本文介绍了如何在WEB应用中使用Shiro进行身份认证。
在 web.xml 文件中配置一个 Servlet ContextListener 监听器和一个 Filter 过滤器。
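<!-- Bootstraps the Shiro environment (reads shiro.ini) when the web application starts. -->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<!-- The [urls] rules in shiro.ini (e.g. "/success.jsp = authc") are enforced only on requests
     that pass through ShiroFilter. Mapping the filter to "/login.do" alone leaves every other
     URL - including success.jsp - outside Shiro's control, so the 'authc' rule would never run.
     Map it to "/*" so every request is evaluated against the [urls] section. -->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>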
<!-- Login form. Submits "loginName" and "password" with a POST to login.do, the URL read by
     LoginController. The image button calls doSubmit(), which is defined elsewhere on the page
     (not shown here) and presumably submits form1.
     NOTE(review): the credentials travel in the POST body, so this page and login.do should be
     served over HTTPS. -->
<FORM name="form1" action="login.do" method="POST">
  <TABLE cellSpacing=0 cellPadding=0 align=center border=0>
    <TBODY>
      <TR>
        <TD width=250>
          <TABLE cellSpacing=3 cellPadding=0 border=0>
            <TBODY>
              <TR>
                <TD width=90><IMG height=29 src="images/title_yhm.gif" width=90></TD>
                <!-- user name field -->
                <TD><INPUT class=logininput name=loginName> </TD>
              </TR>
              <TR>
                <TD width=90><IMG height=27 src="images/title_mima.gif" width=90></TD>
                <!-- type=password keeps the typed value masked on screen -->
                <TD><INPUT class=logininput type=password name=password></TD>
              </TR>
              <TR>
                <TD width=90></TD>
                <TD align="right"></TD>
              </TR>
            </TBODY>
          </TABLE>
        </TD>
        <TD vAlign=top>
          <TABLE cellSpacing=6 cellPadding=0 border=0>
            <TBODY>
              <TR>
                <!-- image acting as the submit button -->
                <TD><IMG style="CURSOR: hand" onclick=doSubmit() height=35 src="images/button_login.gif" width=77 border=0></TD>
              </TR>
            </TBODY>
          </TABLE>
        </TD>
      </TR>
    </TBODY>
  </TABLE>
</FORM>
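[main]
# --- Datasource used by the JDBC realm ---
# NOTE(review): a root login with a literal password is embedded in this file. For anything
# beyond a local demo, supply these values from the container/environment, use a
# least-privilege database account, and keep this file out of version control.
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = 127.0.0.1
ds.user = root
ds.password = 123456
ds.databaseName = shiro
ds.url = jdbc:mysql://127.0.0.1:3306/shiro

# --- Realm ---
# authenticationQuery returns the stored password for the submitted username. No
# credentialsMatcher is configured here, so Shiro's default matcher compares the submitted
# password directly with the stored value - i.e. user_credence_information is expected to hold
# the password as-is. Hashed storage plus a hashing matcher is the usual production choice;
# presumably out of scope for this walkthrough.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM user_credence_information WHERE username = ?
jdbcRealm.dataSource = $ds

# Where the 'authc' filter sends unauthenticated requests.
shiro.loginUrl = /login.jsp

[users]
# format: username = password, role1, role2, ..., roleN

[roles]
# format: roleName = permission1, permission2, ..., permissionN

[urls]
# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but
# the 'authc' filter must still be specified for it so it can process that url's
# login submissions. It is 'smart' enough to allow those requests through as specified by the
# shiro.loginUrl above.
# NOTE(review): these rules apply only to requests that pass through ShiroFilter; make sure the
# web.xml filter-mapping covers /success.jsp (e.g. "/*"), not just /login.do.
/success.jsp = authc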
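/**
 * Handles the POST from login.jsp (form1): authenticates the submitted user name and password
 * through Shiro and forwards to success.jsp or error.jsp.
 */
public class LoginController implements Controller {

    private static final Log log = LogFactory.getLog(LoginController.class);

    /**
     * Retained for subclass compatibility only. A single controller instance serves concurrent
     * requests, so a per-request failure message must not be kept here; {@link #handleRequest}
     * uses a local instead and no longer assigns this field.
     */
    protected ErrMg error;

    /**
     * Exposes {@code message} to the error view as the request attribute {@code Error_Message}
     * and forwards to {@code errpath}.
     *
     * @param request  current request; receives the {@code Error_Message} attribute
     * @param response current response (not used)
     * @param message  failure description shown to the user
     * @param errpath  view name to render
     * @return a {@link ModelAndView} for {@code errpath}
     */
    public ModelAndView doReturnError(HttpServletRequest request, HttpServletResponse response,
                                      ErrMg message, String errpath) {
        request.setAttribute("Error_Message", message);
        return new ModelAndView(errpath);
    }

    /**
     * Authenticates the {@code loginName}/{@code password} request parameters with Shiro.
     * On success the principal is stored in the HTTP session under {@code USERINFORMATION} and
     * {@code USERNAME} and the user is sent to success.jsp; on any authentication failure an
     * {@link ErrMg} is attached to the request and error.jsp is rendered.
     *
     * @param request  carries the {@code loginName} and {@code password} parameters
     * @param response current response
     * @return {@code success.jsp} after a successful login, otherwise {@code error.jsp}
     * @throws Exception declared by {@link Controller}; nothing is thrown by this body itself
     */
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        String loginName = request.getParameter("loginName");
        String loginPwd = request.getParameter("password");
        // Log the account only: the submitted password must never be written to the log.
        log.info("用户认证开始:" + loginName);

        // Local, not the shared 'error' field: one controller instance handles concurrent logins.
        ErrMg failure = new ErrMg();
        AuthenticationToken token = new UsernamePasswordToken(loginName, loginPwd);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            // The principal supplied by the configured realm; cast to String as the views expect.
            String userid = (String) currentUser.getPrincipal();
            log.info("User [" + currentUser.getPrincipal() + "] logged in successfully.");
            log.info("用户认证完毕:" + loginName + " , " + userid);
            HttpSession session = request.getSession(true);
            session.setAttribute("USERINFORMATION", userid);
            session.setAttribute("USERNAME", userid);
            return new ModelAndView("success.jsp");
        } catch (UnknownAccountException uae) {
            // NOTE(review): distinct user-facing messages for "unknown user" and "wrong password"
            // let a caller tell which accounts exist; a single generic message avoids that.
            log.info("用户认证失败:" + "username wasn't in the system.");
            failure.setErrorMessage("username wasn't in the system.");
        } catch (IncorrectCredentialsException ice) {
            log.info("用户认证失败:" + "password didn't match.");
            failure.setErrorMessage("password didn't match.");
        } catch (LockedAccountException lae) {
            log.info("用户认证失败:" + "account for that username is locked - can't login.");
            failure.setErrorMessage("account for that username is locked - can't login.");
        } catch (AuthenticationException ae) {
            // Catch-all for any other Shiro authentication failure (must stay after the subtypes).
            log.info("用户认证失败:" + "unexpected condition.");
            failure.setErrorMessage("unexpected condition.");
        }
        return this.doReturnError(request, response, failure, "error.jsp");
    }
}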