Learning the Shiro framework

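1. What the Shiro framework is: a framework for permission control.
2. What the Shiro framework does: permission management. It manages which resources can be accessed only after login, and controls which permissions are required to access certain resources.
3. How to use the Shiro framework: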

    1. Configure Shiro's Filter in web.xml to intercept the specified URLs (note: only URLs intercepted by shiroFilter can be managed by Shiro)

    <!-- Shiro filter -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>
            org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    2. Configure shiroFilter in Shiro's configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:cache="http://www.springframework.org/schema/cache"
    xmlns:task="http://www.springframework.org/schema/task"
    default-lazy-init="true"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
        http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/cache http://www.springframework.org/schema/cache/spring-cache-3.2.xsd
        http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">
    <!-- Shiro configuration begin -->
    <!-- Shiro Filter -->
    <bean id="shiroFilter"
        class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/admin/login.jsp" />
        <property name="successUrl" value="/index.jsp" />
        <property name="unauthorizedUrl" value="/error.jsp" />
        <property name="filterChainDefinitions">
            <value>
            /admin/login.jsp = authc
            /admin/* = authc
            /validateCode = anon
            /* =anon
            </value>
        </property>
    </bean>
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="shiroDbRealm" />
    </bean>
    <!-- The project's custom Realm -->
    <bean id="shiroDbRealm" class="com.framework.authority.realm.MyRealm" >
        <property name="authorizationCacheName" value="authorization" />
    </bean>


    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager" />
        <property name="arguments" ref="securityManager" />
    </bean>

    
</beans>
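
How the filterChainDefinitions patterns above are matched, as an added example (not code from the original post). It assumes Shiro 1.x package names; the class name ChainPatternCheck, the sample request paths and the `/**` alternative are illustrative assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

public class ChainPatternCheck {
    // Mirrors Shiro's chain resolution: patterns are tried in declaration order, first match wins.
    static String resolve(Map<String, String> chains, String path) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (Map.Entry<String, String> chain : chains.entrySet()) {
            if (matcher.match(chain.getKey(), path)) {
                return chain.getValue();
            }
        }
        return "no chain (request is not checked by Shiro)";
    }

    // Builds the page's chain list with the two wildcard patterns swapped in.
    static Map<String, String> chains(String adminPattern, String catchAll) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("/admin/login.jsp", "authc");
        m.put(adminPattern, "authc");
        m.put("/validateCode", "anon");
        m.put(catchAll, "anon");
        return m;
    }

    public static void main(String[] args) {
        Map<String, String> asWritten = chains("/admin/*", "/*");     // the page's patterns
        Map<String, String> recursive = chains("/admin/**", "/**");   // assumed alternative
        // Constructed sample request paths.
        String[] paths = {"/admin/index.jsp", "/admin/user/list.jsp", "/index.jsp", "/static/js/app.js"};
        for (String p : paths) {
            System.out.printf("%-24s  *: %-45s **: %s%n", p, resolve(asWritten, p), resolve(recursive, p));
        }
    }
}
```

In Ant-style patterns a single `*` matches within one path segment only, so with `/admin/* = authc` a nested path such as /admin/user/list.jsp resolves to no chain at all. Writing `/admin/** = authc` covers the whole subtree.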

    3. Custom Realm:
  

package com.framework.authority.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class MyRealm extends AuthorizingRealm {
    public MyRealm() {
        super();
    }

    // Verify the user's identity -- login check
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
        // Get the submitted login information
        System.out.println("-------------------验证用户的准确性-----------------------");
        UsernamePasswordToken userToken = (UsernamePasswordToken) authcToken;
        String userName = String.valueOf(userToken.getUsername());
        String password = String.copyValueOf(userToken.getPassword());
        System.out.println("用户名:---->" + userName);
        // The submitted password is not printed: stdout ends up in the server log.
        // Forces remember-me on for every login, whatever the user chose on the form.
        userToken.setRememberMe(true);
        // Hard-coded demo account; a real Realm looks the user up in a user store.
        if (userName.equals("jeremy") && password.equals("123")) {
            // What is this??? -- the object holding the verified login information
            SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(userName, password, getName());
            System.out.println("getName:-------------->" + getName());
            return info;
        }
        // Returning null tells Shiro that the account is unknown.
        return null;
    }

    // Add roles and permissions for the user -- permission check
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("----------------验证用户的角色与权限--------------------");
        String userName = principals.asList().get(0).toString();
        if (userName.equals("jeremy")) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.addRole("youke");
            return info;
        }
        return null;
    }

}
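
A variant of the Realm above that returns a stored salted hash and leaves the password comparison to Shiro's credentials matcher, as an added example (not code from the original post). It assumes Shiro 1.x package names; the class name HashedRealm, the iteration count and the in-memory sample record are illustrative assumptions.

```java
import java.util.Collections;
import java.util.Map;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class HashedRealm extends AuthorizingRealm {
    static final int ITERATIONS = 100_000; // assumed work factor
    // Constructed sample record standing in for a user-table row: user name -> hex hash, plus its salt.
    private final ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
    private final Map<String, String> hashes = Collections.singletonMap(
            "jeremy", new Sha256Hash("123", salt, ITERATIONS).toHex());
    public HashedRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = ((UsernamePasswordToken) token).getUsername();
        String storedHash = hashes.get(user);
        if (storedHash == null) {
            return null; // unknown account
        }
        // Hand back the stored hash and salt; the matcher hashes the submitted password and compares.
        return new SimpleAuthenticationInfo(user, storedHash, salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(Collections.singleton("youke"));
    }

    public static void main(String[] args) {
        HashedRealm realm = new HashedRealm();
        realm.getAuthenticationInfo(new UsernamePasswordToken("jeremy", "123")); // accepted: no exception
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("jeremy", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The Realm never sees or compares the plaintext itself, so there is nothing to log and the user store only needs to hold the salt and the hash.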

    4. Login test (the page that the login form submits to does not need to be handled by any controller; shiroFilter calls the Realm to handle it)

<%@ page language="java" contentType="text/html; charset=utf-8"
    pageEncoding="utf-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Insert title here</title>
</head>
<body>
    <form action="login.jsp" method="POST">
    userName:<input type="text" id="username" name="username"><br>
    password:<input type="password" id="password" name="password"><br>
    <input type="submit" id="submit" value="submit">
    </form>
</body>
</html>

How the Shiro framework runs:
request(url)---->shiroFilter: is it a Shiro URL? --yes--> FormAuthenticationFilter checks the permission for the current URL ----no permission--> loginUrl --login--> FormAuthenticationFilter (calls the executeLogin() method)---ModularRealmAuthenticator.doAuthenticate()---calls the custom Realm---->doAuthenticationInfo()---->doAuthorizationInfo()--->????
The flow above is purely my personal guess.

Original article: https://www.cnblogs.com/jeremy-blog/p/4437283.html