項目結構:
applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <!-- Sample RDBMS data source that would exist in any application - not Shiro related. --> <!-- <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="org.hsqldb.jdbcDriver"/> <property name="url" value="jdbc:hsqldb:mem:shiro-spring"/> <property name="username" value="sa"/> </bean> --> <!-- Populates the sample database with sample users and roles. --> <!-- <bean id="bootstrapDataPopulator" class="org.apache.shiro.samples.spring.BootstrapDataPopulator"> <property name="dataSource" ref="dataSource"/> </bean> --> <!-- Simulated business-tier "Manager", not Shiro related, just an example --> <!-- <bean id="sampleManager" class="org.apache.shiro.samples.spring.DefaultSampleManager"/> --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="cacheManager" ref="cacheManager"/> <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. --> <!-- <property name="sessionMode" value="native"/> --> <!-- Realm,實現類 --> <property name="realm" ref="jdbcRealm"/> </bean> <bean id="jdbcRealm" class="com.shiro.bean.ShiroRealm"> <!-- 配置密碼加密使用MD5加密 --> <property name="CredentialsMatcher"> <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <property name="hashAlgorithmName" value="MD5"></property> <property name="hashIterations" value="1024"></property> </bean> </property> </bean> <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/> </bean> <!-- <bean id="jdbcRealm" class="org.apache.shiro.samples.spring.realm.SaltAwareJdbcRealm"> <property name="name" value="jdbcRealm"/> <property name="dataSource" ref="dataSource"/> <property name="credentialsMatcher"> The 'bootstrapDataPopulator' Sha256 hashes the password (using the username as the salt) then base64 encodes it: <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <property name="hashAlgorithmName" value="SHA-256"/> true means hex encoded, false means base64 encoded <property name="storedCredentialsHexEncoded" value="false"/> </bean> </property> </bean> --> <!-- 必須要有這樣一個實例,用來管理在Spring容器當中的Shiro常見的對象 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- 啟用Shiro注解 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- 網絡方面 --> <bean id="secureRemoteInvocationExecutor"
class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- 配置ShiroFilter 1.shiroFilter這個bean的id必須與web.xml文件中的filter-name保持一致 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="/login.jsp"/> <property name="successUrl" value="/success.jsp"/> <property name="unauthorizedUrl" value="/adb.jsp"/> <!-- shiro過濾器具體配置 --> <property name="filterChainDefinitions"> <value> /login.jsp = anon /login = anon /logout =logout /** = authc </value> </property> </bean> </beans>
spring-mvc.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> <!-- 視圖資源管理器 --> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/"></property> <property name="suffix" value=".jsp"></property> </bean> <context:component-scan base-package="*"></context:component-scan> <mvc:annotation-driven></mvc:annotation-driven> <mvc:default-servlet-handler/> </beans>
web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <!-- Spring的配置聲明 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:applicationContext.xml</param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- SpringMVC的配置聲明 --> <servlet> <servlet-name>SpringDispatcherServlet</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet </servlet-class> <init-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring-mvc.xml</param-value> </init-param> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>SpringDispatcherServlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <!-- Filter的代理類 代理類會到IOC容器中找在filter-name當值對應的bean對象 --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
緩存設置使用默認的hibernate的緩存
登錄Action
package com.shiro.action; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; @Controller public class LoginAction { @RequestMapping("/login") public String login(@RequestParam("username") String username, @RequestParam("password")String password){ //創建subject實例 Subject subject = SecurityUtils.getSubject(); //判斷當前用戶是否登錄 if(subject.isAuthenticated()==false){ //將用戶名及密碼封裝交個UsernamePasswordToken UsernamePasswordToken token = new UsernamePasswordToken(username,password); try { subject.login(token); } catch (AuthenticationException e) { System.out.println("驗證不通過,無法登錄!"); return "error"; } } return "success"; } }
relam域的調用是由Shrio后台進行調用。
package com.shiro.bean; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.crypto.hash.SimpleHash; import org.apache.shiro.realm.AuthenticatingRealm; /** * * @author layne * *Action方法中執行subject.login(token)時會通過IOC容器調取Realm域進行數據和前端數據比對 */ public class ShiroRealm extends AuthenticatingRealm { /** * Returns all principals associated with the corresponding Subject. Each principal is an identifying piece of * information useful to the application such as a username, or user id, a given name, etc - anything useful * to the application to identify the current <code>Subject</code>. * <p/> * The returned PrincipalCollection should <em>not</em> contain any credentials used to verify principals, such * as passwords, private keys, etc. Those should be instead returned by {@link #getCredentials() getCredentials()}. * * @return all principals associated with the corresponding Subject. * * doGetAuthenticationInfo,獲取認證消息,如果數據庫沒有數據,返回null. * * AuthenticationInfo可以使用 SimpleAuthenticationInfo實現類,封裝給正確用戶名和密碼 * * token參數:需要驗證的token * */ @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken token) throws AuthenticationException { /** * 1.將token轉換為UsernamePasswordToken * * 2.獲取用戶名 * * 3.查詢數據庫,進行驗證 * * 4.結果返回 * * 5.驗證不通過,拋出異常 */ //1.將token轉換為UsernamePasswordToken UsernamePasswordToken upToken = (UsernamePasswordToken)token; //2.獲取用戶名 String userName = upToken.getUsername(); //獲取用戶名后。通過查詢用戶名查詢數據庫是否有值,有值則進行密碼驗證。 SimpleAuthenticationInfo info=null; //3。查詢數據庫 //使用JDBC鏈接數據庫進行查詢 try { Class.forName("com.mysql.jdbc.Driver"); String url="jdbc:mysql://localhost:3306/test"; Connection conn=DriverManager.getConnection(url,"root",""); PreparedStatement ps = conn.prepareStatement("select * from account where name=?"); ps.setString(1, userName); ResultSet rs = ps.executeQuery(); if(rs.next()){ Object principal=userName; Object credentials=rs.getString(3); String realmName=this.getName(); //SimpleHash sh=new SimpleHash(algorithmName, source, salt, iterations); //加密類型 加密資源 鹽值加密 加密次數 //給從數據庫中拿到的密碼做MD5的加密 SimpleHash sh=new SimpleHash("MD5", credentials, null, 1024); //info = new SimpleAuthenticationInfo(principal, credentials, realmName); info = new SimpleAuthenticationInfo(principal, sh, realmName); }else{ throw new AuthenticationException(); } } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (SQLException e) { e.printStackTrace(); } return info; } }
該項目jar使用spring framerwork-4.0.0在使用4.2.3會報找不到相關的緩存class文件。