shiro权限管理

1.导入jar包shiro-all-1.2.3.jar

2.在resources下的spring包中的ApplicationContext.xml中加入

 

 

 

<!-- ================ Shiro start ================ -->

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="ShiroRealm" />

</bean>

<!-- 項目自定义的Realm -->

    <bean id="ShiroRealm" class="com.fh.interceptor.shiro.ShiroRealm" ></bean>

<!-- Shiro Filter -->

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<property name="securityManager" ref="securityManager" />

<property name="loginUrl" value="/" />

<property name="successUrl" value="/main/index" />

<property name="unauthorizedUrl" value="/login_toLogin" />

<property name="filterChainDefinitions">

<value>

     /login/login = anon

/static/login/** = anon

/static/js/myjs/** = authc

/static/js/** = anon

            /code.do = anon

            /login_login   = anon

            /app**/** = anon

            /weixin/** = anon

            /** = authc

</value>

</property>

</bean>

<!-- ================ Shiro end ================ -->

 

anon是忽略权限，aythc是需要权限

 

3.然后在src下com.fh的interceptor的shiro包中加入ShiroRealm.java文件，内容如下：

 

package com.fh.interceptor.shiro;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authc.AuthenticationInfo;

import org.apache.shiro.authc.AuthenticationToken;

import org.apache.shiro.authc.SimpleAuthenticationInfo;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.subject.PrincipalCollection;

/**

 * @author fh

 *  2015-3-6

 */

public class ShiroRealm extends AuthorizingRealm {

/*

 * 登录信息和用户验证信息验证(non-Javadoc)

 * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)

 */

@Override

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

 

 String username = (String)token.getPrincipal();   //得到用户名

     String password = new String((char[])token.getCredentials()); //得到密码

     if(null != username && null != password){

      return new SimpleAuthenticationInfo(username, password, getName());

     }else{

      return null;

     }      

}

/*

 * 授权查询回调函数,进行鉴权但缓存中无用户的授权信息时调用,负责在应用程序中决定用户的访问控制的方法(non-Javadoc)

 * @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)

 */

@Override

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {

System.out.println("========2");

return null;

}

}

 

 

 

4.在web.xml中配置shiro

<filter>

    <filter-name>shiroFilter</filter-name>

    <filter-class>

org.springframework.web.filter.DelegatingFilterProxy

</filter-class>

    <init-param>

      <param-name>targetFilterLifecycle</param-name>

      <param-value>true</param-value>

    </init-param>

  </filter>

  <filter-mapping>

    <filter-name>shiroFilter</filter-name>

    <url-pattern>/*</url-pattern>

  </filter-mapping>

5.在controller中应用shiro

 

Subject currentUser = SecurityUtils.getSubject();  

Session session = currentUser.getSession();

        

Subject subject = SecurityUtils.getSubject();

UsernamePasswordToken token = new UsernamePasswordToken(userRole.getString("USERID"), userRole.getString("PASSWORD"));

 

subject.login(token);