您當前位置：首頁 > php開源 > php教程 > Shiro系列之Shiro+Spring MVC整合(Integration)

Shiro系列之Shiro+Spring MVC整合(Integration)

來源：程序員人生發布時間：2016-04-05 08:00:41 閱讀次數：3058次

Shiro系列之Shiro+Spring MVC整合

第1步，Shiro Filter

在web.xml文件中增加以下代碼，確保Web項目中需要權限管理的URL都可以被Shiro攔截過濾。

<filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

通常將這段代碼中的filter-mapping放在所有filter-mapping之前，以到達shiro是第1個對web要求進行攔截過濾之目的。這里的fileter-name應當要和第2步中配置的java bean的id1致。

第2步，配置各種Java Bean

在root-context.xml文件中配置Shiro

<?xml version="1.0" encoding="UTF⑻"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">   <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName" value="com.mysql.jdbc.Driver" /> <property name="url" value="jdbc:mysql://127.0.0.1:3306/etao_java" /> <property name="username" value="root" /> <property name="password" value="cope9020" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>  <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.Md5CredentialsMatcher"></bean>  <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager"></bean>  <bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm"> <property name="credentialsMatcher" ref="credentialsMatcher"></property> <property name="permissionsLookupEnabled" value="true"></property> <property name="dataSource" ref="dataSource"></property> <property name="authenticationQuery" value="SELECT password FROM sec_user WHERE user_name = ?"></property> <property name="userRolesQuery" value="SELECT role_name from sec_user_role left join sec_role using(role_id) left join sec_user using(user_id) WHERE user_name = ?"></property> <property name="permissionsQuery" value="SELECT permission_name FROM sec_role_permission left join sec_role using(role_id) left join sec_permission using(permission_id) WHERE role_name = ?"></property> </bean>  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="jdbcRealm"></property> <property name="cacheManager" ref="cacheManager"></property> </bean>  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  <property name="securityManager" ref="securityManager"></property>  <property name="loginUrl" value="/security/login"></property>    <property name="unauthorizedUrl" value="/"></property> <property name="filterChainDefinitions"> <value> /security/*=anon /tag=authc </value> </property> </bean>   </beans>

上述代碼中已對每一個java bean的用處做了詳細的注釋說明，這里僅對FilterChain過濾鏈的定義詳細論述1下：

測試用例中對/security/*的訪問是不需要認證控制的，這主要是用于用戶登錄和退出的
測試用例中對/tag的訪問是需要認證控制的，就是說只有通過認證的用戶才可以訪問該資源。如果用戶直接在地址欄中訪問http://localhost:8880/learning/tag，系統會自動跳轉至登錄頁面，要求用戶先進行身份認證。

完成這兩步以后，我們可以Run1下程序，如果可以看到以下頁面，就表明我們的配置文件沒有毛病，Shiro和Spring MVC的整合已完成了。后繼的步驟可以視為是對整合后的框進行的1個測試。

第3步，編寫登錄頁面和后臺代碼

<%@ page language="java" contentType="text/html; charset=UTF⑻" pageEncoding="UTF⑻"%> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF⑻"> <title>Login Page</title> </head> <body> <h1>login page</h1> <form id="" action="dologin" method="post"> <label>User Name</label> <input tyep="text" name="userName" maxLength="40" /> <label>Password</label><input type="password" name="password" /> <input type="submit" value="login" /> </form> <%--用于輸入后臺返回的驗證毛病信息 --%> <P><c:out value="${message }" /></P> </body> </html>

后臺登錄代碼

/** * 實際的登錄代碼 * 如果登錄成功，跳轉至首頁；登錄失敗，則將失敗信息反饋對用戶 * * @param request * @param model * @return */ @RequestMapping(value = "/dologin") public String doLogin(HttpServletRequest request, Model model) { String msg = ""; String userName = request.getParameter("userName"); String password = request.getParameter("password"); System.out.println(userName); System.out.println(password); UsernamePasswordToken token = new UsernamePasswordToken(userName, password); token.setRememberMe(true); Subject subject = SecurityUtils.getSubject(); try { subject.login(token); if (subject.isAuthenticated()) { return "redirect:/"; } else { return "login"; } } catch (IncorrectCredentialsException e) { msg = "登錄密碼毛病. Password for account " + token.getPrincipal() + " was incorrect."; model.addAttribute("message", msg); System.out.println(msg); } catch (ExcessiveAttemptsException e) { msg = "登錄失敗次數過量"; model.addAttribute("message", msg); System.out.println(msg); } catch (LockedAccountException e) { msg = "帳號已被鎖定. The account for username " + token.getPrincipal() + " was locked."; model.addAttribute("message", msg); System.out.println(msg); } catch (DisabledAccountException e) { msg = "帳號已被禁用. The account for username " + token.getPrincipal() + " was disabled."; model.addAttribute("message", msg); System.out.println(msg); } catch (ExpiredCredentialsException e) { msg = "帳號已過期. the account for username " + token.getPrincipal() + " was expired."; model.addAttribute("message", msg); System.out.println(msg); } catch (UnknownAccountException e) { msg = "帳號不存在. There is no user with username of " + token.getPrincipal(); model.addAttribute("message", msg); System.out.println(msg); } catch (UnauthorizedException e) { msg = "您沒有得到相應的授權！" + e.getMessage(); model.addAttribute("message", msg); System.out.println(msg); } return "login"; }

如果輸入不存在的用戶名或是毛病的密碼界面上會有相應的提示信息。