tonwei139 posted on 2017-1-10 10:05:37

Integrating Spring 3 with the Apache Shiro security framework

  Shiro is a very good security framework. Compared with Spring Security it is much simpler to use, so Shiro is a sound choice for the permission subsystem of a web application.
  Below is a record of the steps needed to integrate Shiro with Spring:
Applicationcontext-shiro.xml code:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

    <description>Shiro configuration</description>
    <!-- The bean id "shiroFilter" must match the filter-name given to the DelegatingFilterProxy in web.xml -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login.jsp" />
        <property name="successUrl" value="/index.jsp" />
        <property name="unauthorizedUrl" value="/login.do" />
        <!-- Chain definitions are matched top-down and the first match wins: keep the anon entries above /** -->
        <property name="filterChainDefinitions">
            <value>
                /login.jsp = anon
                /login.do = anon
                /** = authc
            </value>
        </property>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- set the custom realm -->
        <property name="realm" ref="monitorRealm" />
    </bean>

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- Custom Realm, extends AuthorizingRealm. The class is also annotated @Service("monitorRealm") below;
         one of the two definitions is enough. -->
    <bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean>
    <!-- Make the securityManager available to SecurityUtils.getSubject() -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod"
            value="org.apache.shiro.SecurityUtils.setSecurityManager" />
        <property name="arguments" ref="securityManager" />
    </bean>

    <!-- Enable Shiro Annotations for Spring-configured beans.  Only run after -->
    <!-- the lifecycleBeanProcessor has run: -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>
</beans>

  Load the Shiro configuration file from web.xml (list it in the contextConfigLocation of Spring's ContextLoaderListener),
  and add the following filter definition to web.xml:
XML code:


<!-- Shiro Security filter -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<!-- Only *.do and *.jsp requests pass through Shiro with these mappings; the "/** = authc" rule
     never sees other URLs. Map the filter to /* if every resource of the application must be protected. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

  Implement your own Realm
Java code:


import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service("monitorRealm")
public class MonitorRealm extends AuthorizingRealm {

    // Application services (not shown in this post) used to look up users and roles and to log logins
    @Autowired UserService userService;
    @Autowired RoleService roleService;
    @Autowired LoginLogService loginLogService;

    public MonitorRealm() {
        super();
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        /* Write the authorization code here: look up the roles and permissions of the
           principal and return them in a SimpleAuthorizationInfo */
        return null;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        /* Write the authentication code here: look up the account named in authcToken and
           return a SimpleAuthenticationInfo carrying its stored credentials;
           returning null makes Shiro raise UnknownAccountException */
        return null;
    }

    // Evict the cached authorization info of one user, e.g. after its roles have changed
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

}

  Example of the login code:
Java code:


import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

// Assumed surrounding controller method: `user` carries the submitted username and password,
// `rememberMe` is the optional checkbox parameter and `request` the current HttpServletRequest
public String login(User user, String rememberMe, HttpServletRequest request) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isAuthenticated()) {
        // The password is MD5-hashed here, so the Realm must compare MD5 strings;
        // the token also records the client address as its host
        boolean remember = (rememberMe != null);
        UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(),
                EncryptUtils.encodeMD5String(user.getPassword()), remember, request.getRemoteAddr());
        try {
            currentUser.login(token);   // invokes MonitorRealm.doGetAuthenticationInfo
        } catch (AuthenticationException ae) {
            request.setAttribute("message", "Wrong username or password!");
            return "login";
        }
    }
    return "index";   // corresponds to the successUrl (/index.jsp) in the Shiro configuration
}

  When `currentUser.login(token);` executes, Shiro automatically calls doGetAuthenticationInfo of the Realm you implemented to authenticate the user.
  Note that the controller above hands Shiro an unsalted MD5 of the password, so the Realm ends up comparing MD5 strings; unsalted MD5 is a weak password hash, and Shiro's HashedCredentialsMatcher (salted SHA-256 with an iteration count, verified inside the Realm) is the better choice.
  Example of the logout code:
Java code:


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

public String logout(HttpServletRequest request) {
    Subject currentUser = SecurityUtils.getSubject();   // never null, the check below is harmless
    if (currentUser != null) {
        currentUser.logout();   // clears the authenticated state and stops the Shiro session
    }
    // Defensive: in the default servlet-container session mode Shiro's logout already invalidates the HttpSession
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    return "login";
}

  When a user (role) is checked for authorization, the Realm's doGetAuthorizationInfo method is executed.
  OK, the simple integration is done; with CAS or Spring Security it would probably not be this simple and clean, haha.
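The following complete Realm is an added example and not code from the post or from Shiro itself. It fills in the two callbacks the post leaves as comments, lets Shiro verify a salted, iterated SHA-256 hash through HashedCredentialsMatcher instead of the MD5 string the login code above builds by hand, and drives the login, authorization and logout flow described above with a stand-alone DefaultSecurityManager (in the Spring setup, the XML-configured DefaultWebSecurityManager and the MethodInvokingFactoryBean take the place of the two bootstrap lines in main). The class name InMemoryRealm, the accounts alice and bob, their passwords, roles and the user:* permissions are constructed sample data; the Shiro 1.x API calls are real.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

/** Added example: a Realm backed by a constructed in-memory user table (not the post's MonitorRealm). */
public class InMemoryRealm extends AuthorizingRealm {
    private static final int HASH_ITERATIONS = 1024;

    /** What a real implementation would load from the database through UserService/RoleService. */
    private static final class Account {
        final String hashHex; final ByteSource salt; final Set<String> roles; final boolean locked;
        Account(String hashHex, ByteSource salt, Set<String> roles, boolean locked) {
            this.hashHex = hashHex; this.salt = salt; this.roles = roles; this.locked = locked;
        }
    }
    private final Map<String, Account> accounts = new HashMap<>();

    public InMemoryRealm() {
        // Shiro re-hashes the submitted password with the stored salt and iteration count,
        // so the controller puts the plain password in the token instead of pre-hashing it with MD5
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
        addAccount("alice", "s3cret", false, "admin");   // constructed sample users
        addAccount("bob", "hunter2", true, "user");      // locked account
    }

    private void addAccount(String username, String plainPassword, boolean locked, String... roles) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();   // per-user random salt
        String hashHex = new Sha256Hash(plainPassword, salt, HASH_ITERATIONS).toHex();
        accounts.put(username, new Account(hashHex, salt, new HashSet<>(Arrays.asList(roles)), locked));
    }

    /** Called by Subject.login(): hand Shiro the stored hash and salt, or say why the account is unusable. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        Account account = accounts.get(username);
        if (account == null) {
            throw new UnknownAccountException("no account named " + username);
        }
        if (account.locked) {
            throw new LockedAccountException("account locked: " + username);
        }
        return new SimpleAuthenticationInfo(username, account.hashHex, account.salt, getName());
    }

    /** Called on the first hasRole()/isPermitted() check of a Subject (cached afterwards only if a CacheManager is set). */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) getAvailablePrincipal(principals);
        Account account = accounts.get(username);
        Set<String> roles = account == null ? new HashSet<>() : new HashSet<>(account.roles);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
        // Wildcard permissions (see the permissions link at the end of the post): admins may do anything to users
        info.addStringPermission(roles.contains("admin") ? "user:*" : "user:read");
        return info;
    }

    public static void main(String[] args) {
        // Stand-alone bootstrap; in the Spring setup the XML wires DefaultWebSecurityManager instead
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryRealm()));
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "wrong"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());   // IncorrectCredentialsException
        }
        subject.login(new UsernamePasswordToken("alice", "s3cret"));               // -> doGetAuthenticationInfo
        System.out.println("alice has admin role: " + subject.hasRole("admin"));     // -> doGetAuthorizationInfo, true
        System.out.println("alice may user:delete: " + subject.isPermitted("user:delete"));   // true
        subject.logout();
        try {
            subject.login(new UsernamePasswordToken("bob", "hunter2"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());   // LockedAccountException
        }
    }
}
```

The Realm throws UnknownAccountException and LockedAccountException itself, while a wrong password is detected by the credentials matcher and surfaces as IncorrectCredentialsException; the login controller above catches all three as AuthenticationException and should keep reporting only "wrong username or password", so that the distinction does not leak to the client.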
  

 
  Similar feature: http://kdboy.iteye.com/blog/1103794
  Other links:
  http://kdboy.iteye.com/blog/1154644
  http://kdboy.iteye.com/blog/1154652
  http://kdboy.iteye.com/blog/1155450
  http://kdboy.iteye.com/blog/1169631
  http://kdboy.iteye.com/blog/1169637
  Official terminology: http://shiro.apache.org/terminology.html
  Official permissions explanation: http://shiro.apache.org/permissions.html