spring mvc整合shiro登录 权限验证
1、需要用到的shiro相关包
[html] view plain
copy
- <dependency>
- <groupId>org.apache.shirogroupId>
- <artifactId>shiro-coreartifactId>
- <version>1.2.3version>
- dependency>
- <dependency>
- <groupId>org.apache.shirogroupId>
- <artifactId>shiro-webartifactId>
- <version>1.2.3version>
- dependency>
- <dependency>
- <groupId>org.apache.shirogroupId>
- <artifactId>shiro-ehcacheartifactId>
- <version>1.2.3version>
- dependency>
- <dependency>
- <groupId>org.apache.shirogroupId>
- <artifactId>shiro-springartifactId>
- <version>1.2.3version>
- dependency>
2、首先在web.xml中添加shiro过滤器
[html] view plain
copy
- xml version="1.0" encoding="UTF-8"?>
- <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
- version="2.5">
- <display-name>abel-shiro Applicationdisplay-name>
- <context-param>
- <param-name>contextConfigLocationparam-name>
- <param-value>
- classpath:applicationContext.xml
- param-value>
- context-param>
- <listener>
- <listener-class>org.springframework.web.context.ContextLoaderListenerlistener-class>
- listener>
- <listener>
- <listener-class>org.springframework.web.util.WebAppRootListenerlistener-class>
- listener>
- <filter>
- <filter-name>shiroFilterfilter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxyfilter-class>
- <init-param>
- <param-name>targetFilterLifecycleparam-name>
- <param-value>trueparam-value>
- init-param>
- filter>
- <filter-mapping>
- <filter-name>shiroFilterfilter-name>
- <url-pattern>/*url-pattern>
- filter-mapping>
- <servlet>
- <servlet-name>springservlet-name>
- <servlet-class>org.springframework.web.servlet.DispatcherServletservlet-class>
- <init-param>
- <param-name>contextConfigLocationparam-name>
- <param-value>/WEB-INF/spring-shiro.xmlparam-value>
- init-param>
- <load-on-startup>1load-on-startup>
- servlet>
- <servlet-mapping>
- <servlet-name>springservlet-name>
- <url-pattern>/url-pattern>
- <bean id="systemAuthorizingRealm" class="com.abel.shiro.security.SystemAuthorizingRealm">
- <property name="credentialsMatcher">
- <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
- <property name="hashAlgorithmName" value="MD5" />
- bean>
- property>
- bean>
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <property name="realm" ref="systemAuthorizingRealm"/>
- bean>
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager"/>
- <property name="loginUrl" value="/login"/>
- <property name="successUrl" value="/admin/index"/>
- <property name="unauthorizedUrl" value="/403"/>
- <property name="filterChainDefinitions">
- <ref bean="shiroFilterChainDefinitions"/>
- property>
- bean>
- <bean name="shiroFilterChainDefinitions" class="java.lang.String">
- <constructor-arg>
- <value>
- /login=anon
- /dologin=anon
- /logout=anon
- /getVerifyCodeImage=anon
- /admin/channel/** = authc,perms[admin:channel]
- /admin/content/** = authc,perms[admin:content]
- /admin/sys/** = authc,perms[admin:sys]
- /admin/**=authc
- value>
- constructor-arg>
- bean>
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager"/>
- bean>
- beans>
4、SystemAuthorizingRealm的实现
[java] view plain
copy
- package com.abel.shiro.security;
- import java.util.List;
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.AuthenticationInfo;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.authc.SimpleAuthenticationInfo;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.session.InvalidSessionException;
- import org.apache.shiro.session.Session;
- import org.apache.shiro.subject.PrincipalCollection;
- import org.apache.shiro.subject.Subject;
- import org.springframework.beans.factory.annotation.Autowired;
- import com.abel.shiro.Constants;
- import com.abel.shiro.model.MemberModel;
- import com.abel.shiro.model.PermissionModel;
- import com.abel.shiro.model.RoleModel;
- import com.abel.shiro.services.MemberService;
- /**
- * 自定义的指定Shiro验证用户登录的类
- * @author abel.lin
- */
- public class SystemAuthorizingRealm extends AuthorizingRealm {
- @Autowired
- private MemberService memberService;
- /**
- * 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用
- */
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals){
- //获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next()
- String currentUsername = (String)super.getAvailablePrincipal(principals);
- MemberModel member = memberService.getMemberByName(currentUsername);
- if(member == null){
- throw new AuthenticationException("msg:用户不存在。");
- }
- SimpleAuthorizationInfo simpleAuthorInfo = new SimpleAuthorizationInfo();
- List
roleList = memberService.selectRoleByMemberId(member.getId()); - List
permList = memberService.selectPermissionByMemberId(member.getId()); - if(roleList != null && roleList.size() > 0){
- for(RoleModel role : roleList){
- if(role.getRoleCode() != null){
- simpleAuthorInfo.addRole(role.getRoleCode());
- }
- }
- }
- if(permList != null && permList.size() > 0){
- for(PermissionModel perm : permList){
- if(perm.getCode() != null){
- simpleAuthorInfo.addStringPermission(perm.getCode());
- }
- }
- }
- return simpleAuthorInfo;
- }
- /**
- * 认证回调函数, 登录时调用
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
- //获取基于用户名和密码的令牌
- //实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
- UsernamePasswordToken token = (UsernamePasswordToken)authcToken;
- Session session = getSession();
- String code = (String)session.getAttribute(Constants.VALIDATE_CODE);
- if (token.getCaptcha() == null || !token.getCaptcha().toUpperCase().equals(code)){
- throw new AuthenticationException("msg:验证码错误, 请重试.");
- }
- MemberModel member = memberService.getMemberByName(token.getUsername());
- if(member != null){
- if(member.getIslock() !=null && member.getIslock() == 1){
- throw new AuthenticationException("msg:该已帐号禁止登录.");
- }
- AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(member.getLoginName(), member.getPwd(), this.getName());
- this.setSession("currentUser", member.getLoginName());
- return authcInfo;
- }
- return null;
- }
- /**
- * 保存登录名
- */
- private void setSession(Object key, Object value){
- Session session = getSession();
- System.out.println("Session默认超时时间为[" + session.getTimeout() + "]毫秒");
- if(null != session){
- session.setAttribute(key, value);
- }
- }
- private Session getSession(){
- try{
- Subject subject = SecurityUtils.getSubject();
- Session session = subject.getSession(false);
- if (session == null){
- session = subject.getSession();
- }
- if (session != null){
- return session;
- }
- }catch (InvalidSessionException e){
- }
- return null;
- }
- }
5、登录操作LoginController
[java] view plain
copy
- package com.abel.shiro.controller;
- import java.awt.Color;
- import java.awt.image.BufferedImage;
- import java.io.IOException;
- import javax.imageio.ImageIO;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.subject.Subject;
- import org.springframework.stereotype.Controller;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.bind.annotation.ResponseBody;
- import com.abel.shiro.Constants;
- import com.abel.shiro.security.UsernamePasswordToken;
- /**
- * @author abel.lin
- */
- @Controller
- public class LoginController {
- @RequestMapping("login")
- public String login(HttpServletRequest request){
- return "login";
- }
- @RequestMapping("login/auth")
- public String doLogin(HttpServletRequest request){
- String username = request.getParameter("loginname");
- String pwd = request.getParameter("password");
- String captcha = request.getParameter("captcha");
- UsernamePasswordToken token = new UsernamePasswordToken(username, pwd, captcha);
- Subject currentUser = SecurityUtils.getSubject();
- currentUser.login(token);
- return "redirect:/admin/index";
- }
- @ResponseBody
- @RequestMapping("admin/index")
- public String index(HttpServletRequest request){
- return "wellcome index";
- }
- @ResponseBody
- @RequestMapping("admin/channel")
- public String channel(HttpServletRequest request){
- return "wellcome channel";
- }
- @ResponseBody
- @RequestMapping("admin/content")
- public String content(HttpServletRequest request){
- return "wellcome content";
- }
- @ResponseBody
- @RequestMapping("admin/sys")
- public String sys(HttpServletRequest request){
- return "wellcome sys";
- }
- @RequestMapping("logout")
- public String logout(HttpServletRequest request){
- SecurityUtils.getSubject().logout();
- return "redirect:/login";
- }
- /**
- * 获取验证码图片和文本(验证码文本会保存在HttpSession中)
- */
- @RequestMapping("/genCaptcha")
- public void genCaptcha(HttpServletRequest request, HttpServletResponse response) throws IOException {
- //设置页面不缓存
- response.setHeader("Pragma", "no-cache");
- response.setHeader("Cache-Control", "no-cache");
- response.setDateHeader("Expires", 0);
- String verifyCode = VerifyCodeUtil.generateTextCode(VerifyCodeUtil.TYPE_NUM_ONLY, 4, null);
- //将验证码放到HttpSession里面
- request.getSession().setAttribute(Constants.VALIDATE_CODE, verifyCode);
- System.out.println("本次生成的验证码为[" + verifyCode + "],已存放到HttpSession中");
- //设置输出的内容的类型为JPEG图像
- response.setContentType("image/jpeg");
- BufferedImage bufferedImage = VerifyCodeUtil.generateImageCode(verifyCode, 90, 30, 5, true, Color.WHITE, null, null);
- //写给浏览器
- ImageIO.write(bufferedImage, "JPEG", response.getOutputStream());
- }
- }
6、登录页面
[html] view plain
copy
- >
- <html>
- <head>
- <meta charset="UTF-8">
- <title>Shiro logintitle>
- head>
- <body>
- <form action="/login/auth" method="post">
- <div><label>用户名label><input type="text" name="loginname" />div>
- <div><label>密 码label><input type="text" name="password" />div>
- <div><label>验证码label><input type="text" name="captcha" /><img src="/genCaptcha" />div>
- <div><input type="submit" value="登录" />div>
- form>
- body>
- html>
项目源码下载(包含数据库): http://download.csdn.net/detail/rongku/9513091