shiro,登录处理

来源：互联网发布：cf手游m249天羽数据编辑：程序博客网时间：2024/06/06 02:51

1原理

使用FormAuthenticationFilter过虑器实现，原理如下：

将用户没有认证时，请求loginurl进行认证，用户身份和用户密码提交数据到loginurl

FormAuthenticationFilter拦截住取出request中的username和password（两个参数名称是可以配置的）

FormAuthenticationFilter调用realm传入一个token（username和password）

realm认证时根据username查询用户信息（在Activeuser中存储，包括 userid、usercode、username、menus）。

如果查询不到，realm返回null，FormAuthenticationFilter向request域中填充一个参数（记录了异常信息）

2 登陆页面

由于FormAuthenticationFilter的用户身份和密码的input的默认值（username和password），修改页面的账号和密码的input的名称为username和password

3.登陆代码实现

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>com.me</groupId><artifactId>shiro-web</artifactId><version>0.0.1-SNAPSHOT</version><packaging>war</packaging><dependencies><dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>3.8.1</version><scope>test</scope></dependency><!-- 添加Servlet支持 --><dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId><version>3.1.0</version></dependency><dependency><groupId>javax.servlet.jsp</groupId><artifactId>javax.servlet.jsp-api</artifactId><version>2.3.1</version></dependency><!-- 添加jtl支持 --><dependency><groupId>javax.servlet</groupId><artifactId>jstl</artifactId><version>1.2</version></dependency><!-- 添加Spring支持 --><dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-context-support</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-aspects</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId><version>4.1.7.RELEASE</version></dependency><dependency><groupId>org.mybatis</groupId><artifactId>mybatis-spring</artifactId><version>1.2.3</version></dependency><!-- 添加日志支持 --><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency><!-- 添加mybatis支持 --><dependency><groupId>org.mybatis</groupId><artifactId>mybatis</artifactId><version>3.3.0</version></dependency><!-- jdbc驱动包 --><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>5.1.38</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.2.4</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.12</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-web</artifactId><version>1.2.4</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-spring</artifactId><version>1.2.4</version></dependency></dependencies></project>

web.xml

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns="http://java.sun.com/xml/ns/javaee"xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"id="WebApp_ID" version="3.0"><display-name>shiro-web</display-name><welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list><!-- Spring监听器 --><context-param><param-name>contextConfigLocation</param-name><!-- Spring配置文件 --><param-value>classpath:spring/applicationContext-*.xml</param-value></context-param><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener><!-- shiro的filter --><!-- shiro过虑器，DelegatingFilterProxy通过代理模式将spring容器中的bean和filter关联起来 --><filter><filter-name>shiroFilter</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><!-- 设置true由servlet容器控制filter的生命周期 --><init-param><param-name>targetFilterLifecycle</param-name><param-value>true</param-value></init-param><!-- 设置spring容器filter的bean id，如果不设置则找与filter-name一致的bean--><init-param><param-name>targetBeanName</param-name><param-value>shiroFilter</param-value></init-param></filter><filter-mapping><filter-name>shiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!-- 添加对springmvc的支持 --><servlet><servlet-name>springMVC</servlet-name><servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><init-param><param-name>contextConfigLocation</param-name><param-value>classpath:spring/spring-mvc.xml</param-value></init-param><load-on-startup>1</load-on-startup><async-supported>true</async-supported></servlet><servlet-mapping><servlet-name>springMVC</servlet-name><url-pattern>*.do</url-pattern></servlet-mapping><!-- post乱码处理 --><filter><filter-name>CharacterEncodingFilter</filter-name><filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class><init-param><param-name>encoding</param-name><param-value>utf-8</param-value></init-param></filter><filter-mapping><filter-name>CharacterEncodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping></web-app>

index.jsp

<%response.sendRedirect("first.do");%>

login.jsp

</pre>login.jsp<div></div><p></p><pre name="code" class="html"><%@ page language="java" contentType="text/html; charset=UTF-8"      pageEncoding="UTF-8"%>  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">  <html>  <head>  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">  <title>Insert title here</title>  </head>  <body>  <form action="${pageContext.request.contextPath }/user/login.do" method="post">      userName:<input type="text" name="username" value="${username }"/><br/>      password:<input type="password" name="password" value="${password }"><br/>      <input type="submit" value="login"/><font color="red">${errorMsg }</font>  </form>  </body>  </html>

package cn.me.ssm.controller;import javax.servlet.http.HttpServletRequest;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.IncorrectCredentialsException;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.session.Session;import org.apache.shiro.subject.Subject;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import cn.me.ssm.exception.CustomException;@Controllerpublic class LoginController {//登陆提交地址，和applicationContext-shiro.xml中配置的loginurl一致@RequestMapping("/login")public String login(HttpServletRequest request) throws Exception {// 如果登录失败从request中获取认证异常信息，shiroLoginFailure就是shiro异常类的全限定名// 根据shiro返回的异常类路径判断，抛出指定异常信息String exceptionClassName = (String) request.getAttribute("shiroLoginFailure");if (exceptionClassName != null) {if (UnknownAccountException.class.getName().equals(exceptionClassName)) {request.setAttribute("errorMsg", "用户名不存在");} else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {request.setAttribute("errorMsg", "用户名/密码不正确");}else {throw new Exception();// 最终在异常处理器生成未知错误}}// 此方法不处理登陆成功（认证成功），shiro认证成功会自动跳转到上一个请求路径// 登陆失败还到login页面request.setAttribute("username", request.getParameter("username"));return "login";}}

package cn.me.ssm.controller;import org.springframework.stereotype.Controller;import org.springframework.ui.Model;import org.springframework.web.bind.annotation.RequestMapping;@Controllerpublic class FirstAction {//系统首页@RequestMapping("/first")public String first(Model model)throws Exception{return "/first";}//欢迎页面@RequestMapping("/welcome")public String welcome(Model model)throws Exception{return "/welcome";}}

application-shiro.xml

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"xmlns:aop="http://www.springframework.org/schema/aop" xmlns:context="http://www.springframework.org/schema/context"xmlns:jee="http://www.springframework.org/schema/jee" xmlns:tx="http://www.springframework.org/schema/tx"xsi:schemaLocation="            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd          http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd          http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd          http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-4.0.xsd          http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd"><!-- 自定义Realm --><bean id="customRealm" class="cn.me.ssm.shiro.CustomRealm" /><!-- 安全管理器 --><bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"><property name="realm" ref="customRealm" /></bean><!-- Shiro过滤器 --><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><!-- Shiro的核心安全接口,这个属性是必须的 --><property name="securityManager" ref="securityManager" /><!-- loginUrl认证提交地址，如果没有认证将会请求此地址进行认证，请求此地址将由formAuthenticationFilter进行表单认证 --><property name="loginUrl" value="/login.do" /><!-- 认证成功统一跳转到first.action，建议不配置，shiro认证成功自动到上一个请求路径 --><property name="successUrl" value="/first.do" /><!-- 通过unauthorizedUrl指定没有权限操作时跳转页面 --><property name="unauthorizedUrl" value="/refuse.jsp" /><!-- Shiro连接约束配置,即过滤链的定义 --><property name="filterChainDefinitions"><value>    <!-- /** = anon所有url都可以匿名访问 --><!-- 对静态资源设置匿名访问 -->/images/** = anon/js/** = anon/styles/** = anon<!-- 验证码，可匿名访问 -->/validatecode.jsp = anon<!-- 请求 logout.action地址，shiro去清除session -->/logout.action = logout<!-- /** = authc 所有url都必须认证通过才可以访问-->/**=authc</value></property></bean><!-- 保证实现了Shiro内部lifecycle函数的bean执行 --><!-- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> --></beans>

退出

使用LogoutFilter
不用我们去实现退出，只要去访问一个退出的url（该 url是可以不存在），由LogoutFilter拦截住，清除session。

在applicationContext-shiro.xml配置的中添加退出url如：/logout.action = logout

<property name="filterChainDefinitions"><value>           <!-- 请求 logout.action地址，shiro去清除session -->              /logout.action = logout        </value></property>

授权过滤器测试

使用PermissionsAuthorizationFilter
在applicationContext-shiro.xml中配置url所对应的权限。

测试流程：
1、在applicationContext-shiro.xml中配置filter规则

/items/queryItems.action = perms[item:query]
2、用户在认证通过后，请求/items/queryItems.action
3、被PermissionsAuthorizationFilter拦截，发现需要“item:query”权限
4、PermissionsAuthorizationFilter调用realm中的doGetAuthorizationInfo获取数据库中正确的权限
5、PermissionsAuthorizationFilter对item:query 和从realm中获取权限进行对比，如果“item:query”在realm返回的权限列表中，授权通过。

创建refuse.jsp
如果授权失败，跳转到refuse.jsp，需要在spring容器中配置：

<!-- Shiro过滤器 --><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"><!-- Shiro的核心安全接口,这个属性是必须的 --><property name="securityManager" ref="securityManager" /><!-- loginUrl认证提交地址，如果没有认证将会请求此地址进行认证，请求此地址将由formAuthenticationFilter进行表单认证 --><property name="loginUrl" value="/login.do" /><!-- 认证成功统一跳转到first.action，建议不配置，shiro认证成功自动到上一个请求路径 --><property name="successUrl" value="/first.do" /><!-- 通过unauthorizedUrl指定没有权限操作时跳转页面 --><property name="unauthorizedUrl" value="/refuse.jsp" />

授权问题总结
1、在applicationContext-shiro.xml中配置过虑器链接，需要将全部的url和权限对应起来进行配置，比较发麻不方便使用。

2、每次授权都需要调用realm查询数据库，对于系统性能有很大影响，可以通过shiro缓存来解决。

shiro的过虑器

过滤器简称对应的java类
anon org.apache.shiro.web.filter.authc.AnonymousFilter
authc org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
perms org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port org.apache.shiro.web.filter.authz.PortFilter
rest org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl org.apache.shiro.web.filter.authz.SslFilter
user org.apache.shiro.web.filter.authc.UserFilter
logout org.apache.shiro.web.filter.authc.LogoutFilter

anon:例子/admins/**=anon 没有参数，表示可以匿名使用。
authc:例如/admins/user/**=authc表示需要认证(登录)才能使用，FormAuthenticationFilter是表单认证，没有参数
perms：例子/admins/user/**=perms[user:add:*],参数可以写多个，多个时必须加上引号，并且参数之间用逗号分割，例如/admins/user/**=perms["user:add:*,user:modify:*"]，当有多个参数时必须每个参数都通过才通过，想当于isPermitedAll()方法。
user:例如/admins/user/**=user没有参数表示必须存在用户, 身份认证通过或通过记住我认证通过的可以访问，当登入操作时不做检查

0 0