|
|
1、apache shiro与spring集成
(1)、 需要导入shiro-all.jar包;在web.xml中添加shiro过滤器:
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
(2)、在spring配置文件中注入shiro相关类库:
<!--自定义myRealm 继承自AuthorizingRealm 登录时与数据交互 -->
<bean id="myRealm" class="com.easyoa.shiro.MyRealm" ></bean>
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login.jsp" />
<property name="successUrl" value="/index.jsp" />
<property name="unauthorizedUrl" value="/login.jsp" />
<property name="filterChainDefinitions">
<value>
/index.jsp = anon
/login.jsp = authc
/course/** = authc, roles[admin]
</value>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<!--设置自定义realm-->
<property name="realm" ref="myRealm" />
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
(3)、登录系统时将页面传入的用户名和密码封装到token中:
Subject currentUser= SecurityUtil.getSubject();获取当前活动用户信息;
if(!currentUser.isAuthenticated()){
当前活动用户没有认证时,执行认证操作;首先将前台页面传入的username、password封装到token中;绝大部分使用UsernamePasswordToken;
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
如果有记住我的功能,则从页面获取rememberMe,如果选择记住我则为true,否则为false;
token.setRememberMe(true/false);
currentUser.login(token); 调用login方法将token传入shiro管理库中进行认证、授权等操作;
}
(4)、自定义realm类,该类需要继承AuthorizingRealm,并重写认证、授权方法:
@Service
public class MyRealm extends AuthorizingRealm{
public MyRealm() {
super();
//设置认证token的实现类,该处使用UsernamepasswordTken,也可自定义token,如果自定义token则需继承AuthenticationToken;
setAuthenticationTokenClass(UsernamePasswordToken.class);
//设置加密算法
/**
* 前台传入的明文与数据库中的加密数据进行比较,
* new Digest()为自定义加密类,集成simpleCredentialsMatcher类,并重写doCredentialsMatch方法
*/
setCredentialsMatcher(new Digest());
}
//授权
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
String loginName = (String) principalCollection.fromRealm(getName()).iterator().next();
Users user = usersService.getUserByName(loginName);//从数据库获取用户信息
if (null == user) {
return null;
} else {
SimpleAuthorizationInfo result = new SimpleAuthorizationInfo();
result封装用户权限,
result.addRole(roleName); 封装角色名
result.addStringPermission(permissionName); 封装权限字符串
result.addObjectPermission(Permission); 封装shiro的权限对象
return result;
}
}
/** * 更新用户授权信息缓存. */
public void clearCachedAuthorizationInfo(String principal) {
SimplePrincipalCollection principals = new SimplePrincipalCollection(
principal, getName());
clearCachedAuthorizationInfo(principals);
}
//认证
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
从数据库中获取用户信息
Users user = usersService.getUserByName(upToken.getUsername());
if (user != null) {
将从数据库中查询的用户名和密码封装到authenticationInfo对象中;shiro自动根据加密规则将前台的密码加密与之对比;
return new SimpleAuthenticationInfo(user.getUsername(), user.getPwdhash(), getName());
}
return null;
}
}
(5)、自定义加密类需要继承SimpleCredentialsMather,并重写doCredentialsMatch方法;
@Override
public boolean doCredentialsMatch(AuthenticationToken token,
AuthenticationInfo info) {
//对前台传入的明文数据加密,根据自定义加密规则加密,
Object tokencredential = this.digestObject(toBytes(token.getCredentials()), "SHA");
//从数据库获取的加密数据
Object accunt=this.getCredentials(info);
//返回对比结果
return equals(accunt,tokencredential);
} |
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2017-1-3 08:07:49
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡