Shiro —— Spring 环境下的使用
一、使用
1.搭建基础环境
(1)导入 Spring 和 Shiro 的 Jar 包
- 正常导入 spring jar包
- 导入日志包
- log4j-1.2.15.jar
- slf4j-api-1.6.1.jar
- slf4j-log4j12-1.6.1.jar
- 导入 shiro 包
- shiro-core-1.2.2.jar
- shiro-ehcache-1.2.2.jar
- shiro-spring-1.2.2.jar
- shiro-web-1.2.2.jar
(2)配置文件
- web.xml
- 读取所有配置文件
- springmvc 的 DispatcherServlet 配置
- shiroFilter 的配置(该配置参考的是:shiro-root-1.2.2\samples\spring\src\main\webapp\WEB-INF\web.xml)
- 见文章末的两个 web.xml
- spring-shiro.xml
- 该配置参考:shiro-root-1.2.2\samples\spring\src\main\webapp\WEB-INF\applicationContext.xml
- 此次实验在 shiro.xml 文件中采用的缓存管理器是 ehcache 。需要额外导入ehcache jar包和配置文件。
- ehcache 使用的 Hibernate 下的。
- ehcache-core-2.4.3.jar(hibernate-release-4.2.4.Final\lib\optional\ehcache\) 和 ehcache.xml(hibernate-release-4.2.4.Final\project\etc\)
- 见文章末的两个 spring-shiro.xml
- 注意:(1)缓存的配置(2)自定义Realm
- spring.xml 正常配置即可。
- springmvc.xml 正常配置即可。
(3)检测
- 添加自定义 Realm,需要继承自 AuthorizingRealm(即包含认证,也包含授权的 Realm)
- 添加了一个空的自定义的 Realm ,没有添加认证和授权逻辑。
- 启动项目,检测能否正常启动,检测配置是否正确。
2.登录
(1)添加登录页面
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
</head>
<body>
<h4>
Login Page
</h4> <form action="shiro-login" method="post">
<input name="userName" type="text"/>
<input name="password" type="password"/>
<input type="submit" value="submit">
</form>
</body>
</html>
login.jsp
(2)对应 Handler 方法
@RequestMapping("/shiro-login")
public String login(String userName, String password) {
System.out.println("userName:" + userName + ", password:" + password);
Subject currentUser = SecurityUtils.getSubject();
if(!currentUser.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken(userName, password);
token.setRememberMe(true);
try {
currentUser.login(token);
} catch(UnknownAccountException uae) {
System.out.println("用户名不正确!");
} catch(IncorrectCredentialsException ice) {
System.out.println("密码不匹配!");
} catch(LockedAccountException lae) {
System.out.println("账户被锁定!");
} catch(AuthenticationException ae) {
System.out.println("认证失败!");
}
} return "success";
}
这里参考的是官方的 demo :shiro-root-1.2.2\samples\quickstart\src\main\java\Quickstart.java
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/ import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory; /**
* Simple Quickstart application showing how to use Shiro's API.
*
* @since 0.9 RC2
*/
public class Quickstart { private static final transient Logger log = LoggerFactory.getLogger(Quickstart.class); public static void main(String[] args) { // The easiest way to create a Shiro SecurityManager with configured
// realms, users, roles and permissions is to use the simple INI config.
// We'll do that by using a factory that can ingest a .ini file and
// return a SecurityManager instance: // Use the shiro.ini file at the root of the classpath
// (file: and url: prefixes load from files and urls respectively):
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = factory.getInstance(); // for this simple example quickstart, make the SecurityManager
// accessible as a JVM singleton. Most applications wouldn't do this
// and instead rely on their container configuration or web.xml for
// webapps. That is outside the scope of this simple quickstart, so
// we'll just do the bare minimum so you can continue to get a feel
// for things.
SecurityUtils.setSecurityManager(securityManager); // Now that a simple Shiro environment is set up, let's see what you can do: // get the currently executing user:
Subject currentUser = SecurityUtils.getSubject(); // Do some stuff with a Session (no need for a web or EJB container!!!)
Session session = currentUser.getSession();
session.setAttribute("someKey", "aValue");
String value = (String) session.getAttribute("someKey");
if (value.equals("aValue")) {
log.info("-->Retrieved the correct value! [" + value + "]");
} // let's login the current user so we can check against roles and permissions:
if (!currentUser.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken("lonestarr", "vespa");
token.setRememberMe(true);
try {
currentUser.login(token);
} catch (UnknownAccountException uae) {
log.info("-->There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
log.info("-->Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
log.info("The account for username " + token.getPrincipal() + " is locked. " +
"Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
//unexpected condition? error?
}
} //say who they are:
//print their identifying principal (in this case, a username):
log.info("-->User [" + currentUser.getPrincipal() + "] logged in successfully."); //test a role:
if (currentUser.hasRole("schwartz")) {
log.info("-->May the Schwartz be with you!");
} else {
log.info("Hello, mere mortal.");
} //test a typed permission (not instance-level)
if (currentUser.isPermitted("lightsaber:weild")) {
log.info("-->You may use a lightsaber ring. Use it wisely.");
} else {
log.info("Sorry, lightsaber rings are for schwartz masters only.");
} //a (very powerful) Instance Level permission:
if (currentUser.isPermitted("winnebago:drive:eagle5")) {
log.info("-->You are permitted to 'drive' the winnebago with license plate (id) 'eagle5'. " +
"Here are the keys - have fun!");
} else {
log.info("Sorry, you aren't allowed to drive the 'eagle5' winnebago!");
} //all done - log out!
currentUser.logout(); System.exit(0);
}
}
Quickstart.java
说明一下:
官方 demo 演示的是一个 java 项目,而不是一个 web 项目,不同点是:web 项目下,shiro 的大管家是由容器去创建的,而不需要我们手动去获取。
(3)检测能否正常运行,若能,则证明登录测试成功。
3.认证
(1)实现自定义 Realm 的 认证方法。
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("开始认证!");
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername();
Object credentials = "123456";
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, credentials, this.getName());
return info;
}
或
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("开始认证!");
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername(); User user = new User();
user.setId(1000);
user.setUserName(username);
user.setPassword("123456");
user.getRoleNames().add("admin"); return new SimpleAuthenticationInfo(user, user.getPassword(), this.getName());
}
说明一下:
其中 username 是从页面获取到的,而密码是通过查询数据库获取的。注意标红加粗的地方。
实现的参考:org.apache.shiro.realm.jdbc.JdbcRealm
(2)测试,此时密码不为 "123456"能否登录。测试认证是否成功。
4.授权
(1)实现自定义 Realm 的授权方法。
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("开始授权!");
String username = (String)this.getAvailablePrincipal(principalCollection);
System.out.println("userName:" + username); Set<String> roleNames = new HashSet<>();
roleNames.add("admin"); SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames); return info;
}
或:User 对象已经包含角色信息,不需要再次查询数据库。
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
System.out.println("开始授权!");
User user = (User) principalCollection.getPrimaryPrincipal();
Set<String> roleNames = user.getRoleNames();
return new SimpleAuthorizationInfo(roleNames);
}
实现的参考:org.apache.shiro.realm.jdbc.JdbcRealm
(2)测试,添加对应的页面,然后在 Shiro 配置文件中配置访问对应的页面需要什么样的角色才能访问。
5.认证和授权的资源数据从数据库中获取
(1)受保护资源和需要角色权限间的关系存在在 shiro.xml 文件中。
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
/user.jsp = authc
/admin.jsp = roles[admin]
/** = anon
</value>
</property>
</bean>
(2)要想改为从数据库中获取,思路就是:filterChainDefinitions 属性值能从 Java 文件中获取。
参看:filterChainDefinitions 属性的官方使用
public void setFilterChainDefinitions(String definitions) {
Ini ini = new Ini();
ini.load(definitions);
Section section = ini.getSection("urls");
if(CollectionUtils.isEmpty(section)) {
section = ini.getSection("");
} this.setFilterChainDefinitionMap(section);
} public void setFilterChainDefinitionMap(Map<String, String> filterChainDefinitionMap) {
this.filterChainDefinitionMap = filterChainDefinitionMap;
}
实际上放的是一个 Map。那么来看看具体的 Map 存放的是怎么的一些数据格式?在标红的代码处打个断点,可以看到如下内容:
可以看到, Map 内容的就是在 shiro.xml 通过属性 filterChainDefinitions 定义的值。
(3)具体操作
/**
* @author solverpeng
* @create 2016-09-21-18:59
*/
public class FilterChainDefinitionMapBuilder {
public Map<String, String> getFilterChainDefinitionMap() {
Map<String, String> filterChainDefinitionMap = new HashMap<>();
filterChainDefinitionMap.put("/admin.jsp", "roles[admin],authc");
filterChainDefinitionMap.put("/user.jsp", "authc");
filterChainDefinitionMap.put("/**", "anon");
return filterChainDefinitionMap;
} }
更改配置:
<bean id="filterChainDefinitionMapBuilder" class="com.nucsoft.shiro.shiro.FilterChainDefinitionMapBuilder"/> <bean id="filterChainDefinitionMap" factory-bean="filterChainDefinitionMapBuilder" factory-method="getFilterChainDefinitionMap"/> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"/>
</bean>
此时,资源信息可以通过 Java 方法来处理,而此时,这些数据就可以从数据库中获取。
6.盐值加密
加密指的是对密码的加密,用户注册时,将密码使用一定的加密方式存放到数据库中,用户登录的时候,同样以相同的加密方式进行比对。
在什么地方进行的对比?
注意:不是在自定义认证的时候对比的。在 MyRealm 中
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("开始认证!");
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername(); User user = new User();
user.setId(1000);
user.setUserName(username);
user.setPassword("42e56621cf3adc9ecc261936188d31d7");
user.getRoleNames().add("admin"); String hashedCredentials = user.getPassword();
ByteSource credentialsSalt = ByteSource.Util.bytes("abcd");
String realmName = getName();
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, hashedCredentials, credentialsSalt,
realmName);
return info;
}
的这个方法的作用,只是根据传入的 Token 获取到 username,从而到数据库中查询对应的 User 对象,以及盐值信息,然后返回封装这些信息的 SimpleAuthenticationInfo 的对象。
密码的对比是在这之后对比的,来看返回后,返回到了 org.apache.shiro.realm.AuthenticatingRealm#getAuthenticationInfo 这个方法
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { AuthenticationInfo info = getCachedAuthenticationInfo(token);
if (info == null) {
//otherwise not cached, perform the lookup:
info = doGetAuthenticationInfo(token);
log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
if (token != null && info != null) {
cacheAuthenticationInfoIfPossible(token, info);
}
} else {
log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
} if (info != null) {
assertCredentialsMatch(token, info);
} else {
log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
} return info;
}
其中第一处标红的地方是调用我们自定义 Realm 的 doGetAuthenticationInfo() 方法以及返回值。
第二处标红的地方表示如果可以缓存的话,就把此登录账户进行缓存。
第三处才是真正进行比较的地方,看看方法名和参数,见名知意。 token 为表单提交过来的用户信息,而 info 是我们做认证时从数据库查询获取到的。
详细来看:org.apache.shiro.realm.AuthenticatingRealm#assertCredentialsMatch
protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) throws AuthenticationException {
CredentialsMatcher cm = getCredentialsMatcher();
if (cm != null) {
if (!cm.doCredentialsMatch(token, info)) {
//not successful - throw an exception to indicate this:
String msg = "Submitted credentials for token [" + token + "] did not match the expected credentials.";
throw new IncorrectCredentialsException(msg);
}
} else {
throw new AuthenticationException("A CredentialsMatcher must be configured in order to verify " +
"credentials during authentication. If you do not wish for credentials to be examined, you " +
"can configure an " + AllowAllCredentialsMatcher.class.getName() + " instance.");
}
}
两个核心的地方:
第一处标红是:获取凭证的匹配器(密码的匹配器),来看这个接口中封装了一下什么信息。
public interface CredentialsMatcher {
boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info);
}
只有一个 doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) 的方法。
来看它的体系:
看到了 Md5CredentialsMatcher, 然后发现它是一个过期的类,HashedCredentialsMatcher 作为对它的一个替代,需要 setHashAlgorithmName() 来指定加密方式。
这里直接对 HashedCredentialsMatcher 给出说明:
(1)加密方式:setHashAlgorithmName(String hashAlgorithmName)
(2)加密次数:setHashIterations(int hashIterations)
说了这么多,如何由我们自己指定 CreaentialsMatcher ?
我自定义的 MyRealm 是 AuthenticatingRealm 它的子类,所以想法是,在 AuthenticatingRealm 调用 getCredentialsMatcher() 之前,就将 CreaentialsMatcher set到 Realm 中。
来看具体操作:
在 MyRealm 中定义一个初始化方法:
public void initCredentialsMatcher() {
HashedCredentialsMatcher credentialsMatcher = new HashedCredentialsMatcher();
credentialsMatcher.setHashAlgorithmName("MD5");
credentialsMatcher.setHashIterations(1000);
setCredentialsMatcher(credentialsMatcher);
}
指定了加密方式,然后加密次数,然后设置到了 Realm 中。
为了保证在在 AuthenticatingRealm 调用 getCredentialsMatcher() 之前,就将 CreaentialsMatcher set到 Realm 中,在容器初始化的时候就设置。
applicationContext-shiro.xml 的配置:
<bean id="realm" class="com.nucsoft.shiro.shiro.MyRealm" init-method="initCredentialsMatcher"/>
第二处标红进行的真正的密码匹配:cm.doCredentialsMatch(token, info)
详细来看:org.apache.shiro.authc.credential.HashedCredentialsMatcher#doCredentialsMatch
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
Object tokenHashedCredentials = hashProvidedCredentials(token, info);
Object accountCredentials = getCredentials(info);
return equals(tokenHashedCredentials, accountCredentials);
}
其中 tokenHashedCredentials 是从表单提交过来的密码经同样的加密方式处理后的凭证;accountCredentials 是从数据库中取出来的凭证信息。
关注点:是怎么对表单密码进行加密处理的
详细来看:
org.apache.shiro.authc.credential.HashedCredentialsMatcher#hashProvidedCredentials(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)
protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) {
Object salt = null;
if (info instanceof SaltedAuthenticationInfo) {
salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt();
} else {
//retain 1.0 backwards compatibility:
if (isHashSalted()) {
salt = getSalt(token);
}
}
return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations());
}
org.apache.shiro.authc.credential.HashedCredentialsMatcher#hashProvidedCredentials(java.lang.Object, java.lang.Object, int)
protected Hash hashProvidedCredentials(Object credentials, Object salt, int hashIterations) {
String hashAlgorithmName = assertHashAlgorithmName();
return new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
}
hashAlgorithmName:这个就是在凭证匹配器中定义的加密方式。
核心:进行加密的就是这个:
new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations)
hashAlgorithmName: 加密方式
credentials:表单提交的密码
salt:盐值
hashIterations:加密次数
用户注册的时候,向数据库存入密码的时候,可以使用此种方式对密码进行加密。
来看一个测试:
public static void main(String[] args) {
String hashAlgorithmName = "MD5";
Object credentials = "123456";
ByteSource salt = ByteSource.Util.bytes("abcd");
int hashIterations = 1000;
SimpleHash simpleHash = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
System.out.println(simpleHash);
}
说了这么多,还没有说 自定义认证方法的盐值是如何添加的:
com.nucsoft.shiro.shiro.MyRealm#doGetAuthenticationInfo
来看:
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
System.out.println("开始认证!");
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String username = upToken.getUsername(); User user = new User();
user.setId(1000);
user.setUserName(username);
user.setPassword("42e56621cf3adc9ecc261936188d31d7");
user.getRoleNames().add("admin"); String hashedCredentials = user.getPassword();
ByteSource credentialsSalt = ByteSource.Util.bytes("abcd");
String realmName = getName();
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, hashedCredentials, credentialsSalt,
realmName);
return info;
}
标红的地方就是加盐值后的处理方式。
在注册的时候,随机生成盐值,同用户信息存入数据库中。
7.关于细粒度的基于注解的授权和基于标签库的授权,本篇文章不进行说明。
二、总结
介绍了 Spring 环境下 shiro 的使用,包括环境的搭建,以及是如何配置的,自定义 Realm 可以完成自定义认证和自定义授权,也可以完成凭证匹配器的设置。
以及具体是怎么完成自定义认证和授权的,也将受保护的资源与访问的权限从xml文件中转到了 java 类中,为后续从数据库中读取提供了方便。
也介绍了加密的方式:加密类型,加密次数,加密盐值,以及具体是如何加密的。并没有讲明在真实项目中是如何使用的,以后有机会写文章来说明。
三、详细配置文件
1.web.xml
(1)shiro 官方 demo 中的 web.xml
<?xml version="1.0" encoding="UTF-8"?> <!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5"> <!-- ==================================================================
Context parameters
================================================================== -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext.xml</param-value>
</context-param> <!--
- Key of the system property that should specify the root directory of this
- web app. Applied by WebAppRootListener or Log4jConfigListener.
-->
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>spring-sample.webapp.root</param-value>
</context-param> <!-- ==================================================================
Servlet listeners
================================================================== -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener> <!-- ==================================================================
Filters
================================================================== -->
<!-- Shiro Filter is defined in the spring application context: -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter> <filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> <!-- ==================================================================
Servlets
================================================================== -->
<servlet>
<servlet-name>sample</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet> <servlet-mapping>
<servlet-name>sample</servlet-name>
<url-pattern>/s/*</url-pattern>
</servlet-mapping> <servlet>
<servlet-name>remoting</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet> <servlet-mapping>
<servlet-name>remoting</servlet-name>
<url-pattern>/remoting/*</url-pattern>
</servlet-mapping> <!-- ==================================================================
Welcome file list
================================================================== -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list> </web-app>
web.xml
(2)真实的环境的下 web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1"> <context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext*.xml</param-value>
</context-param> <listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener> <!-- Shiro Filter is defined in the spring application context: -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter> <filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> <servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
web.xml
2.spring-shiro.xml
(1)官方 demo 中的 applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> <!-- Sample RDBMS data source that would exist in any application - not Shiro related. -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
<property name="url" value="jdbc:hsqldb:mem:shiro-spring"/>
<property name="username" value="sa"/>
</bean>
<!-- Populates the sample database with sample users and roles. -->
<bean id="bootstrapDataPopulator" class="org.apache.shiro.samples.spring.BootstrapDataPopulator">
<property name="dataSource" ref="dataSource"/>
</bean> <!-- Simulated business-tier "Manager", not Shiro related, just an example -->
<bean id="sampleManager" class="org.apache.shiro.samples.spring.DefaultSampleManager"/> <!-- =========================================================
Shiro Core Components - Not Spring Specific
========================================================= -->
<!-- Shiro's main business-tier object for web-enabled applications
(use DefaultSecurityManager instead when there is no web environment)-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="cacheManager" ref="cacheManager"/>
<!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
<property name="sessionMode" value="native"/>
<property name="realm" ref="jdbcRealm"/>
</bean> <!-- Let's use some enterprise caching support for better performance. You can replace this with any enterprise
caching framework implementation that you like (Terracotta+Ehcache, Coherence, GigaSpaces, etc -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<!-- Set a net.sf.ehcache.CacheManager instance here if you already have one. If not, a new one
will be creaed with a default config:
<property name="cacheManager" ref="ehCacheManager"/> -->
<!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but you want
a specific Ehcache configuration to be used, specify that here. If you don't, a default
will be used.:
<property name="cacheManagerConfigFile" value="classpath:some/path/to/ehcache.xml"/> -->
</bean> <!-- Used by the SecurityManager to access security data (users, roles, etc).
Many other realm implementations can be used too (PropertiesRealm,
LdapRealm, etc. -->
<bean id="jdbcRealm" class="org.apache.shiro.samples.spring.realm.SaltAwareJdbcRealm">
<property name="name" value="jdbcRealm"/>
<property name="dataSource" ref="dataSource"/>
<property name="credentialsMatcher">
<!-- The 'bootstrapDataPopulator' Sha256 hashes the password
(using the username as the salt) then base64 encodes it: -->
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="SHA-256"/>
<!-- true means hex encoded, false means base64 encoded -->
<property name="storedCredentialsHexEncoded" value="false"/>
</bean>
</property>
</bean> <!-- =========================================================
Shiro Spring-specific integration
========================================================= -->
<!-- Post processor that automatically invokes init() and destroy() methods
for Spring-configured Shiro objects so you don't have to
1) specify an init-method and destroy-method attributes for every bean
definition and
2) even know which Shiro objects require these methods to be
called. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- Enable Shiro Annotations for Spring-configured beans. Only run after
the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean> <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations can be associated
with a Subject for security checks. -->
<bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
<property name="securityManager" ref="securityManager"/>
</bean> <!-- Define the Shiro Filter here (as a FactoryBean) instead of directly in web.xml -
web.xml uses the DelegatingFilterProxy to access this bean. This allows us
to wire things with more control as well utilize nice Spring things such as
PropertiesPlaceholderConfigurer and abstract beans or anything else we might need: -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/s/login"/>
<property name="successUrl" value="/s/index"/>
<property name="unauthorizedUrl" value="/s/unauthorized"/>
<!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean
defined will be automatically acquired and available via its beanName in chain
definitions, but you can perform overrides or parent/child consolidated configuration
here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="aName" value-ref="someFilterPojo"/>
</util:map>
</property> -->
<property name="filterChainDefinitions">
<value>
/favicon.ico = anon
/logo.png = anon
/shiro.css = anon
/s/login = anon
# allow WebStart to pull the jars for the swing app:
/*.jar = anon
# everything else requires authentication:
/** = authc
</value>
</property>
</bean> </beans>
applicationContext.xml
(2)实验中的 applicationContext-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="cacheManager" ref="cacheManager"/>
<property name="realm" ref="realm"/>
</bean> <bean id="realm" class="com.nucsoft.shiro.shiro.MyRealm"/> <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>
</bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitions">
<value>
/user.jsp = authc
/admin.jsp = roles[admin]
/** = anon
</value>
</property>
</bean>
</beans>
applicationContext-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="cacheManager" ref="cacheManager"/>
<property name="realm" ref="realm"/>
</bean> <bean id="realm" class="com.nucsoft.shiro.shiro.MyRealm"/> <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>
</bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean> <bean id="filterChainDefinitionMapBuilder" class="com.nucsoft.shiro.shiro.FilterChainDefinitionMapBuilder"/> <bean id="filterChainDefinitionMap" factory-bean="filterChainDefinitionMapBuilder" factory-method="getFilterChainDefinitionMap"/> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/login.jsp"/>
<property name="unauthorizedUrl" value="/unauthorized.jsp"/>
<property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"/>
</bean>
</beans>
applicationContext-shiro.xml
3.springmvc.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd"> <context:component-scan base-package="com.nucsoft.shiro.handler"/> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/pages/"/>
<property name="suffix" value=".jsp"/>
</bean> <mvc:annotation-driven/>
<mvc:default-servlet-handler/>
</beans>
dispatcherServlet-servlet.xml
四、shiro 中默认的过滤器名称以及使用
1.anno,匿名就可以访问,e:/admins/** = anno
2.authc,认证后可以访问,e:/user/** = authc
3.authcBasic,没有参数,表示需要通过 httpBasic 验证,如果不通过,跳转到登录页面。e:/user/** = authcBasic
4.logout
5.noSessionCreation,阻止在请求期间创建新的会话,以保证无状态的体验。
6.perms,e1:/admins/**=perms[user:add:*] ,e2:/admins/users/**=perms["user:add:*,user:modify:*"]
7.post,指定请求访问的端口,e:/admins/**=port[8080]
8.rest,根据请求的方法,e:/admins/user/**=perms[user.method],其中mothod 为 post,get,delete 等。
9.roles,角色过滤器,判断当前用户是否拥有指定的角色。
10.ssl,没有参数,表示协议为 https。
11.user,表示必须存在用户。
Shiro —— Spring 环境下的使用的更多相关文章
- Quartz —— Spring 环境下的使用
一.在 Spring 环境下 Quartz 的使用超级简单. 二.具体使用 1.添加对应的 spring-quartz 的配置文件. 2.新建要执行定时任务的目标类和目标方法,不需要继承 Job 接口 ...
- 在spring环境下集成ActiveMQ
1.参考文献 Spring集成ActiveMQ配置 Spring JMS异步发收消息 ActiveMQ 2.环境 在前面的一篇ActiveMQ入门实例中我们实现了消息的异步传送,这篇博文将如何在spr ...
- MyBatis在非Spring环境下第三方DataSource设置-Druid篇
首先在ITEye上面看到一个同标题文章,在此说明,此文并非转载自 http://iintothewind.iteye.com/blog/2069522 ,因为这篇文章根本就是错误的,照着上面做,工程可 ...
- Mybatis在非spring环境下配置文件中使用外部数据源(druidDatasource)
Spring环境下, MyBatis可以通过其本身的增强mybatis-spring提供的org.mybatis.spring.SqlSessionFactoryBean来注入第三方DataSourc ...
- MyBatis在Spring环境下的事务管理
MyBatis的设计思想很简单,可以看做是对JDBC的一次封装,并提供强大的动态SQL映射功能.但是由于它本身也有一些缓存.事务管理等功能,所以实际使用中还是会碰到一些问题--另外,最近接触了JFin ...
- Redis(十五)Redis 的一些常用技术(Spring 环境下)
一.Redis 事务与锁机制 1.Redis的基础事务 在Redis中开启事务的命令是 multi 命令, 而执行事务的命令是 exec 命令.multi 到 exec 命令之间的 Redis 命令将 ...
- 七年开发小结MyBatis 在 Spring 环境下的事务管理
MyBatis的设计思想很简单,可以看做是对JDBC的一次封装,并提供强大的动态SQL映射功能.但是由于它本身也有一些缓存.事务管理等功能,所以实际使用中还是会碰到一些问题——另外,最近接触了JFin ...
- 精讲RestTemplate第1篇-在Spring或非Spring环境下如何使用
一.什么是 RestTemplate? RestTemplate是执行HTTP请求的同步阻塞式的客户端,它在HTTP客户端库(例如JDK HttpURLConnection,Apache HttpCo ...
- Junit运行在Spring环境下
@RunWith(SpringJUnit4ClassRunner.class)让测试运行于Spring测试环境 @ContextConfiguration 用来指定加载的Spring配置文件的位置,会 ...
随机推荐
- React Native移动框架功能研究
React Native移动框架功能研究 此篇只研究React Native框架的功能. 一.React Natvie是什么 React Native是使用React(或者说JS)来开发原生APP的框 ...
- 我的ORM之四--删除
我的ORM索引 删除语法 var 影响行数 = dbr.表.Delete(条件).Execute(); 问题 1.如果没有Where条件,同样会报错.
- nim的引用和指针
nim语言的引用和其他语言的指针有点相似 可以提供一种“多对一”的关系 这就意味着不同的引用可以指向同一个内存位置 nim区分可被追踪的引用和不可被追踪的引用 不可被追踪的引用又称为指针 可被追踪的引 ...
- 渣渣小本求职复习之路每天一博客系列——Unix&Linux入门(5)
前情回顾:昨天简单地介绍了一下如何使用vi编辑器,例如命令模式和插入模式的切换,以及一些简单命令的讲解. —————————————————————————直接就开始吧———————————————— ...
- 自动备份文件到GITHUB的方法
由于一个制作着玩的项目需要制作上传文件的功能,自己又不是搞网站的,也不想去维护一个服务器. 于是开发了一个上传服务器,可以自动把我上传到服务器的数据同步到Github服务器 而github服务器又提供 ...
- Windows上帝模式,上帝应该就是这样使用Windows的
Windows上帝模式(Windows Master Control Panel)由来已久,最早是从Win7优化大湿里看到的一个选项,开启后在桌面生成一个图标,点进去后里面包含了几乎全部Windows ...
- Atitit 数据存储的数据表连接attilax总结
Atitit 数据存储的数据表连接attilax总结 1.1. 三种物理连接运算符:嵌套循环连接.合并连接以及哈希连接1 1.2. a.嵌套循环连接(nested loops join)1 1.3. ...
- fir.im Weekly - 你与优秀源码之间只差一个 Star
说起开源社区,Github 是一个不可缺少的存在.作为全球最大的同性交友网站,上面有太多优秀的开源代码库和编程大神,让无数开发者心生向往.那么如何正确的使用 Github,也许是编程学习之必要.来看下 ...
- 用例设计工具PICT — 输入组合覆盖
1 成对测试简介 成对测试(Pairwise Testing)又称结对测试.两两测试,是一种正交分析的测试技术.成对组合覆盖这一概念是Mandl于1985年在测试Aad编译程序时提出来的.是当不可能遍 ...
- angularJS自定义那些事
angularJS在数据处理方面很优秀. 使用angularJ给我感觉就像在写模板,然后对模板填入内容,只是这些内容不在是 在html页面编写,而是以数据的方式添加进去,这个也大大提高了编写的效率. ...