringList());
        // 将用户的权限字符，进行授权
//        info.addStringPermissions(account.getPermissionStringList());
        return info;
    }
}

web.xml:

有待修改：

    <!-- listeners -->
    <listener>
        <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!-- shiro,find spring bean by filter name is 'shiroFilter' -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>