Shiro权限框架与SpringMVC整合

Posted gaojinshun

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Shiro权限框架与SpringMVC整合相关的知识,希望对你有一定的参考价值。

1.Shiro整合SpringMVC

  我们学习Shiro框架肯定是要应用到Web项目上的,所以我们需要整合Shiro和SpringMVC

整合步骤:

第一步:SpringMVC框架的配置

spring-mvc.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd">
    <!-- 开启mvc注解驱动 -->
    <mvc:annotation-driven/>
    <!-- 放开静态资源的访问 -->
    <mvc:default-servlet-handler/>
   <!-- 配置视图解释器 -->
   <mvc:view-resolvers>
       <mvc:jsp prefix="/WEB-INF/views/" suffix=".jsp"/>
   </mvc:view-resolvers>
    
</beans>

  spring-context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
    <!-- 注解组件扫描 -->
    <context:component-scan base-package="com.gjs.shiro">
        <!-- 排除不扫描的包 -->
        <context:exclude-filter type="regex" expression="pojo"/>
    </context:component-scan>

</beans>

  web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>shiro-springmvc-xml</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  
  <!-- 配置编码过滤器 -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <!-- 配置前端控制器 -->
    <servlet>
        <servlet-name>MVC</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <!-- 指定配置类 -->
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring*.xml</param-value>
        </init-param>
        
        <load-on-startup>1</load-on-startup>
    </servlet>
    
    <servlet-mapping>
        <servlet-name>MVC</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

  

  第二步:Shiro配置

  shiro.ini:

[main]
 shiroRealm=com.gjs.shiro.realm.ShiroRealm
 securityManager.realms=$shiroRealm

  ShiroRealm:

package com.gjs.shiro.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class ShiroRealm extends AuthorizingRealm
    /**
     * 校验
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException 
        System.out.println("校验");
        if ("admin".equals(token.getPrincipal())) 
            return new SimpleAuthenticationInfo(token.getPrincipal(), "123456", this.getName());
        
        return null;
    
    /**
     * 授权
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) 
        System.out.println("授权");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("role_admin");
        info.addStringPermission("user:list");
        info.addStringPermission("user:add");
        return info;
    

  第三步:springmvc和shiro整合

  Shiro是使用Filter拦截请求的,SpringMVC是使用Servlet拦截请求的。而Filter的拦截请求优先级别高于Servlet,那么我们如何让Shiro交给SpringMVC代理?
  Spring提供了一个Filter代理类,可以让Spring容器代理Filter的操作,DelegatingFilterProxy。实现了在过滤里面可以调用Spring容器的对象,可以让我们把原来配置在web.xml的过滤器配置在Spring配置文件里面(原来shiro配置在shiro.ini的配置也可以配置在Spring配置文件里)。

  1.在web.xml添加配置:

<!-- 配置代理过滤器,用来代理指定的对象(过滤器) -->
  <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      <!-- 指定调用容器里面的对象名,如果不指定默认使用filter-name -->
      <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>securityFilter</param-value>
      </init-param>
    <!-- 将目标过滤器的生命周期交给Spring容器代理 -->
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>      
  </filter>
  <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>

  修改后:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>shiro-springmvc-xml</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <!-- 配置代理过滤器,用来代理指定的对象(过滤器) -->
  <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      <!-- 指定调用容器里面的对象名,如果不指定默认使用filter-name -->
      <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>securityFilter</param-value>
      </init-param>
    <!-- 将目标过滤器的生命周期交给Spring容器代理 -->
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>      
  </filter>
  <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>
  
  <!-- 配置编码过滤器 -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    
    <!-- 配置前端控制器 -->
    <servlet>
        <servlet-name>MVC</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <!-- 指定配置类 -->
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring*.xml</param-value>
        </init-param>
        
        <load-on-startup>1</load-on-startup>
    </servlet>
    
    <servlet-mapping>
        <servlet-name>MVC</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

2.创建spring-shiro.xml配置文件

这个配置文件用来配置shiro的相关配置,并创建shiro过滤器用来给spring的代理过滤器调用
配置完毕我们之前的shiro的ini配置文件就可以删掉了

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- 配置shiro过滤器给spring的代理过滤器调用  name属性需与web.xml中代理过滤器配置的对象名一致 -->
    <bean name="securityFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- 指定安全管理器 securityManager-->
        <property name="securityManager" ref="securityManager"/>
        <!-- 登录url -->
        <property name="loginUrl" value="/user/login"></property>
        <!-- 配置拦截过滤链 -->
        <property name="filterChainDefinitions">
            <!-- shiro过滤器枚举值在org.apache.shiro.web.filter.mgt.DefaultFilter -->
            <value>
                /user/toLogin =anon
                /**=authc
            </value>
        </property>
    </bean>
    <!-- 配置SecurityManager 安全管理器 -->
    <bean name="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
         <!-- 配置securityManager的realm对象 -->
         <property name="realms" ref="shiroRealm"></property>
    </bean>
    <!-- 配置Realm -->
    <bean name="shiroRealm" class="com.gjs.shiro.realm.ShiroRealm"/>
</beans>

  3.权限控制器标签的使用

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags"%>
<!-- 以认证跳转到主页 -->
<shiro:authenticated>
   <jsp:forward page="/index"></jsp:forward>
</shiro:authenticated>
<!-- 未认证跳转到登录页面 -->
<shiro:notAuthenticated>
   <jsp:forward page="/user/login"></jsp:forward>
</shiro:notAuthenticated>
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>   
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
    <!-- 判断是否有指定的权限,有权限才显示 -->
   <shiro:hasPermission name="user:add">
      用户增加
   </shiro:hasPermission>
     <shiro:hasPermission name="user:edit">
      用户编辑
   </shiro:hasPermission>
     <shiro:hasPermission name="user:delete">
      用户删除
   </shiro:hasPermission>
     <shiro:hasPermission name="user:list">
      用户列表
   </shiro:hasPermission>
   
</body>
</html>

2.Shiro整合SpringMVC 基于注解

  第一步:配置webx.xml

<!-- 配置代理过滤器,用来代理指定的对象(过滤器) -->
  <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      <!-- 指定调用容器里面的对象名,如果不指定默认使用filter-name -->
      <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>securityFilter</param-value>
      </init-param>
    <!-- 将目标过滤器的生命周期交给Spring容器代理 -->
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>      
  </filter>
  <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
  </filter-mapping>

  第二步:配置Shiro配置类

package com.gjs.rbac.config;

import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.gjs.rbac.realms.ShiroRealm;

@Configuration
public class ShiroConfig 
    
    //1.配置shiro过滤器  用于给spring的代理过滤器调用
    @Bean("securityFilter")
    public Object getShiroFilterFactoryBean() 
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(this.getSecurityManager());
        factoryBean.setSuccessUrl("/toIndex");
        factoryBean.setLoginUrl("/user/login");
        
        //定义过滤器链,使用LinkedHashMap是因为它是有顺序的(添加顺序)
        Map<String, String> filterChain =new LinkedHashMap<>();
        filterChain.put("/user/toLogin", "anon");
        filterChain.put("/**", "authc");
        factoryBean.setFilterChainDefinitionMap(filterChain);
        try 
            return factoryBean.getObject();
         catch (Exception e) 
            e.printStackTrace();
        
        return null;
    
    
    //2.创建SecurityManager
    @Bean
    public SecurityManager getSecurityManager() 
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(this.getShiroRealm());
        return securityManager;
    
    //创建自定义的Realm
    @Bean
    public ShiroRealm getShiroRealm() 
        ShiroRealm shiroRealm = new ShiroRealm();
        return shiroRealm;
    

 

以上是关于Shiro权限框架与SpringMVC整合的主要内容,如果未能解决你的问题,请参考以下文章

安全框架 - Shiro与springMVC整合的注解以及JSP标签

shiro权限框架与spring框架轻松整合

Spring Boot:整合Shiro权限框架

ssh框架整合shiro权限

(转)shiro权限框架详解06-shiro与web项目整合(下)

springboot学习笔记-5 springboot整合shiro