關於項目的安全保護,我一直想找一個簡單配置就能達到目的的方法,自從接觸了shiro,這個目標總算達成了,如下結合我使用shiro的經驗,談談比較輕便地集成該功能。html
首先咱們先了解一下shiro是什麼。java
apache shiro 是一個功能強大和易於使用的Java安全框架,爲開發人員提供一個直觀而全面的的解決方案的認證,受權,加密,會話管理。web
其實按照我我的的理解,就是個過濾器,按照配置(或者註解)的規則進行權限驗證。spring
個人項目基於maven管理依賴jar包,首先把apache shiro相關須要用到的jar引入:數據庫
<!-- shiro --> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>1.2.1</version> </dependency>
其中shiro-web和shiro-spring必須,若是要緩存權限的話,就引入shiro-ehcache,後邊會詳細說道shiro-ehcache的使用。apache
看一下login.action裏是如何實現用戶登陸寫入的,獲取用戶表單信息以及查詢數據庫驗證就不說了,直接上關鍵代碼:緩存
//驗證用戶信息後進行token寫入,這裏爲了簡單,我把用戶的id和姓名做爲token的username和password UsernamePasswordToken token = new UsernamePasswordToken(m.getId() .toString(), m.getUsername()); Subject subject1 = SecurityUtils.getSubject(); subject1.login(token); subject1.getSession();
既然是個過濾器,那咱們就看一下這個過濾器的寫法:安全
package com.airfey.tech.nuo.action.shiro.filter; import java.io.IOException; import java.security.Principal; import javax.annotation.Resource; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import com.airfey.tech.nuo.common.security.MD5; import com.airfey.tech.nuo.core.domain.Manager; import com.airfey.tech.nuo.core.service.ManagerService; public class shiroFilter implements Filter {
//管理員用戶service @Resource private ManagerService managerService; @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Subject subjects = SecurityUtils.getSubject(); HttpServletRequest requestHttp = (HttpServletRequest) request; HttpServletResponse responseHttp = (HttpServletResponse) response; Principal principal = requestHttp.getUserPrincipal(); if (null != principal) {
//principal.getName()裏保存的是用戶的id,就是上邊登陸處token裏的信息 System.out.println(principal.getName()); Manager m = managerService.findOne(Long.parseLong(principal .getName())); if (null != m && 1 == m.getAudit()) { UsernamePasswordToken token = new UsernamePasswordToken( m.getId(), m.getId());//做爲例子,這裏我只是把用戶id放進了token,你能夠修改爲其它複雜點的信息 Subject subject1 = SecurityUtils.getSubject(); subject1.login(token); subject1.getSession(); } else { if (subjects != null) { subjects.logout(); } } } chain.doFilter(requestHttp, responseHttp); } @Override public void destroy() { } }
至此,能夠說登陸和過濾器已經完成了。而後就進行web.xml和spring文件以及權限驗證的實現。app
一、在web.xml里加入shiro的過濾器配置:框架
<filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
此過濾器要位於全部過濾器的前面。
二、權限驗證代碼實現,咱們寫一個realm類集成shiro的AuthorizingRealm
package com.airfey.tech.nuo.action.shiro.realm; import javax.annotation.Resource; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.cache.Cache; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.SimplePrincipalCollection; public class ShiroRealm extends AuthorizingRealm { @Override protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection principals) { if (principals == null) { throw new AuthorizationException( "PrincipalCollection method argument cannot be null."); } String username = (String) getAvailablePrincipal(principals); System.out.println("-------------------" + username);//輸出的實際上是用戶id SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); // 增長默認角色 info.addRole("ROLE_USER");
/*如下能夠從數據庫獲取用戶的角色以及權限信息,獲取到的信息添加入info便可,具體獲取數據庫的代碼我就省略了*/ // // 增長自定義角色 // if (null != userInfo.getRoleList()) { // for (RoleInfo roleInfo : userInfo.getRoleList()) { // if (null != roleInfo.getName() // && !"".equals(roleInfo.getName())) { // info.addRole(roleInfo.getName()); // } // } // } // if (null != userInfo.getModuleInfo()) { // for (ModuleInfo moduleInfo : userInfo.getModuleInfo()) { // if (null != moduleInfo.getGuid() // && !"".equals(moduleInfo.getGuid())) { // info.addStringPermission(moduleInfo.getGuid()); // } // } // } return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authcToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken) authcToken; String userName = token.getUsername(); if (userName != null && !"".equals(userName)) { return new SimpleAuthenticationInfo(token.getPrincipal(), token.getPassword(), token.getUsername()); } return null; } /** * 清空用戶關聯權限認證,待下次使用時從新加載。 * * @param principal */ public void clearCachedAuthorizationInfo(String principal) { SimplePrincipalCollection principals = new SimplePrincipalCollection( principal, getName()); clearCachedAuthorizationInfo(principals); } /** * 清空全部關聯認證 */ public void clearAllCachedAuthorizationInfo() { Cache<Object, AuthorizationInfo> cache = getAuthorizationCache(); if (cache != null) { for (Object key : cache.keys()) { cache.remove(key); } } } }
三、applicationContext.xml的配置 (這裏只保留了shiro相關的信息)
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.0.xsd"> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="successUrl" value="/manage/index.do" /> <property name="loginUrl" value="/manage/login.do" /> <property name="unauthorizedUrl" value="/manage/401.html" /> <property name="filters"> <map> <entry key="authc" value-ref="shiro"></entry> </map> </property> <property name="filterChainDefinitions"> <value> /manage/admin.html = authc,perms[shiro_admin:view] /manage/user.html=authc,perms[shiro_user:view] /manage/login.do=anon /manage/401.html=anon
/manage/js/**=anon
/manage/img/**=anon
/manage/kindeditor/**=anon /manage/**=authc,roles["ROLE_USER"] /**=anon </value> </property> </bean> <bean id="shiro" class="com.airfey.tech.nuo.action.shiro.filter.shiroFilter"> </bean> <bean id="shiroRealm" class="com.airfey.tech.nuo.action.shiro.realm.ShiroRealm" /> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="shiroRealm" /> <property name="cacheManager" ref="shiroEhcacheManager" /> </bean> <!-- 用戶受權信息Cache, 採用EhCache,須要的話就配置上此信息 --> <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager" /> </bean> </beans>
驗證規則裏以下讓靜態文件好比js img 目錄配置上anon
/manage/admin.html = authc,perms[shiro_admin:view]
/manage/user.html=authc,perms[shiro_user:view]
/manage/login.do=anon
/manage/401.html=anon
/manage/js/**=anon
/manage/img/**=anon
/manage/kindeditor/**=anon
/manage/**=authc,roles["ROLE_USER"]
/**=anon
結束,收工。很久不寫這麼長的博文了,敲起來真費勁。原創文章,文中不免有遺漏或者錯誤之處,請指正。