前言:本文最终效果是基于ssm+shiro的一个简单的页面权限控制。源码地址:https://github.com/coVdiing/shiro.git
1、Shiro是什么?
Apache Shiro 是 Java 的一个安全框架。
2.Shiro一些基本概念
3.Shiro结合数据库。
RBAC的概念
Roles base access controll
基于角色的权限控制
或者
Resources base access controll
基于资源的权限控制
通俗来说,你得获得对应的资源或者权限才能够进行访问
表结构
最简单的权限控制,是建立在 “用户” —— ”角色“ —— “权限” 之间的关系。
其中用户和角色之间是多对多关系,角色和权限是多对多关系。
在进行表的设计时,可以考虑在用户、角色、权限三张表的基础上,再建立
用户-角色表,角色-权限表来维护他们之间的关系。
所以,最简单的RBAC需要五张表来实现。
4.编码,通过数据库的设计实现最简单的权限控制
SQL:
1 DROP DATABASE IF EXISTS shiro; 2 CREATE DATABASE shiro DEFAULT CHARACTER SET utf8; 3 USE shiro; 4 5 drop table if exists user; 6 drop table if exists role; 7 drop table if exists permission; 8 drop table if exists user_role; 9 drop table if exists role_permission; 10 11 create table user ( 12 id bigint auto_increment, 13 name varchar(100), 14 password varchar(100), 15 constraint pk_users primary key(id) 16 ) charset=utf8 ENGINE=InnoDB; 17 18 create table role ( 19 id bigint auto_increment, 20 name varchar(100), 21 constraint pk_roles primary key(id) 22 ) charset=utf8 ENGINE=InnoDB; 23 24 create table permission ( 25 id bigint auto_increment, 26 name varchar(100), 27 constraint pk_permissions primary key(id) 28 ) charset=utf8 ENGINE=InnoDB; 29 30 create table user_role ( 31 uid bigint, 32 rid bigint, 33 constraint pk_users_roles primary key(uid, rid) 34 ) charset=utf8 ENGINE=InnoDB; 35 36 create table role_permission ( 37 rid bigint, 38 pid bigint, 39 constraint pk_roles_permissions primary key(rid, pid) 40 ) charset=utf8 ENGINE=InnoDB;
插入数据
1 INSERT INTO `permission` VALUES (1,'addProduct'); 2 INSERT INTO `permission` VALUES (2,'deleteProduct'); 3 INSERT INTO `permission` VALUES (3,'editProduct'); 4 INSERT INTO `permission` VALUES (4,'updateProduct'); 5 INSERT INTO `permission` VALUES (5,'listProduct'); 6 INSERT INTO `permission` VALUES (6,'addOrder'); 7 INSERT INTO `permission` VALUES (7,'deleteOrder'); 8 INSERT INTO `permission` VALUES (8,'editOrder'); 9 INSERT INTO `permission` VALUES (9,'updateOrder'); 10 INSERT INTO `permission` VALUES (10,'listOrder'); 11 INSERT INTO `role` VALUES (1,'admin'); 12 INSERT INTO `role` VALUES (2,'productManager'); 13 INSERT INTO `role` VALUES (3,'orderManager'); 14 INSERT INTO `role_permission` VALUES (1,1); 15 INSERT INTO `role_permission` VALUES (1,2); 16 INSERT INTO `role_permission` VALUES (1,3); 17 INSERT INTO `role_permission` VALUES (1,4); 18 INSERT INTO `role_permission` VALUES (1,5); 19 INSERT INTO `role_permission` VALUES (1,6); 20 INSERT INTO `role_permission` VALUES (1,7); 21 INSERT INTO `role_permission` VALUES (1,8); 22 INSERT INTO `role_permission` VALUES (1,9); 23 INSERT INTO `role_permission` VALUES (1,10); 24 INSERT INTO `role_permission` VALUES (2,1); 25 INSERT INTO `role_permission` VALUES (2,2); 26 INSERT INTO `role_permission` VALUES (2,3); 27 INSERT INTO `role_permission` VALUES (2,4); 28 INSERT INTO `role_permission` VALUES (2,5); 29 INSERT INTO `role_permission` VALUES (3,6); 30 INSERT INTO `role_permission` VALUES (3,7); 31 INSERT INTO `role_permission` VALUES (3,8); 32 INSERT INTO `role_permission` VALUES (3,9); 33 INSERT INTO `role_permission` VALUES (3,10); 34 INSERT INTO `user` VALUES (1,'zhang3','12345'); 35 INSERT INTO `user` VALUES (2,'li4','abcde'); 36 INSERT INTO `user_role` VALUES (1,1); 37 INSERT INTO `user_role` VALUES (2,2);
User.java
User类对应user表。
1 public class User { 2 private int id; 3 private String name; 4 private String password; 5 6 public String getName() { 7 return name; 8 } 9 10 public void setName(String name) { 11 this.name = name; 12 } 13 14 public String getPassword() { 15 return password; 16 } 17 18 public void setPassword(String password) { 19 this.password = password; 20 } 21 }
Dao.java
Dao类用于展示权限相关的查询,由于在数据库中限定好了user,roles,permission各自的关系,所以在Dao中不需要提供对User的增删改功能,因此也不需要实现Role,Permission类。
1 public class Dao { 2 private static final String URL = "jdbc:mysql://127.0.0.1:3306/shiro?characterEncoding=UTF-8"; 3 private static final String USERNAME = "root"; 4 private static final String PASSWORD = "root"; 5 6 public Dao() { 7 try { 8 Class.forName("com.mysql.jdbc.Driver"); 9 } catch (ClassNotFoundException e) { 10 e.printStackTrace(); 11 } 12 } 13 14 public Connection getConnection() throws SQLException { 15 return DriverManager.getConnection(URL, USERNAME, PASSWORD); 16 } 17 18 /** 19 * 根据用户名查询密码 20 * @param username 21 * @return 22 */ 23 public String getPassword(String username) { 24 String sql = "SELECT password FROM user WHERE user.name = ? "; 25 PreparedStatement pstmt = null; 26 ResultSet rs = null; 27 Connection c = null; 28 29 try { 30 c = getConnection(); 31 pstmt = c.prepareStatement(sql); 32 pstmt.setString(1,username); 33 rs = pstmt.executeQuery(); 34 while (rs.next()) { 35 return rs.getString("password"); 36 } 37 } catch (SQLException e) { 38 e.printStackTrace(); 39 } finally { 40 try { 41 if (rs != null) 42 rs.close(); 43 if (pstmt != null) 44 pstmt.close(); 45 if (c != null) 46 c.close(); 47 } catch (SQLException e) { 48 e.printStackTrace(); 49 } 50 } 51 return null; 52 } 53 54 /** 55 * 根据用户名查询角色 56 * @param username 57 * @return 58 */ 59 public Set<String> listRoles(String username) { 60 Set<String> roles = new HashSet<>(); 61 String sql = "SELECT r.name name FROM user u " + 62 "LEFT JOIN user_role u_r ON u.id = u_r.uid " + 63 "LEFT JOIN role r ON u_r.rid = r.id WHERE u.name = ?"; 64 PreparedStatement pstmt = null; 65 ResultSet rs = null; 66 Connection c = null; 67 68 try { 69 c = getConnection(); 70 pstmt = c.prepareStatement(sql); 71 pstmt.setString(1,username); 72 rs = pstmt.executeQuery(); 73 while (rs.next()) { 74 roles.add(rs.getString("name")); 75 } 76 } catch (SQLException e) { 77 e.printStackTrace(); 78 } finally { 79 try { 80 if (rs != null) 81 rs.close(); 82 if (pstmt != null) 83 pstmt.close(); 84 if (c != null) 85 c.close(); 86 } catch (SQLException e) { 87 e.printStackTrace(); 88 } 89 } 90 return roles; 91 } 92 93 /** 94 * 根据用户名列出对应的权限 95 * @param username 96 * @return 97 */ 98 public Set<String> listPermissions(String username) { 99 //五张表的连接 100 String sql = "SELECT p.name name FROM user u " + 101 "LEFT JOIN user_role u_r ON u.id = u_r.uid " + 102 "LEFT JOIN role r ON u_r.rid = r.id " + 103 "LEFT JOIN role_permission r_p ON r.id = r_p.rid " + 104 "LEFT JOIN permission p ON r_p.pid = p.id WHERE u.name = ?"; 105 Set<String> permissions = new HashSet<>(); 106 PreparedStatement pstmt = null; 107 ResultSet rs = null; 108 Connection c = null; 109 110 try { 111 c = getConnection(); 112 pstmt = c.prepareStatement(sql); 113 pstmt.setString(1,username); 114 rs = pstmt.executeQuery(); 115 while (rs.next()) { 116 permissions.add(rs.getString("name")); 117 } 118 } catch (SQLException e) { 119 e.printStackTrace(); 120 } finally { 121 try { 122 if (rs != null) 123 rs.close(); 124 if (pstmt != null) 125 pstmt.close(); 126 if (c != null) 127 c.close(); 128 } catch (SQLException e) { 129 e.printStackTrace(); 130 } 131 } 132 return permissions; 133 } 134 135 }
main方法
1 Dao dao = new Dao(); 2 System.out.println("zhang3"); 3 System.out.println(dao.getPassword("zhang3")); 4 System.out.println(dao.listRoles("zhang3")); 5 System.out.println(dao.listPermissions("zhang3")); 6 7 System.out.println("--------------------------------------------------------------vi--------------------------------------------------------------"); 8 System.out.println("li4"); 9 System.out.println(dao.getPassword("li4")); 10 System.out.println(dao.listRoles("li4")); 11 System.out.println(dao.listPermissions("li4"));
结果如下图:
体验过简单版本的RBAC之后,接下来学习下Shiro是怎么做的。
5.Shiro的认证过程
1.创建一个maven工程,这个就不说了。
2.导入依赖,pom.xml
1 <dependencies> 2 <!--shiro核心--> 3 <dependency> 4 <groupId>org.apache.shiro</groupId> 5 <artifactId>shiro-core</artifactId> 6 <version>1.4.0</version> 7 </dependency> 8 9 <dependency> 10 <groupId>junit</groupId> 11 <artifactId>junit</artifactId> 12 <version>RELEASE</version> 13 </dependency> 14 15 <dependency> 16 <groupId>org.slf4j</groupId> 17 <artifactId>slf4j-nop</artifactId> 18 <version>1.7.28</version> 19 </dependency> 20 </dependencies>
shiro-core是shiro的核心,junit则是为了单元测试,slf4j-nop,尽管网上查了很多博客,包括shiro的入门视频里都没有提到这个包,但是实际使用过程中,没有加上就一直报错。
1 public class testAuthentication { 2 SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm(); 3 4 @Before 5 public void addUser() { 6 simpleAccountRealm.addAccount("Mark","12345"); 7 } 8 9 @Test 10 public void authentication(){ 11 //1.创建SecurityManager环境 12 DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); 13 //2.设置环境 14 SecurityUtils.setSecurityManager(defaultSecurityManager); 15 //3.设置Realm 16 defaultSecurityManager.setRealm(simpleAccountRealm); 17 //4.获取主体 18 Subject subject = SecurityUtils.getSubject(); 19 //5.获取用户名密码 20 UsernamePasswordToken token = new UsernamePasswordToken("Mark", "12345"); 21 //6.认证 22 try { 23 subject.login(token); 24 } catch (Exception e) { 25 e.printStackTrace(); 26 } 27 System.out.println("isAuthentication:"+subject.isAuthenticated()); 28 //登出 29 subject.logout(); 30 System.out.println("isAuthentication:"+subject.isAuthenticated()); 31 } 32 }
6.授权过程
与上面的认证过程基本一致,将之前的代码稍作修改
1 public class testAuthentication { 2 SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm(); 3 4 @Before 5 public void addUser() { 6 //在password后可以添加角色参数,该参数是一个可变参数 7 simpleAccountRealm.addAccount("Mark","12345","admin","user"); 8 } 9 10 @Test 11 public void authentication(){ 12 //1.创建SecurityManager环境 13 DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); 14 //2.设置环境 15 SecurityUtils.setSecurityManager(defaultSecurityManager); 16 //3.设置Realm 17 defaultSecurityManager.setRealm(simpleAccountRealm); 18 //4.获取主体 19 Subject subject = SecurityUtils.getSubject(); 20 //5.获取用户名密码 21 UsernamePasswordToken token = new UsernamePasswordToken("Mark", "12345"); 22 //6.认证 23 try { 24 subject.login(token); 25 26 } catch (Exception e) { 27 e.printStackTrace(); 28 } 29 System.out.println("isAuthentication:"+subject.isAuthenticated()); 30 subject.checkRoles("admin1","user"); 31 } 32 }
如果checkRole方法中的参数与simpleAccountRealm.addAccount()方法中角色的参数一致,程序正常运行,如果不一致,则会发生UnauthorizedException。
7.IniRealm
IniRealm是Shiro的内置Realm之一,相比之前的SimpleAccountRealm,不仅可以用于认证和角色查询,还增加了权限相关的功能。下面使用IniRealm来进行简单的认证和权限查询。
首先在resources文件夹(类路径下)中创建一个ini文件,用于存储用户、角色、权限相关的数据
account.ini
1 #用户名:Mark 密码:12345 角色:admin 2 [users] 3 Mark=12345,admin 4 #admin角色拥有 对user的add和delete权限 5 [roles] 6 admin=user:delete,user:add
IniRealmDemo.java
1 public class IniRealmDemo { 2 @Test 3 public void testini() { 4 IniRealm iniRealm = new IniRealm("classpath:account.ini");//realm从数据源获取相关数据 5 //1.创建SecurityManager环境 6 DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); 7 //2.设置环境 8 defaultSecurityManager.setRealm(iniRealm); 9 //3.设置Realm 10 SecurityUtils.setSecurityManager(defaultSecurityManager); 11 //4.获得主体 12 Subject subject = SecurityUtils.getSubject(); 13 //5.获取用户名密码 14 UsernamePasswordToken token = new UsernamePasswordToken("Mark", "12345"); 15 //6.登录 16 subject.login(token); 17 //7.检测用户是否有admin角色 18 subject.checkRole("admin"); 19 //8.检测用户是否有user:add,user:delete权限 20 subject.checkPermissions("user:add","user:delete"); 21 } 22 }
8.JdbcRealm
同样是Shiro的内置Realm,可以连接数据库使用。
为了示范它的基本用法,首先导入mysql连接驱动以及druid数据源依赖。
1 <!--mysql驱动--> 2 <dependency> 3 <groupId>mysql</groupId> 4 <artifactId>mysql-connector-java</artifactId> 5 <version>5.1.47</version> 6 </dependency> 7 <!--数据源--> 8 <dependency> 9 <groupId>com.alibaba</groupId> 10 <artifactId>druid</artifactId> 11 <version>1.1.20</version> 12 </dependency>
JdbcRealmDemo.java
1 public class JdbcRealmDemo { 2 DruidDataSource dataSource = new DruidDataSource(); 3 { 4 dataSource.setUrl("jdbc:mysql://localhost:3306/shiro"); 5 dataSource.setUsername("root"); 6 dataSource.setPassword("root"); 7 } 8 9 @Test 10 public void testJdbcRealm() { 11 JdbcRealm jdbcRealm = new JdbcRealm(); 12 String sql = "SELECT password FROM user WHERE name = ?"; 13 //调用自定义的查询语句,进行认证查询 14 jdbcRealm.setAuthenticationQuery(sql); 15 //设置数据源 16 jdbcRealm.setDataSource(dataSource); 17 //1.创建SecurityManager环境 18 DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); 19 //2.设置环境 20 defaultSecurityManager.setRealm(jdbcRealm); 21 //3.设置Realm 22 SecurityUtils.setSecurityManager(defaultSecurityManager); 23 //4.获取主体 24 Subject subject = SecurityUtils.getSubject(); 25 //5.获取用户名密码 26 UsernamePasswordToken token = new UsernamePasswordToken("zhang3", "12345"); 27 //6.认证 28 subject.login(token); 29 System.out.println(subject.isAuthenticated()); 30 } 31 }
执行结果:
如果修改成没有记录在数据库中的用户名:mayun
发生未知账户异常,就算马云来了也不好使。
如果修改成不对应的密码:admin
发生错误的凭证异常
进行角色验证之前,需要先编写对应的查询角色SQL,然后调用对应的查询方法
1 public void testJdbcRealm() { 2 JdbcRealm jdbcRealm = new JdbcRealm(); 3 String sql = "SELECT password FROM user WHERE name = ?"; 4 String roleSQL = "SELECT r.name FROM user u" + 5 " LEFT JOIN user_role u_r ON u.id = u_r.uid" + 6 " LEFT JOIN role r ON u_r.rid = r.id WHERE u.name = ?"; 7 8 //调用自定义的查询语句,进行认证查询 9 jdbcRealm.setAuthenticationQuery(sql); 10 //角色查询 11 jdbcRealm.setUserRolesQuery(roleSQL); 12 //设置数据源 13 jdbcRealm.setDataSource(dataSource); 14 //1.创建SecurityManager环境 15 DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); 16 //2.设置环境 17 defaultSecurityManager.setRealm(jdbcRealm); 18 //3.设置Realm 19 SecurityUtils.setSecurityManager(defaultSecurityManager); 20 //4.获取主体 21 Subject subject = SecurityUtils.getSubject(); 22 //5.获取用户名密码 23 UsernamePasswordToken token = new UsernamePasswordToken("zhang3", "12345"); 24 //6.认证 25 subject.login(token); 26 System.out.println(subject.isAuthenticated()); 27 //查询角色 28 System.out.println("zhang3 -> admin:"+subject.hasRole("admin")); 29 }
执行结果:
9.自定义Realm
JdbcRealm是AuthorizingRealm的子类,我们要实现自定义Realm就需要去继承这个抽象类。
这个类中有两个抽象方法需要我们去实现:
- doGetAuthenticationInfo() 用于认证
- doGetAuthorizationInfo() 用于授权
DatabaseRealm.java
1 public class DatabaseRealm extends AuthorizingRealm { 2 3 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 4 //能进入到这里,表示账号已经通过认证了 5 String username = (String) principals.getPrimaryPrincipal(); 6 //通过Dao获取角色和权限 7 Set<String> permissions = new Dao().listPermissions(username); 8 Set<String> roles = new Dao().listRoles(username); 9 //授权对象 10 SimpleAuthorizationInfo sai = new SimpleAuthorizationInfo(); 11 //把通过Dao获取到的角色和权限都放进去 12 sai.setStringPermissions(permissions); 13 sai.setRoles(roles); 14 return sai; 15 } 16 17 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 18 //获取账号密码 19 UsernamePasswordToken upt = (UsernamePasswordToken) token; 20 String username = token.getPrincipal().toString(); 21 String password = new String(upt.getPassword()); 22 //获取数据库中的密码 23 String passwordInDB = new Dao().getPassword(username); 24 //如果为空就是账号不存在,如果不相同就是密码错误,但是都抛出AuthenticationException,而不抛出具体错误原因,以防给破解者提供帮助信息 25 if (null == passwordInDB || !password.equals(passwordInDB)) { 26 throw new AuthenticationException(); 27 } 28 //认证信息里存放账号和密码,getName()是当前Realm的继承方法,通常返回当前类名:DatabaseRealm 29 SimpleAuthenticationInfo sai = new SimpleAuthenticationInfo(username,password,getName()); 30 return sai; 31 } 32 }
自定义Realm虽然由我们定义,但是却是由Shiro自动调用(使用subject时)。
需要注意的几点:
认证时获取用户名是通过token对象的getPrincipal()方法,获取密码是通过UsernamePasswordToken对象的getPassword方法。存放认证信息,返回的对象是AuthenticationInfo对象,构造方法需要传入
username,password,以及当前类名
授权时,通过PrincipalCollection 对象的getPrimaryPrincipal()方法获取用户名,将获取到的权限和角色数据存入AuthorizationInfo 对象返回。
10.加密
md5加密
在前面的例子中,密码都是明文的,存在巨大风险,通常我们需要将密码加密以后存储到数据库中,采用的加密手段通常都是不可逆的。
什么是不可逆的加密呢?简单来说,输入字符串"123",假设通过计算得到密文"02CB962AC59075B964B07152D2",但是反过来却不能通过计算得到原密码,称这种加密是不可逆的。
md5就是这样的一种加密方法。
把加密后的密文存在数据库中,这样下次登录时,把登录的数据加密以后再进行比较,就可以判断是否正确了,同时避免了暴露密码的风险
1 public void testMd5() { 2 String password = "123"; 3 String encryptPwd = new Md5Hash(password).toString(); 4 System.out.println(encryptPwd);//结果:202cb962ac59075b964b07152d234b70 5 }
加盐
尽管通过md5是不可逆的加密,但仍然存在一些缺陷,比如说,假如两个人的密码都是"123",那么得到的密文就是相同的,通过这个思路,就可以使用穷举法对一些比较常用的密码进行破解。
考虑到这个原因,我们需要在加密的过程中做“加盐”处理,“盐”在这里可以理解为加密的程度,相同的密码,通过不同程度的加密,也会得到不同的密文。
举个例子,当密码都是123时,在加密之前,给123加上不同的随机值,再进行加密,就会得到不同的密文,这里的随机值就是我们的“盐”,不同的用户对应不同的盐,而盐也需要存进数据库里,与此同时,加密的次数也会导致密文的不同。下面演示如何用Shiro自带的工具类,通过盐来进行md5加密。
1 public void testSalt() { 2 String password = "123"; 3 String salt = new SecureRandomNumberGenerator().nextBytes().toString(); 4 int times = 2; 5 String algorithmName = "md5"; 6 String encryptPwd = new SimpleHash(algorithmName, password, salt, times).toString(); 7 System.out.printf("算法为:%s ,明文:%s ,盐:%s ,加密次数:%d ,结果: %s",algorithmName,password,salt,times,encryptPwd); 8 }
结果:
为了存储字段"盐",修改表结构,加入"salt"字段。
alter table user add(salt varchar(100));
首先在Dao中增加一个addUser(name,password)方法用于注册。
1 /** 2 * 新增用户 3 * @param name 4 * @param password 5 */ 6 public void addUser(String name, String password) { 7 String sql = "INSERT INTO user VALUES(null,?,?,?)"; 8 String salt = new SecureRandomNumberGenerator().nextBytes().toString();//盐量随机 9 String encryptPwd = new SimpleHash("md5",password,salt,2).toString(); //md5加密算法,加密2次 10 try { 11 PreparedStatement pstmt = conn.prepareStatement(sql); 12 pstmt.setString(1, name); 13 pstmt.setString(2, encryptPwd); 14 pstmt.setString(3, salt); 15 pstmt.execute(); 16 } catch (Exception e) { 17 e.printStackTrace(); 18 } 19 }
增加一个getUser()方法,其中不仅包括加密后的密码,还有盐。
1 /** 2 * 获取用户 3 * @return 4 */ 5 public User getUser(String username) { 6 String sql = "SELECT * FROM user WHERE name = ?"; 7 User user = null; 8 try { 9 PreparedStatement pstmt = conn.prepareStatement(sql); 10 pstmt.setString(1,username); 11 ResultSet rs = pstmt.executeQuery(); 12 if(rs.next()) { 13 user = new User(); 14 user.setId(rs.getInt("id")); 15 user.setName(rs.getString("name")); 16 user.setPassword(rs.getString("password")); 17 user.setSalt(rs.getString("salt")); 18 } 19 } catch (Exception e) { 20 e.printStackTrace(); 21 } 22 return user; 23 }
对DatabaseRealm进行相应的修改,得到传入的用户名密码以后,从数据库中获取对应的密码和盐,对输入密码加盐之后与数据库中的密码比对,最后将用户名密码封装到认证信息中。
1 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 2 //获取账号密码 3 UsernamePasswordToken upt = (UsernamePasswordToken) token; 4 String username = token.getPrincipal().toString(); 5 String password = new String(upt.getPassword()); 6 String encryptPassword = ""; 7 //获取数据库中的密码 8 User user = new Dao().getUser(username); 9 if(user != null) { 10 String passwordInDB = user.getPassword(); 11 String salt = user.getSalt(); 12 //将传入的密码进行加盐 13 encryptPassword = new SimpleHash("md5",password,user.getSalt(),2).toString(); 14 System.out.println("盐:"+user.getSalt()); 15 System.out.println("加密后的密码:"+encryptPassword); 16 System.out.println("原密码:"+user.getPassword()); 17 } 18 //如果为空就是账号不存在,如果不相同就是密码错误,但是都抛出AuthenticationException,而不抛出具体错误原因,以防给破解者提供帮助信息 19 if (null == user || !encryptPassword.equals(user.getPassword())) { 20 System.out.println("抛了异常!"); 21 throw new AuthenticationException(); 22 } 23 //认证信息里存放账号和密码,getName()是当前Realm的继承方法,通常返回当前类名:DatabaseRealm 24 SimpleAuthenticationInfo sai = new SimpleAuthenticationInfo(username,password,getName()); 25 return sai; 26 }
11.Shiro整合SSM
先贴一个项目结构目录。
- 创建maven工程。这个就不细说了。
- 在pom.xml中导入对应坐标。
1 <?xml version="1.0" encoding="UTF-8"?> 2 3 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 5 <modelVersion>4.0.0</modelVersion> 6 7 <groupId>vi</groupId> 8 <artifactId>shiro</artifactId> 9 <version>1.0-SNAPSHOT</version> 10 <packaging>war</packaging> 11 12 <name>shiro Maven Webapp</name> 13 <!-- FIXME change it to the project's website --> 14 <url>http://www.example.com</url> 15 16 <properties> 17 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> 18 <maven.compiler.source>1.7</maven.compiler.source> 19 <maven.compiler.target>1.7</maven.compiler.target> 20 21 <!-- lib verion --> 22 <junit.version>4.11</junit.version> 23 <spring.version>5.1.9.RELEASE</spring.version> 24 <mybatis.spring.version>1.2.2</mybatis.spring.version> 25 <mysql.connector.version>5.1.47</mysql.connector.version> 26 <slf4j.version>1.6.6</slf4j.version> 27 <log4j.version>1.2.12</log4j.version> 28 <druid.version>1.0.5</druid.version> 29 <jstl.version>1.2</jstl.version> 30 <commons.fileupload.version>1.3.1</commons.fileupload.version> 31 <shiro.version>1.4.0</shiro.version> 32 </properties> 33 34 <dependencies> 35 <dependency> 36 <groupId>junit</groupId> 37 <artifactId>junit</artifactId> 38 <version>4.12</version> 39 </dependency> 40 41 <!-- mysql-connector --> 42 <dependency> 43 <groupId>mysql</groupId> 44 <artifactId>mysql-connector-java</artifactId> 45 <version>${mysql.connector.version}</version> 46 </dependency> 47 48 <!-- DruidDataSource --> 49 <dependency> 50 <groupId>com.alibaba</groupId> 51 <artifactId>druid</artifactId> 52 <version>${druid.version}</version> 53 </dependency> 54 55 <!-- shiro --> 56 <dependency> 57 <groupId>org.apache.shiro</groupId> 58 <artifactId>shiro-spring</artifactId> 59 <version>${shiro.version}</version> 60 </dependency> 61 <dependency> 62 <groupId>org.apache.shiro</groupId> 63 <artifactId>shiro-ehcache</artifactId> 64 <version>${shiro.version}</version> 65 </dependency> 66 <dependency> 67 <groupId>org.apache.shiro</groupId> 68 <artifactId>shiro-core</artifactId> 69 <version>${shiro.version}</version> 70 </dependency> 71 <dependency> 72 <groupId>org.apache.shiro</groupId> 73 <artifactId>shiro-web</artifactId> 74 <version>${shiro.version}</version> 75 </dependency> 76 <dependency> 77 <groupId>org.apache.shiro</groupId> 78 <artifactId>shiro-quartz</artifactId> 79 <version>${shiro.version}</version> 80 </dependency> 81 <!-- shiro --> 82 83 <!-- log start --> 84 <dependency> 85 <groupId>log4j</groupId> 86 <artifactId>log4j</artifactId> 87 <version>${log4j.version}</version> 88 </dependency> 89 <dependency> 90 <groupId>org.slf4j</groupId> 91 <artifactId>slf4j-api</artifactId> 92 <version>${slf4j.version}</version> 93 </dependency> 94 <dependency> 95 <groupId>org.slf4j</groupId> 96 <artifactId>slf4j-log4j12</artifactId> 97 <version>${slf4j.version}</version> 98 </dependency> 99 <!-- log end --> 100 101 <dependency> 102 <groupId>commons-logging</groupId> 103 <artifactId>commons-logging</artifactId> 104 <version>1.1.3</version> 105 </dependency> 106 107 <dependency> 108 <groupId>javax.servlet</groupId> 109 <artifactId>jstl</artifactId> 110 <version>${jstl.version}</version> 111 </dependency> 112 113 <dependency> 114 <groupId>javax.servlet</groupId> 115 <artifactId>javax.servlet-api</artifactId> 116 <version>4.0.1</version> 117 </dependency> 118 119 <!--Spring --> 120 <dependency> 121 <groupId>org.springframework</groupId> 122 <artifactId>spring-core</artifactId> 123 <version>${spring.version}</version> 124 </dependency> 125 126 <dependency> 127 <groupId>org.springframework</groupId> 128 <artifactId>spring-webmvc</artifactId> 129 <version>${spring.version}</version> 130 </dependency> 131 132 <dependency> 133 <groupId>org.springframework</groupId> 134 <artifactId>spring-context</artifactId> 135 <version>${spring.version}</version> 136 </dependency> 137 138 <dependency> 139 <groupId>org.springframework</groupId> 140 <artifactId>spring-web</artifactId> 141 <version>${spring.version}</version> 142 </dependency> 143 144 <dependency> 145 <groupId>org.springframework</groupId> 146 <artifactId>spring-jdbc</artifactId> 147 <version>${spring.version}</version> 148 </dependency> 149 150 <dependency> 151 <groupId>org.springframework</groupId> 152 <artifactId>spring-test</artifactId> 153 <version>${spring.version}</version> 154 </dependency> 155 <!--Spring end --> 156 157 <dependency> 158 <groupId>org.mybatis</groupId> 159 <artifactId>mybatis</artifactId> 160 <version>3.5.2</version> 161 </dependency> 162 163 <dependency> 164 <groupId>org.mybatis</groupId> 165 <artifactId>mybatis-spring</artifactId> 166 <version>2.0.2</version> 167 </dependency> 168 </dependencies> 169 170 <build> 171 <finalName>shiro</finalName> 172 <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) --> 173 <plugins> 174 <plugin> 175 <artifactId>maven-clean-plugin</artifactId> 176 <version>3.1.0</version> 177 </plugin> 178 <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging --> 179 <plugin> 180 <artifactId>maven-resources-plugin</artifactId> 181 <version>3.0.2</version> 182 </plugin> 183 <plugin> 184 <artifactId>maven-compiler-plugin</artifactId> 185 <version>3.8.0</version> 186 </plugin> 187 <plugin> 188 <artifactId>maven-surefire-plugin</artifactId> 189 <version>2.22.1</version> 190 </plugin> 191 <plugin> 192 <artifactId>maven-war-plugin</artifactId> 193 <version>3.2.2</version> 194 </plugin> 195 <plugin> 196 <artifactId>maven-install-plugin</artifactId> 197 <version>2.5.2</version> 198 </plugin> 199 <plugin> 200 <artifactId>maven-deploy-plugin</artifactId> 201 <version>2.8.2</version> 202 </plugin> 203 </plugins> 204 </pluginManagement> 205 </build> 206 </project>
3.配置web.xml。
1 <?xml version="1.0" encoding="UTF-8"?> 2 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 3 xmlns="http://java.sun.com/xml/ns/javaee" 4 xmlns:web="http://java.sun.com/xml/ns/javaee" 5 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> 6 7 <!-- spring的配置文件--> 8 <context-param> 9 <param-name>contextConfigLocation</param-name> 10 <param-value> 11 classpath:applicationContext.xml 12 </param-value> 13 </context-param> 14 <listener> 15 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 16 </listener> 17 18 19 <!-- spring mvc核心:分发servlet --> 20 <servlet> 21 <servlet-name>mvc-dispatcher</servlet-name> 22 <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 23 <!-- spring mvc的配置文件 --> 24 <init-param> 25 <param-name>contextConfigLocation</param-name> 26 <param-value>classpath:springMVC.xml</param-value> 27 </init-param> 28 <load-on-startup>1</load-on-startup> 29 </servlet> 30 <servlet-mapping> 31 <servlet-name>mvc-dispatcher</servlet-name> 32 <url-pattern>/</url-pattern> 33 </servlet-mapping> 34 35 <!-- Shiro配置 --> 36 <filter> 37 <filter-name>shiroFilter</filter-name> 38 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 39 <init-param> 40 <param-name>targetFilterLifecycle</param-name> 41 <param-value>true</param-value> 42 </init-param> 43 </filter> 44 <filter-mapping> 45 <filter-name>shiroFilter</filter-name> 46 <url-pattern>/*</url-pattern> 47 </filter-mapping> 48 49 </web-app>
4.Spring配置文件
applicationContext.xml
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xmlns:context="http://www.springframework.org/schema/context" 5 xmlns:util="http://www.springframework.org/schema/util" 6 xsi:schemaLocation="http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd 7 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 8 http://www.springframework.org/schema/util 9 http://www.springframework.org/schema/util/spring-util.xsd"> 10 <context:component-scan base-package="com.vi.service"/> 11 12 <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource"> 13 <property name="driverClassName" value="com.mysql.jdbc.Driver"/> 14 <property name="url" value="jdbc:mysql://localhost:3306/shiro?characterEncoding=UTF-8&serverTimezone=UTC"/> 15 <property name="username" value="root"/> 16 <property name="password" value="root"/> 17 </bean> 18 19 <bean id="sqlSession" class="org.mybatis.spring.SqlSessionFactoryBean"> 20 <property name="typeAliasesPackage" value="com.vi.entity"/> 21 <property name="dataSource" ref="dataSource"/> 22 <property name="mapperLocations" value="classpath:mapper/*Mapper.xml"/> 23 </bean> 24 25 <bean class="org.mybatis.spring.mapper.MapperScannerConfigurer"> 26 <property name="basePackage" value="com.vi.mapper"/> 27 </bean> 28 29 <!-- 提供shiro的相关配置 --> 30 <bean id="databaseRealm" class="com.vi.Realm.DatabaseRealm"/> 31 32 <!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 --> 33 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 34 <!-- 调用我们配置的权限管理器 --> 35 <property name="securityManager" ref="securityManager"/> 36 <!-- 配置我们的登录请求地址 --> 37 <property name="loginUrl" value="/login"/> 38 <!-- 如果您请求的资源不再您的权限范围,则跳转到/403请求地址 --> 39 <property name="unauthorizedUrl" value="/unauthorized"/> 40 <!-- 退出 --> 41 <property name="filters"> 42 <util:map> 43 <entry key="logout" value-ref="logoutFilter"/> 44 </util:map> 45 </property> 46 <!-- 权限配置 --> 47 <property name="filterChainDefinitions"> 48 <value> 49 <!-- anon表示此地址不需要任何权限即可访问 --> 50 /login=anon 51 /index=anon 52 /static/**=anon 53 /doLogout=logout 54 <!--所有的请求(除去配置的静态资源请求或请求地址为anon的请求)都要通过登录验证,如果未登录则跳到/login --> 55 /** = authc 56 </value> 57 </property> 58 </bean> 59 60 <!-- 退出过滤器 --> 61 <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter"> 62 <property name="redirectUrl" value="/index"/> 63 </bean> 64 65 <!-- 会话ID生成器 --> 66 <bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/> 67 68 <!--会话Cookie模板,关闭浏览器立即失效--> 69 <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> 70 <constructor-arg value="sid"/> 71 <property name="httpOnly" value="true"/> 72 <property name="maxAge" value="-1"/> 73 </bean> 74 75 <!--会话DAO--> 76 <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"> 77 <property name="sessionIdGenerator" ref="sessionIdGenerator"/> 78 </bean> 79 80 <!--会话调度验证器,每30分钟执行一次验证,设定会话超时保存--> 81 <bean name="sessionValidationSchduler" 82 class="org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler"> 83 <property name="interval" value="1800000"/> 84 <property name="sessionManager" ref="sessionManager"/> 85 </bean> 86 87 <!--会话管理器--> 88 <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> 89 <!--全局会话超时时间,默认30分钟,单位毫秒--> 90 <property name="globalSessionTimeout" value="1800000"/> 91 <property name="deleteInvalidSessions" value="true"/> 92 <property name="sessionValidationSchedulerEnabled" value="true"/> 93 <property name="sessionValidationScheduler" ref="sessionValidationSchduler"/> 94 <property name="sessionDAO" ref="sessionDAO"/> 95 <property name="sessionIdCookieEnabled" value="true"/> 96 <property name="sessionIdCookie" ref="sessionIdCookie"/> 97 </bean> 98 99 <!--安全管理器--> 100 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> 101 <property name="realm" ref="databaseRealm"/> 102 <property name="sessionManager" ref="sessionManager"/> 103 </bean> 104 105 <!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) --> 106 <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> 107 <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/> 108 <property name="arguments" ref="securityManager"/> 109 </bean> 110 111 <!--保证了Shiro内部LifeCycle函数的bean执行--> 112 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> 113 114 </beans>
简单说一下这个配置
<context:component-scan base-package="com.vi.service"/>
扫描base-package中配置的包,在这个包下面,可以使用@Autowired对变量进行自动注入,由Spring为我们提供实例。
当然,即使是没有被扫描的包,如果某个类在applicationContext.xml中注册了,也可以使用@Autowired进行自动注入。
<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource">
配置数据源。
<bean id="sqlSession" class="org.mybatis.spring.SqlSessionFactoryBean">
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
这两个bean是对Mybatis的整合。让Mybatis可以使用我们上面配置的数据源,同时也配置了实体类,Mapper接口,Mapper.xml的位置,进而为我们提供之后需要的CRUD功能。
下面的部分就是Shiro的配置了。
<!-- 提供shiro的相关配置 -->
<bean id="databaseRealm" class="com.vi.Realm.DatabaseRealm"/>
这个是由我们自定义的Realm类,Shiro的认证和授权就是在这里进行的,代码是我们完成的,但是调用却是由Shiro自己进行。
1 <!-- 配置shiro的过滤器工厂类,id- shiroFilter要和我们在web.xml中配置的过滤器一致 --> 2 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 3 <!-- 调用我们配置的权限管理器 --> 4 <property name="securityManager" ref="securityManager"/> 5 <!-- 配置我们的登录请求地址 --> 6 <property name="loginUrl" value="/login"/> 7 <!-- 如果您请求的资源不再您的权限范围,则跳转到/403请求地址 --> 8 <property name="unauthorizedUrl" value="/unauthorized"/> 9 <!-- 退出 --> 10 <property name="filters"> 11 <util:map> 12 <entry key="logout" value-ref="logoutFilter"/> 13 </util:map> 14 </property> 15 <!-- 权限配置 --> 16 <property name="filterChainDefinitions"> 17 <value> 18 <!-- anon表示此地址不需要任何权限即可访问 --> 19 /login=anon 20 /index=anon 21 /static/**=anon 22 /doLogout=logout 23 <!--所有的请求(除去配置的静态资源请求或请求地址为anon的请求)都要通过登录验证,如果未登录则跳到/login --> 24 /** = authc 25 </value> 26 </property> 27 </bean>
这个shiroFilter的命名必须和web.xml中的shiroFilter过滤器保持一致。
这里详细配置了我们需要的权限,登录请求地址,错误跳转地址等。同时还引用了securityManager
<!--安全管理器-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="databaseRealm"/>
<property name="sessionManager" ref="sessionManager"/>
</bean>
securityManager中配置了两个属性,databaseRealm,用于认证和授权,另一个则是sessionManager,这个xml中有很多bean都是会话管理器的成员,这个具体的作用我还不清楚T_T。
<!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
这一步的作用,相当于帮我们写了:
DefaultSecurityManager securityManager = new DefaultSecurityManager(); SecurityUtils.setSecurityManager(securityManager);
做了准备环境的工作。
5.
springMVC.xml
a. springmvc的基本配置
b. 增加了对shiro的支持
这样可以在控制器Controller上,使用像@RequireRole 这样的注解,来表示某个方法必须有相关的角色才能访问
c. 指定了异常处理类DefaultExceptionHandler,这样当访问没有权限的资源的时候,就会跳到统一的页面去显示错误信息
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4 xmlns:context="http://www.springframework.org/schema/context" 5 xmlns:mvc="http://www.springframework.org/schema/mvc" 6 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 7 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd 8 http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd"> 9 <context:component-scan base-package="com.vi.controller"> 10 <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/> 11 </context:component-scan> 12 13 <mvc:annotation-driven/> 14 15 <mvc:default-servlet-handler/> 16 17 <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> 18 <property name="prefix" value="/WEB-INF/jsp/"/> 19 <property name="suffix" value=".jsp"/> 20 </bean> 21 22 <!--启用shiro注解--> 23 <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> 24 <property name="proxyTargetClass" value="true"/> 25 </bean> 26 <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> 27 <property name="securityManager" ref="securityManager"/> 28 </bean> 29 30 <!--控制器异常处理--> 31 <bean id="exceptionHandlerExceptionResolver" class="org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver"> 32 33 </bean> 34 35 <bean class="com.vi.exception.DefaultExceptionHandler"/> 36 </beans>
6.log4j.properties
显示数据库的SQL
# Global logging configuration
log4j.rootLogger=ERROR, stdout
# MyBatis logging configuration...
log4j.logger.com.how2java=TRACE
# Console output...
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] - %m%n
7.
PageController.java
因为使用 ssm,所以jsp通常都会放在WEB-INF/jsp 下面,而这个位置是无法通过浏览器直接访问的,所以就会专门做这么一个类,便于访问这些jsp。
比如要访问WEB-INF/jsp/index.jsp文件,那么就通过/index 这个路径来访问。
这个类还有两点需要注意:
1. /login 只支持get方式。 post方式是后续用来进行登录行为的,这里的get方式仅仅用于显示登录页面
2. 权限注解:
通过注解: @RequiresRoles("productManager") 指明了 访问 deleteProduct 需要角色"productManager"
通过注解:@RequiresPermissions("deleteOrder") 指明了 访问 deleteOrder 需要权限"deleteOrder"
1 /** 2 * 专门用于显示页面的控制器 3 */ 4 @Controller 5 @RequestMapping("") 6 public class PageController { 7 8 @RequestMapping("/index") 9 public String index() { 10 return "index"; 11 } 12 13 @RequiresRoles("productManager") 14 @RequestMapping("/deleteProduct") 15 public String deleteProduct() { 16 return "deleteProduct"; 17 } 18 19 @RequestMapping("/listProduct") 20 public String listProduct(){ 21 return "listProduct"; 22 } 23 24 @RequiresPermissions("deleteOrder") 25 @RequestMapping("/deleteOrder") 26 public String deleteOrder() { 27 return "deleteOrder"; 28 } 29 @RequestMapping(value = "/login",method = RequestMethod.GET) 30 public String login() { 31 return "login"; 32 } 33 34 @RequestMapping("/unauthorized") 35 public String noperms() { 36 return "unauthorized"; 37 } 38 }
8.jsp
index.jsp, listProduct.jsp,deleteOrder.jsp,login.jsp,unauthorized.jsp
9.User相关
User.java,UserMapper.java,UserMapper.xml,UserService.java,UserServiceImpl.java
10.Role相关
Role.java,RoleMapper.java,RoleMapper.xml,RoleService.java,RoleServiceImpl.java
10.Permission相关
Permission.java,PermissionMapper.java,PermissionMapper.xml,PermissionService.java,PermissionServiceImpl.java
11.LoginController.java
1 @Controller 2 public class LoginController { 3 4 /** 5 * 登录方法 6 * @param name 7 * @param password 8 * @return 9 */ 10 @RequestMapping(value = "/login", method = RequestMethod.POST) 11 public String login(String name, String password, Model model) { 12 UsernamePasswordToken token = new UsernamePasswordToken(name, password); 13 Subject subject = SecurityUtils.getSubject(); 14 try { 15 subject.login(token); 16 Session session = subject.getSession(); 17 session.setAttribute("subject", subject); 18 return "redirect:index"; 19 } catch (AuthenticationException e) { 20 //认证失败 21 model.addAttribute("error", "登录失败"); 22 return "login"; 23 } 24 } 25 }
12.DefaultExceptionHandler.java
最后是异常处理,当发生UnauthorizedException 异常的时候,就表示访问了无授权的资源,那么就会跳转到unauthorized.jsp,而在unauthorized.jsp 中就会把错误信息通过变量 ex 取出来。
DefaultExceptionHandler 的使用,是声明在 springMVC.xml 的最后几行
/** * 对异常进行统一的处理 */ @ControllerAdvice public class DefaultExceptionHandler { @ExceptionHandler({UnauthorizedException.class}) @ResponseStatus(HttpStatus.UNAUTHORIZED) public ModelAndView processUnauthenticatedExcetpion(NativeWebRequest request, UnauthorizedException e) { ModelAndView mv = new ModelAndView(); mv.addObject("ex", e); mv.setViewName("unauthorized"); return mv; } }