小白用shiro(1)
阿新 • • 發佈:2018-12-12
本文來自網易雲社群
作者:王飛
首先引入一段關於shiro的介紹:
開發系統中,少不了許可權,目前java裡的許可權框架有SpringSecurity和Shiro(以前叫做jsecurity),對於SpringSecurity:功能太過強大以至於功能比較分散,使用起來也比較複雜,跟Spring結合的比較好。對於初學Spring Security者來說,曲線還是較大,需要深入學習其原始碼和框架,配置起來也需要費比較大的力氣,擴充套件性也不是特別強。
對於新秀Shiro來說,好評還是比較多的,使用起來比較簡單,功能也足夠強大,擴充套件性也較好。聽說連Spring的官方都不用Spring Security,用的是Shiro,足見Shiro的優秀。網上找到兩篇介紹: http://www.infoq.com/cn/articles/apache-shiro http://www.ibm.com/developerworks/cn/opensource/os-cn-shiro/,http://itindex.net/detail/50410-apache-shiro-%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8C,官網http://shiro.apache.org/ ,使用和配置起來還是比較簡單。
下面只是簡單介紹下我們是如何配置和使用Shiro的。
pom.xml引入相關jar包
1 <!-- spring結合 --> 2 <dependency> 3 <groupId>org.apache.shiro</groupId> 4 <artifactId>shiro-spring</artifactId> 5 <version>1.4.0</version> 6 </dependency> 7 <!--快取包--> 8 <dependency> 9 <groupId>org.apache.shiro</groupId> 10 <artifactId>shiro-ehcache</artifactId> 11 <version>1.4.0</version> 12 </dependency> 13 <!--核心包--> 14 <dependency> 15 <groupId>org.apache.shiro</groupId> 16 <artifactId>shiro-core</artifactId> 17 <version>1.4.0</version> 18 </dependency>
web.xml增加過濾
1 <!-- shiro 許可權控制的過濾器 --> 2 <filter> 3 <filter-name>shiroFilter</filter-name> 4 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 5 </filter> 6 7 <filter-mapping> 8 <filter-name>shiroFilter</filter-name> 9 <url-pattern>/*</url-pattern> 10 </filter-mapping>
增加一個shiro.xml的配置檔案
1 <?xml version="1.0" encoding="UTF-8"?> 2 <beans xmlns="http://www.springframework.org/schema/beans" 3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee" 4 xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context" 5 xmlns:util="http://www.springframework.org/schema/util" 6 xsi:schemaLocation=" 7 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 8 http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd 9 http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd 10 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd11 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"12 default-lazy-init="false"> 13 14 <!-- 快取管理器 使用memory實現 --> 15 16 17 <!--rememberMe 30天 --> 18 <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> 19 <constructor-arg value="COOKIE_NAME" /> 20 <property name="httpOnly" value="true" /> 21 <property name="maxAge" value="2592000" /> 22 23 </bean> 24 25 <!-- rememberMe管理器 --> 26 <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager"> 27 <property name="cipherKey" value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}" /> 28 <property name="cookie" ref="rememberMeCookie" /> 29 </bean> 30 31 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> 32 <!-- 繼承AuthorizingRealm的類--> 33 <property name="realm" ref="userRealm" /> 34 <property name="rememberMeManager" ref="rememberMeManager" /> 35 </bean> 36 37 <!-- Shiro Filter --> 38 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 39 <property name="securityManager" ref="securityManager" /> 40 <property name="loginUrl" value="/openid" /> 41 <property name="successUrl" value="/manage" /> 42 <property name="unauthorizedUrl" value="/openid" /> 43 <property name="filterChainDefinitions"> 44 <value> 45 /api/**=anon46 /res/**=anon47 /src/**=anon48 /health/**=anon49 /logout=authc50 /openid=anon51 /callback=anon52 /=authc53 /**=anon54 </value> 55 </property> 56 </bean> 57 58 59 <!-- Shiro生命週期處理器 --> 60 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> 61 62 </beans>
對bean的掃描配置
1 <!-- shiro相關的配置檔案和路徑掃描的配置必須要放在專案的mvc的配置檔案(即xxx-servlet.xml)裡 --> 2 <aop:config proxy-target-class="true" /> 3 4 <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> 5 <property name="securityManager" ref="securityManager" /> 6 </bean>
UserRealm
1 @Component 2 public class UserRealm extends AuthorizingRealm { 3 4 private Logger logger = org.slf4j.LoggerFactory.getLogger(UserRealm.class); 5 6 public final static String CREDENTIALS = "openid"; 7 8 @Autowired 9 private SessionService sessionService; 10 @Autowired 11 private PermissionService permissionService; 12 13 // 記錄是否已經設定過PemissionResover 14 private boolean hasSetPemissionResover = false; 15 16 @Override 17 public PermissionResolver getPermissionResolver() { 18 if (!hasSetPemissionResover) { 19 setPermissionResolver(new WildcardExtPermissionResolver()); 20 hasSetPemissionResover = true; 21 } 22 return super.getPermissionResolver(); 23 } 24 25 /** 26 * 獲取授權資訊 27 * 28 * @param principals 29 * @return 30 */ 31 @Override 32 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 33 try { 34 Iterator<String> iter = principals.fromRealm(getName()).iterator(); 35 if (!iter.hasNext()) { 36 logger.info("shiro 驗證 無許可權"); 37 return null; 38 } 39 String email = iter.next(); 40 if (!Strings.isNullOrEmpty(email)) { 41 // set session 42 SessionObject so = sessionService.getSession(email); 43 if (so == null) { 44 logger.info("so 快取為空"); 45 return null; 46 } 47 SessionUtils.setSo(so); 48 49 // set auth 50 SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); 51 info.addStringPermissions(permissionService.getPermsForUser(so.getRoleId())); 52 return info; 53 } 54 logger.info("郵箱為空"); 55 return null; 56 } catch (Exception e) { 57 logger.error("shiro 許可權獲取異常:", e); 58 return null; 59 } 60 } 61 62 /** 63 * 獲取身份驗證相關資訊: 64 * 65 * @param authcToken 66 * @return 67 * @throws AuthenticationException 68 */ 69 @Override 70 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException { 71 try { 72 UsernamePasswordToken token = (UsernamePasswordToken) authcToken; 73 String email = token.getUsername(); 74 String password = new String(token.getPassword()); 75 if (!StringUtils.isEmpty(email) && CREDENTIALS.equals(password)) { 76 SessionObject so = SessionUtils.getSo(); 77 sessionService.addOrUpdateSession(so); 78 return new SimpleAuthenticationInfo(email, CREDENTIALS, getName()); 79 } 80 logger.info("登入驗證失敗,shiro 不新增許可權資訊"); 81 return null; 82 } catch (Exception e) { 83 logger.error("shiro 身份驗證異常:", e); 84 return null; 85 } 86 } 87 88 89 }
登入呼叫
UsernamePasswordToken token = new UsernamePasswordToken( "username", "password", true); SecurityUtils.getSubject().login(token);
退出呼叫
1 SecurityUtils.getSubject().logout();
許可權註解
@RequiresPermissions(value = {"ROLE_KEY"})
網易雲免費體驗館,0成本體驗20+款雲產品!
更多網易研發、產品、運營經驗分享請訪問網易雲社群。