springmvc配置shiro进行权限控制


Shiro是一个强大易用的Java安全框架,提供了认证、授权、加密和会话管理等功能。本文将简单介绍springmvc中如何配置shiro。

1.首先是maven中配置shiro所需要的jar包

<!-- Shiro modules used by this setup: core, web (servlet filter support), ehcache (cache integration) and spring (Spring bean integration). -->
<!-- NOTE(review): all four artifacts are pinned to 1.2.3, an old release that predates a number of published Shiro security fixes. Before reusing this snippet, check the Apache Shiro security advisories and pin every Shiro artifact to the same currently supported version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.3</version>
</dependency>

<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.3</version>
</dependency>

2.往web.xml中配置shiro过滤器

<!-- DelegatingFilterProxy hands each request to the Spring bean whose id equals the filter-name, here the "shiroFilter" bean defined in the Spring configuration. -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- targetFilterLifecycle=true makes the proxy also call init() and destroy() on the target filter bean. -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>

3.在web.xml中配置shiro所要拦截的请求或资源

<!-- Route every *.do and *.jsp request through shiroFilter. -->
<!-- NOTE(review): a request that matches neither pattern never reaches Shiro, so no filterChainDefinitions rule can protect it. The Shiro documentation maps the filter to /* and leaves the per-URL decisions to the filter chain; prefer that unless every other URL is protected by some other mechanism. -->
<!-- NOTE(review): no <dispatcher> elements are declared, so only REQUEST dispatches are filtered; server-side forwards and includes to a JSP do not pass through Shiro. -->

<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>

4.在spring的配置文件中配置shiro

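<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<!-- Core Shiro security interface; this property is required. -->
<property name="securityManager" ref="securityManager" />

<!-- Login page. A request that fails the authc check is redirected here; adjust the path to your own project. -->
<property name="loginUrl" value="/views/common/login.jsp" />

<!-- Page the user is sent to after a successful login. -->
<property name="successUrl" value="/views/login.jsp" />

<!-- Shiro filter chain rules, one per line: URL pattern = filters that must pass. -->
<property name="filterChainDefinitions">
<value>

<!-- authc: /information/deal_change.do requires an authenticated user. A request from a user who is not logged in is redirected to the loginUrl configured above. -->
/information/deal_change.do = authc

<!-- authc,perms[designer]: the user must be logged in AND hold the permission string "designer". perms[...] checks permissions, not roles; a role check is written roles[designer]. It behaves like a role check in this project only because MonitorRealm adds the user's role both as a role and as a permission string. -->
/demand/getDemand.do = authc,perms[designer]

<!-- NOTE(review): a URL that matches no rule above is not restricted at all. Rules are evaluated top to bottom and the first match wins, so a deny-by-default setup ends with a catch-all rule such as "/** = authc", preceded by explicit "anon" rules for the login page and static resources. -->

</value>
</property>
</bean>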


在spring配置文件中再添加如下其他配置

<!-- Web security manager; it delegates authentication and authorization to the realm set below. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!-- Use the custom realm. -->
<property name="realm" ref="monitorRealm" />
</bean>


<!-- Calls init()/destroy() on Shiro beans that implement Shiro's lifecycle interfaces. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />


<!-- Custom realm; extends AuthorizingRealm. -->
<bean id="monitorRealm" class="com.gdqy.FCS.common.api.MonitorRealm"></bean>
<!-- Registers the securityManager as the JVM-wide static instance via SecurityUtils.setSecurityManager. -->
<!-- NOTE(review): the Shiro Spring documentation describes this static registration for standalone applications and advises against it in web applications, where the shiroFilter already binds the security manager to each request. Confirm it is really needed here. -->
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager" />
<property name="arguments" ref="securityManager" />
</bean>
<!-- Advisor behind Shiro's authorization annotations (for example @RequiresRoles, @RequiresPermissions). -->
<!-- NOTE(review): the advisor only takes effect when an auto-proxy creator (such as DefaultAdvisorAutoProxyCreator) or equivalent AOP configuration is present; none is shown on this page, so verify that annotated methods are actually being checked. -->
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
配置到此就已经完成

接下来就是编写自定义的realm

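package com.gdqy.FCS.common.api;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.gdqy.FCS.entity.User;
import com.gdqy.FCS.service.UserService;

/**
 * Custom Shiro realm for the application. A custom realm must extend
 * {@link AuthorizingRealm} and override its two lookup methods:
 * {@link #doGetAuthenticationInfo} (who is the user, and what are the stored
 * credentials) and {@link #doGetAuthorizationInfo} (what may the user do).
 */
public class MonitorRealm extends AuthorizingRealm {

    /** Service used to load the user record, including its role, by user name. */
    @Autowired
    private UserService userService;

    public MonitorRealm() {
        super();
    }

    /**
     * Drops the cached authorization data of one user, so that a role change
     * takes effect on the next access check.
     *
     * @param principal user name whose cached authorization info is cleared
     */
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

    /**
     * Loads the roles and permissions of the current user. Shiro calls this
     * when a resource that requires authorization is accessed.
     *
     * @param principals principals of the authenticated subject
     * @return the user's role, granted both as a role and as a permission
     *         string, or {@code null} when the user no longer exists
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The principal is the user name that doGetAuthenticationInfo stored at login.
        String currentUsername = (String) super.getAvailablePrincipal(principals);

        // Look the user up in the database to find the assigned role.
        User user = userService.selectByName(currentUsername);
        if (user == null) {
            return null;
        }

        SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
        simpleAuthorInfo.addRole(user.getRole());
        // The role name doubles as a permission string, which is why the
        // perms[designer] rule in filterChainDefinitions matches a "designer" role.
        simpleAuthorInfo.addStringPermission(user.getRole());
        return simpleAuthorInfo;
    }

    /**
     * Returns the stored account data for the submitted token. Shiro calls
     * this from {@code Subject.login()}, for example in the login controller,
     * and then compares the submitted password with the credentials returned
     * here using the realm's CredentialsMatcher.
     *
     * <p>The credentials must therefore come from the user store. Returning
     * the token's own password, as the earlier version of this method did,
     * makes the comparison succeed for every submitted password, so the realm
     * would not verify anything by itself.
     *
     * @param authenticationToken the submitted token; expected to be a
     *        {@link UsernamePasswordToken}
     * @return the account's principal and stored credentials, or {@code null}
     *         when no such account exists (Shiro then rejects the login)
     * @throws AuthenticationException declared by the overridden method; not
     *         thrown directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String username = token.getUsername();
        if (username == null) {
            return null;
        }

        User user = userService.selectByName(username);
        if (user == null) {
            // Unknown account: a null result makes Shiro fail the login attempt.
            return null;
        }

        // NOTE(review): assumes User exposes getPassword(), as used in the login
        // controller snippet of this article - confirm against the entity class.
        // With the default matcher this is a plain equality check, which implies
        // passwords stored in clear text; store a salted password hash instead and
        // configure a matching hashing CredentialsMatcher on this realm.
        return new SimpleAuthenticationInfo(username, user.getPassword(), getName());
    }
}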
到这里,shiro的配置就算完成了。

