Background:
Access control is needed, but access-control models are already mature, so building on an existing one saves development time. Shiro is used here; the application is annotation-based Spring MVC, so the two need to be integrated.
Please credit when reposting: http://snv.iteye.com/
Dependencies (Lib):
<!-- apache common start -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-io</artifactId>
    <version>1.3.2</version>
</dependency>
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
<dependency>
    <groupId>org.codehaus.jackson</groupId>
    <artifactId>jackson-mapper-lgpl</artifactId>
    <version>1.9.13</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>3.1.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jsp-api</artifactId>
    <version>2.0</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>servlet-api</artifactId>
    <version>2.5</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.1.36</version>
</dependency>
<!-- shiro start -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.2.2</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.2.2</version>
</dependency>
<!-- shiro end -->
Add shiroFilter to web.xml:
<!-- shiro filter start -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- shiro filter end -->
Configure the shiroFilter bean and the custom Realm in spring-x.xml:
<!--shiro start -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/usr/login" />
    <property name="successUrl" value="/usr/index" />
    <property name="unauthorizedUrl" value="/usr/tologin" />
    <property name="filterChainDefinitions">
        <value>
            /usr/** = anon
            /html/** = user
        </value>
    </property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="com.someabcd.csr.web.authenticCSRRealm" />
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!--shiro end -->
Explanation:
loginUrl: the URL of the action that performs the actual login authentication
successUrl: the URL of the page to redirect to after authentication succeeds
unauthorizedUrl: the URL of the page to redirect to when authentication does not pass
filterChainDefinitions: which filter each URL pattern is checked by; anon is the name of a built-in filter. Shiro ships several built-in filters, and you can also define your own.
securityManager: its realm property points at the custom Realm; the concept is explained later.
Custom Realm implementation, AuthenticCSRRealm:
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component("com.someabcd.csr.web.authenticCSRRealm")
public class AuthenticCSRRealm extends AuthorizingRealm {
    private Logger log = LoggerFactory.getLogger(AuthenticCSRRealm.class);

    // Authorization: called when roles or permissions are checked. This demo grants none.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        log.info("******doGetAuthorizationInfo:PrincipalCollection");
        return info;
    }

    // Authentication: called by Subject.login(). The demo stores the user name itself as the
    // credential, so a login only succeeds when the submitted password equals the user name.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String userName = token.getUsername();
        log.info("******doGetAuthenticationInfo:AuthenticationToken");
        if (userName != null && !"".equals(userName)) {
            return new SimpleAuthenticationInfo(userName, userName, getName());
        }
        return null; // a null result makes Shiro report an unknown account
    }
}
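The demo realm above accepts any password that equals the user name. As an added example (not the post's own code), here is a realm that instead verifies a salted, iterated SHA-256 hash through Shiro's HashedCredentialsMatcher and also returns roles, so a chain entry such as /html/** = roles[csr] can be enforced. The class name HashedCSRRealm and the in-memory user store are assumptions constructed for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Realm that verifies a salted, iterated SHA-256 hash instead of comparing the
// submitted password with the user name, and that also hands roles to Shiro.
public class HashedCSRRealm extends AuthorizingRealm {
    private static final int ITERATIONS = 1024;
    // Constructed demo user store (user name -> {hex hash, salt, role});
    // a real deployment reads this from a database with a random salt per user.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        String salt = "demo-salt";
        String hash = new Sha256Hash("s3cret", ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        USERS.put("alice", new String[] {hash, salt, "csr"});
    }
    public HashedCSRRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher); // Shiro hashes the submitted password and compares
    }
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
        String userName = ((UsernamePasswordToken) authcToken).getUsername();
        String[] record = userName == null ? null : USERS.get(userName);
        if (record == null) throw new UnknownAccountException("unknown account");
        // Return the stored hash and its salt; the matcher performs the comparison.
        return new SimpleAuthenticationInfo(userName, record[0], ByteSource.Util.bytes(record[1]), getName());
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        String[] record = USERS.get((String) principals.getPrimaryPrincipal());
        if (record != null) info.addRole(record[2]); // enables "/html/** = roles[csr]"
        return info;
    }
}
```

To use it in place of the demo realm, point the securityManager bean's realm property at this class instead.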
Login Controller:
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("usr")
public class UsrController {
    private Logger log = LoggerFactory.getLogger(UsrController.class);

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String login(HttpServletRequest request) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Log only the user name; the submitted password must not be written to the log.
        log.info("login attempt for username:{}", username);
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isAuthenticated()) {
            UsernamePasswordToken token = new UsernamePasswordToken(username, password);
            try {
                currentUser.login(token); // delegates to the configured Realm
            } catch (AuthenticationException uae) {
                log.info("Authentication failed for username of " + token.getPrincipal());
                return "usr/toLogin";
            }
        }
        return "usr/index";
    }

    @RequestMapping(value = "/tologin", method = RequestMethod.GET)
    public String toLogin(HttpServletRequest request) {
        return "usr/toLogin";
    }

    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public String index(HttpServletRequest request) {
        return "usr/index";
    }
}
See the next post for details.