Shiro的permission管理,用户的认证和授权


Shiro的permission管理,用户的认证和授权demo步骤:
1.web.xml中配置:

<!-- web.xml fragment for the demo. Only the parts relevant to Shiro are shown here. -->
<display-name>shirodemo</display-name>
<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<!-- Spring context files to load: the application beans plus the Shiro beans in spring-shiro.xml. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml,classpath:spring-shiro.xml</param-value>
</context-param>
<!-- Apache Shiro access control: register the Shiro filter in web.xml. -->
<!-- DelegatingFilterProxy hands each request to the Spring bean whose id equals the filter-name ("shiroFilter"). -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- true: the servlet container's init/destroy calls are forwarded to the target bean. -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- NOTE(review): the filter is mapped only to *.do and *.jsp, so a request matching neither pattern -->
<!-- never reaches Shiro and is not subject to its URL rules. Confirm nothing sensitive is served -->
<!-- under another pattern, or map the filter to /* and mark static resources as anon. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

2.spring-shiro.xml

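<description>shiro权限管理配置</description>
<!-- Shiro enforces URL access control through this single filter bean. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <!-- Login page: unauthenticated requests to an authc-protected URL are redirected here. -->
    <property name="loginUrl" value="/login.jsp" />
    <!-- Page to redirect to after a successful login. -->
    <!-- NOTE(review): this points back at the login page; in this demo LoginController picks the -->
    <!-- post-login view itself, so the value looks unused. Confirm before relying on it. -->
    <property name="successUrl" value="/login.jsp" />
    <!-- Where a user is sent after requesting a resource they have no permission for. -->
    <property name="unauthorizedUrl" value="/error/noperms.jsp" />
    <!-- Which filter each URL pattern needs. Rules are evaluated top to bottom; the first match wins. -->
    <!-- A single "*" does not cross a "/" boundary, so "/*.jsp*" and "/*.do*" cover only top-level -->
    <!-- paths. The final "/** = authc" rule makes authentication the default for every other request -->
    <!-- that reaches this filter (for example a JSP in a subdirectory) instead of letting it pass. -->
    <!-- NOTE(review): "/login.do* = anon" also exposes every other handler of LoginController -->
    <!-- (login.do?myjsp, login.do?test) to anonymous users; those handlers need their own check. -->
    <property name="filterChainDefinitions">
        <value>
            /login.jsp* = anon
            /login.do* = anon
            /index.jsp*= anon
            /error/noperms.jsp*= anon
            /*.jsp* = authc
            /*.do* = authc
            /** = authc
        </value>
    </property>
</bean>

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Plug in the custom realm. -->
    <property name="realm" ref="monitorRealm" />
</bean>

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<!-- Custom realm, a subclass of AuthorizingRealm. -->
<!-- NOTE(review): no credentialsMatcher is configured on the realm; the demo compares unsalted MD5 -->
<!-- strings produced in application code. A real deployment should configure a salted, iterated -->
<!-- password hash on the realm instead. -->
<bean id="monitorRealm" class="com.shiro.service.MonitorRealm"></bean>

<!-- Publishes the securityManager through the static SecurityUtils.setSecurityManager(...) call. -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager" />
    <property name="arguments" ref="securityManager" />
</bean>

<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>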

3.spring-mvc.xml增加自动扫描

<!-- Component-scan every class under the controller package so Spring MVC registers them as controllers. -->
<context:component-scan  base-package="com.shiro.controller" />

4.applicationContext.xml增加自动扫描配置

 <!-- Component-scan the dao and service packages (for dependency injection). -->
 <!-- MonitorRealm lives in com.shiro.service and is annotated @Service("monitorRealm"). -->
 <context:component-scan base-package="com.shiro.dao,com.shiro.service" />

5.LoginController.java

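  package com.shiro.controller;

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;

import com.shiro.Utils.EncryptUtils;
import com.shiro.model.User;

/**
 * Login/logout controller for the Shiro demo, mapped under {@code login}.
 *
 * <p>The demo's filter chain maps {@code /login.do*} to {@code anon}, so every handler in
 * this class is reachable without authentication and must do its own checks where needed.
 */
@Controller
@RequestMapping(value = "login")
public class LoginController {

    private static final Logger LOG = Logger.getLogger(LoginController.class.getName());

    /**
     * Authenticates the submitted user code and password through Shiro.
     *
     * @param user    form-bound credentials (user code and clear-text password)
     * @param session HTTP session that receives the {@code userinfo} attribute on success
     * @param request current request (unused; kept for interface compatibility)
     * @return the {@code /main} view on success, otherwise {@code /login} with an error message
     */
    @RequestMapping(params = "main")
    public ModelAndView login(User user, HttpSession session, HttpServletRequest request) {
        ModelAndView modelView = new ModelAndView();
        // Authentication is the process of verifying who the caller is; SecurityUtils gives
        // access to the Subject representing the current user.
        Subject currentUser = SecurityUtils.getSubject();
        // NOTE(review): the credential handed to Shiro is an unsalted MD5 of the password, which
        // is too weak for password verification. Prefer passing the raw password and configuring
        // a salted, iterated hash on the realm's credentials matcher.
        UsernamePasswordToken token = new UsernamePasswordToken(
                user.getUsercode(), EncryptUtils.encryptMD5(user.getPassword()));
        // "Remember me" is switched on unconditionally here.
        // NOTE(review): this should normally be an explicit user choice.
        token.setRememberMe(true);

        // Success is decided by THIS login attempt only. Previously a failed attempt fell through
        // to an isAuthenticated() check, so a subject authenticated by an earlier request was
        // treated as logged in and the session's "userinfo" was overwritten with attacker-chosen
        // form data.
        boolean loggedIn = false;
        try {
            currentUser.login(token);
            loggedIn = currentUser.isAuthenticated();
        } catch (AuthenticationException e) {
            // Record only the failure type: no credentials and no raw user input in the log.
            LOG.log(Level.INFO, "Login attempt rejected: {0}", e.getClass().getSimpleName());
        } finally {
            // Drop the credential held by the token once the attempt is over.
            token.clear();
        }

        if (loggedIn) {
            user.setUserName("张三");
            // Never keep the submitted clear-text password in the HTTP session.
            user.setPassword(null);
            session.setAttribute("userinfo", user);
            modelView.setViewName("/main");
        } else {
            modelView.addObject("message", "登陆名或密码错误!");
            modelView.setViewName("/login");
        }
        return modelView;
    }

    /**
     * Logs the current subject out.
     *
     * @return the {@code /login} view
     */
    @RequestMapping(params = "logout")
    public String logout() {
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.logout();
        } catch (AuthenticationException e) {
            LOG.log(Level.WARNING, "Logout failed", e);
        }
        return "/login";
    }

    /**
     * Shows the {@code /my} view with a success message.
     *
     * @return the {@code /my} view for an authenticated subject, otherwise {@code /login}
     */
    @RequestMapping(params = "myjsp")
    public ModelAndView login2() {
        return authenticatedView("/my");
    }

    /**
     * Shows the {@code /test} view with a success message.
     *
     * @return the {@code /test} view for an authenticated subject, otherwise {@code /login}
     */
    @RequestMapping(params = "test")
    public ModelAndView login3() {
        return authenticatedView("/test");
    }

    /**
     * Builds the "login succeeded" model for {@code viewName}, but only for an authenticated
     * subject. These handlers sit under the anonymous {@code /login.do*} rule, so without this
     * check anyone could request them and be shown the success page.
     */
    private ModelAndView authenticatedView(String viewName) {
        ModelAndView modelView = new ModelAndView();
        if (SecurityUtils.getSubject().isAuthenticated()) {
            modelView.addObject("message", "登录成功!");
            modelView.setViewName(viewName);
        } else {
            modelView.setViewName("/login");
        }
        return modelView;
    }
}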

6.UserController.java

package com.shiro.controller;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Demo controller mapped under {@code user}. Each handler asks Shiro whether the current
 * subject holds the permission string for that URL before choosing a view.
 */
@Controller
@RequestMapping(value="user")
public class UserController {

    /**
     * Goes to the "my" page.
     *
     * @return {@code my} when the subject holds {@code user.do?myjsp}, else {@code error/noperms}
     */
    @RequestMapping(params = "myjsp")
    public String home() {
        return viewIfPermitted("user.do?myjsp", "my");
    }

    /**
     * Goes to the "notmyjsp" page.
     *
     * @return {@code notmyjsp} when the subject holds {@code user.do?notmyjsp},
     *         else {@code error/noperms}
     */
    @RequestMapping(params = "notmyjsp")
    public String nopermission() {
        return viewIfPermitted("user.do?notmyjsp", "notmyjsp");
    }

    /**
     * Returns {@code grantedView} when the current subject is permitted {@code permission},
     * and the no-permission error view otherwise. The permission set comes from the realm's
     * authorization info; a string absent from it is denied.
     */
    private String viewIfPermitted(String permission, String grantedView) {
        Subject subject = SecurityUtils.getSubject();
        return subject.isPermitted(permission) ? grantedView : "error/noperms";
    }
}

7.service层下的MonitorRealm.java

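package com.shiro.service;

import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.springframework.stereotype.Service;

import com.shiro.Utils.EncryptUtils;
import com.shiro.model.User;

/**
 * Demo realm that supplies Shiro with authentication and authorization data.
 *
 * <p>Both callbacks return hard-coded values. They are placeholders for a real user/role
 * lookup (the original left UserService, RoleService and LoginLogService injection commented
 * out) and must not be deployed as they stand.
 */
@Service("monitorRealm")
public class MonitorRealm extends AuthorizingRealm {

    public MonitorRealm() {
        super();
    }

    /**
     * Authorization data: Shiro calls this to obtain the subject's roles and permissions;
     * where they come from is up to the realm.
     *
     * <p>NOTE(review): {@code principals} is ignored, so every authenticated subject receives
     * the same role and permission set. A real implementation must load them per principal.
     *
     * @param principals identity of the subject being authorized (currently unused)
     * @return the fixed role and permission set of the demo
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
        Set<String> roleNames = new HashSet<String>();
        Set<String> permissions = new HashSet<String>();
        roleNames.add("111111");
        permissions.add("user.do?myjsp");
        permissions.add("login.do?main");
        permissions.add("login.do?logout");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        // Hand the permission strings back to Shiro.
        info.setStringPermissions(permissions);
        return info;
    }

    /**
     * Authentication data: returns the stored credentials that Shiro compares with the
     * submitted token.
     *
     * <p>NOTE(review): the account is a stub. Any non-blank user code is accepted as long as
     * the submitted credential equals the MD5 of {@code "admin"}, and the resulting principal
     * is always {@code "admin"}. Replace the stub with a lookup of the submitted user code and
     * throw {@link UnknownAccountException} when no account exists. Unsalted MD5 is also too
     * weak for stored passwords; use a salted, iterated hash via the realm's credentials
     * matcher.
     *
     * @param authcToken the submitted token; expected to be a {@link UsernamePasswordToken}
     * @return principal and stored credentials for comparison
     * @throws AuthenticationException if no user code was supplied
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String usercode = token.getUsername();
        // Reject a missing user code instead of authenticating a nameless account.
        if (usercode == null || usercode.trim().isEmpty()) {
            throw new UnknownAccountException("No user code supplied");
        }
        // TODO: load the account for usercode from the user store instead of building a stub.
        User user = new User();
        user.setUsercode(usercode);
        user.setUserName("admin");
        user.setPassword(EncryptUtils.encryptMD5("admin"));
        // Shiro compares these stored credentials with the token; on a mismatch it raises an
        // AuthenticationException for the caller to handle.
        return new SimpleAuthenticationInfo(user.getUserName(), user.getPassword(), getName());
    }

    /**
     * Clears the cached authorization info for one principal of this realm, so that changed
     * roles or permissions are re-read on the next check.
     *
     * @param principal the principal whose cached authorization info is dropped
     */
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }
}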

8.MD5散列工具类(MD5是单向散列,并非加密)EncryptUtils.java

 package com.shiro.Utils;

import org.apache.shiro.crypto.hash.Md5Hash;

/**
 * MD5 helper used by the demo for password comparison.
 *
 * <p>Despite the method name this is a one-way digest, not encryption. The digest is computed
 * without salt or iterations, which makes it unsuitable for protecting stored passwords;
 * treat it as demo code only.
 */
public class EncryptUtils {

    /**
     * Computes the MD5 digest of {@code source} with Shiro's {@link Md5Hash}.
     *
     * @param source text to hash; {@code null} is hashed as the empty string
     * @return the string form of the resulting {@link Md5Hash}
     */
    public static final String encryptMD5(String source) {
        String input = (source == null) ? "" : source;
        return new Md5Hash(input).toString();
    }
}

9.model实体类 User.java

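/**
 * User entity of the demo (imported elsewhere on this page as {@code com.shiro.model.User}).
 *
 * <p>The listing showed only the fields. The accessors below are the ones the controller and
 * realm code call, and Spring MVC needs the setters to bind the login form to this type.
 */
public class User {
    // Login identifier submitted by the user.
    private String usercode;
    // Display name.
    private String userName;
    // Password as submitted, or its hash; avoid keeping it on long-lived objects such as the session.
    private String password;

    /** @return the login identifier */
    public String getUsercode() {
        return usercode;
    }

    /** @param usercode the login identifier */
    public void setUsercode(String usercode) {
        this.usercode = usercode;
    }

    /** @return the display name */
    public String getUserName() {
        return userName;
    }

    /** @param userName the display name */
    public void setUserName(String userName) {
        this.userName = userName;
    }

    /** @return the password value currently held, possibly {@code null} */
    public String getPassword() {
        return password;
    }

    /** @param password the password value to hold; {@code null} clears it */
    public void setPassword(String password) {
        this.password = password;
    }
}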

10.eclipse结构图
这里写图片描述
