`
abccyz
  • 浏览: 16907 次
  • 性别: Icon_minigender_1
  • 来自: 杭州
社区版块
存档分类
最新评论

Shiro权限框架

 
阅读更多

开发系统中,少不了权限,目前java里的权限框架有SpringSecurity和Shiro(以前叫做jsecurity),对于SpringSecurity:功能太过强大以至于功能比较分散,使用起来也比较复杂,跟Spring结合的比较好。对于初学SpringSecurity者来说,曲线还是较大,需要深入学习其源码和框架,配置起来也需要费比较大的力气,扩展性也不是特别强。

对于新秀Shiro来说,好评还是比较多的,使用起来比较简单,功能也足够强大,扩展性也较好。听说连Spring的官方都不用SpringSecurity,用的是Shiro,足见Shiro的优秀。网上找到两篇介绍:http://www.infoq.com/cn/articles/apache-shirohttp://www.ibm.com/developerworks/cn/opensource/os-cn-shiro/,官网http://shiro.apache.org/,使用和配置起来还是比较简单。下面只是简单介绍下我们是如何配置和使用Shiro的(暂时只用到了Shiro的一部分,没有配置shiro.ini文件)。

首先是添加过滤器,在web.xml中:

<filter>

<filter-name>shiroFilter</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

<init-param>

<param-name>targetFilterLifecycle</param-name>

<param-value>true</param-value>

</init-param>

</filter>

<filter-mapping>

<filter-name>shiroFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

权限的认证类:

publicclassShiroDbRealmextendsAuthorizingRealm{

@Inject

privateUserServiceuserService;

/**

*认证回调函数,登录时调用.

*/

protectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationTokenauthcToken)
throwsAuthenticationException{

UsernamePasswordTokentoken=(UsernamePasswordToken)authcToken;

Useruser=userService.getUserByUserId(token.getUsername());

if(user!=null){

returnnewSimpleAuthenticationInfo(user.getUserId(),user.getUserId(),getName());

}else{

returnnull;

}

}

/**

*授权查询回调函数,进行鉴权但缓存中无用户的授权信息时调用.

*/

protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionprincipals){

StringloginName=(String)principals.fromRealm(getName()).iterator().next();

Useruser=userService.getUserByUserId(loginName);

if(user!=null){

SimpleAuthorizationInfoinfo=newSimpleAuthorizationInfo();

info.addStringPermission("common-user");

returninfo;

}else{

returnnull;

}

}

}

Spring的配置文件:

<?xmlversion="1.0"encoding="UTF-8"?>

<beans>

<description>ShiroConfiguration</description>

<beanclass="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>

<beanid="securityManager"class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<propertyname="realm"ref="shiroDbRealm"/>

</bean>

<beanid="shiroDbRealm"class="com.company.service.common.shiro.ShiroDbRealm"/>

<beanid="shiroFilter"class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<propertyname="securityManager"ref="securityManager"/>

<propertyname="loginUrl"value="/common/security/login"/>

<propertyname="successUrl"value="/common/security/welcome"/>

<propertyname="unauthorizedUrl"value="/common/security/unauthorized"/>

<propertyname="filterChainDefinitions">

<value>

/resources/**=anon

/manageUsers=perms[user:manage]

/**=authc

</value>

</property>

</bean>

<beanid="lifecycleBeanPostProcessor"class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<beanclass="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"depends-on="lifecycleBeanPostProcessor"/>

<beanclass="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

<propertyname="securityManager"ref="securityManager"/>

</bean>

</beans>

登录的Controller:

@Controller

@RequestMapping(value="/common/security/*")

publicclassSecurityController{

@Inject

privateUserServiceuserService;

@RequestMapping(value="/login")

publicStringlogin(StringloginName,Stringpassword,
HttpServletResponseresponse,HttpServletRequestrequest)throwsException{

Useruser=userService.getUserByLogin(loginName);

if(null!=user){

setLogin(loginInfoVO.getUserId(),loginInfoVO.getUserId());

return"redirect:/common/security/welcome";

}else{

return"redirect:/common/path?path=showLogin";

}

};

publicstaticfinalvoidsetLogin(StringuserId,Stringpassword){

SubjectcurrentUser=SecurityUtils.getSubject();

if(!currentUser.isAuthenticated()){

//collectuserprincipalsandcredentialsinaguispecificmanner

//suchasusername/passwordhtmlform,X509certificate,OpenID,etc.

//We'llusetheusername/passwordexampleheresinceitisthemostcommon.

//(doyouknowwhatmoviethisisfrom?;)

UsernamePasswordTokentoken=newUsernamePasswordToken(userId,password);

//thisisallyouhavetodotosupport'rememberme'(noconfig-builtin!):

token.setRememberMe(true);

currentUser.login(token);

}

};

@RequestMapping(value="/logout")

@ResponseBody

publicvoidlogout(HttpServletRequestrequest){

Subjectsubject=SecurityUtils.getSubject();

if(subject!=null){

subject.logout();

}

request.getSession().invalidate();

};

}

注册和获取当前登录用户:

publicstaticfinalvoidsetCurrentUser(Useruser){

SubjectcurrentUser=SecurityUtils.getSubject();

if(null!=currentUser){

Sessionsession=currentUser.getSession();

if(null!=session){

session.setAttribute(Constants.CURRENT_USER,user);

}

}

};

publicstaticfinalUsergetCurrentUser(){

SubjectcurrentUser=SecurityUtils.getSubject();

if(null!=currentUser){

Sessionsession=currentUser.getSession();

if(null!=session){

Useruser=(User)session.getAttribute(Constants.CURRENT_USER);

if(null!=user){

returnuser;

}

}

}

};

需要的jar包有3个:shiro-core.jar,shiro-spring.jar,shiro-web.jar。感觉shiro用起来比SpringSecurity简单很多

分享到:
| struts2的漏洞修复
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics