基于spring框架的apache shiro简单集成



基于spring框架的apache shiro简单集成

关于项目的安全保护，我一直想找一个简单配置就能达到目的的方法，自从接触了shiro，这个目标总算达成了，以下结合我使用shiro的经验，谈谈比较轻便地集成该功能。

首先我们先了解一下shiro是什么。

apache shiro 是一个功能强大和易于使用的Java安全框架，为开发人员提供一个直观而全面的的解决方案的认证，授权，加密，会话管理。

其实按照我个人的理解，就是个过滤器，按照配置（或者注解）的规则进行权限验证。

我的项目基于maven管理依赖jar包，首先把apache shiro相关需要用到的jar引入：

<!-- shiro -->
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-web</artifactId>
                <version>1.2.1</version>
            </dependency>
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-spring</artifactId>
                <version>1.2.1</version>
            </dependency>

            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-ehcache</artifactId>
                <version>1.2.1</version>
            </dependency>

其中shiro-web和shiro-spring必须，如果要缓存权限的话，就引入shiro-ehcache，后边会详细说道shiro-ehcache的使用。

看一下login.action里是如何实现用户登录写入的，获取用户表单信息以及查询数据库验证就不说了，直接上关键代码：

            //验证用户信息后进行token写入，这里为了简单，我把用户的id和姓名作为token的username和password
            UsernamePasswordToken token = new UsernamePasswordToken(m.getId()
                    .toString(), m.getUsername());
            Subject subject1 = SecurityUtils.getSubject();
            subject1.login(token);
            subject1.getSession();
    

 

既然是个过滤器，那我们就看一下这个过滤器的写法：

package com.airfey.tech.nuo.action.shiro.filter;

import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

import com.airfey.tech.nuo.common.security.MD5;
import com.airfey.tech.nuo.core.domain.Manager;
import com.airfey.tech.nuo.core.service.ManagerService;

public class shiroFilter implements Filter {
    //管理员用户service
    @Resource
    private ManagerService managerService;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        Subject subjects = SecurityUtils.getSubject();

        HttpServletRequest requestHttp = (HttpServletRequest) request;
        HttpServletResponse responseHttp = (HttpServletResponse) response;

        Principal principal = requestHttp.getUserPrincipal();
        if (null != principal) {
            //principal.getName()里保存的是用户的id，就是上边登录处token里的信息
            System.out.println(principal.getName());
            Manager m = managerService.findOne(Long.parseLong(principal
                    .getName()));
            if (null != m && 1 == m.getAudit()) {
                UsernamePasswordToken token = new UsernamePasswordToken(
                        m.getId(), m.getId());//作为例子，这里我只是把用户id放进了token，你可以修改成其它复杂点的信息
                Subject subject1 = SecurityUtils.getSubject();
                subject1.login(token);
                subject1.getSession();
            } else {
                if (subjects != null) {
                    subjects.logout();
                }
            }
        }
        

        chain.doFilter(requestHttp, responseHttp);

    }

    @Override
    public void destroy() {

    }

}

至此，可以说登录和过滤器已经完成了。然后就进行web.xml和spring文件以及权限验证的实现。

1、在web.xml里加入shiro的过滤器配置：

<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

此过滤器要位于所有过滤器的前面。

 2、权限验证代码实现，我们写一个realm类集成shiro的AuthorizingRealm

package com.airfey.tech.nuo.action.shiro.realm;

import javax.annotation.Resource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ShiroRealm extends AuthorizingRealm {

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException(
                    "PrincipalCollection method argument cannot be null.");
        }
        String username = (String) getAvailablePrincipal(principals);
        System.out.println("-------------------" + username);//输出的其实是用户id

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // 增加默认角色
        info.addRole("ROLE_USER");
        /*以下可以从数据库获取用户的角色以及权限信息，获取到的信息添加入info即可，具体获取数据库的代码我就省略了*/
        // // 增加自定义角色
        // if (null != userInfo.getRoleList()) {
        // for (RoleInfo roleInfo : userInfo.getRoleList()) {
        // if (null != roleInfo.getName()
        // && !"".equals(roleInfo.getName())) {
        // info.addRole(roleInfo.getName());
        // }
        // }
        // }
        // if (null != userInfo.getModuleInfo()) {
        // for (ModuleInfo moduleInfo : userInfo.getModuleInfo()) {
        // if (null != moduleInfo.getGuid()
        // && !"".equals(moduleInfo.getGuid())) {
        // info.addStringPermission(moduleInfo.getGuid());
        // }
        // }
        // }

        return info;

    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String userName = token.getUsername();
        if (userName != null && !"".equals(userName)) {

            return new SimpleAuthenticationInfo(token.getPrincipal(),
                    token.getPassword(), token.getUsername());
        }
        return null;
    }

    /**
     * 清空用户关联权限认证，待下次使用时重新加载。
     * 
     * @param principal
     */
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(
                principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

    /**
     * 清空所有关联认证
     */
    public void clearAllCachedAuthorizationInfo() {
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        if (cache != null) {
            for (Object key : cache.keys()) {
                cache.remove(key);
            }
        }
    }
}

3、applicationContext.xml的配置 (这里只保留了shiro相关的信息)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.0.xsd">
    
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="successUrl" value="/manage/index.do" />
        <property name="loginUrl" value="/manage/login.do" />
        <property name="unauthorizedUrl" value="/manage/401.html" />
        <property name="filters">
            <map>
                <entry key="authc" value-ref="shiro"></entry>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /manage/admin.html = authc,perms[shiro_admin:view]
                /manage/user.html=authc,perms[shiro_user:view]
                /manage/login.do=anon
                /manage/401.html=anon
                /manage/js/**=anon 
 /manage/img/**=anon                 /manage/kindeditor/**=anon
                /manage/**=authc,roles["ROLE_USER"]
                /**=anon
            </value>
        </property>
    </bean>
    <bean id="shiro" class="com.airfey.tech.nuo.action.shiro.filter.shiroFilter">
        
    </bean>
    <bean id="shiroRealm" class="com.airfey.tech.nuo.action.shiro.realm.ShiroRealm" />
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="shiroRealm" />
        <property name="cacheManager" ref="shiroEhcacheManager" />
    </bean>

    <!-- 用户授权信息Cache, 采用EhCache，需要的话就配置上此信息 -->
    <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" />
    </bean>

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
    <bean
        class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
        depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true" />
    </bean>
    <bean
        class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>

    
</beans>

验证规则里如下让静态文件比如js img 目录配置上anon

/manage/admin.html = authc,perms[shiro_admin:view]

/manage/user.html=authc,perms[shiro_user:view]

/manage/login.do=anon

/manage/401.html=anon

/manage/js/**=anon

/manage/img/**=anon

/manage/kindeditor/**=anon

/manage/**=authc,roles["ROLE_USER"]

/**=anon

 

结束，收工。好久不写这么长的博文了，敲起来真费劲。原创文章，文中难免有遗漏或者错误之处，请指正。