SpringMVC+Shiro权限管理
来源:互联网 发布:如果在淘宝上开店 编辑:程序博客网 时间:2024/05/17 03:13
什么是权限呢?举个简单的例子:
我有一个论坛,注册的用户分为normal用户,manager用户。
对论坛的帖子的操作有这些:
添加,删除,更新,查看,回复
我们规定:
normal用户只能:添加,查看,回复
manager用户可以:删除,更新
normal,manager对应的是角色(role)
添加,删除,更新等对应的是权限(permission)
我们采用下面的逻辑创建权限表结构(不是绝对的,根据需要修改)
一个用户可以有多种角色(normal,manager,admin等等)
一个角色可以有多个用户(user1,user2,user3等等)
一个角色可以有多个权限(save,update,delete,query等等)
一个权限只属于一个角色(delete只属于manager角色)
我们创建四张表:
t_user用户表:设置了3个用户
-------------------------------
id + username + password
---+----------------+----------
1 + tom + 000000
2 + jack + 000000
3 + rose + 000000
---------------------------------
t_role角色表:设置3个角色
--------------
id + rolename
---+----------
1 + admin
2 + manager
3 + normal
--------------
t_user_role用户角色表:tom是admin和normal角色,jack是manager和normal角色,rose是normal角色
---------------------
user_id + role_id
-----------+-----------
1 + 1
1 + 3
2 + 2
2 + 3
3 + 3
---------------------
t_permission权限表:admin角色可以删除,manager角色可以添加和更新,normal角色可以查看
-----------------------------------
id + permissionname + role_id
----+------------------------+-----------
1 + add + 2
2 + del + 1
3 + update + 2
4 + query + 3
-----------------------------------
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package com.cn.pojo;import java.util.HashSet;import java.util.List;import java.util.Set;import javax.persistence.Entity;import javax.persistence.GeneratedValue;import javax.persistence.GenerationType;import javax.persistence.Id;import javax.persistence.JoinColumn;import javax.persistence.JoinTable;import javax.persistence.ManyToMany;import javax.persistence.Table;import javax.persistence.Transient;import org.hibernate.validator.constraints.NotEmpty;@Entity@Table(name="t_user")public class User {private Integer id;@NotEmpty(message="用户名不能为空")private String username;@NotEmpty(message="密码不能为空")private String password;private List<Role> roleList;//一个用户具有多个角色@Id@GeneratedValue(strategy=GenerationType.IDENTITY)public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}@ManyToMany@JoinTable(name="t_user_role",joinColumns={@JoinColumn(name="user_id")},inverseJoinColumns={@JoinColumn(name="role_id")})public List<Role> getRoleList() {return roleList;}public void setRoleList(List<Role> roleList) {this.roleList = roleList;}@Transientpublic Set<String> getRolesName(){List<Role> roles=getRoleList();Set<String> set=new HashSet<String>();for (Role role : roles) {set.add(role.getRolename());}return set;}}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
package com.cn.pojo;import java.util.ArrayList;import java.util.List;import javax.persistence.Entity;import javax.persistence.GeneratedValue;import javax.persistence.GenerationType;import javax.persistence.Id;import javax.persistence.JoinColumn;import javax.persistence.JoinTable;import javax.persistence.ManyToMany;import javax.persistence.OneToMany;import javax.persistence.Table;import javax.persistence.Transient;@Entity@Table(name="t_role")public class Role {private Integer id;private String rolename;private List<Permission> permissionList;//一个角色对应多个权限private List<User> userList;//一个角色对应多个用户@Id@GeneratedValue(strategy=GenerationType.IDENTITY)public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getRolename() {return rolename;}public void setRolename(String rolename) {this.rolename = rolename;}@OneToMany(mappedBy="role")public List<Permission> getPermissionList() {return permissionList;}public void setPermissionList(List<Permission> permissionList) {this.permissionList = permissionList;}@ManyToMany@JoinTable(name="t_user_role",joinColumns={@JoinColumn(name="role_id")},inverseJoinColumns={@JoinColumn(name="user_id")})public List<User> getUserList() {return userList;}public void setUserList(List<User> userList) {this.userList = userList;}@Transientpublic List<String> getPermissionsName(){List<String> list=new ArrayList<String>();List<Permission> perlist=getPermissionList();for (Permission per : perlist) {list.add(per.getPermissionname());}return list;}}1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
package com.cn.pojo;import javax.persistence.Entity;import javax.persistence.GeneratedValue;import javax.persistence.GenerationType;import javax.persistence.Id;import javax.persistence.JoinColumn;import javax.persistence.ManyToOne;import javax.persistence.Table;@Entity@Table(name="t_permission")public class Permission {private Integer id;private String permissionname;private Role role;//一个权限对应一个角色@Id@GeneratedValue(strategy=GenerationType.IDENTITY)public Integer getId() {return id;}public void setId(Integer id) {this.id = id;}public String getPermissionname() {return permissionname;}public void setPermissionname(String permissionname) {this.permissionname = permissionname;}@ManyToOne@JoinColumn(name="role_id")public Role getRole() {return role;}public void setRole(Role role) {this.role = role;}} 使用SHIRO的步骤:
1,导入jar
2,配置web.xml
3,建立dbRelm
4,在Spring中配置
pom.xml中配置如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.hyx</groupId> <artifactId>springmvc</artifactId> <packaging>war</packaging> <version>0.0.1-SNAPSHOT</version> <name>springmvc Maven Webapp</name> <url>http://maven.apache.org</url> <dependencies> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>3.8.1</version> <scope>test</scope> </dependency> <!-- SpringMVC核心jar --> <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>3.2.4.RELEASE</version></dependency> <!-- springmvc连接数据库需要的jar --> <dependency><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId><version>3.2.4.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-orm</artifactId><version>3.2.4.RELEASE</version></dependency><!-- ************************************ --> <!-- Hibernate相关jar --> <dependency><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>4.2.5.Final</version></dependency><dependency><groupId>org.hibernate</groupId><artifactId>hibernate-ehcache</artifactId><version>4.2.5.Final</version></dependency><dependency><groupId>net.sf.ehcache</groupId><artifactId>ehcache</artifactId><version>2.7.2</version></dependency><dependency><groupId>commons-dbcp</groupId><artifactId>commons-dbcp</artifactId><version>1.4</version></dependency> <dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.26</version></dependency><!-- javax提供的annotation --><dependency><groupId>javax.inject</groupId><artifactId>javax.inject</artifactId><version>1</version></dependency> <!-- **************************** --><!-- hibernate验证 --><dependency><groupId>org.hibernate</groupId><artifactId>hibernate-validator</artifactId><version>5.0.1.Final</version></dependency> <!-- 用于对@ResponseBody注解的支持 --> <dependency><groupId>org.codehaus.jackson</groupId><artifactId>jackson-mapper-asl</artifactId><version>1.9.13</version></dependency> <!-- 提供对c标签的支持 --> <dependency><groupId>javax.servlet</groupId><artifactId>jstl</artifactId><version>1.2</version></dependency><!-- servlet api --><dependency> <groupId>javax.servlet</groupId> <artifactId>servlet-api</artifactId> <version>2.5</version></dependency><!--Apache Shiro所需的jar包--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.2</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.2</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.2</version> </dependency> </dependencies> <build> <finalName>springmvc</finalName> <!-- maven的jetty服务器插件 --> <plugins> <plugin> <groupId>org.mortbay.jetty</groupId> <artifactId>jetty-maven-plugin</artifactId> <configuration> <scanIntervalSeconds>10</scanIntervalSeconds> <webApp> <contextPath>/</contextPath> </webApp> <!-- 修改jetty的默认端口 --> <connectors> <connector implementation="org.eclipse.jetty.server.nio.SelectChannelConnector"> <port>80</port> <maxIdleTime>60000</maxIdleTime> </connector> </connectors> </configuration></plugin> </plugins> </build></project>web.xml中的配置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?xml version="1.0" encoding="UTF-8" ?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <display-name>Archetype Created Web Application</display-name> <!-- spring-orm-hibernate4的OpenSessionInViewFilter --> <filter> <filter-name>opensessioninview</filter-name> <filter-class>org.springframework.orm.hibernate4.support.OpenSessionInViewFilter</filter-class> </filter> <filter-mapping> <filter-name>opensessioninview</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 配置springmvc servlet --> <servlet> <servlet-name>springmvc</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>springmvc</servlet-name> <!-- / 表示所有的请求都要经过此serlvet --> <url-pattern>/</url-pattern> </servlet-mapping> <!-- spring的监听器 --> <context-param><param-name>contextConfigLocation</param-name><param-value>classpath:applicationContext*.xml</param-value> </context-param> <listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- Shiro配置 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
package com.cn.service;import java.util.List;import javax.inject.Inject;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.springframework.stereotype.Service;import org.springframework.transaction.annotation.Transactional;import com.cn.pojo.Role;import com.cn.pojo.User;@Service@Transactionalpublic class MyShiro extends AuthorizingRealm{@Injectprivate UserService userService;/** * 权限认证 */@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {//获取登录时输入的用户名String loginName=(String) principalCollection.fromRealm(getName()).iterator().next();//到数据库查是否有此对象User user=userService.findByName(loginName);if(user!=null){//权限信息对象info,用来存放查出的用户的所有的角色(role)及权限(permission)SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();//用户的角色集合info.setRoles(user.getRolesName());//用户的角色对应的所有权限,如果只使用角色定义访问权限,下面的四行可以不要List<Role> roleList=user.getRoleList();for (Role role : roleList) {info.addStringPermissions(role.getPermissionsName());}return info;}return null;}/** * 登录认证; */@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {//UsernamePasswordToken对象用来存放提交的登录信息UsernamePasswordToken token=(UsernamePasswordToken) authenticationToken;//查出是否有此用户User user=userService.findByName(token.getUsername());if(user!=null){//若存在,将此用户存放到登录认证info中return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());}return null;}}在spring的配置文件中配置,为了区别spring原配置和shiro我们将shiro的配置独立出来。
applicationContext-shiro.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
<?xml version="1.0" encoding="UTF-8" ?><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsdhttp://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsdhttp://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsdhttp://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"><!-- 配置权限管理器 --><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <!-- ref对应我们写的realm MyShiro --> <property name="realm" ref="myShiro"/> <!-- 使用下面配置的缓存管理器 --> <property name="cacheManager" ref="cacheManager"/> </bean> <!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <!-- 调用我们配置的权限管理器 --> <property name="securityManager" ref="securityManager"/> <!-- 配置我们的登录请求地址 --> <property name="loginUrl" value="/login"/> <!-- 配置我们在登录页登录成功后的跳转地址,如果你访问的是非/login地址,则跳到您访问的地址 --> <property name="successUrl" value="/user"/> <!-- 如果您请求的资源不再您的权限范围,则跳转到/403请求地址 --> <property name="unauthorizedUrl" value="/403"/> <!-- 权限配置 --> <property name="filterChainDefinitions"> <value> <!-- anon表示此地址不需要任何权限即可访问 --> /static/**=anon <!-- perms[user:query]表示访问此连接需要权限为user:query的用户 --> /user=perms[user:query] <!-- roles[manager]表示访问此连接需要用户的角色为manager --> /user/add=roles[manager] /user/del/**=roles[admin] /user/edit/**=roles[manager] <!--所有的请求(除去配置的静态资源请求或请求地址为anon的请求)都要通过登录验证,如果未登录则跳到/login--> /** = authc </value> </property> </bean> <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" /> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> </beans>用于登录,登出,权限跳转的控制:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
package com.cn.controller;import javax.validation.Valid;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.UsernamePasswordToken;import org.springframework.stereotype.Controller;import org.springframework.ui.Model;import org.springframework.validation.BindingResult;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.servlet.mvc.support.RedirectAttributes;import com.cn.pojo.User;@Controllerpublic class HomeController {@RequestMapping(value="/login",method=RequestMethod.GET)public String loginForm(Model model){model.addAttribute("user", new User());return "/login";}@RequestMapping(value="/login",method=RequestMethod.POST)public String login(@Valid User user,BindingResult bindingResult,RedirectAttributes redirectAttributes){try {if(bindingResult.hasErrors()){return "/login";}//使用权限工具进行用户登录,登录成功后跳到shiro配置的successUrl中,与下面的return没什么关系!SecurityUtils.getSubject().login(new UsernamePasswordToken(user.getUsername(), user.getPassword()));return "redirect:/user";} catch (AuthenticationException e) {redirectAttributes.addFlashAttribute("message","用户名或密码错误");return "redirect:/login";}}@RequestMapping(value="/logout",method=RequestMethod.GET) public String logout(RedirectAttributes redirectAttributes ){ //使用权限管理工具进行用户的退出,跳出登录,给出提示信息 SecurityUtils.getSubject().logout(); redirectAttributes.addFlashAttribute("message", "您已安全退出"); return "redirect:/login"; } @RequestMapping("/403")public String unauthorizedRole(){return "/403";}}三个主要的JSP:
login.jsp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>My JSP 'MyJsp.jsp' starting page</title> </head> <body> <h1>登录页面----${message }</h1> <img alt="" src="/static/img/1.jpg"> <form:form action="/login" commandName="user" method="post"> 用户名:<form:input path="username"/> <form:errors path="username" cssClass="error"/> <br/> 密 码:<form:password path="password"/> <form:errors path="password" cssClass="error" /> <br/> <form:button name="button">submit</form:button> </form:form> </body></html>user.jsp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %><%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>用户列表</title> </head> <body><h1>${message }</h1> <h1>用户列表--<a href="/user/add">添加用户</a>---<a href="/logout">退出登录</a> </h1> <h2>权限列表</h2> <shiro:authenticated>用户已经登录显示此内容</shiro:authenticated> <shiro:hasRole name="manager">manager角色登录显示此内容</shiro:hasRole> <shiro:hasRole name="admin">admin角色登录显示此内容</shiro:hasRole> <shiro:hasRole name="normal">normal角色登录显示此内容</shiro:hasRole> <shiro:hasAnyRoles name="manager,admin">**manager or admin 角色用户登录显示此内容**</shiro:hasAnyRoles> <shiro:principal/>-显示当前登录用户名 <shiro:hasPermission name="add">add权限用户显示此内容</shiro:hasPermission> <shiro:hasPermission name="user:query">query权限用户显示此内容<shiro:principal/></shiro:hasPermission> <shiro:lacksPermission name="user:del"> 不具有user:del权限的用户显示此内容 </shiro:lacksPermission> <ul> <c:forEach items="${userList }" var="user"> <li>用户名:${user.username }----密码:${user.password }----<a href="/user/edit/${user.id}">修改用户</a>----<a href="javascript:;" class="del" ref="${user.id }">删除用户</a></li> </c:forEach> </ul> <img alt="" src="/static/img/1.jpg"> <script type="text/javascript" src="http://cdn.staticfile.org/jquery/1.9.1/jquery.min.js"></script> <script> $(function(){ $(".del").click(function(){ var id=$(this).attr("ref"); $.ajax({ type:"delete", url:"/user/del/"+id, success:function(e){ } }); }); }); </script> </body></html>403.jsp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>权限错误</title> </head> <body> <h1>对不起,您没有权限请求此连接!</h1> <img alt="" src="/static/img/1.jpg"> </body></html> 0 0
- 【Shiro】SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro权限管理
- SpringMVC+Shiro 的权限管理
- 模拟大整数加、减、乘、除法
- wifidog 代码简单分析(1)
- ViewPager之欢迎界面
- JQuery-01
- 关于oracle设置字段自增的方法
- SpringMVC+Shiro权限管理
- hdu 1030 Delta-wave
- word2007如何批量删除文本框
- 10g静默安装以及静默升级
- wifidog 代码简单分析(2)
- 最近登录的效果下拉列表
- 插入排序
- 安装Orcale VBox虚拟机必须注意的问题
- 在Eclipse中使用JUnit4进行单元测试(初级篇)
