基于spring的shiro配置
来源:互联网 发布:oppo手机照片导入mac 编辑:程序博客网 时间:2024/05/10 21:57
Shiro继承spring
1.需要所有的springmvc.xml的配置
2.需要所有的web.xml的配置
3.需要所有的pom.xml的依赖
4.需要所有的spring.xml的配置
5.jdbc.properties文件
Web.xml配置
[html] view plain copy
- <!-- 配置shiro的代理过滤器 filter-name的名字和spring中bean的id一样 -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- <init-param>
- <param-name>targetFilterLifecycle</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
在spring.xml中配置realm
[html] view plain copy
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- lt;!-- ref="myDbRealm" 自定义类MyDbRealm加注解@component继承AuthorizingRealm -->
- <property name="realm" ref="myDbRealm"/>
- lt;/bean>
- <!-- 后置处理器(用来注销securityManager) -->
- lt;bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
在spring.xml中配置ini
[html] view plain copy
- <!-- spring 配置ini bean的id与web.xml中filter-name一样-->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager"/>
- <property name="loginUrl" value="/login.html"/>
- <property name="unauthorizedUrl" value="/un.html"/>
- <property name="filterChainDefinitions">
- <value>
- /login.html = anon
- /scu.jsp = authc
- </value>
- </property>
- </bean>
加入依赖:
[html] view plain copy
- 1. <dependency>
- 2. <groupId>org.apache.shiro</groupId>
- 3. <artifactId>shiro-spring</artifactId>
- 4. <version>1.4.0</version>
- 5. </dependency>
自定义filter实现动态配置url拦截
[html] view plain copy
- package cn.et.shiro.conf;
- import java.util.List;
- import java.util.Set;
- import java.util.regex.Pattern;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
- import org.apache.shiro.subject.Subject;
- import org.apache.shiro.util.CollectionUtils;
- import org.apache.shiro.web.filter.authz.AuthorizationFilter;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.stereotype.Component;
- import cn.et.shiro.dao.UserMapper;
- import cn.et.shiro.entity.Menu;
- @Component
- public class MyFilter extends AuthorizationFilter {
- @Autowired
- private ShiroFilterFactoryBean sffb;
- /**
- * 匹配指定过滤器规则的url
- * @param regex
- * @param url
- * @return
- */
- public static boolean matchUrl(String regex,String url){
- regex=regex.replaceAll("/+", "/");
- if(regex.equals(url)){
- return true;
- }
- regex=regex.replaceAll("\\.", "\\\\.");
- // /login.html /l*.html
- regex=regex.replaceAll("\\*", ".*");
- // /**/login.html /a/b/login.html
- if(regex.indexOf("/.*.*/")>=0){
- regex=regex.replaceAll("/\\.\\*\\.\\*/", "((/.*/)+|/)");
- }
- System.out.println(regex+"----"+url);
- return Pattern.matches(regex, url);
- }
- @Autowired
- UserMapper userMapper;
- /**
- * 测试
- * @param args
- */
- public static void main(String[] args) {
- System.out.println(matchUrl("/**/s*.html","/t/g/login.html"));
- }
- /**
- * isAccessAllowed用于判断当前url的请求是否能验证通过 如果验证失败 调用父类的onAccessDenied决定跳转到登录失败页还是授权失败页面
- */
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
- throws Exception {
- HttpServletRequest req=(HttpServletRequest)request;
- String contextPath=req.getContextPath();
- //获取用户访问的资源的路径
- String url=req.getRequestURI();
- url=url.split(contextPath)[1];
- //获取哪些url需要哪些认证
- //List<Menu> queryMenu=userMapper.queryMenuByUrl(url);
- List<Menu> queryMenu=userMapper.qieryMenu();
- if(queryMenu.size()==0){
- return false;
- }
- String urlAuth=null;
- for(Menu menu:queryMenu){
- if(matchUrl(menu.getMenuUrl(),url)){
- //取出权限
- urlAuth=menu.getMenuFilter();
- }
- }
- //通数据库没有配置当前url的授权
- if(urlAuth==null){
- return false;
- }
- //配置的过滤器是anon 直接放过
- if(urlAuth.startsWith("anon")){
- return true;
- }
- //配置的是authc 判断当前用户是否认证通过
- Subject subject = getSubject(request, response);
- if(urlAuth.startsWith("authc")){
- return subject.isAuthenticated();
- }
- //授权认证 也需要判断是否登录 没有登录返回 登录继续下面的验证
- boolean ifAuthc=subject.isAuthenticated();
- if(!ifAuthc)
- return ifAuthc;
- //如果是定义的roles过滤器 获取所有的roles 一般是roles[a,b]
- if(urlAuth.startsWith("roles")){
- String[] rolesArray=urlAuth.split("roles\\[")[1].split("\\]")[0].split(",");
- if (rolesArray == null || rolesArray.length == 0) {
- return true;
- }
- Set<String> roles = CollectionUtils.asSet(rolesArray);
- return subject.hasAllRoles(roles);
- }
- if(urlAuth.startsWith("perms")){
- String[] perms=urlAuth.split("perms\\[")[1].split("\\]")[0].split(",");
- boolean isPermitted = true;
- if (perms != null && perms.length > 0) {
- if (perms.length == 1) {
- if (!subject.isPermitted(perms[0])) {
- isPermitted = false;
- }
- } else {
- if (!subject.isPermittedAll(perms)) {
- isPermitted = false;
- }
- }
- }
- return isPermitted;
- }
- return false;
- }
- }
认证登录实现AuthorizingRealm
[html] view plain copy
- package cn.et.shiro.conf;
- import java.util.Set;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.AuthenticationInfo;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.authc.SimpleAccount;
- import org.apache.shiro.authc.UsernamePasswordToken;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.subject.PrincipalCollection;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.stereotype.Component;
- import cn.et.shiro.dao.UserMapper;
- import cn.et.shiro.entity.UserInfo;
- @Component
- public class MyDbRealm extends AuthorizingRealm {
- @Autowired
- UserMapper userMapper;
- /**
- * 认证
- * 将登陆输入的用户名和密码和数据库中的用户名和密码对比 是否相等
- * 返回值null表示认证失败 非null认证通过
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- //获取从页面传入的token
- UsernamePasswordToken upt=(UsernamePasswordToken)token;
- //从数据库中查询userinfo对象
- UserInfo queryUser=userMapper.queryUser(upt.getUsername());
- //如果对象不为空,且密码相等 可以登录
- if(queryUser!=null && queryUser.getPassword().equals(new String(upt.getPassword()))){
- SimpleAccount sa=new SimpleAccount(upt.getUsername(),upt.getPassword(),"MyDbRealm");
- return sa;
- }
- return null;
- }
- /**
- * 获取当前文件的授权数据
- * 将当前用户在数据库的角色和权限 加载到AuthorizationInfo
- * 默认在进行授权认证的调用 检查权限调用checkRole checkPerm
- */
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- //获取用户名
- String userName=principals.getPrimaryPrincipal().toString();
- //获取角色
- Set<String> roleList=userMapper.queryRoleByName(userName);
- //获取权限
- Set<String> permsList=userMapper.queryPermsByName(userName);
- SimpleAuthorizationInfo sa=new SimpleAuthorizationInfo();
- sa.setRoles(roleList);
- sa.setStringPermissions(permsList);
- return sa;
- }
- }
阅读全文