shiro安全框架的使用

l  Shiro的使用

在WEB.XML中配置：shiro核心控制器 DelegatingFilterProxy

applicationContext.xml 事务管理声明之前配置：开启cglib动态代理方式

配置shiro的配置文件:基于spring

Shiro配置文件：

 

         description>Shiro的配置description>

  

  

  

  

  

  

  

    <bean id="securityManager"class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

       

        <property name="realm"ref="authRealm"/>

       

        <property name="cacheManager"ref="shiroEhcacheManager"/>

    bean>

 

   

    <bean id="authRealm"class="cn.itcast.jk.shiro.AuthRealm[a1] ">

      <property name="userService"ref="userService"/>

     

      <property name="credentialsMatcher"ref="passwordMatcher"/>

   bean>

  

  

   <bean id="passwordMatcher"class="cn.itcast.jk.shiro.CustomCredentialsMatcher[a2] "/>

 

   

    <bean id="shiroFilter"class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

        <property name="securityManager"ref="securityManager"/>

       

        <property name="loginUrl"value="/index.jsp">property>

             

        <property name="successUrl"value="/home.action">property>

        <property name="filterChainDefinitions">

           

            <value>

            /index.jsp* = anon

            /home* = anon

            /sysadmin/login/login.jsp* = anon

            /sysadmin/login/logout.jsp* = anon

            /login* = anon

            /logout* = anon

            /components/** = anon

            /css/** = anon

            /images/** = anon

            /js/** = anon

            /make/** = anon

            /skin/** = anon

            /stat/** = anon

            /ufiles/** = anon

            /validator/** = anon

            /resource/** = anon

            /** = authc

            /*.* = authc

            value>

        property>

    bean>

 

   

    <bean id="shiroEhcacheManager"class="org.apache.shiro.cache.ehcache.EhCacheManager">

        <property name="cacheManagerConfigFile"value="classpath:ehcache-shiro.xml[a3] "/>

    bean>

 

   

    <bean id="lifecycleBeanPostProcessor"class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

 

   

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"

          depends-on="lifecycleBeanPostProcessor">

        <property name="proxyTargetClass"value="true"/>

    bean>

   

   

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

        <property name="securityManager"ref="securityManager"/>

    bean>

 

 

授权&管理 类

public class AuthRealm extends AuthorizingRealm{

   private UserService userService;

   public voidsetUserService(UserService userService) {

      this.userService = userService;

   }

   /**

    * 授权

    */

   @Override

   protectedAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {

      User user = (User)pc.fromRealm(this.getName()).iterator().next();[a4] 

      //获取对象导航

      Set roles = user.getRoles();

      List permissions = newArrayList();

      for(Role role:roles){

         //遍历角色得到每个角色下的模块列表

         Set modules = role.getModules();

         //将模块名放入permissions中

         for (Module module : modules) {

            permissions.add(module.getName());

         }

  

         SimpleAuthorizationInfo info = newSimpleAuthorizationInfo();

         info.addStringPermissions(permissions);

         return info;

      }

     

      return null;

   }

   /**

    * 认证

    */

   @Override

   protectedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token[a5] ) throwsAuthenticationException {

     

      UsernamePasswordToken upToken = (UsernamePasswordToken)token;[a6] 

     

      //查询用户

      String hql = "fromUser where userName=?";

      List list = userService.find(hql, User.class, new String[]{upToken.getUsername()});

     

      //判断用户是否存在

      if(list!=null && list.size()>0){

         //获取用户名

         User user = list.get(0);

      //核心API

         SimpleAuthenticationInfo info = newSimpleAuthenticationInfo(user, user.getPassword(),

this.getName()[a7] );[a8] 

         return info;//进入密码比较器

      }

      return null;

   }

 

密码比较器:

  public classCustomCredentialsMatcher extendsSimpleCredentialsMatcher{

    //密码比较

    public booleandoCredentialsMatch(AuthenticationTokentoken, AuthenticationInfo info[a9] [a10] ){

        UsernamePasswordToken upToken =(UsernamePasswordToken)token;

        //将用户在界面输入的原始密码加密

        Object pwd = Encrypt.md5(new String(upToken.getPassword())[a11] , upToken.getUsername()[a12] );[a13] 

        //获取数据库中加密的密码

        Object dbPwd = info.getCredentials();

        return this.equals(pwd,dbPwd);//进行密码比较

    }

}

 

 

Action中的方法:

 

try {

            Subject subject =SecurityUtils.getSubject();[a14] 

            //调用登录方法

            UsernamePasswordToken tokan = newUsernamePasswordToken(username, password);

            subject.login(tokan);//当这一代码执行时,就会自动跳入到AuthRealm中认证方法

            //登录成功时,从shiro中取出用户的登录信息

            User user = (User) subject.getPrincipal();

        } catch (Exception e) {

            e.printStackTrace();

            request.put("errorInfo", "用户名或密码错误");

            return "login";

        }

 

 

执行过程:

 

 

 

---

 [a1]自定义认证&权限路径

 [a2]自定义的密码比较器

 [a3]缓存的配置文件

 [a4]获取user对象

 [a5]存放用户名和密码

 [a6]把接口强制转换成它的实现类

 [a7]可为任意字符串,与授权中pc.fromRealm(this.getName()).iterator().next();中的this.getName()一致

 [a8]将用户,用户名,认证名称传入SimpleAuthenticationInfo中

 [a9]来自授权&认证的数据

 [a10]AuthRealm类 info对象穿过来的参数;token 是user对象,info是客户端传来的密码

 [a11]客户端传来的密码

 [a12]Salt 是一个任意的字符串,加密的一个参数

 [a13]调用工具类给密码加密

 [a14]获取subject对象