安全框架shiro与ssm的整合


一、在ssm依赖包的基础上引入shiro相关包

<!-- Shiro 1.4.0 is an old release: several authentication-bypass fixes in the web filter's
     path matching have shipped since then (see the project's security advisories), so use a
     current release instead. Keep shiro-core, shiro-web and shiro-spring on the same version;
     mixing versions of the three artifacts is not supported. -->
<dependency>
		    <groupId>org.apache.shiro</groupId>
		    <artifactId>shiro-core</artifactId>
		    <version>1.4.0</version>
		</dependency>
		<!-- servlet filter, filter chain and web session support -->
		<dependency>
		    <groupId>org.apache.shiro</groupId>
		    <artifactId>shiro-web</artifactId>
		    <version>1.4.0</version>
		</dependency>
		<!-- ShiroFilterFactoryBean and the annotation advisor used in the Spring XML below -->
		<dependency>
		    <groupId>org.apache.shiro</groupId>
		    <artifactId>shiro-spring</artifactId>
		    <version>1.4.0</version>
		</dependency>

二、配置shiro

1.web.xml中的配置

<!-- Shiro entry point (class from the spring-web jar): DelegatingFilterProxy forwards every
     request to the Spring bean whose name equals this filter-name, i.e. the "shiroFilter"
     bean declared in applicationContext.xml -->
<filter>
   <filter-name>shiroFilter</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- /* so the filter chain definitions decide access for every URL. Servlet filters run in
     filter-mapping order, so any filter that serves content must be mapped after this one.
     NOTE(review): without <dispatcher> elements a mapping applies to REQUEST only; add FORWARD
     and INCLUDE (and ERROR) dispatchers if forwarded views must also pass through Shiro -->
<filter-mapping>
   <filter-name>shiroFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

2. applicationContext.xml中的配置

<!-- the custom Realm (MyRealm.java below) that looks accounts, roles and permissions up -->
    <bean id="myRealm" class="com.zhiyou.shiro.realm.MyRealm"/>
    <!-- SecurityManager: the only realm is myRealm.
         NOTE(review): no credentialsMatcher is configured on the realm, so Shiro's default
         matcher compares the stored password with the submitted one directly; that only works
         with plaintext passwords in the database. Configure HashedCredentialsMatcher on myRealm
         and store salted hashes instead. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="myRealm"/>
    </bean>
    <!-- request filter;
            the id must equal the filter-name declared in web.xml
     -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<!-- unauthenticated requests to an authc-protected URL are sent here -->
		<property name="loginUrl" value="/login.jsp"></property>
		<!-- binds this filter to the SecurityManager above -->
		<property name="securityManager" ref="securityManager"></property>
		<!-- filter chain rules (roles[...], perms[...]) redirect here when the check fails;
		     this does not apply to @RequiresRoles/@RequiresPermissions failures, which surface
		     as an exception from the handler -->
		<property name="unauthorizedUrl" value="/403.html"></property>
		
		<!-- rules, one "pattern = filter" per line, evaluated top down: the FIRST matching
		     pattern wins, so the catch-all /**=authc must stay last
		   anon: anonymous access allowed
		   authc: authentication required
		   roles[roleName]: the subject must hold the given role
		   perms[permission]: the subject must hold the given permission
		   example: /user/**=roles[admin] would require the admin role for everything under /user/
		-->
		<property name="filterChainDefinitions">
		    <value>
		        /css/** = anon
		        /images/** = anon
		        /js/** = anon
		        /user/login=anon
		       <!-- the two rules below are commented out: the equivalent checks are done by the
		            annotations in UserController. If re-enabled, the path must match the controller
		            mapping, which is /user/manage, not /user/manager:
		            /user/manager=perms[user:manager]
		       /user/delete=perms[user:delete] -->
		        /**=authc
		    </value>
		</property>
	</bean>

 3.springmvc-servlet.xml中的配置

<!-- Enable Shiro's annotation checks (@RequiresRoles / @RequiresPermissions) on beans of this
     context: the advisor wraps annotated controllers in an AOP proxy that runs the check before
     the handler method. proxy-target-class="true" selects CGLIB proxies, which is needed because
     the controllers do not implement an interface. securityManager is presumably resolved from
     the parent context (applicationContext.xml).
     NOTE(review): a failed annotation check throws an AuthorizationException out of the handler;
     without an exception resolver (e.g. SimpleMappingExceptionResolver mapping it to 403.html)
     the client gets a server error page rather than the unauthorizedUrl configured above. -->
	<aop:config proxy-target-class="true" />
	<bean
		class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
		<property name="securityManager" ref="securityManager" />
	</bean>

三、创建自定义realm类,MyRealm.java

package com.zhiyou.shiro.realm;

import java.util.List;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.zhiyou.shiro.bean.Permission;
import com.zhiyou.shiro.bean.Role;
import com.zhiyou.shiro.bean.User;
import com.zhiyou.shiro.service.PermissionService;
import com.zhiyou.shiro.service.RoleService;
import com.zhiyou.shiro.service.UserService;

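/**
 * Realm backed by the user/role/permission services: authenticates an account by username and
 * loads its roles plus permission strings for authorization.
 * The principal handed to Shiro at login is the username string (see doGetAuthenticationInfo),
 * and the authorization side reads that same string back as the primary principal.
 */
public class MyRealm extends AuthorizingRealm{

	@Autowired
	private UserService userService;
	@Autowired
	private RoleService roleService;
	@Autowired
	private PermissionService permissionService;

	/**
	 * Authorization: builds the role and permission set of an already-authenticated subject.
	 * Uses getPrimaryPrincipal() rather than PrincipalCollection.toString(): the string form of
	 * the collection is an implementation detail and is not guaranteed to be the bare username.
	 *
	 * @param principals principals of the subject being authorized
	 * @return the roles and string permissions found for the user; an info that grants nothing
	 *         when the user has no roles (or no principal is available)
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		System.out.println("4.需要授权的用户名"+principals);
		SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
		//1.the username stored as primary principal at authentication time
		Object primary=(principals==null) ? null : principals.getPrimaryPrincipal();
		if(primary==null) {
			return info; //nothing to look up: grants no role and no permission
		}
		String username=primary.toString();
		//2.roles assigned to this user
		List<Role> roles=roleService.findByUsername(username);
		//3.no roles (or a null result from the service) means no role and no permission;
		//  an empty info is returned instead of null so callers never see a null result
		if(roles==null || roles.isEmpty()) {
			return info;
		}
		//4.every role and, per role, the permission strings attached to it
		for(Role r:roles) {
			System.out.println("5.该用户具有的角色:"+r.getRoleName());
			info.addRole(r.getRoleName());
			List<Permission> ps=permissionService.findByRoleId(r.getRoleid());
			if(ps==null) {
				continue; //role without permissions
			}
			for(Permission p:ps) {
				System.out.println("6.该用户具有的权限:"+p.getUrl());
				//getUrl() holds the permission string matched by @RequiresPermissions (e.g. user:delete)
				info.addStringPermission(p.getUrl());
			}
		}
		return info;
	}

	/**
	 * Authentication: looks the account up by username and hands its stored credential to Shiro,
	 * which compares it with the submitted password through the realm's CredentialsMatcher.
	 * NOTE(review): no matcher is configured in applicationContext.xml, so the default matcher
	 * compares user.getPassword() with the submitted password directly; this only works with
	 * plaintext passwords in the database. Store a salted hash and configure
	 * HashedCredentialsMatcher instead.
	 *
	 * @param token the UsernamePasswordToken built by LoginController
	 * @return authentication info for the account, or null when the token carries no username
	 *         or no such account exists (Shiro's authenticator then reports the login as failed)
	 * @throws AuthenticationException declared for the realm contract; not thrown directly here
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
		Object principal=(token==null) ? null : token.getPrincipal();
		if(principal==null) {
			return null; //no username submitted: treated like an unknown account instead of an NPE
		}
		String username=principal.toString();
		System.out.println("2.开始认证"+username);
		//look the account up by username
		User user=userService.findByUsername(username);
		//log only the username: User.toString() may include the stored password
		System.out.println("3.查询用户信息"+(user==null ? null : user.getUsername()));
		if(user==null) {
			return null;
		}
		//principal = username (what doGetAuthorizationInfo reads back), credentials = stored password
		return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
	}

}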

四、实现权限验证功能

1.登录验证

package com.zhiyou.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
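@Controller
@RequestMapping("user")
public class LoginController {
	/**
	 * Handles the login form by authenticating the submitted credentials through Shiro.
	 * Only the username is echoed to the log; the password is handed to Shiro and never printed.
	 *
	 * @param username form field; null or empty is rejected without calling the realm
	 * @param password form field; null is rejected without calling the realm
	 * @return redirect to main.jsp on success, the login view on any authentication failure
	 */
	@RequestMapping("login")
	public String login(String username,String password) {
		System.out.println("1.控制层的登录方法"+username);
		if(username==null || username.isEmpty() || password==null) {
			return "login"; //missing input: same outcome as a failed login, no realm call
		}
		//authentication is delegated to Shiro
		Subject subject=SecurityUtils.getSubject();
		UsernamePasswordToken token=new UsernamePasswordToken(username,password);
		try {
			subject.login(token);
			return "redirect:../main.jsp";
		} catch (AuthenticationException e) {
			//the exception type (unknown account, wrong credentials, ...) is enough to diagnose
			//a failed login; neither the stack trace nor the submitted credentials are logged
			System.out.println("登录失败:"+e.getClass().getSimpleName());
			return "login";
		}
	}
	
}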

2.权限验证

package com.zhiyou.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping("user")
@Controller
@RequiresRoles(value= {"admin","manager"},logical=Logical.OR) //class level: every handler below requires the admin OR manager role
public class UserController {
	// Every handler only traces its name and returns the index view; the actual gate is the
	// annotation stack (class-level role check plus per-method permission check), enforced by
	// the AuthorizationAttributeSourceAdvisor configured in springmvc-servlet.xml.
	// NOTE(review): @RequestMapping without a method restriction accepts GET as well as POST, so
	// delete/update/insert can be triggered by a plain link; consider limiting them to POST.
	private static String trace(String action) {
		System.out.println(action);
		return "index";
	}

	@RequestMapping("delete")
	@RequiresPermissions("user:delete")  //method level: needs user:delete in addition to the class role
	public String delete() {
		return trace("delete");
	}
	@RequestMapping("update")
	@RequiresPermissions("user:update")
	public String update() {
		return trace("update");
	}
	@RequestMapping("insert")
	@RequiresPermissions("user:insert")
	public String insert() {
		return trace("insert");
	}
	@RequestMapping("manage")
	public String manage() {
		//no permission annotation: the class-level role check alone guards this endpoint
		return trace("manage");
	}
	
}
