SpringMVC + Mybatis + Shiro 权限整合
详细见参考文章:
基于Spring + Spring MVC + Mybatis 高性能web构建 http://blog.csdn.net/zoutongyuan/article/details/41379851
SpringMVC整合Shiro http://blog.csdn.net/jadyer/article/details/12208847
shiro+redis+springMvc整合配置及说明 http://blog.csdn.net/siqilou/article/details/44194165
Shiro的注解授权不起作用 http://segmentfault.com/q/1010000002719527, 在servlet.xml加入
Xml代码 <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/> |
, 否则controller无法使用注解.
shiro安全框架扩展教程–异常退出没有清除缓存信息处理方案 http://blog.csdn.net/shadowsick/article/details/17265625
这个方法可能可以避免使用 sessionValidationScheduler; 只要不使用它, 就能使用高版本的 quartz 了. 注意: 如果因此停用了会话的定期校验, 过期会话只会在被再次访问时才被校验, 无人访问的过期会话需要另行清理.
配置会话监听:
package com.pandy.core.security.session;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListener;

/**
 * Shiro session listener intended to be registered on the session manager's
 * {@code sessionListeners} list.
 *
 * <p>The body is elided in the original post. Shiro's {@link SessionListener}
 * interface declares the {@code onStart}, {@code onStop} and
 * {@code onExpiration} callbacks, each receiving the affected {@link Session};
 * an implementation has to provide all three.
 *
 * <p>NOTE(review): the surrounding text suggests this listener is meant to
 * clear cached data when a session ends abnormally; presumably that cleanup
 * belongs in {@code onStop}/{@code onExpiration} -- confirm against the
 * referenced article.
 */
public class CoreSessionListener implements SessionListener {
    ......
}
<!-- Session manager -->
<!--
  Registers CoreSessionListener so it is notified of session lifecycle events.
  NOTE(review): this bean only takes effect once it is injected into the
  security manager (a "sessionManager" property on the securityManager bean).
  The securityManager definition shown on this page does not reference it, and
  DefaultWebSecurityManager otherwise falls back to servlet-container sessions,
  for which these listeners are not invoked. Confirm the wiring in the real
  configuration.
-->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="sessionListeners">
        <list>
            <bean id="sessionListener" class="com.pandy.core.security.session.CoreSessionListener"/>
        </list>
    </property>
</bean>
一些配置参考:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
       default-lazy-init="true">

    <description>Shiro Configuration</description>

    <!-- Shiro's main business-tier object for web-enabled applications -->
    <!--
      No sessionManager is set here, so DefaultWebSecurityManager uses its
      default servlet-container session handling.
    -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="shiroDbRealm" />
        <property name="cacheManager" ref="cacheManager" />
    </bean>

    <!-- Project-specific Realm -->
    <bean id="shiroDbRealm" class="cn.ssms.realm.ShiroDbRealm">
        <property name="cacheManager" ref="cacheManager" />
    </bean>

    <!-- Shiro Filter -->
    <!--
      filterChainDefinitions is evaluated top to bottom and the first matching
      pattern wins, so the anon entries must stay above the catch-all
      "/** = authc". "/index.html = authc" is already covered by the catch-all.
      NOTE(review): "/logout.html = anon" leaves logout to application code;
      confirm that handler calls Subject.logout(), or map the URL to Shiro's
      built-in "logout" filter instead.
      NOTE(review): under "/** = authc" static resources (css/js/images) used
      by the login page also require authentication unless listed as anon.
    -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/tologin.html" />
        <property name="successUrl" value="/view/index.html" />
        <property name="unauthorizedUrl" value="/error/noperms.jsp" />
        <property name="filterChainDefinitions">
            <value>
                /index.html = authc
                /login.html = anon
                /tologin.html = anon
                /logout.html = anon
                /** = authc
            </value>
        </property>
    </bean>

    <!-- Cache for user authorization info -->
    <!--
      MemoryConstrainedCacheManager keeps entries in this JVM's memory only.
      Cached authorization data is therefore not shared between nodes, and a
      role/permission change is not visible until the cached entry is cleared.
    -->
    <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />

    <!-- Ensures that beans implementing Shiro's internal lifecycle callbacks get them invoked -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- AOP-style method-level permission checks -->
    <!--
      These two beans enable Shiro's authorization annotations on Spring
      beans. As noted earlier on this page, the advisor also has to be
      declared in the servlet context (servlet.xml) for the annotations to
      work on controllers.
    -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true" />
    </bean>

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>

</beans>
Realm类:
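package cn.ssms.realm;

import java.util.HashSet;
import java.util.Set;

import javax.annotation.PostConstruct;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

import cn.ssms.model.User;
import cn.ssms.service.UserService;
import cn.ssms.util.CipherUtil;
import cn.ssms.util.EncryptUtils;

/**
 * Shiro realm that authenticates users looked up through {@link UserService}
 * and supplies their roles and permissions.
 *
 * <p>NOTE(review): no credentials matcher is configured (the MD5 matcher at
 * the bottom of the class is commented out), so Shiro's default matcher
 * compares the submitted credentials with {@code user.getPassword()} by plain
 * equality. The stored value must therefore be exactly what the login code
 * puts into the token; whether that is a plaintext password or a value the
 * caller hashes first is not visible here -- confirm.
 */
public class ShiroDbRealm extends AuthorizingRealm {

    private static final Logger logger = LoggerFactory.getLogger(ShiroDbRealm.class);

    private static final String ALGORITHM = "MD5";

    @Autowired
    private UserService userService;

    public ShiroDbRealm() {
        super();
    }

    /**
     * Authentication callback, invoked by Shiro on login.
     *
     * @param authcToken the submitted token; cast to {@link UsernamePasswordToken},
     *                   which is the token type a realm supports by default
     * @return the stored principal and credentials for Shiro to compare with the token
     * @throws AuthenticationException if the token carries no username or no
     *                                 matching user exists
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String loginName = token.getUsername();
        if (loginName == null) {
            // Reject early instead of passing null down to the mapper.
            throw new AuthenticationException("Authentication failed");
        }

        User user = userService.findUserByLoginName(loginName);
        if (user == null) {
            // Neither the submitted name nor the User object is written to
            // the log: the former is attacker-controlled input, the latter
            // may expose the stored password through toString().
            logger.debug("Authentication lookup found no matching account");
            // Same generic failure as above so the caller cannot distinguish
            // "unknown account" from other authentication failures.
            throw new AuthenticationException("Authentication failed");
        }

        // The principal is user.getName(), not the submitted login name; the
        // same value must be used when clearing this user's cached authorization.
        return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
    }

    /**
     * Authorization callback, invoked when an access check is made and the
     * cache holds no authorization info for the principal.
     *
     * <p>NOTE(review): placeholder implementation. Every authenticated
     * principal receives the same hard-coded roles, including {@code admin},
     * and the same permissions; {@code principals} is ignored. Replace this
     * with a per-user lookup before relying on role or permission checks.
     *
     * @param principals the identity being authorized (currently unused)
     * @return the fixed role and permission set
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        /* Write the real authorization lookup here. */
        Set<String> roleNames = new HashSet<String>();
        Set<String> permissions = new HashSet<String>();
        roleNames.add("admin");
        roleNames.add("zhangsan");
        permissions.add("user.do?myjsp");
        permissions.add("login.do?main");
        permissions.add("login.do?logout");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        info.setStringPermissions(permissions);
        return info;
    }

    /**
     * Evicts the cached authorization info of one user so that it is
     * reloaded on the next access check.
     *
     * @param principal the principal value used at login (see
     *                  {@link #doGetAuthenticationInfo})
     */
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals =
                new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

    /**
     * Evicts the cached authorization info of all users.
     */
    public void clearAllCachedAuthorizationInfo() {
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        if (cache != null) {
            // clear() empties the cache in one call and avoids removing
            // entries while iterating over the cache's own key set.
            cache.clear();
        }
    }

    // NOTE(review): unsalted MD5 is not an adequate password hash. If a
    // matcher is enabled, prefer a salted, iterated scheme (for example
    // Shiro's PasswordMatcher) over the variant below.
    // @PostConstruct
    // public void initCredentialsMatcher() { // MD5 hashing
    //     HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
    //     setCredentialsMatcher(matcher);
    // }
}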
UserService实现类
/**
 * {@code UserService} implementation that delegates every lookup to the
 * injected {@code UserMapper} (presumably a MyBatis mapper -- its definition
 * is not shown on this page).
 */
@Service("userService")
public class UserServiceImpl implements UserService {

    @Autowired
    private UserMapper userMapper;

    /**
     * Loads a user by primary key.
     *
     * @param id the primary key passed to the mapper
     * @return whatever the mapper returns for that key
     */
    public User getUserById(int id) {
        final User found = userMapper.selectByPrimaryKey(id);
        return found;
    }

    /**
     * Loads a user by login name.
     *
     * <p>NOTE(review): the realm on this page passes the name taken from the
     * login token straight into this method, so it is untrusted input. The
     * mapper SQL is not shown; confirm it binds the value with {@code #{}}
     * rather than splicing it in with {@code ${}}.
     *
     * @param username the login name to look up
     * @return whatever the mapper returns for that name
     */
    public User findUserByLoginName(String username) {
        System.out.println("findUserByLoginName call!");
        final User match = userMapper.findUserByLoginName(username);
        return match;
    }
}