ssm整合shiro实现认证授权

ssm整合shiro实现认证授权

1、导包

<!--Load the Shiro library. shiro-all bundles the core, web and Spring modules.
    1.3.2 is an old 1.x release; later 1.x versions fixed several request-path
    matching / authentication-bypass issues. Check the Apache Shiro security
    advisories before using this version in production.-->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-all</artifactId>
    <version>1.3.2</version>
</dependency>

2、配置web.xml

<!--Shiro servlet filter. DelegatingFilterProxy looks up a Spring bean whose name equals
    this <filter-name> ("shiroFilter"), so the name must match the ShiroFilterFactoryBean
    id in applicationContext.xml and must not be changed independently.
    targetFilterLifecycle=true lets the servlet container's init/destroy calls reach the
    delegate bean.-->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!--Map the filter to every request so that no URL can bypass the Shiro filter chain;
    per-URL rules are expressed in filterChainDefinitions, not here.-->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

3、配置applicationContext.xml

  • 配置DefaultWebSecurityManager

    • 注入认证器
    • 注入数据域(Realm)
  • 配置认证器

    • 配置数据域的策略
  • 配置数据域

  • 配置shiro bean的后置处理器

  • 配置shiro 过滤器的bean

<!--SecurityManager: the central Shiro component the filter and SecurityUtils delegate to.-->
<bean id="defaultWebSecurityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!--Inject the authenticator-->
    <property name="authenticator" ref="modularrealmauthenticator"/>
    <!--Inject the realm (data source for accounts, roles). Only one realm is configured here.-->
    <property name="realm" ref="userRealm"/>
</bean>

<!--Custom realm; does the username/password lookup and role mapping (see UserRealm).-->
<bean id="userRealm" class="com.yl.realm.UserRealm"></bean>

<!--Authenticator-->
<bean id="modularrealmauthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
    <!--Multi-realm strategy. With a single realm Shiro authenticates against it directly;
        the strategy only starts to matter once more realms are added.-->
    <property name="authenticationStrategy">
        <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>
    </property>
</bean>

<!--LifecycleBeanPostProcessor: lets Spring call the lifecycle (init/destroy) methods of
    Shiro beans that live in the IoC container.-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!--Enable Shiro's annotations (@RequiresRoles, @RequiresPermissions, ...) on Spring beans.
    Must be declared after LifecycleBeanPostProcessor, hence the depends-on.-->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="defaultWebSecurityManager"/>
</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="defaultWebSecurityManager"/>
    <!--Login page. When an unauthenticated request hits an authc-protected URL, Shiro
        compares it with loginUrl and redirects to loginUrl if it differs.-->
    <property name="loginUrl" value="/login.jsp"/>
    <!--Page shown after successful authentication-->
    <!--<property name="successUrl" value="/index.jsp"/>-->
    <!--Page for *authorization* failures (missing role/permission from a roles/perms filter
        or a Shiro annotation). Authentication failures are handled by loginUrl above.-->
    <property name="unauthorizedUrl" value="/login.jsp"/>

    <!--Rules are evaluated top-down and the first matching pattern wins, so the
        catch-all "/** = authc" must stay last. NOTE(review): the login controller shown
        elsewhere on this page is mapped to "/login"; whether it actually resolves to
        "/user/login" depends on a class-level @RequestMapping that is not visible here.
        If it does not, the login POST itself falls under "/** = authc" - verify.-->
    <property name="filterChainDefinitions">
        <!--anon(AnonymousFilter.class): no authentication required
                authc(FormAuthenticationFilter.class): login required
                roles(RolesAuthorizationFilter.class): role check required
                perms(PermissionsAuthorizationFilter.class): permission check required-->
        <value>
            /user/login=anon
            /js/** = anon
            /layui/** = anon
            /res/** = anon
            /** = authc
        </value>
    </property>
</bean>

4、控制器

 @RequestMapping("/login")
    public ModelAndView login(User user){
        // Hand the submitted credentials to Shiro; the Subject delegates the
        // actual verification to the realm(s) configured on the SecurityManager.
        // NOTE(review): no HTTP method restriction is visible here, so GET with
        // credentials in the query string would be accepted too - confirm the
        // class-level mapping or restrict to POST.
        Subject currentUser = SecurityUtils.getSubject();
        UsernamePasswordToken token =
                new UsernamePasswordToken(user.getLoginName(), user.getPassword());

        String viewName;
        try {
            currentUser.login(token);
            viewName = "index";
        } catch (AuthenticationException e) {
            // Every authentication failure (unknown account, wrong password, ...)
            // goes back to the login view; no failure detail reaches the client.
            viewName = "login";
        }

        ModelAndView result = new ModelAndView();
        result.setViewName(viewName);
        return result;
    }

5、自定义数据域

package com.yl.realm;

import com.yl.bean.User;
import com.yl.service.IUserService;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

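public class UserRealm extends AuthorizingRealm {
    @Autowired
    private IUserService userService;

    /**
     * Authorization: derives the Shiro roles of a subject from its {@link User} principal.
     * <p>
     * The principal stored by {@link #doGetAuthenticationInfo} is the {@code User} loaded
     * from the database, so the role comes from its {@code rid} field: {@code 1} maps to
     * {@code admin}, anything else to {@code user}. No permissions are granted here.
     *
     * @param principalCollection principals of the subject being authorized
     * @return the subject's roles; empty (deny by default) when the primary principal is
     *         missing or is not a {@code User}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        Object principal = principalCollection.getPrimaryPrincipal();

        // A null or foreign principal used to fail with an NPE/ClassCastException inside the
        // authorizer; returning no roles is the safe (deny) outcome instead.
        if (!(principal instanceof User)) {
            return authorizationInfo;
        }
        User user = (User) principal;
        authorizationInfo.addRole(user.getRid() == 1 ? "admin" : "user");
        return authorizationInfo;
    }

    /**
     * Authentication: checks the submitted username/password through the user service.
     * <p>
     * NOTE(review): the password comparison happens inside {@code userService.login}; the
     * {@code SimpleAuthenticationInfo} returned below carries the <em>submitted</em> password
     * as its credential, so Shiro's own {@code CredentialsMatcher} compares the input with
     * itself and always passes. Any password hashing must therefore be done by the service,
     * or this realm should return the stored credential and be configured with a
     * {@code HashedCredentialsMatcher}.
     *
     * @param authenticationToken token built by the login controller; Shiro only hands this
     *                            realm {@link UsernamePasswordToken}s (its default token class)
     * @return authentication info whose principal is the {@code User} loaded from the database
     * @throws AuthenticationException when the token lacks a username or password, or when
     *                                 the service finds no matching account
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        String inputUserName = token.getUsername();
        char[] inputPasswordChars = token.getPassword();

        // A form posted without a username or password yields null here; report it as a
        // normal authentication failure instead of a NullPointerException from new String(null).
        if (inputUserName == null || inputPasswordChars == null) {
            throw new AuthenticationException("认证失败");
        }
        String inputPassword = new String(inputPasswordChars);

        User probe = new User();
        probe.setLoginName(inputUserName);
        probe.setPassword(inputPassword);

        User dbUser = userService.login(probe);
        if (dbUser == null) {
            // Same message for unknown account and wrong password, so the response does not
            // reveal which usernames exist.
            throw new AuthenticationException("认证失败");
        }

        // The realm name is hard-coded; it must match whatever callers pass to
        // PrincipalCollection.fromRealm(...), if any. getName() would be the canonical choice.
        return new SimpleAuthenticationInfo(dbUser, inputPassword, "UserRealm");
    }
}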
记得快乐
原文地址:https://www.cnblogs.com/Y-wee/p/13986656.html