shiro 集成 springmvc 4 小记

按照网上的教程,砌了个 shiro 和 springmvc 4 的框架,见 https://gitee.com/luobenyu/admin-console 。主要是琢磨 shiro 登录时的自定义加密、解密流程。

这个集成考虑数据库表、验证流程的可定制性,故不采取 jdbcRealm 的集成方式。查阅了一些非官方的教程,都会提到要覆盖 org.apache.shiro.realm.AuthorizingRealm 类的 doGetAuthenticationInfo(AuthenticationToken arg0) 方法。结合下文,判断为通过自定义 realm 类根据 token 包含的账号信息,查询储存在数据库中的用户登录信息、并包装在 doGetAuthenticationInfo(AuthenticationToken arg0) 返回的 AuthenticationInfo 对象中。该 AuthenticationInfo 对象将提供给 HashedCredentialsMatcher 类的 doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) 方法进行校验。

关于登录时,页面表单传入的密码是否进行加密再进入 login 流程,我查看了 shiro2 的源代码。在 HashedCredentialsMatcher 类找到了这个方法:

/**
     * Hashes the provided credentials a total of {@code hashIterations} times, using the given salt.  The hash
     * implementation/algorithm used is based on the {@link #getHashAlgorithmName() hashAlgorithmName} property.
     *
     * @param credentials    the submitted authentication token's credentials to hash
     * @param salt           the value to salt the hash, or {@code null} if a salt will not be used.
     * @param hashIterations the number of times to hash the credentials.  At least one hash will always occur though,
     *                       even if this argument is 0 or negative.
     * @return the hashed value of the provided credentials, according to the specified salt and hash iterations.
     */
    protected Hash hashProvidedCredentials(Object credentials, Object salt, int hashIterations) {
        String hashAlgorithmName = assertHashAlgorithmName();
        return new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
    }

还有这个方法:

    /**
     * Hash the provided {@code token}'s credentials using the salt stored with the account if the
     * {@code info} instance is an {@code instanceof} {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} (see
     * the class-level JavaDoc for why this is the preferred approach).
     * 

* If the {@code info} instance is not * an {@code instanceof} {@code SaltedAuthenticationInfo}, the logic will fall back to Shiro 1.0 * backwards-compatible logic: it will first check to see {@link #isHashSalted() isHashSalted} and if so, will try * to acquire the salt from {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)}. See the class-level * JavaDoc for why this is not recommended. This 'fallback' logic exists only for backwards-compatibility. * {@code Realm}s should be updated as soon as possible to return {@code SaltedAuthenticationInfo} instances * if account credentials salting is enabled (highly recommended for password-based systems). * * @param token the submitted authentication token from which its credentials will be hashed * @param info the stored account data, potentially used to acquire a salt * @return the token credentials hash * @since 1.1 */ protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) { Object salt = null; if (info instanceof SaltedAuthenticationInfo) { salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt(); } else { //retain 1.0 backwards compatibility: if (isHashSalted()) { salt = getSalt(token); } } return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations()); }

所以我的判断是:1.在项目 xml 文件中配置了 credentialsMatcher 为官方提供的 HashedCredentialsMatcher ,并在 xml 文件指定了加密算法、加密次数之后;2.在数据库对应的自定义列,写进按照 shiro2 提供的加密步骤一样产生的加密后密码(需要自行实现查询数据库的逻辑);3.在springmvc 的登录(路径)方法中、调用 subject.login(token) 方法时,token 是前端表单直接传来的明文账号、明文密码,因为会在 shiro2 的默认实现中与数据库(后端)提供的 info 进行比对处理。晚一点开始验证。

拖拉快半个月,终于继续验证了。首先,shiro 是基于 filter 起作用的,所以shiro 的页面配置基本和 web.xml 无关。如果你的 web.xml 有配置 welcome-file-list 的,请将它们去除。参照网上一些做法,我们将 loginUrl 配置的地址,在 shiro 的 filterChainDefinitions 中设置为 authc (如果你的 loginUrl 和处理登录信息后重定向的地址不一样,也请把用于重定向的地址设置为 authc)。其他需要登录后才进行操作的地址(如各种业务界面地址),请在 filterChainDefinitions 中配置为 user。至于 css 样式、js脚本或者其他未登录也需要访问的资源,请在 filterChainDefinitions 中设置为 anon 。代码如下:

    
    
	    
	    
	    
	    
	        
	            # 'authc' as login to continue
	            # 'user' as a valid user or simply returns 404 results
	            # 'anon' as free to visit anyhow
	            /styles/** = anon
	            /index/loginPage = authc
	            /index/loginSuccess = authc
	            /doLogout/ = logout
	            /** = user
	        
	    
	    
	        
	            
	        
	    
    
    
    
        
        
        
        
        
		
		
		
		
		
		
		
	

关于登录后总是回到 loginUrl 的问题, shiro 默认的行为是:登录成功后,回到提交登录前访问的地址。如果你打开浏览器、首先访问了 loginUrl 的地址,然后提交登录,就会像狗追着自己尾巴一样打转了(没错,我就转了一周)。目前我们的测试步骤是:1.先访问一个业务地址(先在 filterChainDefinitions 中设置为 user 了)2.观察是否会重定向到 loginUrl 的地址 3.然后输入用户信息进行登录 4.验证是否回到了我们期望的地址。验证的控制器代码如下:

package com.maple.admin.controller;


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;

@Controller
@RequestMapping("/index")
public class DefaultController {
	
	/**
	 * show login page
	 * @param request
	 * @param response
	 * @return
	 */
	@RequestMapping("/loginPage")
	@ResponseBody
	public ModelAndView myShowLoginPage(HttpServletRequest request, HttpServletResponse response){
		ModelAndView mv = new ModelAndView();
		mv.setViewName("/login");
		return mv;
	}
	
	/**
	 * process login info
	 * @param request
	 * @param response
	 * @return
	 */
	@RequestMapping(name="/loginSuccess")
	@ResponseBody
	public ModelAndView myProcessLoginInfo(HttpServletRequest request, HttpServletResponse response){
		ModelAndView mv = new ModelAndView();
		mv.setViewName("/hola");
		String exceptionClassName = (String)request.getAttribute("shiroLoginFailure");
        String error = null;
        if(UnknownAccountException.class.getName().equals(exceptionClassName)) {
            error = "未知账户";
        } else if(IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {
            error = "用户名/密码错误";
        } else if(exceptionClassName != null) {
            error = "其他错误:" + exceptionClassName;
        }
        if (error != null) {
			mv.addObject("errorMsg", error);
		}
		return mv;
	}
	
	/**
	 * @param request
	 * @param response
	 * @return
	 */
	@RequestMapping("/json")
	@ResponseBody
	public ModelAndView myJsonOutput(HttpServletRequest request, HttpServletResponse response){
		String usr = request.getParameter("usr");
		String pwd = request.getParameter("pwd");
		ModelAndView mv = new ModelAndView();
		mv.setViewName("/hola"); // view
		if (usr == null || pwd == null) {
			mv.addObject("errorMsg", "json output here."); // model
		}
		return mv;
	}
	
	/**
	 * test static resopurces mapping
	 * @param request
	 * @param response
	 * @return
	 */
	@RequestMapping("/starter")
	@ResponseBody
	@RequiresPermissions("user:view")
	public ModelAndView myStarter(HttpServletRequest request, HttpServletResponse response){
		ModelAndView mv = new ModelAndView();
		mv.setViewName("/starter"); // view 
		return mv;
	}
}

还需要一个登录页面、和登录成功后显示信息的页面。登录页面位于 web 目录下的 /WEB-INF/jsp/login.jsp:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>



  
  
  AdminLTE 2 | Log in console
  
  
  
  
  
  
  
  
  
  
  
  

  
  
  

  
  














登录成功后的信息页面就相对简单了,位于 web 目录的 /WEB-INF/jsp/hola.jsp,代码如下:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>




Insert title here


    Hola! ${errorMsg}

 

你可能感兴趣的:(工具使用,Java,shiro2)