shiro是一个很不错的安全框架,相对Spring security 来说要简单易用的多,使用shiro来做web的权限子系统是不错的选择。
下面记录一下shiro和Spring整合的过程:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
- <description>Shiro 配置</description>
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager" />
- <property name="loginUrl" value="/login.jsp" />
- <property name="successUrl" value="/index.jsp" />
- <property name="unauthorizedUrl" value="/login.do" />
- <property name="filterChainDefinitions">
- <value>
- /login.jsp = anon
- /login.do = anon
- /** = authc
- </value>
- </property>
- </bean>
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <!--设置自定义realm-->
- <property name="realm" ref="monitorRealm" />
- </bean>
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- <!--自定义Realm 继承自AuthorizingRealm-->
- <bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean>
- <!-- securityManager -->
- <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
- <property name="staticMethod"
- value="org.apache.shiro.SecurityUtils.setSecurityManager" />
- <property name="arguments" ref="securityManager" />
- </bean>
- <!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
- <!-- the lifecycleBeanProcessor has run: -->
- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager"/>
- </bean>
- </beans>
将shiro的配置文件引入到web.xml中:
并在web.xml中加入如下代码:
- <!-- Shiro Security filter -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- <init-param>
- <param-name>targetFilterLifecycle</param-name>
- <param-value>true</param-value>
- </init-param>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>*.do</url-pattern>
- </filter-mapping>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>*.jsp</url-pattern>
- </filter-mapping>
实现自己的Realm
- @Service("monitorRealm")
- public class MonitorRealm extends AuthorizingRealm {
- @Autowired UserService userService;
- @Autowired RoleService roleService;
- @Autowired LoginLogService loginLogService;
- public MonitorRealm(){
- super();
- }
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
- /*这里编写授权代码*/
- }
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(
- AuthenticationToken authcToken) throws AuthenticationException {
- /*这里编写认证代码*/
- }
- public void clearCachedAuthorizationInfo(String principal) {
- SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
- clearCachedAuthorizationInfo(principals);
- }
- }
登录时的代码示例:
- Subject currentUser = SecurityUtils.getSubject();
- if(!currentUser.isAuthenticated()){
- UsernamePasswordToken token;
- if(null == rememberMe)
- token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()),false,request.getRemoteAddr());
- else token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()), true, request.getRemoteAddr());
- try {
- currentUser.login(token);
- } catch ( AuthenticationException ae ) {
- request.setAttribute("message", "用户名或密码错误!");
- return "login";
- }
- }
执行currentUser.login(token);这句代码时,shiro会自动调用用户实现的Realm的doGetAuthenticationInfo进行身份认证。
登出时的代码示例:
- Subject currentUser = SecurityUtils.getSubject();
- if (currentUser != null) {
- currentUser.logout();
- }
- HttpSession session = request.getSession(false);
- if( session != null ) {
- session.invalidate();
- }
- return "login";
在对用户(角色)进行授权时会执行Realm里的doGetAuthorizationInfo方法。
OK简单的集成完成了,如果用cas或者Springsecurity恐怕没这么简单利索 哈哈。
类似功能链接:http://kdboy.iteye.com/blog/1103794
其它链接:
http://kdboy.iteye.com/blog/1154644
http://kdboy.iteye.com/blog/1154652
http://kdboy.iteye.com/blog/1155450
http://kdboy.iteye.com/blog/1169631
http://kdboy.iteye.com/blog/1169637
官方名词解释:http://shiro.apache.org/terminology.html
官方权限解释:http://shiro.apache.org/permissions.html