shiro的简单应用

工具:jar包:https://download.csdn.net/download/ly_linyuan/10393067(注意:这是第三方下载站上的压缩包;实际项目建议通过 Maven/Gradle 从官方仓库引入 Shiro 依赖,并核对版本与校验值。)
1.先导入jar包

2.配置过滤器:web.xml:


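<filter>
  <filter-name>shiroFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>shiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>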

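3.spring整合shiro的配置文件spring-shiro.xml(页面提取时 XML 标签已丢失,下面只剩过滤链定义。过滤链按从上到下的顺序匹配,第一条命中的规则生效;`/user/*` 只匹配一层路径,未被任何规则命中的路径不会经过 Shiro 的认证过滤器。)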





     
        
     

    
        
            /user/login = anon 
            /user/tologin = anon 
            /js/** = anon
            
            /user/* = authc 
        
    




    
    
    
    






    
    





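4.编写密码比较器(注意:示例中只对密码本身做 MD5,未见加盐,仅适合演示;实际项目应使用带盐、多次迭代的哈希,例如 Shiro 的 HashedCredentialsMatcher,或 bcrypt/argon2 等专用口令哈希):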

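/**
 * Credentials matcher that hashes the password submitted at login with the project's
 * {@code MD5Change} helper and compares the result with the credential supplied by the realm.
 *
 * <p>NOTE(review): only the password itself is passed to the helper, so this looks like a plain,
 * unsalted MD5 digest. That is not adequate for stored passwords; prefer a salted, iterated
 * scheme (for example Shiro's {@code HashedCredentialsMatcher}) or a dedicated password hash
 * such as bcrypt or argon2. Confirm what {@code MD5Change.GetMD5Code} actually does.
 */
public class CustomCredentialsMatcher extends SimpleCredentialsMatcher {

/**
 * Compares the submitted password with the stored credential.
 *
 * @param token the credentials the user entered on the login page
 * @param info  the account data loaded by the realm; its credentials are expected to be the
 *              stored (already hashed) password
 * @return {@code true} only when the hashed submitted password equals the stored credential;
 *         {@code false} for unsupported tokens and for missing passwords or credentials
 */
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    System.out.println("进入密码比较器中");

    // Reject anything that is not a username/password token instead of failing on the cast.
    if (!(token instanceof UsernamePasswordToken) || info == null) {
        return false;
    }
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;

    // A token built with a null password has no character array; treat it as a failed match
    // rather than letting new String(null) throw.
    char[] rawPassword = upToken.getPassword();
    if (rawPassword == null) {
        return false;
    }

    // Stored credential as provided by the realm.
    Object dbPwd = info.getCredentials();
    if (dbPwd == null) {
        return false;
    }

    // Hash the submitted password the same way the stored value was produced.
    Object pwd = MD5Change.GetMD5Code(new String(rawPassword));
    if (pwd == null) {
        return false;
    }

    // Delegate the comparison to the two-argument equals inherited from the parent matcher.
    return this.equals(pwd, dbPwd);
}

}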

5.编写自定义realm域

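/**
 * Shiro realm that authenticates users through {@code UserService} and builds each user's
 * permission list from the user-role and role-permission relation tables.
 */
public class MyShiroReaml extends AuthorizingRealm {

@Autowired
private UserRoleService userRoleService;

@Autowired
private RolePermissionService rolePermissionService;

@Autowired
private PermissionService permissionService;

@Autowired
private UserService userService;

private ShiroService shiroService;

public ShiroService getShiroService() {
    return shiroService;
}
public void setShiroService(ShiroService shiroService) {
    this.shiroService = shiroService;
}

/**
 * Authorization: collects the permission strings of the current user. According to the
 * tutorial this runs when a JSP page containing Shiro tags is rendered.
 *
 * @param pc the principals of the authenticated subject
 * @return the user's permissions; empty when no principal from this realm or no role is found
 */
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {
    System.out.println("授权");
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    if (pc == null) {
        return info;
    }

    // Take the first principal that was contributed by this realm, if there is one.
    User user = null;
    for (Object principal : pc.fromRealm(this.getName())) {
        user = (User) principal;
        break;
    }
    if (user == null) {
        // Nothing to authorize against: grant no permissions.
        return info;
    }

    // User -> roles, via the user-role relation table.
    List<UserRole> urlist = userRoleService.getByUserId(user.getId());
    // Names of every permission the user holds.
    List<String> permissions = new ArrayList<String>();
    if (urlist != null) {
        for (UserRole ur : urlist) {
            // Role -> permissions, via the role-permission relation table.
            List<RolePermission> rplist = rolePermissionService.getByRid(ur.getRoleid());
            if (rplist == null) {
                continue;
            }
            for (RolePermission rp : rplist) {
                // A dangling relation row (permission deleted) must not break authorization.
                Permission p = permissionService.getById(rp.getPermissionId());
                if (p != null && p.getDescription() != null) {
                    // NOTE(review): the permission's description doubles as the Shiro permission
                    // string here; confirm it matches the names used in the JSP tags.
                    permissions.add(p.getDescription());
                }
            }
        }
    }
    info.addStringPermissions(permissions);
    return info;
}

/**
 * Authentication: looks the user up by the submitted user name and hands the stored password
 * to Shiro, which then calls the configured credentials matcher.
 *
 * @param token the user name and password entered on the login page
 * @return the account data for the matcher, or {@code null} when no such user exists, which
 *         Shiro reports as an authentication failure
 * @throws AuthenticationException declared by the overridden method; not thrown directly here
 */
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    System.out.println("认证");

    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();
    if (username == null) {
        return null;
    }

    User user = userService.getUserByUserName(username);
    if (user == null) {
        return null;
    }

    // The AuthenticationInfo is deliberately not printed: its string form is derived from the
    // principal, and the User object presumably carries the stored password hash.
    // NOTE(review): the whole User becomes the principal and so ends up in the session;
    // consider a principal without the password field.
    return new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());
}

}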

6.登录controller代码:

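/**
 * Login and demo pages under {@code /user}. Authentication is delegated to Shiro through
 * {@code Subject.login}.
 */
@Controller
@RequestMapping("/user")
public class LoginController {
@Autowired
private ShiroService shiroService;

private Logger logger = Logger.getLogger(LoginController.class);

/**
 * Shows the login page.
 *
 * @return the login view name
 */
@RequestMapping("/tologin")
public String tologin(){
    return "login";
}

/**
 * Verifies the submitted credentials.
 *
 * <p>NOTE(review): the mapping has no HTTP method restriction, so credentials sent in a GET
 * query string are accepted too and may end up in access logs; consider allowing POST only.
 *
 * @param username the submitted account name
 * @param password the submitted password
 * @param session  the HTTP session that receives the authenticated subject
 * @param model    receives the message shown on the next page
 * @return {@code "login"} when a field is missing, {@code "index"} when authentication fails,
 *         {@code "test"} on success
 */
@RequestMapping(value = "/login")
public String Login(String username, String password, HttpSession session, Model model){

    if (username == null || username.isEmpty()) {
        model.addAttribute("message", "账号不能为空");
        return "login";
    }
    // A missing password would otherwise reach the credentials matcher as null.
    if (password == null || password.isEmpty()) {
        model.addAttribute("message", "密码不能为空");
        return "login";
    }

    // Current subject; not authenticated yet at this point.
    Subject subject = SecurityUtils.getSubject();
    UsernamePasswordToken token = new UsernamePasswordToken(username, password);

    try {
        // Subject -> SecurityManager -> Realm -> credentials matcher.
        subject.login(token);
    } catch (org.apache.shiro.authc.AuthenticationException e) {
        // Covers an unknown account as well as a wrong password. Both get the same message so
        // the response does not reveal which account names exist.
        logger.info("login rejected: " + e.getClass().getSimpleName());
        model.addAttribute("message", "账号密码不正确");
        return "index";
    }

    // NOTE(review): no session-id rotation is visible after the successful login; confirm that
    // the container or the Shiro configuration protects against session fixation.
    session.setAttribute("user", subject);
    model.addAttribute("message", "登录完成");
    return "test";

}

/**
 * Opens the permission page for the logged-in user.
 *
 * @param session the HTTP session expected to hold the subject stored at login
 * @return {@code "permission"}, or {@code "login"} when the session holds no authenticated user
 */
@RequestMapping("/check")
public String check(HttpSession session){
    // NOTE(review): SecurityUtils.getSubject() is the usual way to obtain the current subject;
    // the session attribute is kept because the login handler stores it there.
    Subject subject = (Subject) session.getAttribute("user");
    if (subject == null || subject.getPrincipal() == null) {
        return "login";
    }
    // The user object is intentionally not printed; it presumably includes the password hash.
    return "permission";
}

/**
 * Returns the name-list view.
 *
 * <p>NOTE(review): no permission check is visible on this handler. Hiding the link with a Shiro
 * JSP tag does not protect the URL; enforce the permission on the server as well.
 */
@RequestMapping("/readName")
public String readName(HttpSession session){
    return "name";
}

/**
 * Returns the data view.
 *
 * <p>NOTE(review): as with the name list, no server-side permission check is visible here.
 */
@RequestMapping("/readData")
public String readData(){
    return "data";
}


/**
 * Returns the view shown when access is denied.
 */
@RequestMapping("/nopermission")
public String noPermission(){
    return "error";
}

}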

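7.进入授权判断的页面: 当jsp页面出现Shiro标签时,就会执行授权方法(注意:Shiro 标签只决定页面上是否显示链接;本文的控制器中未见对 /user/readName、/user/readData 的权限校验,服务端仍需单独校验权限,否则已登录用户可以直接访问这些地址。)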

<%@ page language="java" isELIgnored="false" pageEncoding="UTF-8"%>
<%@ taglib uri="http://shiro.apache.org/tags" prefix="shiro" %>



Title





查看名单


查看数据



8.效果:
首页登录的用户有两个权限:查看名单,查看数据
再次登录另一个用户只有一个权限:查看名单
