整合Shiro框架

此部分在上一篇博客搭建的SSM框架基础上进行整合，调试了好几遍终于调通，记录下来便于以后查看。结构如下，红色为新增，蓝色为修改。

1、在maven中添加架包，pom.xml：

在<properties></properties>中添加

<shiro.version>1.2.3</shiro.version>；

在<dependencies></dependencies>中添加

<!-- shiro -->

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-spring</artifactId>

<version>${shiro.version}</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-ehcache</artifactId>

<version>${shiro.version}</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-core</artifactId>

<version>${shiro.version}</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-web</artifactId>

<version>${shiro.version}</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-quartz</artifactId>

<version>${shiro.version}</version>

</dependency>

全部源码：

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"><modelVersion>4.0.0</modelVersion><groupId>SSM</groupId><artifactId>PersonalWeb</artifactId><packaging>war</packaging><version>0.0.1-SNAPSHOT</version><name>TEST Maven Webapp</name><url>http://maven.apache.org</url><!-- <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>3.8.1</version> <scope>test</scope> </dependency> </dependencies> --><properties><!-- spring版本号 --><spring.version>4.0.2.RELEASE</spring.version><!-- mybatis版本号 --><mybatis.version>3.2.6</mybatis.version><!-- log4j日志文件管理包版本 --><slf4j.version>1.7.7</slf4j.version><log4j.version>1.2.17</log4j.version><shiro.version>1.2.3</shiro.version></properties><dependencies><dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.11</version><!-- 表示开发的时候引入，发布的时候不会加载此包 --><scope>test</scope></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-oxm</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-context-support</artifactId><version>${spring.version}</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-test</artifactId><version>${spring.version}</version></dependency><!-- mybatis核心包 --><dependency><groupId>org.mybatis</groupId><artifactId>mybatis</artifactId><version>${mybatis.version}</version></dependency><!-- mybatis/spring包 --><dependency><groupId>org.mybatis</groupId><artifactId>mybatis-spring</artifactId><version>1.2.2</version></dependency><!-- 导入java ee jar 包 --><dependency><groupId>javax</groupId><artifactId>javaee-api</artifactId><version>7.0</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>druid</artifactId><version>1.0.31</version></dependency><!-- 导入Mysql数据库链接jar包 --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.30</version></dependency><!-- 导入dbcp的jar包，用来在applicationContext.xml中配置数据库 --><dependency><groupId>commons-dbcp</groupId><artifactId>commons-dbcp</artifactId><version>1.2.2</version></dependency><!-- JSTL标签类 --><dependency><groupId>jstl</groupId><artifactId>jstl</artifactId><version>1.2</version></dependency><!-- 日志文件管理包 --><!-- log start --><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>${log4j.version}</version></dependency><!-- 格式化对象，方便输出日志 --><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.1.41</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>${slf4j.version}</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>${slf4j.version}</version></dependency><!-- log end --><!-- 映入JSON --><dependency><groupId>org.codehaus.jackson</groupId><artifactId>jackson-mapper-asl</artifactId><version>1.9.13</version></dependency><!-- 上传组件包 --><dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.3.1</version></dependency><dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId><version>2.4</version></dependency><dependency><groupId>commons-codec</groupId><artifactId>commons-codec</artifactId><version>1.9</version></dependency><!-- shiro --><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>${shiro.version}</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-ehcache</artifactId><version>${shiro.version}</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>${shiro.version}</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-web</artifactId><version>${shiro.version}</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-quartz</artifactId><version>${shiro.version}</version></dependency></dependencies><build><finalName>PersonalWeb</finalName><plugins><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.1</version><configuration><source>1.8</source><target>1.8</target></configuration></plugin></plugins></build></project>

2、新增applicationContext-shiro.xml（shiro配置）、

ehcache-shiro.xml（缓存配置）

applicationContext-shiro.xml：

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"xmlns:util="http://www.springframework.org/schema/util" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"><description>apache shiro配置</description><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><property name="securityManager" ref="securityManager" /><property name="loginUrl" value="/rest/login" /><property name="successUrl" value="/rest/index" /><property name="unauthorizedUrl" value="/rest/page/401" /><property name="filterChainDefinitions"><value><!-- 对静态资源设置匿名访问 -->/js/**  = anon/img/**  = anon/css/**  = anon<!-- /js/** = anon --><!-- /styles/** = anon --><!-- 验证码，可匿名访问 --><!-- /validatecode.jsp = anon --><!-- 请求 logout.action地址，shiro去清除session-->/logout = logout<!-- 配置记住我或认证通过可以访问的地址 --><!-- /index.jsp  = user --><!-- /first.action = user --><!-- /welcome.jsp = user --><!-- /** = authc 所有url都必须认证通过才可以访问-->/** = authc<!-- /** = anon所有url都可以匿名访问 --></value></property></bean><!-- 缓存管理器 使用Ehcache实现 --><bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"><property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" /></bean><!-- 会话DAO --><bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.MemorySessionDAO" /><!-- 会话管理器 --><bean id="sessionManager"class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"><property name="sessionDAO" ref="sessionDAO" /></bean><!-- 安全管理器 --><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"><property name="realms"><list><ref bean="securityRealm" /></list></property><!-- cacheManager,集合spring缓存工厂 --><!-- <property name="cacheManager" ref="shiroEhcacheManager" /> --><!-- <property name="sessionManager" ref="sessionManager" /> --></bean><!-- Shiro生命周期处理器 --><bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /></beans>

注意配置<property name="loginUrl" value="/rest/login" />

<property name="successUrl" value="/rest/index" />

以及哪些资源需要身份验证，哪些不需要：anon（资源可访问）、authc（资源需验证后访问）

以及*securityManager！

 

ehcache-shiro.xml：

<ehcache updateCheck="false" name="shiroCache">    <defaultCache            maxElementsInMemory="10000"            eternal="false"            timeToIdleSeconds="120"            timeToLiveSeconds="120"            overflowToDisk="false"            diskPersistent="false"            diskExpiryThreadIntervalSeconds="120"      /></ehcache>

3、web.xml中配置：

<param-value></param-value>中添加

classpath*:applicationContext-shiro.xml，

添加：

<filter>

<filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

<async-supported>true</async-supported>

<init-param>

<param-name>targetFilterLifecycle</param-name>

<param-value>true</param-value>

</init-param>

</filter>

<filter-mapping>

<filter-name>shiroFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

完整代码：

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns="http://java.sun.com/xml/ns/javaee"xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"version="3.0"><display-name>Archetype Created Web Application</display-name><!-- Spring和mybatis的配置文件 --><context-param><param-name>contextConfigLocation</param-name><param-value>classpath:spring-mybatis.xmlclasspath*:applicationContext-shiro.xml</param-value></context-param><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener><!-- 编码过滤器 --><filter><filter-name>encodingFilter</filter-name><filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class><async-supported>true</async-supported><init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param></filter><filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!-- Spring监听器 --><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener><!-- 防止Spring内存溢出监听器 --><listener><listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class></listener><filter><filter-name>shiroFilter</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><async-supported>true</async-supported><init-param><param-name>targetFilterLifecycle</param-name><param-value>true</param-value></init-param></filter><filter-mapping><filter-name>shiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!-- Spring MVC servlet --><servlet><servlet-name>SpringMVC</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><init-param><param-name>contextConfigLocation</param-name><param-value>classpath:spring-mvc.xml</param-value></init-param><load-on-startup>1</load-on-startup><async-supported>true</async-supported></servlet><servlet-mapping><servlet-name>SpringMVC</servlet-name><!-- 此处可以可以配置成*.do，对应struts的后缀习惯 --><!-- 本人习惯使用加rest/前缀 --><!-- <url-pattern>*.do</url-pattern> --><url-pattern>/rest/*</url-pattern></servlet-mapping><welcome-file-list><!-- 欢迎页面，访问/rest/index方法，也可以直接指定一个jsp(index.jsp) --><welcome-file>rest/index</welcome-file></welcome-file-list></web-app>

4、在spring-mvc.xml中添加:

<!-- 开启aop，对类代理 -->

<aop:config proxy-target-class="true"></aop:config>

<!-- 启用shrio授权注解拦截方式 -->

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

    <property name="securityManager" ref="securityManager"/>

</bean>

完整代码：

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"       xmlns:aop="http://www.springframework.org/schema/aop"       xmlns:context="http://www.springframework.org/schema/context"       xmlns:mvc="http://www.springframework.org/schema/mvc"       xmlns:tx="http://www.springframework.org/schema/tx"       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xmlns:p="http://www.springframework.org/schema/p"       xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd         http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd"><!-- 自动扫描该包，使SpringMVC认为包下用了@controller注解的类是控制器 --><context:component-scan base-package="com.lzs.PersonalWeb.controller" /><!--避免IE执行AJAX时，返回JSON出现下载文件 --><bean id="mappingJacksonHttpMessageConverter"class="org.springframework.http.converter.json.MappingJacksonHttpMessageConverter"><property name="supportedMediaTypes"><list><value>text/html;charset=UTF-8</value></list></property></bean><!-- 启动SpringMVC的注解功能，完成请求和注解POJO的映射 --><beanclass="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"><property name="messageConverters"><list><ref bean="mappingJacksonHttpMessageConverter" /> <!-- JSON转换器 --></list></property></bean><!-- 定义跳转的文件的前后缀 ，视图模式配置 --><beanclass="org.springframework.web.servlet.view.InternalResourceViewResolver"><!-- 这里的配置我的理解是自动给后面action的方法return的字符串加上前缀和后缀，变成一个 可用的url地址 --><property name="prefix" value="/WEB-INF/jsp/" /><property name="suffix" value=".jsp" /></bean><!-- 配置文件上传，如果没有使用文件上传可以不用配置，当然如果不配，那么配置文件中也不必引入上传组件包 --><bean id="multipartResolver"class="org.springframework.web.multipart.commons.CommonsMultipartResolver"><!-- 默认编码 --><property name="defaultEncoding" value="utf-8" /><!-- 文件大小最大值 --><property name="maxUploadSize" value="10485760000" /><!-- 内存中的最大值 --><property name="maxInMemorySize" value="40960" /></bean><!-- 开启aop，对类代理 -->    <aop:config proxy-target-class="true"></aop:config>    <!-- 启用shrio授权注解拦截方式 -->    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">        <property name="securityManager" ref="securityManager"/>    </bean></beans>

5、最重要！！！：配置securityManager

在src/main/java中新建com.lzs.PersonalWeb.security包，在下面新建SecurityRealm.java

 

详细解释：

web.xml中配置<welcome-file>rest/index</welcome-file>，欢迎页面为一个方法；applicationContext-shiro.xml中配置<property name="loginUrl" value="/rest/login" />，

a.登录时，走登录方法，进login方法，加载登录页面完成；

b.填写完毕登录信息，点击登录，方法被shiro拦截，先走SecurityRealm.java中的doGetAuthenticationInfo方法，填写的登录信息被shiro自动封装入AuthenticationToken中，从中取出用户填写的信息，与数据库对比，一系列方法自己写。若失败，则登录失败；若成功，将用户信息封装入SecurityUtils中，跳转到<property name="successUrl" value="/rest/index" />配置的index方法，再把信息从SecurityUtils中取出，放入model。。。

SecurityRealm.java:

package com.lzs.PersonalWeb.security;import java.util.Date;import javax.annotation.Resource;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.crypto.hash.Md5Hash;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.util.ByteSource;import org.springframework.stereotype.Component;import com.lzs.PersonalWeb.model.SysUser;import com.lzs.PersonalWeb.service.SysUserService;/** * 用户身份验证,授权 Realm 组件 *  * @author StarZou * @since 2014年6月11日 上午11:35:28 **/@Component(value = "securityRealm")public class SecurityRealm extends AuthorizingRealm {@Resourceprivate SysUserService userService;@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {// TODO Auto-generated method stubreturn null;}@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;// token是用户输入的用户名和密码 // 第一步从token中取出用户名String userName = (String) token.getPrincipal();String passWord = String.valueOf(usernamePasswordToken.getPassword());String passwordString= encrypt(passWord);//加密//SysUser user=userService.selectByPrimaryKey(1);SysUser user = userService.selectByUsername(userName);if(user == null){return null;}else{String truePass = user.getPassword();if(truePass.equals(passwordString)){//user.setLasttime(new Date());//user.setLogintimes(user.getLogintimes()+1);//userService.updateByPrimaryKey(user);}SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(user, passWord,getName());return simpleAuthenticationInfo;}}//清除缓存public void clearCached() {PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();super.clearCache(principals);}    //将传进来密码加密方法      private String encrypt(String data) {          Object sha384Hex = new Md5Hash(data,"jacksung",2);//这里可以选择自己的密码验证方式 比如 md5或者sha256等          return sha384Hex.toString();      }}

login方法：

@RequestMapping("login")//登录    public String login(HttpServletRequest request,Model model,String locateurl) throws Exception    {     System.out.println("进入登录action!");    Subject subject=SecurityUtils.getSubject();    subject.logout();String result="";//如果登陆失败从request中获取认证异常信息，shiroLoginFailure就是shiro异常类的全限定名String exceptionClassName = (String) request.getAttribute("shiroLoginFailure");//根据shiro返回的异常类路径判断，抛出指定异常信息if(exceptionClassName!=null){if (UnknownAccountException.class.getName().equals(exceptionClassName)) {//最终会抛给异常处理器result="账号不存在";} else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {result="密码错误";} else if("randomCodeError".equals(exceptionClassName)){result="验证码错误 ";}else {result="请重试";//最终在异常处理器生成未知错误}}System.out.println("登录页面获取locateurl"+locateurl);model.addAttribute("result", result);model.addAttribute("locateurl", locateurl);//此方法不处理登陆成功（认证成功），shiro认证成功会自动跳转到上一个请求路径//登陆失败还到login页面        return "login";}

Index方法：

@RequestMapping("index")//总页面public String index(Model model){    //从shiro的session中取activeUserSubject subject = SecurityUtils.getSubject();//取身份信息SysUser user = (SysUser) subject.getPrincipal();//通过model传到页面model.addAttribute("user", user);    return "index";}