關於專案的安全保護,我一直想找一個簡單配置就能達到目的的方法,自從接觸了shiro,這個目標總算達成了,以下結合我使用shiro的經驗,談談比較輕便地整合該功能。
首先我們先了解一下shiro是什麼。
apache shiro 是一個功能強大和易於使用的Java安全框架,為開發人員提供一個直觀而全面的的解決方案的認證,授權,加密,會話管理。
其實按照我個人的理解,就是個過濾器,按照配置(或者註解)的規則進行許可權驗證。
我的專案基於maven管理依賴jar包,首先把apache shiro相關需要用到的jar引入:
<!-- shiro --> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.1</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>1.2.1</version> </dependency>
其中shiro-web和shiro-spring必須,如果要快取許可權的話,就引入shiro-ehcache,後邊會詳細說道shiro-ehcache的使用。
看一下login.action裡是如何實現使用者登入寫入的,獲取使用者表單資訊以及查詢資料庫驗證就不說了,直接上關鍵程式碼:
//驗證使用者資訊後進行token寫入,這裡為了簡單,我把使用者的id和姓名作為token的username和password UsernamePasswordToken token = new UsernamePasswordToken(m.getId() .toString(), m.getUsername()); Subject subject1 = SecurityUtils.getSubject(); subject1.login(token); subject1.getSession();
既然是個過濾器,那我們就看一下這個過濾器的寫法:
package com.airfey.tech.nuo.action.shiro.filter; import java.io.IOException; import java.security.Principal; import javax.annotation.Resource; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.subject.Subject; import com.airfey.tech.nuo.common.security.MD5; import com.airfey.tech.nuo.core.domain.Manager; import com.airfey.tech.nuo.core.service.ManagerService; public class shiroFilter implements Filter {
//管理員使用者service @Resource private ManagerService managerService; @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Subject subjects = SecurityUtils.getSubject(); HttpServletRequest requestHttp = (HttpServletRequest) request; HttpServletResponse responseHttp = (HttpServletResponse) response; Principal principal = requestHttp.getUserPrincipal(); if (null != principal) {
//principal.getName()裡儲存的是使用者的id,就是上邊登入處token裡的資訊 System.out.println(principal.getName()); Manager m = managerService.findOne(Long.parseLong(principal .getName())); if (null != m && 1 == m.getAudit()) { UsernamePasswordToken token = new UsernamePasswordToken( m.getId(), m.getId());//作為例子,這裡我只是把使用者id放進了token,你可以修改成其它複雜點的資訊 Subject subject1 = SecurityUtils.getSubject(); subject1.login(token); subject1.getSession(); } else { if (subjects != null) { subjects.logout(); } } } chain.doFilter(requestHttp, responseHttp); } @Override public void destroy() { } }
至此,可以說登入和過濾器已經完成了。然後就進行web.xml和spring檔案以及許可權驗證的實現。
1、在web.xml里加入shiro的過濾器配置:
<filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
此過濾器要位於所有過濾器的前面。
2、許可權驗證程式碼實現,我們寫一個realm類整合shiro的AuthorizingRealm
package com.airfey.tech.nuo.action.shiro.realm; import javax.annotation.Resource; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.cache.Cache; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.SimplePrincipalCollection; public class ShiroRealm extends AuthorizingRealm { @Override protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection principals) { if (principals == null) { throw new AuthorizationException( "PrincipalCollection method argument cannot be null."); } String username = (String) getAvailablePrincipal(principals); System.out.println("-------------------" + username);//輸出的其實是使用者id SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); // 增加預設角色 info.addRole("ROLE_USER");
/*以下可以從資料庫獲取使用者的角色以及許可權資訊,獲取到的資訊新增入info即可,具體獲取資料庫的程式碼我就省略了*/ // // 增加自定義角色 // if (null != userInfo.getRoleList()) { // for (RoleInfo roleInfo : userInfo.getRoleList()) { // if (null != roleInfo.getName() // && !"".equals(roleInfo.getName())) { // info.addRole(roleInfo.getName()); // } // } // } // if (null != userInfo.getModuleInfo()) { // for (ModuleInfo moduleInfo : userInfo.getModuleInfo()) { // if (null != moduleInfo.getGuid() // && !"".equals(moduleInfo.getGuid())) { // info.addStringPermission(moduleInfo.getGuid()); // } // } // } return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authcToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken) authcToken; String userName = token.getUsername(); if (userName != null && !"".equals(userName)) { return new SimpleAuthenticationInfo(token.getPrincipal(), token.getPassword(), token.getUsername()); } return null; } /** * 清空使用者關聯許可權認證,待下次使用時重新載入。 * * @param principal */ public void clearCachedAuthorizationInfo(String principal) { SimplePrincipalCollection principals = new SimplePrincipalCollection( principal, getName()); clearCachedAuthorizationInfo(principals); } /** * 清空所有關聯認證 */ public void clearAllCachedAuthorizationInfo() { Cache<Object, AuthorizationInfo> cache = getAuthorizationCache(); if (cache != null) { for (Object key : cache.keys()) { cache.remove(key); } } } }
3、applicationContext.xml的配置 (這裡只保留了shiro相關的資訊)
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.0.xsd"> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="successUrl" value="/manage/index.do" /> <property name="loginUrl" value="/manage/login.do" /> <property name="unauthorizedUrl" value="/manage/401.html" /> <property name="filters"> <map> <entry key="authc" value-ref="shiro"></entry> </map> </property> <property name="filterChainDefinitions"> <value> /manage/admin.html = authc,perms[shiro_admin:view] /manage/user.html=authc,perms[shiro_user:view] /manage/login.do=anon /manage/401.html=anon
/manage/js/**=anon
/manage/img/**=anon
/manage/kindeditor/**=anon /manage/**=authc,roles["ROLE_USER"] /**=anon </value> </property> </bean> <bean id="shiro" class="com.airfey.tech.nuo.action.shiro.filter.shiroFilter"> </bean> <bean id="shiroRealm" class="com.airfey.tech.nuo.action.shiro.realm.ShiroRealm" /> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="shiroRealm" /> <property name="cacheManager" ref="shiroEhcacheManager" /> </bean> <!-- 使用者授權資訊Cache, 採用EhCache,需要的話就配置上此資訊 --> <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager" /> </bean> </beans>
驗證規則裡如下讓靜態檔案比如js img 目錄配置上anon
/manage/admin.html = authc,perms[shiro_admin:view]
/manage/user.html=authc,perms[shiro_user:view]
/manage/login.do=anon
/manage/401.html=anon
/manage/js/**=anon
/manage/img/**=anon
/manage/kindeditor/**=anon
/manage/**=authc,roles["ROLE_USER"]
/**=anon
結束,收工。好久不寫這麼長的博文了,敲起來真費勁。原創文章,文中難免有遺漏或者錯誤之處,請指正。