在之前的博文,常用框架(一)中讲述了spring+springMvc+mybatis+maven框架的搭建,而在常用框架(二)中又集成了Redis,
这篇文章主要讲述如何集成shiro+freemarker及其简单应用,还是在原有项目上做扩展,
需要回顾的请点链接跳转:http://blog.csdn.net/mynoteblog/article/details/54922775
项目说明:
(1) 使用freemarker模板,在html页面中可以获取attribute参数,替代jsp。
(2) 使用shiro做登录验证,以及权限分配
(3) pom.xml 追加依赖,这里加入了日志框架,源码会分享,这里就不做介绍了:
- <!-- freemarker -->
- <dependency>
- <groupId>org.freemarker</groupId>
- <artifactId>freemarker</artifactId>
- <version>2.3.23</version>
- </dependency>
- <!-- Spring 整合Shiro需要的依赖 -->
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- <version>${shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- <version>${shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-ehcache</artifactId>
- <version>${shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-spring</artifactId>
- <version>${shiro.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-freemarker-tags</artifactId>
- <version>0.1-SNAPSHOT</version>
- <exclusions>
- <exclusion>
- <artifactId>javax.servlet-api</artifactId>
- <groupId>javax.servlet</groupId>
- </exclusion>
- </exclusions>
- </dependency>
- <!-- slf4j日志框架 -->
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- <version>${slf4j.version}</version>
- </dependency>
- <dependency>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- <version>1.1.3</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>jcl-over-slf4j</artifactId>
- <version>${slf4j.version}</version>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>log4j-over-slf4j</artifactId>
- <version>${slf4j.version}</version>
- </dependency>
- <dependency>
- <groupId>org.logback-extensions</groupId>
- <artifactId>logback-ext-spring</artifactId>
- <version>0.1.2</version>
- </dependency>
一,整合freemarker,新建Spring-freemarker.xml,配置如下:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:p="http://www.springframework.org/schema/p"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">
- <!-- 配置freeMarker的模板路径 -->
- <bean id="freemarkerConfig"
- class="org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer">
- <!-- 模板页面放置位置 -->
- <property name="templateLoaderPaths" value="/WEB-INF/template/" />
- <property name="freemarkerSettings">
- <props>
- <prop key="tag_syntax">auto_detect</prop>
- <prop key="template_update_delay">0</prop>
- <prop key="default_encoding">UTF-8</prop>
- <prop key="output_encoding">UTF-8</prop>
- <prop key="locale">zh_CN</prop>
- <prop key="number_format">0.##########</prop>
- <prop key="boolean_format">true,false</prop>
- <prop key="datetime_format">yyyy-MM-dd HH:mm:ss</prop>
- <prop key="date_format">yyyy-MM-dd</prop>
- <prop key="time_format">HH:mm:ss</prop>
- <prop key="classic_compatible">true</prop>
- <prop key="whitespace_stripping">true</prop>
- <prop key="template_exception_handler">ignore</prop>
- </props>
- </property>
- </beans>
二,在Spring-config.xml中引入以上新建的配置文件,配置如下:
- <import resource="classpath:Spring-freemarker.xml" />
三,修改Spring-servlet.xml,配置freeMarker视图解析器,如下:
- <!-- 配置freeMarker视图解析器 -->
- <bean id="viewResolver" class="org.springframework.web.servlet.view.freemarker.FreeMarkerViewResolver">
- <property name="contentType" value="text/html; charset=UTF-8" />
- <property name="suffix" value=".ftl" />
- </bean>
- <!DOCTYPE html>
- <html>
- <head>
- <meta charset="UTF-8">
- <title>Insert title here</title>
- </head>
- <body>
- [#--从Attribute中获取参数--]
- <h1>${msg}</h1>
- [#--判断句式--]
- <h1>${(1 == 1)?string("yes", "no")}</h1>
- [#--集合遍历--]
- <ul>
- [#list list as item]
- <li>${item}</li>
- [/#list]
- </ui>
- [#if msg=='hello']
- <h1>say hello</h1>
- [#else]
- <h1>say goodbye</h1>
- [/#if]
- </body>
- </html>
五,新建测试Controller,FreemarkerController,代码如下:
- package com.maven.web.controller;
- import java.util.ArrayList;
- import java.util.List;
- import org.springframework.stereotype.Controller;
- import org.springframework.ui.Model;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.bind.annotation.RequestMethod;
- @Controller
- @RequestMapping("/freemarker")
- public class FreemarkerController {
- @RequestMapping(value="/hello",method=RequestMethod.GET)
- public String sayHello(Model model){
- String msg = "Hello World";
- List<String> list = new ArrayList<String>(3);
- list.add("a");
- list.add("b");
- list.add("c");
- model.addAttribute("msg", msg);
- model.addAttribute("list", list);
- return "hello";
- }
- }
***************************************************************
单独集成freemarker演示到此结束,下面重点来看shiro集成。
一,添加Spring-shiro.xml配置文件,如下:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:p="http://www.springframework.org/schema/p"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">
- <!-- Shiro主过滤器的拦截 -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <!-- 权限管理器 -->
- <property name="securityManager" ref="securityManager" />
- <!-- 登录地址 -->
- <property name="loginUrl" value="/template/login.ftl" />
- <!-- 登录后跳转到业务页面 -->
- <property name="successUrl" value="/template/main.ftl" />
- <!-- 错误页面 -->
- <property name="unauthorizedUrl" value="/template/error.ftl" />
- <!-- 鉴权过滤器 -->
- <property name="filters">
- <map>
- <entry key="logout" value-ref="logoutFilter" />
- <entry key="authc" value-ref="myAuthenticationFilter" />
- </map>
- </property>
- <!-- 权限配置 -->
- <property name="filterChainDefinitions">
- <value>
- <!-- 对静态资源不需要进行认证 -->
- /static/** = anon
- /tags/** = anon
- <!-- 登录退出不需要验证 -->
- /login/**=anon
- /logout = logout
- <!-- 对所有url都需要进行认证 -->
- /** = authc
- </value>
- </property>
- </bean>
- <!-- 配置权限管理器 -->
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <!-- 缓存管理器 -->
- <property name="cacheManager" ref="cacheManager" />
- <!-- 我们自定义的realm -->
- <property name="realm" ref="myRealm" />
- </bean>
- <!-- 自定义的Realm,若有多个Realm,可使用'realms'属性代替 -->
- <bean id="myRealm" class="com.maven.web.shiro.MyRealm" />
- <!-- 重写的认证filter-->
- <bean id="myAuthenticationFilter" class="com.maven.web.shiro.MyAuthenticationFilter" />
- <!-- 使用shiro提供的logout filter -->
- <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter">
- <property name="redirectUrl" value="/template/login.ftl" />
- </bean>
- <!-- shiro 缓存管理 -->
- <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
- <!-- Shiro生命周期处理器 -->
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- </beans>
这里需要注意:
默认的shiro authc 认证参数是username+password,我这里重写了认证方法,改为认证phone+password,
如果没有此需要的,去掉上面配置文件中的以下配置即可,采用默认过滤器
同理,其他anon,logout过滤器也可以重写,还可以自定义过滤器,这些大家可以根据需要来实现,不多介绍。
二,在web.xml 中添加shiro核心过滤器,配置如下:
- <!-- shiro过滤器 -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- <init-param>
- <param-name>targetFilterLifecycle</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
三,在Spring-config.xml中引入shiro配置文件,配置如下:
- <import resource="classpath:Spring-shiro.xml" />
四,重写自己的Realm授权+认证方法,在此之前,先实现我们需要的认证参数。
(一) 新建MyAuthenticationToken继承UsernamePasswordToken,添加我们需要的phone属性,代码如下:
(如果不需要自定义属性就不需要写这一步了,直接用UsernamePasswordToken即可)
- package com.maven.web.shiro;
- import org.apache.shiro.authc.UsernamePasswordToken;
- /**
- * 重新token,对用户名的认证改为手机号
- * @author Administrator
- *
- */
- public class MyAuthenticationToken extends UsernamePasswordToken{
- private static final long serialVersionUID = 1425855488092920451L;
- /** 手机号 */
- private String phone;
- public MyAuthenticationToken(String phone, String password, boolean rememberMe, String host) {
- super(null, password, rememberMe, host);
- this.phone = phone;
- }
- /** 默认是返回用户名,改写返回手机号 */
- @Override
- public Object getPrincipal() {
- return phone;
- }
- @Override
- public void clear() {
- super.clear();
- phone = null;
- }
- public String getPhone() {
- return phone;
- }
- public void setPhone(String phone) {
- this.phone = phone;
- }
- }
- package com.maven.web.shiro;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
- import org.apache.shiro.web.util.WebUtils;
- /**
- * 重写token认证
- * @author Administrator
- *
- */
- public class MyAuthenticationFilter extends FormAuthenticationFilter{
- public static final String DEFAULT_PHONE_PARAM = "phone";
- private String phoneParam = DEFAULT_PHONE_PARAM;
- public MyAuthenticationFilter(){
- setFailureKeyAttribute(DEFAULT_ERROR_KEY_ATTRIBUTE_NAME);
- }
- @Override
- protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
- String phone = getPhone(request);
- String password = getPassword(request);
- boolean rememberMe = isRememberMe(request);
- String host = getHost(request);
- return new com.maven.web.shiro.MyAuthenticationToken(phone,password,rememberMe,host);
- }
- public String getPhoneParam() {
- return phoneParam;
- }
- public void setPhoneParam(String phoneParam) {
- this.phoneParam = phoneParam;
- }
- protected String getPhone(ServletRequest request) {
- return WebUtils.getCleanParam(request, getPhoneParam());
- }
- }
- package com.maven.web.shiro;
- import java.util.ArrayList;
- import java.util.Iterator;
- import java.util.List;
- import javax.annotation.Resource;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.AuthenticationInfo;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.authc.DisabledAccountException;
- import org.apache.shiro.authc.IncorrectCredentialsException;
- import org.apache.shiro.authc.SimpleAuthenticationInfo;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.subject.PrincipalCollection;
- import com.maven.web.entity.MenuChild;
- import com.maven.web.entity.RoleInfo;
- import com.maven.web.entity.UserInfo;
- import com.maven.web.exception.AuthenticateException;
- import com.maven.web.mapper.MenuChildMapper;
- import com.maven.web.mapper.RoleInfoMapper;
- import com.maven.web.service.impl.UserService;
- public class MyRealm extends AuthorizingRealm{
- @Resource
- private UserService userService;
- @Resource
- private MenuChildMapper menuChildMapper;
- @Resource
- private RoleInfoMapper roleInfoMapper;
- public MyRealm() {
- setAuthenticationTokenClass(AuthenticationToken.class);
- }
- /**
- * 重写认证方法
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
- UserInfo userInfo = null;
- if(token instanceof MyAuthenticationToken){
- MyAuthenticationToken myToken = (MyAuthenticationToken) token;
- String phone = myToken.getPhone();
- String password = new String(myToken.getPassword());
- try {
- userInfo = userService.getUserInfoNyPhone(phone,password);
- } catch (AuthenticateException e){
- throw new IncorrectCredentialsException(e);
- }
- if (null == userInfo) {
- throw new IncorrectCredentialsException("账号或密码错误!");
- }
- if (!"0".equals(userInfo.getStatus())) {
- throw new DisabledAccountException("帐号"+myToken.getPrincipal()+"已失效!");
- }
- //比对成功则返回authcInfo
- AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(userInfo, userInfo.getPassword().toCharArray(),this.getName());
- // this.setSession("currentUser", userInfo);
- return authcInfo;
- }
- return null;
- }
- /**
- * 为认证成功的用户授权,然后就可以调用subject.hasRole等方法进行逻辑判断
- */
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- //认证通过后会将需要的身份信息放到SimpleAuthenticationInfo中返回,这是是获取到其中的principal对象
- Iterator<?> iterator = principals.fromRealm(getName()).iterator();
- if (iterator.hasNext()) {
- UserInfo userInfo = (UserInfo) iterator.next();
- if (null != userInfo) {
- List<String> roleList = new ArrayList<String>();
- List<String> permissionList = new ArrayList<String>();
- //查询用户角色
- RoleInfo userRole = roleInfoMapper.selectByUserId(userInfo.getId());
- if(null !=userRole){
- roleList.add(userRole.getRoleName());
- List<MenuChild> roleMenus = menuChildMapper.getMenuChildByRoleId(userRole.getId());
- if(null !=roleMenus){
- for(MenuChild menu:roleMenus){
- permissionList.add(menu.getMenuName());
- }
- }
- }
- //为用户添加权限,角色
- SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
- simpleAuthorInfo.addRoles(roleList);
- simpleAuthorInfo.addStringPermissions(permissionList);
- return simpleAuthorInfo;
- }
- }
- return null;
- }
- /**
- * 将一些数据放到ShiroSession中,以便于其它地方使用
- * @see 比如Controller,使用时直接用HttpSession.getAttribute(key)就可以取到
- * 也可以直接从subject的身份对象中取
- */
- /* private void setSession(Object key, Object value){
- Subject currentUser = SecurityUtils.getSubject();
- if(null != currentUser){
- Session session = currentUser.getSession();
- System.out.println("Session默认超时时间为[" + session.getTimeout() + "]毫秒");
- if(null != session){
- session.setAttribute(key, value);
- }
- }
- }*/
- }
这里说明一下:
认证方法,是对用户在登录页面提交的信息做校验,登录成功才会跳转到主页。
授权方法,用户登录成功后可以根据用户信息查找相关角色,权限,存储到授权对象中。
以后就可以通过Java代码,shiro标签等,获取当前用户的角色,权限,进行模块功能分配等等。下面会演示。
五,用户登录
(一) 新建登录页面,login.ftl,代码如下:
- <!DOCTYPE html>
- <html>
- <head>
- <meta charset="UTF-8">
- <title>Insert title here</title>
- </head>
- <body>
- <form action="/com.maven.web/login/login" method="post" id="form">
- <article>手机号:</article>
- <input type="text" name="phone"/>
- <article>密码:</article>
- <input type="password" name="password"/>
- <br/>
- <br/>
- <input type="submit" value="登录" />
- <br/>
- </form>
- <span style="color:red">${msg}</span>
- </body>
- </html>
(二) 新建 LoginContoller,代码如下:
- package com.maven.web.controller;
- import javax.servlet.http.HttpServletRequest;
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.subject.Subject;
- import org.slf4j.Logger;
- import org.springframework.stereotype.Controller;
- import org.springframework.ui.Model;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.bind.annotation.RequestMethod;
- import com.maven.web.entity.UserInfo;
- import com.maven.web.shiro.MyAuthenticationToken;
- import com.maven.web.util.LoggerUtils;
- @Controller
- @RequestMapping("/login")
- public class LoginController {
- private final Logger logger = LoggerUtils.getLogger("LoginController");
- /**
- * 基于手机号和密码的身份认证
- * @param userInfo
- * @param model
- * @param request
- * @return
- */
- @RequestMapping(value="/login",method=RequestMethod.POST)
- public String checkLogin(UserInfo userInfo,Model model,HttpServletRequest request){
- logger.debug("userInfo", userInfo);;
- MyAuthenticationToken token = new MyAuthenticationToken(userInfo.getPhone(), userInfo.getPassword(), true, null);
- Subject subject = SecurityUtils.getSubject();
- try {
- subject.login(token);//会到自定义的Realm中进行验证返回
- if(subject.isAuthenticated()){
- return "redirect:/menu/list";
- }else{
- token.clear();
- }
- }catch(AuthenticationException e){
- model.addAttribute("msg",e.getMessage());
- }
- return "login";
- }
- /**
- * 用户登出
- */
- @RequestMapping("/logout")
- public String logout(){
- SecurityUtils.getSubject().logout();
- return "login";
- }
- }
(三) 新建登录成功页面,main.ftl,代码如下:
- <!DOCTYPE html>
- <html>
- <head>
- <meta charset="UTF-8">
- <title>Insert title here</title>
- </head>
- <body>
- <span>菜单栏</span>
- <ul>
- [#list menus as menu]
- <li><a href="#">${menu.menuParent.menuName}</a></li>
- <li>
- <ul>
- [#list menu.menuChilds as menuChild]
- <li><a href=${menuChild.menuUrl}>${menuChild.menuName}</a></li>
- [/#list]
- </ul>
- </li>
- [/#list]
- </ul>
- <span>${msg}</span>
- <br/>
- <div>
- [@shiro.hasRole name="管理员"]
- <span>角色是管理员才能看到此信息</span>
- [/@shiro.hasRole]
- </div>
- <a href="/com.maven.web/login/logout">logout</a>
- </body>
- </html>
- package com.maven.web.controller;
- import java.util.ArrayList;
- import java.util.List;
- import javax.annotation.Resource;
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.subject.Subject;
- import org.springframework.stereotype.Controller;
- import org.springframework.ui.Model;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.bind.annotation.RequestMethod;
- import com.maven.web.entity.MenuChild;
- import com.maven.web.entity.MenuParent;
- import com.maven.web.mapper.MenuChildMapper;
- import com.maven.web.mapper.MenuParentMapper;
- import com.maven.web.vo.Menu;
- @Controller
- @RequestMapping("/menu")
- public class MenuController {
- @Resource
- private MenuParentMapper menuParentMapper;
- @Resource
- private MenuChildMapper menuChildMapper;
- @RequestMapping(value="/list",method=RequestMethod.GET)
- public String listMenu(Model model){
- List<Menu> menus = new ArrayList<Menu>();
- List<MenuParent> parents = menuParentMapper.getMenuParentList();
- if(parents!=null && !parents.isEmpty()){
- for(MenuParent parent:parents){
- Menu menu = new Menu();
- menu.setMenuParent(parent);
- List<MenuChild> childs = menuChildMapper.getMenuChildByPid(parent.getId());
- if(childs!=null && !childs.isEmpty()){
- menu.setMenuChilds(childs);
- }
- menus.add(menu);
- }
- }
- model.addAttribute("menus",menus);
- Subject subject = SecurityUtils.getSubject();
- if(subject.hasRole("管理员")){
- model.addAttribute("msg","这里是管理员私人信息!");
- }
- return "main";
- }
- }
六,启动tomcat,测试:
这里先给大家看一下我数据库的用户信息:
启动访问,未登录会跳转到登录页面
测试一:错误用户信息
测试二:新注册用户状态为未激活
测试三:管理员登录
测试四:普通用户登录
*******************************************************************************************************
这里请大家注意,管理员登录成功后可以看到红色框和黄色框两条信息,普通用户登录后看不到。
(1) 红色框信息:
这是因为在MenuController中做了角色判断,注意代码片段:
- Subject subject = SecurityUtils.getSubject();
- if(subject.hasRole("管理员")){
- model.addAttribute("msg","这里是管理员私人信息!");
- }
(2) 黄色框信息:
这是因为在main.ftl页面中使用了shiro标签,注意代码片段:
- <div>
- [@shiro.hasRole name="管理员"]
- <span>角色是管理员才能看到此信息</span>
- [/@shiro.hasRole]
- </div>
接下来说明shiro标签的使用:
(一) 在freemarker中需要先引入shiro-freemarker-tags-0.1-SNAPSHOT.jar,本例已经添加到pom.xml文件中,
大家可以下载源码,在lib中找到jar包添加到本地,也可以到网上下载,下面会贴出链接。
(二) 新建CustomFreeMarkerConfigurer 继承FreeMarkerConfigurer,代码如下:
- package com.maven.web.template;
- import java.io.IOException;
- import org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer;
- import com.jagregory.shiro.freemarker.ShiroTags;
- import freemarker.template.TemplateException;
- /**
- * 编写自己的freemarker配置
- * @author Administrator
- *
- */
- public class CustomFreeMarkerConfigurer extends FreeMarkerConfigurer{
- /**
- * 重写导入shiro标签
- */
- @Override
- public void afterPropertiesSet() throws IOException, TemplateException {
- super.afterPropertiesSet();
- this.getConfiguration().setSharedVariable("shiro", new ShiroTags());
- }
- }
关于shiro标签与freemarker的整合,大家可以跳转链接学习:http://blog.csdn.net/lingyundouer/article/details/50487459
如果使用默认的authc认证,只需要将代码中MyAuthenticationToken替换成UsernamePasswordToken,
然后获取到的phone参数替换成username就可以,其他都是一样的。
以上就介绍完毕了,可能有所遗漏,大家可以下载源码参考:http://pan.baidu.com/s/1dFilb6h