Environment Setup and Spring Integration (in a Maven Project)
1. Add the dependency
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-all</artifactId>
    <version>1.2.3</version>
</dependency>
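2. Configure web.xml
- This filter does not itself process requests or make business decisions; it is Spring's delegating proxy filter, which only intercepts. Tomcat manages Filters, Listeners and Servlets in its own container, which is not managed by Spring, so the Spring container cannot inject directly into the Servlet container. The proxy therefore intercepts each request and delegates its handling to the filter factory in Spring. The Spring IoC container must contain a bean whose id is shiroFilter and whose type is ShiroFilterFactoryBean.
<!-- Shiro Security filter. The filter-name value is used again later in Spring -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Note: if you use Struts2, this filter must be placed before the Struts2 filter, because the Struts2 filter has no notion of passing a request on down the chain.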
Integrating Shiro with Spring: applicationContext.xml
Steps for configuring the Shiro objects in Spring:
- Create the ShiroFilterFactoryBean and inject the SecurityManager.
- filterChainDefinitions: the filter chain
Filter short name | Java class |
---|---|
anon: anonymous-access filter; resources mapped here are let straight through | org.apache.shiro.web.filter.authc.AnonymousFilter |
authc: authentication filter | org.apache.shiro.web.filter.authc.FormAuthenticationFilter |
authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter |
perms: authorization filter | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter |
port | org.apache.shiro.web.filter.authz.PortFilter |
rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter |
roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter |
ssl | org.apache.shiro.web.filter.authz.SslFilter |
user | org.apache.shiro.web.filter.authc.UserFilter |
logout | org.apache.shiro.web.filter.authc.LogoutFilter |
/index.jsp* = anon
/home* = anon
/sysadmin/login/login.jsp* = anon
/sysadmin/login/loginAction_logout* = anon
/login* = anon
/logout* = anon
/components/** = anon
/css/** = anon
/img/** = anon
/js/** = anon
/plugins/** = anon
/images/** = anon
/js/** = anon
/make/** = anon
/skin/** = anon
/stat/** = anon
/ufiles/** = anon
/validator/** = anon
/resource/** = anon
/** = authc
/*.* = authc
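anon - resources that are let straight through.
authc - resources under this path require authentication.
perms - resources under this path require authorization.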
- Create the SecurityManager and inject the realm
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"></property>
</bean>
Note: the Realm does not know which database we use or what data to fetch, so we have to create and specify the Realm ourselves.
- Create the custom Realm and inject the credentials matcher
<!--3. Create the custom Realm-->
<bean id="myRealm" class="com.shirodemo.realm.LoginRealm">
    <!--Inject the credentials matcher-->
    <property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
- Create the credentials matcher and inject the hash algorithm
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
    <!--Specify the hash algorithm-->
    <property name="hashAlgorithmName" value="md5"/>
</bean>
Complete version
<!--1. Create the ShiroFilterFactoryBean-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!--Page to redirect to when authentication fails-->
    <property name="loginUrl" value="/login.jsp"/>
    <!--Page shown after successful authentication. If the code specifies a redirect, the address in the code takes precedence; usually the page the login code redirects to is the one that applies-->
    <property name="successUrl" value="/home.jsp"/>
    <!--Page shown when the authorization check fails-->
    <property name="unauthorizedUrl" value="/login.jsp"/>
    <!--Filter chain-->
    <property name="filterChainDefinitions">
        <value>
            /index.jsp* = anon
            /home* = anon
            /sysadmin/login/login.jsp* = anon
            /sysadmin/login/loginAction_logout* = anon
            /login* = anon
            /logout* = anon
            /components/** = anon
            /css/** = anon
            /img/** = anon
            /js/** = anon
            /plugins/** = anon
            /images/** = anon
            /js/** = anon
            /make/** = anon
            /skin/** = anon
            /stat/** = anon
            /ufiles/** = anon
            /validator/** = anon
            /resource/** = anon
            /** = authc
        </value>
    </property>
</bean>
<!--2. Create the securityManager-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"></property>
</bean>
<!--3. Create the custom Realm-->
<bean id="myRealm" class="com.shirodemo.realm.LoginRealm">
    <!--Inject the credentials matcher-->
    <property name="credentialsMatcher" ref="credentialsMatcher"/>
</bean>
<!--4. Create the credentials matcher-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
    <!--Specify the hash algorithm-->
    <property name="hashAlgorithmName" value="md5"/>
</bean>
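The myRealm bean points at com.shirodemo.realm.LoginRealm, which this page configures but does not show. The following is an added sketch of such a realm, not code from the original page: it shows how the realm hands the stored hash and salt to the injected HashedCredentialsMatcher and supplies permissions for the perms filter. The in-memory user table, the salt, the password and the permission name are constructed or hypothetical stand-ins for a real database.

```java
package com.shirodemo.realm;

import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Added sketch of the realm behind the myRealm bean; the user store is constructed sample data.
public class LoginRealm extends AuthorizingRealm {
    // Constructed stand-in for the database: username -> {salt, hex MD5 of salt then password}.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        String salt = "constructed-salt-1";
        USERS.put("alice", new String[] { salt, new Md5Hash("example-password", salt).toHex() });
    }

    // Authentication: return the STORED hash and salt; the realm never compares passwords itself.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String[] row = USERS.get(username);
        if (row == null) {
            throw new UnknownAccountException("unknown account");
        }
        // The injected HashedCredentialsMatcher hashes the submitted password with this salt
        // (md5, one iteration by default) and compares the result with row[1].
        return new SimpleAuthenticationInfo(username, row[1], ByteSource.Util.bytes(row[0]), getName());
    }

    // Authorization: supplies the permissions that the perms filter checks.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if ("alice".equals(principals.getPrimaryPrincipal())) {
            info.addStringPermission("sysadmin:view"); // hypothetical permission name
        }
        return info;
    }
}
```

HashedCredentialsMatcher also has a hashIterations property and accepts other hashAlgorithmName values such as SHA-256. Stored hashes must be produced with the same algorithm, salt and iteration count that the matcher is configured with.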