Shiro Configuration

Source: Internet. Published: 空地导弹 知乎. Editor: 程序博客网. Time: 2024/05/19 14:18

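Shiro is a lightweight permission-checking framework: small but powerful, and easy to integrate.


Without further ado, let's get straight to the point.

First, download the key jars: shiro-core, shiro-spring and shiro-web. You can also pull them in with Maven.

After adding the jars to lib, create a new Java class that implements AuthorizingRealm (an abstract class, so the code below extends it); this is Shiro's main hook for permissions.

Two methods must be implemented:

1. AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)

This one manages permissions and roles.

2. AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)

This one validates the login.

The code is below. It only does a simple check and does not involve any database interaction.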

package com.wuxing.learn.security;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 11:10:11 AM
 */
public class MyAuthorizeRealm extends AuthorizingRealm {

    public MyAuthorizeRealm() {
        setAuthorizationCachingEnabled(false);
        setAuthenticationTokenClass(UserAuthenticationToken.class);
    }

    /* (non-Javadoc)
     * @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Get the logged-in username
        String userName = (String) principals.fromRealm(getName()).iterator().next();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("wuxing".equals(userName)) {
            info.addStringPermission("go:r");
            info.addStringPermission("go:a");
            info.addStringPermission("go:e");
            info.addStringPermission("go:d");
        }
        if ("chris".equals(userName)) {
            info.addStringPermission("go:r");
        }
        return info;
    }

    /* (non-Javadoc)
     * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken)
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UserAuthenticationToken userToken = (UserAuthenticationToken) token;
        String userName = userToken.getUserName();
        String password = userToken.getPassword();
        if (!("wuxing".equals(userName) && "123456".equals(password))
                && !(("chris".equals(userName)) && ("12345".equals(password)))) {
            throw new AuthenticationException("用户不存在或存在错误");
        }
        // Set the user info
        return new SimpleAuthenticationInfo(userName, password, getName());
    }
}
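
A variant of the realm above that keeps only password hashes, as an added example that is not part of the original post: doGetAuthenticationInfo returns the stored hash and Shiro's PasswordMatcher does the comparison, so no plaintext password sits in the code. It assumes Shiro 1.x and Shiro's built-in UsernamePasswordToken in place of the post's UserAuthenticationToken; the class name HashedPasswordRealm and the storedHashes map (standing in for a user table) are hypothetical.

```java
import java.util.Arrays;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Hypothetical variant of MyAuthorizeRealm: holds password hashes, never plaintext. */
public class HashedPasswordRealm extends AuthorizingRealm {
    // username -> hash created once, at account creation, with
    // new DefaultPasswordService().encryptPassword(plaintext).
    // Assumption: this map stands in for a user table; the post has no user store.
    private final Map<String, String> storedHashes;

    public HashedPasswordRealm(Map<String, String> storedHashes) {
        this.storedHashes = storedHashes;
        setAuthenticationTokenClass(UsernamePasswordToken.class);
        // PasswordMatcher hashes the submitted password and checks it against the stored hash.
        setCredentialsMatcher(new PasswordMatcher());
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String userName = ((UsernamePasswordToken) token).getUsername();
        String hash = storedHashes.get(userName);
        if (hash == null) {
            return null; // Shiro turns a null result into UnknownAccountException
        }
        // Return the STORED credentials; the credentials matcher compares them to the token.
        return new SimpleAuthenticationInfo(userName, hash, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String userName = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("wuxing".equals(userName)) {
            info.addStringPermissions(Arrays.asList("go:r", "go:a", "go:e", "go:d"));
        } else if ("chris".equals(userName)) {
            info.addStringPermission("go:r");
        }
        return info;
    }
}
```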

Then configure Shiro in applicationContext.xml.

<!-- shiro security -->
<bean id="myRealm" class="com.wuxing.learn.security.MyAuthorizeRealm" />

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm" />
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="unauthorizedUrl" value="/unauthorized" />
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- shiro end -->

<!-- Support Shiro Annotation -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"></bean>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>

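The first bean defines our custom realm, and securityManager is pointed at it.

shiroFilter is Shiro's filter. Its securityManager property is required; the other properties are optional.

lifecycleBeanPostProcessor is how Shiro hands permissions and the like over to Spring to manage.

The last two beans are there for the annotation support.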


Once that is configured, configure shiroFilter in web.xml.

<!-- shiro -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.shtml</url-pattern>
</filter-mapping>

This configuration needs little explanation.


The checks themselves are below, with a little help from Spring MVC.

package com.wuxing.learn.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import com.wuxing.learn.entity.UserAuthenticationToken;

/**
 * @author wuxing
 * @date 2015-09-19 2:33:02 PM
 */
@Controller
public class LoginController {

    @ResponseBody
    @RequestMapping("login")
    public String login(HttpServletRequest request, HttpServletResponse response) {
        String name = request.getParameter("loginName");
        String password = request.getParameter("password");
        UserAuthenticationToken userToken = new UserAuthenticationToken();
        userToken.setUserName(name);
        userToken.setPassword(password);
        try {
            // Hand the token to Shiro; the realm decides whether the login succeeds
            Subject subject = SecurityUtils.getSubject();
            subject.login(userToken);
        } catch (Exception e) {
            return "login fail";
        }
        return "login success";
    }

    @ResponseBody
    @RequiresPermissions("go:r")
    @RequestMapping("read")
    public String read(HttpServletRequest request, HttpServletResponse response) {
        return "i read";
    }

    @ResponseBody
    @RequiresPermissions("go:e")
    @RequestMapping("edit")
    public String edit(HttpServletRequest request, HttpServletResponse response) {
        return "i edit";
    }
}

Giving the two accounts different permissions lets us verify the different permission checks.


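That is roughly the whole process. It seems you can also configure this with shiro.ini, but that does not feel as convenient as code plus annotations, so I did not consider it.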


