- 浏览: 35154 次
- 性别:
- 来自: 深圳
文章分类
最新评论
-
djy1135:
写的很详细! 赞!!!
jsoup使用手册 -
xiaoZ5919:
noclassgc 禁用垃圾回收 不知是否是笔误?不对方法区进 ...
JVM系列三:JVM参数设置、分析
shiro权限管理
- 博客分类:
- 开源软件
最近做的项目需要加上权限控制, 最后选型用的是shiro,这个是用确实比较简单。配置文件说明
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>pscms</display-name>
<!-- Spring ApplicationContext配置文件的路径,可使用通配符,多个路径用,号分隔
此参数用于后面的Spring Context Loader -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/applicationContext*.xml
</param-value>
</context-param>
<!-- 設定Spring Context的默认Profile -->
<context-param>
<param-name>spring.profiles.default</param-name>
<param-value>production</param-value>
</context-param>
<!--Spring的ApplicationContext 载入 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Filter 定义 -->
<!-- Character Encoding filter -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Shiro Security filter-->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- SiteMesh Web-Page Layout filter-->
<filter>
<filter-name>sitemeshFilter</filter-name>
<filter-class>com.opensymphony.sitemesh.webapp.SiteMeshFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>sitemeshFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring MVC Servlet -->
<servlet>
<servlet-name>springServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>captcha</servlet-name>
<servlet-class>com.surfilter.pscms.web.CaptchaController</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>captcha</servlet-name>
<url-pattern>/captcha</url-pattern>
</servlet-mapping>
<!-- session超时定义,单位为分钟 -->
<session-config>
<session-timeout>20</session-timeout>
</session-config>
<!-- 出错页面定义 -->
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/WEB-INF/views/error/500.jsp</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/WEB-INF/views/error/500.jsp</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/views/error/404.jsp</location>
</error-page>
</web-app>
applicationContext-shiro.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd" default-lazy-init="true"> <description>Shiro Configuration</description> <!-- Shiro's main business-tier object for web-enabled applications --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="shiroDbRealm" /> <property name="cacheManager" ref="cacheManager" /> </bean> <!-- 項目自定义的Realm --> <bean id="shiroDbRealm" class="com.surfilter.pscms.service.account.ShiroDbRealm" depends-on="userDao,groupDao"> <property name="accountManager" ref="accountManager"/> </bean> <!-- Shiro Filter --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value="/loginpw" /> <property name="successUrl" value="/main/" /> <property name="filters"> <map> <entry key="authc" value-ref="authc"></entry> </map> </property> <property name="filterChainDefinitions"> <value> /loginpw = authc /logout = logout /captcha = anon /static/** = anon /mobile/** = anon /** = user </value> </property> </bean> <bean id="authc" class="com.surfilter.pscms.service.captcha.CaptchaFormAuthenticationFilter"></bean> <!-- 用户授权信息Cache --> <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" /> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> <!-- AOP式方法级权限检查 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> </beans>
spring-mvc.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd"> <!-- 自动扫描且只扫描@Controller --> <context:component-scan base-package="com.surfilter.pscms" use-default-filters="false"> <context:include-filter type="annotation" expression="org.springframework.stereotype.Controller"/> </context:component-scan> <bean id="permission" class="com.surfilter.pscms.entity.account.Permission" init-method="initialize"/> <bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter"> <property name="messageConverters"> <list> <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter" /> <bean class="org.springframework.http.converter.StringHttpMessageConverter"> <property name="supportedMediaTypes"> <list><value>text/plain;charset=UTF-8</value></list> </property> </bean> <bean class="org.springframework.http.converter.ResourceHttpMessageConverter" /> <bean class="org.springframework.http.converter.xml.SourceHttpMessageConverter" /> <bean class="org.springframework.http.converter.xml.XmlAwareFormHttpMessageConverter" /> <bean class="org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter" /> </list> </property> </bean> <mvc:annotation-driven /> <mvc:default-servlet-handler/> <!-- 定义首页 --> <mvc:view-controller path="/" view-name="redirect:/main/"/> <!-- 定义JSP --> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix" value="/WEB-INF/views/"/> <property name="suffix" value=".jsp"/> </bean> <!-- View resolvers can also be configured with ResourceBundles or XML files. If you need different view resolving based on Locale, you have to use the resource bundle resolver. --> <!-- 这个是针对返回视图还是json值的视图配置 来分别处理同步和异步请求 --> <bean class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver"> <property name="mediaTypes"> <map> <entry key="html" value="text/html" /> <entry key="json" value="application/json" /> </map> </property> <property name="favorParameter" value="true" /> <property name="viewResolvers"> <list> <bean class="org.springframework.web.servlet.view.BeanNameViewResolver" /> <bean id="viewResolver" class="org.springframework.web.servlet.view.freemarker.FreeMarkerViewResolver"> <property name="cache" value="true" /> <property name="prefix" value="" /> <property name="suffix" value=".ftl" /> <property name="contentType" value="text/html;charset=UTF-8"></property> <property name="requestContextAttribute" value="request" /> <property name="exposeSpringMacroHelpers" value="true" /> <property name="exposeRequestAttributes" value="true" /> <property name="exposeSessionAttributes" value="true" /> </bean> </list> </property> <property name="defaultContentType" value="text/html" /> </bean> <bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver"> <property name="maxUploadSize"> <value>10485760</value> </property> <property name="maxInMemorySize"> <value>5120</value> </property> </bean> <!-- 支持 Shiro对Controller的方法级AOP安全控制 begin--> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="exceptionMappings"> <props> <prop key="org.apache.shiro.authz.UnauthorizedException">error/403</prop> </props> </property> </bean> <!-- end --> <!-- 初始化加载板块列表 --> <bean id="showBoards" class="com.surfilter.pscms.bean.ShowBoards" init-method="init"></bean> </beans>
ShiroDbRealm.java继承AuthorizingRealm 重新认证和鉴权的方法
package com.surfilter.pscms.service.account; import java.io.Serializable; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.cache.Cache; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.subject.SimplePrincipalCollection; import org.springframework.beans.factory.annotation.Autowired; import com.surfilter.pscms.entity.account.User; import com.surfilter.pscms.service.captcha.CaptchaUsernamePasswordToken; import com.surfilter.pscms.service.captcha.IncorrectCaptchaException; /** * 自实现用户与权限查询. 演示关系,密码用明文存储,因此使用默认 的SimpleCredentialsMatcher. */ public class ShiroDbRealm extends AuthorizingRealm { private AccountManager accountManager; /** * 认证回调函数, 登录时调用. */ @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authcToken) throws AuthenticationException { CaptchaUsernamePasswordToken token = (CaptchaUsernamePasswordToken) authcToken; // 验证码 验证 String captcha = null; Object obj_captcha = SecurityUtils.getSubject().getSession() .getAttribute("RandomCode"); if (obj_captcha instanceof String) captcha = (String) obj_captcha; if (captcha != null && !captcha.equalsIgnoreCase(token.getCaptcha())) { throw new IncorrectCaptchaException("验证码错误!"); } // 用户名密码验证 User user = accountManager.findUserByLoginName(token.getUsername()); if (user != null) { SecurityUtils.getSubject().getSession().setAttribute( "loginUserInfo", user); return new SimpleAuthenticationInfo(new ShiroUser(user .getLoginName(), user.getName()), user.getPassword(), getName()); } else { return null; } } /** * 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用. */ @Override protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection principals) { ShiroUser shiroUser = (ShiroUser) principals.fromRealm(getName()) .iterator().next(); User user = accountManager .findUserByLoginName(shiroUser.getLoginName()); if (user != null) { SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); info.addStringPermissions(accountManager.getUserPermissions(user.getId())); return info; } else { return null; } } /** * 更新用户授权信息缓存. */ public void clearCachedAuthorizationInfo(String principal) { SimplePrincipalCollection principals = new SimplePrincipalCollection( principal, getName()); clearCachedAuthorizationInfo(principals); } /** * 清除所有用户授权信息缓存. */ public void clearAllCachedAuthorizationInfo() { Cache<Object, AuthorizationInfo> cache = getAuthorizationCache(); if (cache != null) { for (Object key : cache.keys()) { cache.remove(key); } } } @Autowired public void setAccountManager(AccountManager accountManager) { this.accountManager = accountManager; } /** * 自定义Authentication对象,使得Subject除了携带用户的登录名外还可以携带更多信息. */ public static class ShiroUser implements Serializable { private static final long serialVersionUID = -1748602382963711884L; private String loginName; private String name; public ShiroUser(String loginName, String name) { this.loginName = loginName; this.name = name; } public String getLoginName() { return loginName; } /** * 本函数输出将作为默认的<shiro:principal/>输出. */ @Override public String toString() { return loginName; } public String getName() { return name; } } }
jsp页面中控制权限, name为相应的权限点
<shiro:hasPermission name="dict_analysis:edit">
相应的操作
</shiro:hasPermission>
控制层相应的方法用注解控制权限
@RequiresPermissions("dict_analysis:edit")
相关推荐
shiro权限管理案例加文档 shiro权限管理案例加文档 shiro权限管理案例加文档
自己整理的shiro权限管理的示例,希望对大家有帮助,现在急需积分,望支持
springboot-shiro权限管理系统 包括认证登录,权限管理,操作日志等,前端采用bootstrap UI
spring+mybatis+shiro整合。。。简单入门案例,maven项目
移动互联网场景下服务端Shiro权限管理研究.pdf
SSM和Shiro结合构建权限管理,包括表设计。前端页面展示设计。
SpringBoot+Shiro权限管理系统脚手架 项目说明: 项目基于Rest ful风格的接口开发,属于前后端分离,该项目属于后端部分,主要应用了Shiro框架,结合SpringBoot,基于对用户,角色,权限开发的权限系统脚手架 技术...
实现shiro权限管理,mysql
shiroshiro权限管理框架,本文档详细介绍了shiro权限管理框架在JavaWeb项目中的配置以及使用
Shiro权限管理 的jar包 ,一些example ,shiro资料笔记与核心单词
在shiro基本权限基础上优化登录 缓存 动态权限等功能!
基于ssm快速整合shiro权限
shiro权限管理系统示例
Springboot+shiro权限管理。这或许是流程最详细、代码最干净、配置最简单的shiro上手项目
本项目是基于Java的maven-ssm-shiro权限管理系统设计源码,包含2118个文件,其中975个JavaScript文件,472个PNG文件,247个CSS文件,83个HTML文件,63个Java文件,54个SVG文件,34个GIF文件,24个JSP文件和23个JPG...
shiro权限管理实例,内含sql脚本,运行sql 导入maven项目即可启动
springboot shiro 权限管理项目,买不了吃亏,买不了上当
shiro权限管理+generator代码生成
shiro权限
Go语言版本的权限管理服务平台, 利用shiro权限管理设计思想, 支持单用户多角色,可以具体到对某一个资源进行权限控制,比RBAC的资源管理更细粒度化。