Shiro的Web项目配置

一 shiro的学习

二 shiro的java客户端配置

三 关于权限的一些问题

一 shiro的学习

官网和张开涛博客

二 shiro的java客户端配置

1.在web.xml中配置shiro的过滤器

  1. <!-- shiro 安全过滤器 -->
  2. <!-- The filter-name matches name of a 'shiroFilter' bean inside  -->
  3. <filter>
  4. <filter-name>shiroFilter</filter-name>
  5. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  6. <async-supported>true</async-supported>
  7. <init-param>
  8. <param-name>targetFilterLifecycle</param-name>
  9. <param-value>true</param-value>
  10. </init-param>
  11. </filter>
  12. <filter-mapping>
  13. <filter-name>shiroFilter</filter-name>
  14. <url-pattern>/*</url-pattern>
  15. </filter-mapping>
	<!-- shiro 安全过滤器 -->
<!-- The filter-name matches name of a 'shiroFilter' bean inside -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

同时在web.xml读取shiro的配置文件

2.在spring-shiro-web.xml中配置:

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <beans xmlns="http://www.springframework.org/schema/beans"
  3. xmlns:util="http://www.springframework.org/schema/util"
  4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  5. xmlns:context="http://www.springframework.org/schema/context"
  6. xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  7. http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
  8. <!--     为了获取adminPath的值 -->
  9. <context:property-placeholder ignore-unresolvable="true" location="classpath*:/system.properties"/>
  10. <!-- 配置安全管理中心,Shiro的主要业务层对象基于web的应用程序 -->
  11. <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  12. <property name="realm" ref="userRealm"/>
  13. </bean>
  14. <!--     自定义的过滤器,用来验证登陆 -->
  15. <bean id="formAuthenticationCaptchaFilter" class="com.huaxia.shiro.FormAuthenticationCaptchaFilter">
  16. <property name="usernameParam" value="username"/>
  17. <property name="passwordParam" value="password"/>
  18. <property name="captchaParam" value="captcha"/>
  19. <property name="loginUrl" value="${adminPath}/login"/>
  20. </bean>
  21. <!--     自定义的过滤器 -->
  22. <bean id="userFilter" class="com.huaxia.shiro.HuaXiaUserFilter">
  23. </bean>
  24. <!-- Shiro的Web过滤器,在web.xml中配置的shiroFilter即指向此 -->
  25. <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  26. <!--         指定一个安全管理中心,用来验证用户能否登陆和相关权限 -->
  27. <property name="securityManager" ref="securityManager"/>
  28. <!--         所有地址被重定向到该地址 -->
  29. <property name="loginUrl" value="${adminPath}/login"/>
  30. <!--         用户登录成功后的页面地址 -->
  31. <property name="successUrl" value="${adminPath}"/>
  32. <!--         过滤器链,在shiroFilter之前即开始执行 -->
  33. <property name="filters">
  34. <util:map>
  35. <entry key="authc" value-ref="formAuthenticationCaptchaFilter"/>
  36. <entry key="user" value-ref="userFilter"/>
  37. </util:map>
  38. </property>
  39. <!--         配置地址对应的过滤器 -->
  40. <property name="filterChainDefinitions">
  41. <value>
  42. ${adminPath}/login = authc
  43. /** = user
  44. </value>
  45. </property>
  46. </bean>
  47. <!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
  48. <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
  49. <!-- 下面两个bean是shiro官网推荐的配置  -->
  50. <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
  51. <property name="proxyTargetClass" value="true" />
  52. </bean>
  53. <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
  54. <property name="securityManager" ref="securityManager"/>
  55. </bean>
  56. </beans>
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd"> <!-- 为了获取adminPath的值 -->

<context:property-placeholder ignore-unresolvable="true" location="classpath*:/system.properties"/>
&lt;!-- 配置安全管理中心,Shiro的主要业务层对象基于web的应用程序 --&gt;
&lt;bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"&gt;
&lt;property name="realm" ref="userRealm"/&gt;
&lt;/bean&gt;

<!-- 自定义的过滤器,用来验证登陆 -->

<bean id="formAuthenticationCaptchaFilter" class="com.huaxia.shiro.FormAuthenticationCaptchaFilter">

<property name="usernameParam" value="username"/>

<property name="passwordParam" value="password"/>

<property name="captchaParam" value="captcha"/>

<property name="loginUrl" value="${adminPath}/login"/>

</bean>

<!-- 自定义的过滤器 -->

<bean id="userFilter" class="com.huaxia.shiro.HuaXiaUserFilter">

</bean>

<!-- Shiro的Web过滤器,在web.xml中配置的shiroFilter即指向此 -->

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<!-- 指定一个安全管理中心,用来验证用户能否登陆和相关权限 -->

<property name="securityManager" ref="securityManager"/>

<!-- 所有地址被重定向到该地址 -->

<property name="loginUrl" value="${adminPath}/login"/>

<!-- 用户登录成功后的页面地址 -->

<property name="successUrl" value="${adminPath}"/>

<!-- 过滤器链,在shiroFilter之前即开始执行 -->

<property name="filters">

<util:map>

<entry key="authc" value-ref="formAuthenticationCaptchaFilter"/>

<entry key="user" value-ref="userFilter"/>

</util:map>

</property>

<!-- 配置地址对应的过滤器 -->

<property name="filterChainDefinitions">

<value>

${adminPath}/login = authc

/** = user

</value>

</property>

</bean>

&lt;!-- 保证实现了Shiro内部lifecycle函数的bean执行 --&gt;
&lt;bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/&gt; &lt;!-- 下面两个bean是shiro官网推荐的配置 --&gt; &lt;bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"&gt;
&lt;property name="proxyTargetClass" value="true" /&gt;
&lt;/bean&gt;
&lt;bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"&gt;
&lt;property name="securityManager" ref="securityManager"/&gt;
&lt;/bean&gt;

</beans>

其中UserRealm的实现如下:

  1. package com.huaxia.shiro;
  2. import javax.annotation.PostConstruct;
  3. import org.apache.shiro.SecurityUtils;
  4. import org.apache.shiro.authc.AuthenticationException;
  5. import org.apache.shiro.authc.AuthenticationInfo;
  6. import org.apache.shiro.authc.AuthenticationToken;
  7. import org.apache.shiro.authc.DisabledAccountException;
  8. import org.apache.shiro.authc.LockedAccountException;
  9. import org.apache.shiro.authc.SimpleAuthenticationInfo;
  10. import org.apache.shiro.authc.UnknownAccountException;
  11. import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
  12. import org.apache.shiro.authz.AuthorizationInfo;
  13. import org.apache.shiro.authz.SimpleAuthorizationInfo;
  14. import org.apache.shiro.realm.AuthorizingRealm;
  15. import org.apache.shiro.subject.PrincipalCollection;
  16. import org.apache.shiro.util.ByteSource;
  17. import org.slf4j.Logger;
  18. import org.slf4j.LoggerFactory;
  19. import org.springframework.beans.factory.annotation.Autowired;
  20. import org.springframework.stereotype.Service;
  21. import com.google.code.kaptcha.Constants;
  22. import com.huaxia.Constant;
  23. import com.huaxia.common.utils.security.Digests;
  24. import com.huaxia.common.utils.security.Encodes;
  25. import com.huaxia.user.entity.User;
  26. import com.huaxia.user.service.UserService;
  27. @Service
  28. public class UserRealm extends AuthorizingRealm {
  29. private Logger logger = LoggerFactory.getLogger(UserRealm.class);
  30. @Autowired
  31. private UserService userService;
  32. @Override
  33. protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  34. String username = (String)principals.getPrimaryPrincipal();
  35. SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
  36. authorizationInfo.setRoles(userService.findRoles(username));
  37. authorizationInfo.setStringPermissions(userService.findPermissions(username));
  38. return authorizationInfo;
  39. }
  40. @Override
  41. protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  42. UsernamePasswordCaptchaToken captchaToken = (UsernamePasswordCaptchaToken) token;
  43. String username = String.valueOf(token.getPrincipal());
  44. User user = userService.findByUsername(username,Constant.USER_DELFLAG);
  45. if(null != user && doCaptchValidate(captchaToken)) {
  46. if (Boolean.TRUE.equals(user.getLocked())) {
  47. throw new LockedAccountException(); //帐号锁定
  48. }
  49. if(Constant.LOGIN_STATUS_N.equals(user.getLoginStatus())){
  50. throw new DisabledAccountException();
  51. }
  52. byte[] salt = Encodes.decodeHex(user.getSalt());
  53. //交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,可以自定义实现
  54. SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
  55. user.getUserName(),
  56. user.getPassword(), //密码
  57. ByteSource.Util.bytes(salt),
  58. getName()  //realm name
  59. );
  60. //SecurityUtils.getSubject().getSession().setAttribute("user", user);
  61. SecurityUtils.getSubject().getSession().setAttribute("userId", user.getUserId());
  62. userService.updateByLogin(user);
  63. return authenticationInfo;
  64. }else{
  65. throw new UnknownAccountException();
  66. }
  67. }
  68. protected boolean doCaptchValidate(UsernamePasswordCaptchaToken token){
  69. String captcha = (String) SecurityUtils.getSubject().getSession().getAttribute(Constants.KAPTCHA_SESSION_KEY);
  70. if(captcha != null && !captcha.equalsIgnoreCase(token.getCaptcha())){
  71. throw new CaptchaException("Code error");
  72. }
  73. return true;
  74. }
  75. @PostConstruct
  76. public void initCredentialsMatcher() {
  77. HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Digests.SHA1);
  78. matcher.setHashIterations(Constant.HASH_INTERATIONS);
  79. setCredentialsMatcher(matcher);
  80. }
  81. @Override
  82. public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
  83. super.clearCachedAuthorizationInfo(principals);
  84. }
  85. @Override
  86. public void clearCachedAuthenticationInfo(PrincipalCollection principals) {
  87. super.clearCachedAuthenticationInfo(principals);
  88. }
  89. @Override
  90. public void clearCache(PrincipalCollection principals) {
  91. super.clearCache(principals);
  92. }
  93. public void clearAllCachedAuthorizationInfo() {
  94. getAuthorizationCache().clear();
  95. }
  96. public void clearAllCachedAuthenticationInfo() {
  97. getAuthenticationCache().clear();
  98. }
  99. public void clearAllCache() {
  100. clearAllCachedAuthenticationInfo();
  101. clearAllCachedAuthorizationInfo();
  102. }
  103. }
package com.huaxia.shiro;

import javax.annotation.PostConstruct;

import org.apache.shiro.SecurityUtils;

import org.apache.shiro.authc.AuthenticationException;

import org.apache.shiro.authc.AuthenticationInfo;

import org.apache.shiro.authc.AuthenticationToken;

import org.apache.shiro.authc.DisabledAccountException;

import org.apache.shiro.authc.LockedAccountException;

import org.apache.shiro.authc.SimpleAuthenticationInfo;

import org.apache.shiro.authc.UnknownAccountException;

import org.apache.shiro.authc.credential.HashedCredentialsMatcher;

import org.apache.shiro.authz.AuthorizationInfo;

import org.apache.shiro.authz.SimpleAuthorizationInfo;

import org.apache.shiro.realm.AuthorizingRealm;

import org.apache.shiro.subject.PrincipalCollection;

import org.apache.shiro.util.ByteSource;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.stereotype.Service; import com.google.code.kaptcha.Constants;

import com.huaxia.Constant;

import com.huaxia.common.utils.security.Digests;

import com.huaxia.common.utils.security.Encodes;

import com.huaxia.user.entity.User;

import com.huaxia.user.service.UserService; @Service

public class UserRealm extends AuthorizingRealm {

private Logger logger = LoggerFactory.getLogger(UserRealm.class);
@Autowired
private UserService userService; @Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String username = (String)principals.getPrimaryPrincipal(); SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
authorizationInfo.setRoles(userService.findRoles(username));
authorizationInfo.setStringPermissions(userService.findPermissions(username)); return authorizationInfo;
} @Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordCaptchaToken captchaToken = (UsernamePasswordCaptchaToken) token;
String username = String.valueOf(token.getPrincipal());
User user = userService.findByUsername(username,Constant.USER_DELFLAG);
if(null != user &amp;&amp; doCaptchValidate(captchaToken)) {
if (Boolean.TRUE.equals(user.getLocked())) {
throw new LockedAccountException(); //帐号锁定
}
if(Constant.LOGIN_STATUS_N.equals(user.getLoginStatus())){
throw new DisabledAccountException();
}
byte[] salt = Encodes.decodeHex(user.getSalt());
//交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,可以自定义实现
SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
user.getUserName(),
user.getPassword(), //密码
ByteSource.Util.bytes(salt),
getName() //realm name
);
//SecurityUtils.getSubject().getSession().setAttribute("user", user);
SecurityUtils.getSubject().getSession().setAttribute("userId", user.getUserId());
userService.updateByLogin(user);
return authenticationInfo;
}else{
throw new UnknownAccountException();
}
} protected boolean doCaptchValidate(UsernamePasswordCaptchaToken token){
String captcha = (String) SecurityUtils.getSubject().getSession().getAttribute(Constants.KAPTCHA_SESSION_KEY);
if(captcha != null &amp;&amp; !captcha.equalsIgnoreCase(token.getCaptcha())){
throw new CaptchaException("Code error");
}
return true;
} @PostConstruct
public void initCredentialsMatcher() {
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Digests.SHA1);
matcher.setHashIterations(Constant.HASH_INTERATIONS);
setCredentialsMatcher(matcher);
} @Override
public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
super.clearCachedAuthorizationInfo(principals);
} @Override
public void clearCachedAuthenticationInfo(PrincipalCollection principals) {
super.clearCachedAuthenticationInfo(principals);
} @Override
public void clearCache(PrincipalCollection principals) {
super.clearCache(principals);
} public void clearAllCachedAuthorizationInfo() {
getAuthorizationCache().clear();
} public void clearAllCachedAuthenticationInfo() {
getAuthenticationCache().clear();
} public void clearAllCache() {
clearAllCachedAuthenticationInfo();
clearAllCachedAuthorizationInfo();
}

}

其中formAuthenticationCaptchaFilter的实现如下:

  1. package com.huaxia.shiro;
  2. import javax.servlet.ServletRequest;
  3. import javax.servlet.ServletResponse;
  4. import javax.servlet.http.HttpServletRequest;
  5. import javax.servlet.http.HttpServletResponse;
  6. import org.apache.shiro.authc.AuthenticationToken;
  7. import org.apache.shiro.subject.Subject;
  8. import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
  9. import org.apache.shiro.web.util.WebUtils;
  10. import org.slf4j.Logger;
  11. import org.slf4j.LoggerFactory;
  12. public class FormAuthenticationCaptchaFilter extends FormAuthenticationFilter {
  13. private Logger logger = LoggerFactory.getLogger(FormAuthenticationCaptchaFilter.class);
  14. public static final String DEFAULT_CAPTCHA_PARAM = "captcha";
  15. private String captchaParam = DEFAULT_CAPTCHA_PARAM;
  16. public String getCaptchaParam() {
  17. return captchaParam;
  18. }
  19. public void setCaptchaParam(String captchaParam){
  20. this.captchaParam = captchaParam;
  21. }
  22. protected String getCaptcha(ServletRequest request) {
  23. return WebUtils.getCleanParam(request, getCaptchaParam());
  24. }
  25. protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
  26. String username = getUsername(request) == null ? "" : getUsername(request);
  27. String password = getPassword(request) == null ? "" : getPassword(request);
  28. String captcha = getCaptcha(request) == null ? "" : getCaptcha(request);
  29. boolean rememberMe = isRememberMe(request);
  30. return new UsernamePasswordCaptchaToken(username,password.toCharArray(), rememberMe, captcha);
  31. }
  32. @Override
  33. protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
  34. ServletRequest request, ServletResponse response) throws Exception {
  35. //      issueSuccessRedirect(request, response);
  36. //      we handled the success redirect directly, prevent the chain from continuing:
  37. HttpServletRequest httpServletRequest = (HttpServletRequest)request;
  38. HttpServletResponse httpServletResponse = (HttpServletResponse)response;
  39. if (!"XMLHttpRequest".equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))
  40. || request.getParameter("ajax") == null) {// 不是ajax请求
  41. httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.getSuccessUrl());
  42. } else {
  43. httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.getSuccessUrl());
  44. }
  45. return false;
  46. }
  47. }
package com.huaxia.shiro;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse; import org.apache.shiro.authc.AuthenticationToken;

import org.apache.shiro.subject.Subject;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

import org.apache.shiro.web.util.WebUtils;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory; public class FormAuthenticationCaptchaFilter extends FormAuthenticationFilter {
private Logger logger = LoggerFactory.getLogger(FormAuthenticationCaptchaFilter.class);

public static final String DEFAULT_CAPTCHA_PARAM = "captcha";
private String captchaParam = DEFAULT_CAPTCHA_PARAM; public String getCaptchaParam() {
return captchaParam;
} public void setCaptchaParam(String captchaParam){
this.captchaParam = captchaParam;
} protected String getCaptcha(ServletRequest request) {
return WebUtils.getCleanParam(request, getCaptchaParam());
} protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
String username = getUsername(request) == null ? "" : getUsername(request);
String password = getPassword(request) == null ? "" : getPassword(request);
String captcha = getCaptcha(request) == null ? "" : getCaptcha(request);
boolean rememberMe = isRememberMe(request);
return new UsernamePasswordCaptchaToken(username,password.toCharArray(), rememberMe, captcha);
} @Override
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
ServletRequest request, ServletResponse response) throws Exception {
// issueSuccessRedirect(request, response);
// we handled the success redirect directly, prevent the chain from continuing:
HttpServletRequest httpServletRequest = (HttpServletRequest)request;
HttpServletResponse httpServletResponse = (HttpServletResponse)response; if (!"XMLHttpRequest".equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))
|| request.getParameter("ajax") == null) {// 不是ajax请求
httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.getSuccessUrl());
} else {
httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.getSuccessUrl());
} return false;
}

}

其中HuaXiaUserFilter的实现如下:

  1. package com.huaxia.shiro;
  2. import org.apache.shiro.web.filter.authc.UserFilter;
  3. import org.apache.shiro.web.filter.session.NoSessionCreationFilter;
  4. import org.apache.shiro.web.util.WebUtils;
  5. import javax.servlet.ServletRequest;
  6. import javax.servlet.ServletResponse;
  7. import javax.servlet.http.HttpServletResponse;
  8. public class HuaXiaUserFilter extends UserFilter {
  9. @Override
  10. protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
  11. /*if(!"XMLHttpRequest".equalsIgnoreCase(WebUtils.toHttp(response).getHeader("X-Requested-With"))
  12. || request.getParameter("ajax") == null ){
  13. this.saveRequestAndRedirectToLogin(request, response);
  14. }else{*/
  15. HttpServletResponse res = WebUtils.toHttp(response);
  16. res.setHeader("sessionstatus","timeout");
  17. //res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  18. /* }*/
  19. this.saveRequestAndRedirectToLogin(request, response);
  20. return false;
  21. }
  22. }
package com.huaxia.shiro;

import org.apache.shiro.web.filter.authc.UserFilter;

import org.apache.shiro.web.filter.session.NoSessionCreationFilter;

import org.apache.shiro.web.util.WebUtils; import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletResponse; public class HuaXiaUserFilter extends UserFilter {
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception { /*if(!"XMLHttpRequest".equalsIgnoreCase(WebUtils.toHttp(response).getHeader("X-Requested-With"))
|| request.getParameter("ajax") == null ){
this.saveRequestAndRedirectToLogin(request, response);
}else{*/
HttpServletResponse res = WebUtils.toHttp(response);
res.setHeader("sessionstatus","timeout");
//res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
/* }*/
this.saveRequestAndRedirectToLogin(request, response); return false;
}

}

3.另外在Mvc的配置文件spring-mvc.xml中加入如下拦截器内容:

  1. <aop:config proxy-target-class="true"></aop:config>  
  2. <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">  
  3.     <property name="securityManager" ref="securityManager"/>  
  4. </bean>  
	<aop:config proxy-target-class="true"></aop:config>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

<property name="securityManager" ref="securityManager"/>

</bean>
  1.   

三 关于权限的一些问题

1.shiro如何实现验证码?

关于shiro的验证码,使用的是google的kaptcha , 在web.xml中配置sevlet如下:

  1. <servlet>  
  2.     <servlet-name>ImageServlet</servlet-name>  
  3.     <servlet-class>com.google.code.kaptcha.servlet.KaptchaServlet</servlet-class>  
  4. </servlet>  
  5.   
  6. <servlet-mapping>  
  7.     <servlet-name>ImageServlet</servlet-name>  
  8.     <url-pattern>/ImageServlet</url-pattern>  
  9. </servlet-mapping>  
	<servlet>

<servlet-name>ImageServlet</servlet-name>

<servlet-class>com.google.code.kaptcha.servlet.KaptchaServlet</servlet-class>

</servlet>
&lt;servlet-mapping&gt;
&lt;servlet-name&gt;ImageServlet&lt;/servlet-name&gt;
&lt;url-pattern&gt;/ImageServlet&lt;/url-pattern&gt;
&lt;/servlet-mapping&gt;</pre>

2.用户名密码通常保存为什么要加盐值?

由于通常密码保存使用的是md5加密,同样的密码在md5后会产生相同的加密后字符串,如果有数据库的查看权限,那么看到相同的加密后字符串,很容易猜到是相同的密码。同时根据md5对照表(或者一些网站),能够找到密码。 如果密码在加上随机盐后再进行md5,那么同样的密码在md5后的字符串是不同的,就能够避免上面两个问题。总的来说增加了破解的难度。

3.通常情况下用户-角色-权限(资源)之间的关系

用户与角色多对多:一个用户可以拥有多个角色,一个角色可以被多个用户具有

角色与权限(资源,主要指菜单,按钮等)多对多:一个角色可以拥有多个权限,一个权限可以被多个角色拥有

3.1 在首页,通常根据用户查找角色,然后根据角色列出相关的菜单栏和相关按钮

3.2 在系统配置中:

用户配置:可以增删用户,也可以配置用户的多个角色

角色配置:可以配置一个角色的多个权限

权限配置:可以增删相关的资源(菜单或者按钮)

4.shiro授权的几种方式:

4.1 在代码体中:

  1. if (currentUser.hasRole("admin"))
if (currentUser.hasRole("admin"))

4.2 在方法上:

  1. @RequiresPermissions(“account:create”)‏
  2. public void openAccount( Account acct )
@RequiresPermissions(“account:create”)‏
public void openAccount( Account acct )

4.3 在jsp页面上:

  1. <shiro:hasPermission name=“users:manage”>
  2. <a href=“manageUsers.jsp”> </a>
  3. </shiro:hasPermission>
   <shiro:hasPermission name=“users:manage”>
<a href=“manageUsers.jsp”> </a>
</shiro:hasPermission>

Shiro的官方文档整理的感觉差强人意,非常不明朗,需要结合张开涛的博客来看。有很多的地方需要学习,后续更新。

Shiro的Web项目配置(转)的更多相关文章

  1. Intellij IDEA创建的Web项目配置Tomcat并启动Maven项目

    本篇博客讲解IDEA如何配置Tomcat. 大部分是直接上图哦. 点击如图所示的地方,进行添加Tomcat配置页面 弹出页面后,按照如图顺序找到,点击+号 tomcat Service -> L ...

  2. Tomcat 中如何给 web 项目配置虚拟目录的方法

    为什么要给 web 项目配置虚拟目录? 初学 JavaWeb 时,会发现只要我们把 web 项目放到 Tomcat 的 webapps 目录下,再通过 http://localhost:8080/项目 ...

  3. 给本地web项目配置域名

    给本地的web项目配置一个域名 通常访问本地问项目时,使用localhost:port/projectname或者127.0.0.1:port/projectname来实现.我们可以通过配置tomca ...

  4. Java Web项目 配置 ueditor心得

    近期的JAVA项目,由于客户要求需要引入富文本编辑器. 参考了两款插件,一款是ckeditor,一款是ueditor. ckeditor在上传文件的时候必须配合ckfinder使用,而ckfinder ...

  5. web项目配置webAppRootKey 获得根目录 .

    log4j和web.xml配置webAppRootKey 的问题 1 在web.xml配置 <context-param>  <param-name>webAppRootKey ...

  6. 【IDEA】Intellij IDEA创建的Web项目配置Tomcat并启动Maven项目

    转载请注明出处:http://blog.csdn.net/qq_26525215本文源自[大学之旅_谙忆的博客] 本篇博客讲解IDEA如何配置Tomcat. 大部分是直接上图哦. 点击如图所示的地方, ...

  7. idea 普通 web项目配置启动【我】

    首先说这是一个普通的java web项目,没有用到maven.  检出项目: 项目是先用 乌龟svn 在 编辑器外部检出到一个目录下,然后再用 idea的 open 打开这个目录生成的.[因为直接用i ...

  8. shiro与Web项目整合-Spring+SpringMVC+Mybatis+Shiro(八)

    Jar包

  9. IDEA创建的Web项目配置Tomcat并启动Maven项目

    点击如图所示的地方,进行添加Tomcat配置页面   弹出页面后,按照如图顺序找到,点击+号     tomcat Service -> Local   注意,这里不要选错了哦,还有一个TomE ...

随机推荐

  1. js插件---评分插件Rating如何使用

    js插件---评分插件Rating如何使用 一.总结 一句话总结:form下的input和a标签,input记录值,a标签显示样式 12 <form data-am-rating> 13 ...

  2. xshell --- 查看和关闭 进程

    netstat -apn | grep 80 kill -l PID  关闭进程

  3. readonly&&declare&&unset &&export&&env环境变量

    readonly命令用于定义只读shell变量和shell函数.readonly命令的选项-p可以输出显示系统中所有定义的只读变量. 选项 -f:定义只读函数: -a:定义只读数组变量: -p:显示系 ...

  4. ST和LCA和无根树连接

    #include <stdio.h> #include <iostream> #include <string.h> #include <algorithm& ...

  5. 2048游戏分析、讨论与扩展 - Part I - 游戏分析与讨论

    2048这个游戏从刚出開始就风靡整个世界. 本技术博客的目的是想对2048涉及到相关的全部问题进行仔细的分析与讨论,得到一些大家能够接受而且理解的结果. 在这基础上,扩展2048的游戏性,使其变得更好 ...

  6. 决策树之C4.5算法学习

    决策树<Decision Tree>是一种预測模型,它由决策节点,分支和叶节点三个部分组成. 决策节点代表一个样本測试,通常代表待分类样本的某个属性,在该属性上的不同測试结果代表一个分支: ...

  7. js31---观察者模式

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/stri ...

  8. js06--利用js给数组去重

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/stri ...

  9. POJ 1654 Area 凸包面积

    水题直接码... /********************* Template ************************/ #include <set> #include < ...

  10. jQuery选择器,Ajax请求

    jQuery选择器: $("#myELement") 选择id值等于myElement的元素,id值不能重复在文档中只能有一个id值是myElement所以得到的是唯一的元素 $( ...