SSM integration with Shiro for permission management (practical notes)
I. Table structure (table relationships)
Tables: user, role, user_role, permission, role_permission. Users and roles are many-to-many (joined through user_role), and roles and permissions are many-to-many (joined through role_permission).
II. Configuration files
1. spring-shiro.xml
loginUrl is the URL that may be accessed before authentication, normally the login page or the path of the login handler method.
successUrl is the URL to redirect to after successful authentication (a page path or a handler method).
unauthorizedUrl is the path to redirect to when an authenticated user lacks the required role or permission.
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/login" />
    <property name="successUrl" value="/userLogin" />
    <property name="unauthorizedUrl" value="/login" />
    <!-- Basic system-level permission configuration.
         Shiro evaluates these definitions top to bottom and the first matching pattern wins,
         so the catch-all /** must stay last -->
    <property name="filterChainDefinitions">
        <value>
            /css/* = anon
            /js/* = anon
            /img/* = anon
            /jsp/login.jsp = anon
            /userLogin = anon <!-- login-related paths are not intercepted -->
            /addUser = roles[admin]
            /** = authc
        </value>
    </property>
    <!-- Custom Shiro filters -->
    <!-- <property name="filters"> <util:map> <entry key="login" value-ref="login"></entry>
         </util:map> </property> -->
</bean>
<!-- Security manager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <!-- Set the custom Realm -->
    <property name="realm" ref="myRealm" />
    <!-- Hand the cache manager to the security manager -->
    <property name="cacheManager" ref="shiroEhcacheManager" />
    <!-- Inject the session manager
    <property name="sessionManager" ref="sessionManager" /> -->
    <!-- Remember-me management -->
    <!-- <property name="rememberMeManager" ref="rememberMeManager" /> -->
</bean>
<!-- The project's custom Realm -->
<bean id="myRealm" class="com.snowlink.realm.MyRealm" />
<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:shiro-cache.xml"></property>
</bean>
2. Spring configuration file
Everything else in the Spring configuration file is configured as usual for the framework; the only addition is importing the Shiro configuration file.
<!-- Import the Shiro configuration file -->
<import resource="spring-shiro.xml" />
3. SpringMVC configuration file
Everything else in the SpringMVC configuration file is configured as usual for SpringMVC; the only additions are Shiro's annotation scanning and annotation support.
<!-- Enable AOP with class-based proxies -->
<aop:config proxy-target-class="true"></aop:config>
<!-- Enable Shiro annotation support -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>
4. web.xml configuration
Note: when registering Shiro's filter in web.xml, it must be declared before the DispatcherServlet; otherwise the paths that need permission checking are handled by SpringMVC's front controller first and the checks very likely fail.
<!-- shiroFilter -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
5. Ehcache cache configuration
<ehcache updateCheck="false" name="shiroCache">
    <defaultCache
        maxElementsInMemory="10000"
        eternal="false"
        timeToIdleSeconds="120"
        timeToLiveSeconds="120"
        overflowToDisk="false"
        diskPersistent="false"
        diskExpiryThreadIntervalSeconds="120"></defaultCache>
</ehcache>
6. jar dependencies required in pom.xml
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.3</version>
</dependency>
III. Shiro's execution flow and principles
ApplicationCode: the application code, written by the developer
Subject: the current user
SecurityManager: the security manager; it manages all users and handles authentication, authorization and so on.
Realm: the security data bridge, similar to a DAO; it is responsible for accessing the security data (users, roles, permissions)
As the diagram above shows, Shiro's core component is the SecurityManager.
IV. ApplicationCode
The application calls login() on the Subject (the current user); the SecurityManager then invokes the Realm to perform authentication and authorization.
package com.snowlink.realm;

import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

// User, Role, Permission, UserMapping and UserService are the project's own classes
// (their packages are not shown in this post).
public class MyRealm extends AuthorizingRealm {
    @Resource
    private UserMapping userMapping;
    @Resource
    private UserService userService;

    // Authorization: invoked on role/permission checks (the result is cached by the
    // EhCache manager handed to the security manager above)
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        User loginUser = (User) principalCollection.getPrimaryPrincipal();
        List<Role> roleList = userService.getRole(loginUser);
        List<String> roles = new ArrayList<>();
        List<String> permissions = new ArrayList<>();
        for (Role role : roleList) {
            for (Permission permission : userService.getPermissions(role)) {
                permissions.add(permission.getP_name());
            }
            roles.add(role.getRole_name());
        }
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRoles(roles);
        info.addStringPermissions(permissions);
        return info;
    }

    // Authentication: invoked by subject.login(); the realm only looks the user up,
    // the credential comparison is performed by the realm's CredentialsMatcher
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
        String username = usernamePasswordToken.getUsername();
        User user = userMapping.findUserByName(username);
        if (user == null) {
            // returning null makes Shiro throw UnknownAccountException to the caller of login()
            return null;
        }
        // The default SimpleCredentialsMatcher compares the submitted password directly with
        // user.getPassword(); store a hash and configure a HashedCredentialsMatcher on this
        // realm, otherwise passwords are stored and compared in plaintext.
        return new SimpleAuthenticationInfo(user, user.getPassword(), this.getClass().getName());
    }
}
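The application-code side of the flow described in section IV, as an added example that is not part of the original post: a SpringMVC controller that logs in through the Subject, maps the realm's outcomes back to the caller, and guards an action with the annotation support enabled in the SpringMVC configuration. The class name LoginController, the request parameters username/password, the view names and the redirect target /index are assumptions; the /userLogin and /addUser paths are the ones from the filter chain above.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;

@Controller
public class LoginController {   // hypothetical class, not from the original post
    // "/userLogin = anon" in the filter chain, so this handler is reachable before authentication
    @RequestMapping("/userLogin")
    public String login(@RequestParam("username") String username,
                        @RequestParam("password") String password, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            // SecurityManager -> MyRealm.doGetAuthenticationInfo(); the realm's CredentialsMatcher
            // then compares the submitted password with the credential the realm returned
            subject.login(token);
        } catch (UnknownAccountException | IncorrectCredentialsException e) {
            // null from the realm becomes UnknownAccountException, a mismatch IncorrectCredentialsException;
            // report both identically so the response does not reveal which usernames exist
            model.addAttribute("error", "invalid username or password");
            return "login";
        } catch (AuthenticationException e) {   // locked/disabled accounts, realm errors, ...
            model.addAttribute("error", "login failed");
            return "login";
        } finally {
            token.clear();   // wipe the password char[] held by the token
        }
        return "redirect:/index";   // assumed landing page after login
    }

    // Same rule as "/addUser = roles[admin]" in the filter chain, enforced again at method level
    // through AuthorizationAttributeSourceAdvisor; the roles come from MyRealm.doGetAuthorizationInfo()
    @RequiresRoles("admin")
    @RequestMapping("/addUser")
    public String addUser() {
        return "addUser";
    }

    // a failed @RequiresRoles check throws AuthorizationException; answer with 403, not a stack trace
    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String unauthorized() {
        return "login";
    }
}
```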