Spring与shiro集成

背景：

需要做权限控制，不过权限控制模型已经成熟的很，那么应该基于已有的，那么就省去了开发的时间，那么此处采用了shiro，框架基于注解spring mvc那么需要继承

转帖请注明:http://snv.iteye.com/

依赖Lib：

<!-- apache common start -->
<dependency>
	<groupId>org.apache.commons</groupId>
	<artifactId>commons-io</artifactId>
	<version>1.3.2</version>
</dependency>
<dependency>
	<groupId>org.apache.commons</groupId>
	<artifactId>commons-collections4</artifactId>
	<version>4.0</version>
</dependency>
 
<dependency>
	<groupId>org.codehaus.jackson</groupId>
	<artifactId>jackson-mapper-lgpl</artifactId>
	<version>1.9.13</version>
</dependency>
<dependency>
	<groupId>org.springframework</groupId>
	<artifactId>spring-web</artifactId>
	<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
	<groupId>org.springframework</groupId>
	<artifactId>spring-webmvc</artifactId>
	<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
	<groupId>javax.servlet</groupId>
	<artifactId>jstl</artifactId>
	<version>1.2</version>
</dependency>
<dependency>
	<groupId>javax.servlet</groupId>
	<artifactId>jsp-api</artifactId>
	<version>2.0</version>
	<scope>provided</scope>
</dependency>
<dependency>
	<groupId>javax.servlet</groupId>
	<artifactId>servlet-api</artifactId>
	<version>2.5</version>
	<scope>provided</scope>
</dependency>
<dependency>
	<groupId>com.alibaba</groupId>
	<artifactId>fastjson</artifactId>
	<version>1.1.36</version>
</dependency>
<!-- shiro start -->
<dependency>
	<groupId>org.apache.shiro</groupId>
	<artifactId>shiro-spring</artifactId>
	<version>1.2.2</version>
</dependency>
<dependency>
	<groupId>org.apache.shiro</groupId>
	<artifactId>shiro-core</artifactId>
	<version>1.2.2</version>
</dependency>
<!-- shiro end -->

web.xml中加入shiroFilter：

<!-- shiro filter start -->
<filter>
	<filter-name>shiroFilter</filter-name>
	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	<init-param>
		<param-name>targetFilterLifecycle</param-name>
		<param-value>true</param-value>
	</init-param>
</filter>
<filter-mapping>
	<filter-name>shiroFilter</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- shiro filter end -->

在spring-x.xml中配置shiroFilter的实现，以及自定义Realm：

<!--shiro start -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
	<property name="securityManager" ref="securityManager" />
	<property name="loginUrl" value="/usr/login" />
	<property name="successUrl" value="/usr/index" />
	<property name="unauthorizedUrl" value="/usr/tologin" />
	   <property name="filterChainDefinitions">
	<value>
		/usr/** = anon
		/html/** = user
	</value>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
	<property name="realm" ref="com.someabcd.csr.web.authenticCSRRealm" />
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!--shiro end -->

说明如下：

loginUrl：执行具体的登陆认证对于的action的url

successUrl：认证通过跳转的页面对应的url

unauthorizedUrl：未通过认证跳转页面对应的url

filterChainDefinitions：对应url通过过滤器验证，anon为内置过滤器名称，shiro有多个内置过滤器，当然也可以自定义自己的过滤器

securityManager：在realm配置自定义的Realm，具体的概念后面会做阐述

 

自定义Realm实现：AuthenticCSRRealm：

@Component("com.someabcd.csr.web.authenticCSRRealm")
public class AuthenticCSRRealm extends AuthorizingRealm {
	private Logger log = LoggerFactory.getLogger(AuthenticCSRRealm.class);
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(
			PrincipalCollection principals) {
		 SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); 
		 log.info("******doGetAuthorizationInfo:PrincipalCollection");
		return info;
	}

	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken authcToken) throws AuthenticationException {
		UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
		String userName = token.getUsername();
		log.info("******doGetAuthorizationInfo:AuthenticationToken");
		if (userName != null && !"".equals(userName)) {
				return new SimpleAuthenticationInfo(userName,
						userName, getName());
		}
		return null;
	}

}

校验Controller：

@Controller
@RequestMapping("usr")
public class UsrController {
	private Logger log = LoggerFactory.getLogger(UsrController.class);
	@RequestMapping(value = "/login", method = RequestMethod.POST)
	public String login(HttpServletRequest request) {
		String username = request.getParameter("username");
		String password = request.getParameter("password");
		log.info("username:{}  and pwd:{}", username, password);
		Subject currentUser = SecurityUtils.getSubject();
		if (!currentUser.isAuthenticated()) {
			UsernamePasswordToken token = new UsernamePasswordToken(username,
					password);
			try {
				currentUser.login(token);
			} catch (Exception uae) {
				log.info("There is no user with username of "
						+ token.getPrincipal());
				return "usr/toLogin";
			}
		}
		return "usr/index";
	}

	@RequestMapping(value = "/tologin", method = RequestMethod.GET)
	public String toLogin(HttpServletRequest request) {
		return "usr/toLogin";
	}

	@RequestMapping(value = "/index", method = RequestMethod.GET)
	public String index(HttpServletRequest request) {
		return "usr/index";
	}
}

详细参看下个博客介绍