`
a137268431
  • 浏览: 146232 次
文章分类
社区版块
存档分类
最新评论

SpringMVC整合Shiro

 
阅读更多

这里用的是SpringMVC-3.2.4和Shiro-1.2.2,示例代码如下


转载于:http://blog.csdn.net/jadyer/article/details/12208847

首先是web.xml

[html]view plaincopyprint?
  1. <?xmlversion="1.0"encoding="UTF-8"?>
  2. <web-appversion="2.5"
  3. xmlns="http://java.sun.com/xml/ns/javaee"
  4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  5. xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
  6. http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  7. <!--指定Spring的配置文件-->
  8. <!--否则Spring会默认从WEB-INF下寻找配置文件,contextConfigLocation属性是Spring内部固定的-->
  9. <!--通过ContextLoaderListener的父类ContextLoader的第120行发现CONFIG_LOCATION_PARAM固定为contextConfigLocation-->
  10. <context-param>
  11. <param-name>contextConfigLocation</param-name>
  12. <param-value>classpath:applicationContext.xml</param-value>
  13. </context-param>
  15. <!--防止发生java.beans.Introspector内存泄露,应将它配置在ContextLoaderListener的前面-->
  16. <!--详细描述见http://blog.csdn.net/jadyer/article/details/11991457-->
  17. <listener>
  18. <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
  19. </listener>
  21. <!--实例化Spring容器-->
  22. <!--应用启动时,该监听器被执行,它会读取Spring相关配置文件,其默认会到WEB-INF中查找applicationContext.xml-->
  23. <listener>
  24. <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  25. </listener>
  27. <!--解决乱码问题-->
  28. <filter>
  29. <filter-name>SpringEncodingFilter</filter-name>
  30. <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
  31. <init-param>
  32. <param-name>encoding</param-name>
  33. <param-value>UTF-8</param-value>
  34. </init-param>
  35. <init-param>
  36. <param-name>forceEncoding</param-name>
  37. <param-value>true</param-value>
  38. </init-param>
  39. </filter>
  40. <filter-mapping>
  41. <filter-name>SpringEncodingFilter</filter-name>
  42. <url-pattern>/*</url-pattern>
  43. </filter-mapping>
  45. <!--配置Shiro过滤器,先让Shiro过滤系统接收到的请求-->
  46. <!--这里filter-name必须对应applicationContext.xml中定义的<beanid="shiroFilter"/>-->
  47. <!--使用[/*]匹配所有请求,保证所有的可控请求都经过Shiro的过滤-->
  48. <!--通常会将此filter-mapping放置到最前面(即其他filter-mapping前面),以保证它是过滤器链中第一个起作用的-->
  49. <filter>
  50. <filter-name>shiroFilter</filter-name>
  51. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  52. <init-param>
  53. <!--该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理-->
  54. <param-name>targetFilterLifecycle</param-name>
  55. <param-value>true</param-value>
  56. </init-param>
  57. </filter>
  58. <filter-mapping>
  59. <filter-name>shiroFilter</filter-name>
  60. <url-pattern>/*</url-pattern>
  61. </filter-mapping>
  63. <!--SpringMVC核心分发器-->
  64. <servlet>
  65. <servlet-name>SpringMVC</servlet-name>
  66. <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  67. <init-param>
  68. <param-name>contextConfigLocation</param-name>
  69. <param-value>classpath:applicationContext.xml</param-value>
  70. </init-param>
  71. <load-on-startup>1</load-on-startup>
  72. </servlet>
  73. <servlet-mapping>
  74. <servlet-name>SpringMVC</servlet-name>
  75. <url-pattern>/</url-pattern>
  76. </servlet-mapping>
  78. <!--默认欢迎页-->
  79. <!--Servlet2.5中可直接在此处执行Servlet应用,如<welcome-file>servlet/InitSystemParamServlet</welcome-file>-->
  80. <!--这里使用了SpringMVC提供的<mvc:view-controller>标签,实现了首页隐藏的目的,详见applicationContext.xml-->
  81. <!--
  82. <welcome-file-list>
  83. <welcome-file>login.jsp</welcome-file>
  84. </welcome-file-list>
  85. -->
  87. <error-page>
  88. <error-code>405</error-code>
  89. <location>/WEB-INF/405.html</location>
  90. </error-page>
  91. <error-page>
  92. <error-code>404</error-code>
  93. <location>/WEB-INF/404.jsp</location>
  94. </error-page>
  95. <error-page>
  96. <error-code>500</error-code>
  97. <location>/WEB-INF/500.jsp</location>
  98. </error-page>
  99. <error-page>
  100. <error-code>java.lang.Throwable</error-code>
  101. <location>/WEB-INF/500.jsp</location>
  102. </error-page>
  103. </web-app>
下面是用于显示Request method 'GET' not supported的//WebRoot//WEB-INF//405.html

[html]view plaincopyprint?
  1. <!DOCTYPEHTMLPUBLIC"-//W3C//DTDHTML4.01Transitional//EN">
  2. <html>
  3. <head>
  4. <title>405.html</title>
  5. <metahttp-equiv="content-type"content="text/html;charset=UTF-8">
  6. </head>
  7. <body>
  8. <fontcolor="blue">
  9. Requestmethod'GET'notsupported
  10. <br/><br/>
  11. ThespecifiedHTTPmethodisnotallowedfortherequestedresource.
  12. </font>
  13. </body>
  14. </html>
下面是允许匿名用户访问的//WebRoot//login.jsp

[html]view plaincopyprint?
  1. <%@pagelanguage="java"pageEncoding="UTF-8"%>
  3. <scripttype="text/javascript">
  4. <!--
  5. functionreloadVerifyCode(){
  6. document.getElementById('verifyCodeImage').setAttribute('src','${pageContext.request.contextPath}/mydemo/getVerifyCodeImage');
  7. }
  8. //-->
  9. </script>
  11. <divstyle="color:red;font-size:22px;">${message_login}</div>
  13. <formaction="<%=request.getContextPath()%>/mydemo/login"method="POST">
  14. 姓名:<inputtype="text"name="username"/><br/>
  15. 密码:<inputtype="text"name="password"/><br/>
  16. 验证:<inputtype="text"name="verifyCode"/>
  17. &nbsp;&nbsp;
  18. <imgid="verifyCodeImage"onclick="reloadVerifyCode()"src="<%=request.getContextPath()%>/mydemo/getVerifyCodeImage"/><br/>
  19. <inputtype="submit"value="确认"/>
  20. </form>
下面是用户登录后显示的//WebRoot//main.jsp

[html]view plaincopyprint?
  1. <%@pagelanguage="java"pageEncoding="UTF-8"%>
  2. 普通用户可访问<ahref="<%=request.getContextPath()%>/mydemo/getUserInfo"target="_blank">用户信息页面</a>
  3. <br/>
  4. <br/>
  5. 管理员可访问<ahref="<%=request.getContextPath()%>/admin/listUser.jsp"target="_blank">用户列表页面</a>
  6. <br/>
  7. <br/>
  8. <ahref="<%=request.getContextPath()%>/mydemo/logout"target="_blank">Logout</a>
下面是只有管理员才允许访问的//WebRoot//admin//listUser.jsp

[html]view plaincopyprint?
  1. <%@pagelanguage="java"pageEncoding="UTF-8"%>
  2. ThisislistUser.jsp
  3. <br/>
  4. <br/>
  5. <ahref="<%=request.getContextPath()%>/mydemo/logout"target="_blank">Logout</a>
下面是普通的登录用户所允许访问的//WebRoot//user//info.jsp

[html]view plaincopyprint?
  1. <%@pagelanguage="java"pageEncoding="UTF-8"%>
  2. 当前登录的用户为${currUser}
  3. <br/>
  4. <br/>
  5. <ahref="<%=request.getContextPath()%>/mydemo/logout"target="_blank">Logout</a>
下面是//src//log4j.properties

[ruby]view plaincopyprint?
  1. #useRootforGobalConfig
  2. log4j.rootLogger=DEBUG,CONSOLE
  4. log4j.logger.java.sql=DEBUG
  5. log4j.logger.org.apache.shiro=DEBUG
  6. log4j.logger.org.apache.commons=DEBUG
  7. log4j.logger.org.springframework=DEBUG
  9. #useConsoleAppenderforConsoleOut
  10. log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
  11. log4j.appender.CONSOLE.Threshold=DEBUG
  12. log4j.appender.CONSOLE.Target=System.out
  13. log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
  14. log4j.appender.CONSOLE.layout.ConversionPattern=[%d{yyyyMMddHH:mm:ss}][%t][%C{1}.%M]%m%n
下面是//src//applicationContext.xml

[html]view plaincopyprint?
  1. <?xmlversion="1.0"encoding="UTF-8"?>
  2. <beansxmlns="http://www.springframework.org/schema/beans"
  3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4. xmlns:mvc="http://www.springframework.org/schema/mvc"
  5. xmlns:context="http://www.springframework.org/schema/context"
  6. xsi:schemaLocation="http://www.springframework.org/schema/beans
  7. http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
  8. http://www.springframework.org/schema/mvc
  9. http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
  10. http://www.springframework.org/schema/context
  11. http://www.springframework.org/schema/context/spring-context-3.2.xsd">
  12. <!--它背后注册了很多用于解析注解的处理器,其中就包括<context:annotation-config/>配置的注解所使用的处理器-->
  13. <!--所以配置了<context:component-scanbase-package="">之后,便无需再配置<context:annotation-config>-->
  14. <context:component-scanbase-package="com.jadyer"/>
  16. <!--启用SpringMVC的注解功能,它会自动注册HandlerMapping、HandlerAdapter、ExceptionResolver的相关实例-->
  17. <mvc:annotation-driven/>
  19. <!--配置SpringMVC的视图解析器-->
  20. <!--其viewClass属性的默认值就是org.springframework.web.servlet.view.JstlView-->
  21. <beanclass="org.springframework.web.servlet.view.InternalResourceViewResolver">
  22. <propertyname="prefix"value="/"/>
  23. <propertyname="suffix"value=".jsp"/>
  24. </bean>
  26. <!--默认访问跳转到登录页面(即定义无需Controller的url<->view直接映射)-->
  27. <mvc:view-controllerpath="/"view-name="forward:/login.jsp"/>
  29. <!--由于web.xml中设置是:由SpringMVC拦截所有请求,于是在读取静态资源文件的时候就会受到影响(说白了就是读不到)-->
  30. <!--经过下面的配置,该标签的作用就是:所有页面中引用"/js/**"的资源,都会从"/resources/js/"里面进行查找-->
  31. <!--我们可以访问http://IP:8080/xxx/js/my.css和http://IP:8080/xxx/resources/js/my.css对比出来-->
  32. <mvc:resourcesmapping="/js/**"location="/resources/js/"/>
  33. <mvc:resourcesmapping="/css/**"location="/resources/css/"/>
  34. <mvc:resourcesmapping="/WEB-INF/**"location="/WEB-INF/"/>
  36. <!--SpringMVC在超出上传文件限制时,会抛出org.springframework.web.multipart.MaxUploadSizeExceededException-->
  37. <!--该异常是SpringMVC在检查上传的文件信息时抛出来的,而且此时还没有进入到Controller方法中-->
  38. <beanclass="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
  39. <propertyname="exceptionMappings">
  40. <props>
  41. <!--遇到MaxUploadSizeExceededException异常时,自动跳转到/WEB-INF/error_fileupload.jsp页面-->
  42. <propkey="org.springframework.web.multipart.MaxUploadSizeExceededException">WEB-INF/error_fileupload</prop>
  43. <!--处理其它异常(包括Controller抛出的)-->
  44. <propkey="java.lang.Throwable">WEB-INF/500</prop>
  45. </props>
  46. </property>
  47. </bean>
  49. <!--继承自AuthorizingRealm的自定义Realm,即指定Shiro验证用户登录的类为自定义的ShiroDbRealm.java-->
  50. <beanid="myRealm"class="com.jadyer.realm.MyRealm"/>
  52. <!--Shiro默认会使用Servlet容器的Session,可通过sessionMode属性来指定使用Shiro原生Session-->
  53. <!--即<propertyname="sessionMode"value="native"/>,详细说明见官方文档-->
  54. <!--这里主要是设置自定义的单Realm应用,若有多个Realm,可使用'realms'属性代替-->
  55. <beanid="securityManager"class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
  56. <propertyname="realm"ref="myRealm"/>
  57. </bean>
  59. <!--Shiro主过滤器本身功能十分强大,其强大之处就在于它支持任何基于URL路径表达式的、自定义的过滤器的执行-->
  60. <!--Web应用中,Shiro可控制的Web请求必须经过Shiro主过滤器的拦截,Shiro对基于Spring的Web应用提供了完美的支持-->
  61. <beanid="shiroFilter"class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
  62. <!--Shiro的核心安全接口,这个属性是必须的-->
  63. <propertyname="securityManager"ref="securityManager"/>
  64. <!--要求登录时的链接(可根据项目的URL进行替换),非必须的属性,默认会自动寻找Web工程根目录下的"/login.jsp"页面-->
  65. <propertyname="loginUrl"value="/"/>
  66. <!--登录成功后要跳转的连接(本例中此属性用不到,因为登录成功后的处理逻辑在LoginController里硬编码为main.jsp了)-->
  67. <!--<propertyname="successUrl"value="/system/main"/>-->
  68. <!--用户访问未对其授权的资源时,所显示的连接-->
  69. <!--若想更明显的测试此属性可以修改它的值,如unauthor.jsp,然后用[玄玉]登录后访问/admin/listUser.jsp就看见浏览器会显示unauthor.jsp-->
  70. <propertyname="unauthorizedUrl"value="/"/>
  71. <!--Shiro连接约束配置,即过滤链的定义-->
  72. <!--此处可配合我的这篇文章来理解各个过滤连的作用http://blog.csdn.net/jadyer/article/details/12172839-->
  73. <!--下面value值的第一个'/'代表的路径是相对于HttpServletRequest.getContextPath()的值来的-->
  74. <!--anon:它对应的过滤器里面是空的,什么都没做,这里.do和.jsp后面的*表示参数,比方说login.jsp?main这种-->
  75. <!--authc:该过滤器下的页面必须验证后才能访问,它是Shiro内置的一个拦截器org.apache.shiro.web.filter.authc.FormAuthenticationFilter-->
  76. <propertyname="filterChainDefinitions">
  77. <value>
  78. /mydemo/login=anon
  79. /mydemo/getVerifyCodeImage=anon
  80. /main**=authc
  81. /user/info**=authc
  82. /admin/listUser**=authc,perms[admin:manage]
  83. </value>
  84. </property>
  85. </bean>
  87. <!--保证实现了Shiro内部lifecycle函数的bean执行-->
  88. <beanid="lifecycleBeanPostProcessor"class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
  90. <!--开启Shiro的注解(如@RequiresRoles,@RequiresPermissions),需借助SpringAOP扫描使用Shiro注解的类,并在必要时进行安全逻辑验证-->
  91. <!--配置以下两个bean即可实现此功能-->
  92. <!--EnableShiroAnnotationsforSpring-configuredbeans.OnlyrunafterthelifecycleBeanProcessorhasrun-->
  93. <!--由于本例中并未使用Shiro注解,故注释掉这两个bean(个人觉得将权限通过注解的方式硬编码在程序中,查看起来不是很方便,没必要使用)-->
  94. <!--
  95. <beanclass="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"depends-on="lifecycleBeanPostProcessor"/>
  96. <beanclass="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
  97. <propertyname="securityManager"ref="securityManager"/>
  98. </bean>
  99. -->
  100. </beans>
下面是自定义的Realm类----MyRealm.java

[java]view plaincopyprint?
  1. packagecom.jadyer.realm;
  3. importorg.apache.commons.lang3.builder.ReflectionToStringBuilder;
  4. importorg.apache.commons.lang3.builder.ToStringStyle;
  5. importorg.apache.shiro.SecurityUtils;
  6. importorg.apache.shiro.authc.AuthenticationException;
  7. importorg.apache.shiro.authc.AuthenticationInfo;
  8. importorg.apache.shiro.authc.AuthenticationToken;
  9. importorg.apache.shiro.authc.SimpleAuthenticationInfo;
  10. importorg.apache.shiro.authc.UsernamePasswordToken;
  11. importorg.apache.shiro.authz.AuthorizationInfo;
  12. importorg.apache.shiro.authz.SimpleAuthorizationInfo;
  13. importorg.apache.shiro.realm.AuthorizingRealm;
  14. importorg.apache.shiro.session.Session;
  15. importorg.apache.shiro.subject.PrincipalCollection;
  16. importorg.apache.shiro.subject.Subject;
  18. /**
  19. *自定义的指定Shiro验证用户登录的类
  20. *@see在本例中定义了2个用户:jadyer和玄玉,jadyer具有admin角色和admin:manage权限,玄玉不具有任何角色和权限
  21. *@createSep29,20133:15:31PM
  22. *@author玄玉<http://blog.csdn.net/jadyer>
  23. */
  24. publicclassMyRealmextendsAuthorizingRealm{
  25. /**
  26. *为当前登录的Subject授予角色和权限
  27. *@see经测试:本例中该方法的调用时机为需授权资源被访问时
  28. *@see经测试:并且每次访问需授权资源时都会执行该方法中的逻辑,这表明本例中默认并未启用AuthorizationCache
  29. *@see个人感觉若使用了Spring3.1开始提供的ConcurrentMapCache支持,则可灵活决定是否启用AuthorizationCache
  30. *@see比如说这里从数据库获取权限信息时,先去访问Spring3.1提供的缓存,而不使用Shior提供的AuthorizationCache
  31. */
  32. @Override
  33. protectedAuthorizationInfodoGetAuthorizationInfo(PrincipalCollectionprincipals){
  34. //获取当前登录的用户名,等价于(String)principals.fromRealm(this.getName()).iterator().next()
  35. StringcurrentUsername=(String)super.getAvailablePrincipal(principals);
  36. //List<String>roleList=newArrayList<String>();
  37. //List<String>permissionList=newArrayList<String>();
  38. ////从数据库中获取当前登录用户的详细信息
  39. //Useruser=userService.getByUsername(currentUsername);
  40. //if(null!=user){
  41. ////实体类User中包含有用户角色的实体类信息
  42. //if(null!=user.getRoles()&&user.getRoles().size()>0){
  43. ////获取当前登录用户的角色
  44. //for(Rolerole:user.getRoles()){
  45. //roleList.add(role.getName());
  46. ////实体类Role中包含有角色权限的实体类信息
  47. //if(null!=role.getPermissions()&&role.getPermissions().size()>0){
  48. ////获取权限
  49. //for(Permissionpmss:role.getPermissions()){
  50. //if(!StringUtils.isEmpty(pmss.getPermission())){
  51. //permissionList.add(pmss.getPermission());
  52. //}
  53. //}
  54. //}
  55. //}
  56. //}
  57. //}else{
  58. //thrownewAuthorizationException();
  59. //}
  60. ////为当前用户设置角色和权限
  61. //SimpleAuthorizationInfosimpleAuthorInfo=newSimpleAuthorizationInfo();
  62. //simpleAuthorInfo.addRoles(roleList);
  63. //simpleAuthorInfo.addStringPermissions(permissionList);
  64. SimpleAuthorizationInfosimpleAuthorInfo=newSimpleAuthorizationInfo();
  65. //实际中可能会像上面注释的那样从数据库取得
  66. if(null!=currentUsername&&"jadyer".equals(currentUsername)){
  67. //添加一个角色,不是配置意义上的添加,而是证明该用户拥有admin角色
  68. simpleAuthorInfo.addRole("admin");
  69. //添加权限
  70. simpleAuthorInfo.addStringPermission("admin:manage");
  71. System.out.println("已为用户[jadyer]赋予了[admin]角色和[admin:manage]权限");
  72. returnsimpleAuthorInfo;
  73. }elseif(null!=currentUsername&&"玄玉".equals(currentUsername)){
  74. System.out.println("当前用户[玄玉]无授权");
  75. returnsimpleAuthorInfo;
  76. }
  77. //若该方法什么都不做直接返回null的话,就会导致任何用户访问/admin/listUser.jsp时都会自动跳转到unauthorizedUrl指定的地址
  78. //详见applicationContext.xml中的<beanid="shiroFilter">的配置
  79. returnnull;
  80. }
  83. /**
  84. *验证当前登录的Subject
  85. *@see经测试:本例中该方法的调用时机为LoginController.login()方法中执行Subject.login()时
  86. */
  87. @Override
  88. protectedAuthenticationInfodoGetAuthenticationInfo(AuthenticationTokenauthcToken)throwsAuthenticationException{
  89. //获取基于用户名和密码的令牌
  90. //实际上这个authcToken是从LoginController里面currentUser.login(token)传过来的
  91. //两个token的引用都是一样的,本例中是org.apache.shiro.authc.UsernamePasswordToken@33799a1e
  92. UsernamePasswordTokentoken=(UsernamePasswordToken)authcToken;
  93. System.out.println("验证当前Subject时获取到token为"+ReflectionToStringBuilder.toString(token,ToStringStyle.MULTI_LINE_STYLE));
  94. //Useruser=userService.getByUsername(token.getUsername());
  95. //if(null!=user){
  96. //AuthenticationInfoauthcInfo=newSimpleAuthenticationInfo(user.getUsername(),user.getPassword(),user.getNickname());
  97. //this.setSession("currentUser",user);
  98. //returnauthcInfo;
  99. //}else{
  100. //returnnull;
  101. //}
  102. //此处无需比对,比对的逻辑Shiro会做,我们只需返回一个和令牌相关的正确的验证信息
  103. //说白了就是第一个参数填登录用户名,第二个参数填合法的登录密码(可以是从数据库中取到的,本例中为了演示就硬编码了)
  104. //这样一来,在随后的登录页面上就只有这里指定的用户和密码才能通过验证
  105. if("jadyer".equals(token.getUsername())){
  106. AuthenticationInfoauthcInfo=newSimpleAuthenticationInfo("jadyer","jadyer",this.getName());
  107. this.setSession("currentUser","jadyer");
  108. returnauthcInfo;
  109. }elseif("玄玉".equals(token.getUsername())){
  110. AuthenticationInfoauthcInfo=newSimpleAuthenticationInfo("玄玉","xuanyu",this.getName());
  111. this.setSession("currentUser","玄玉");
  112. returnauthcInfo;
  113. }
  114. //没有返回登录用户名对应的SimpleAuthenticationInfo对象时,就会在LoginController中抛出UnknownAccountException异常
  115. returnnull;
  116. }
  119. /**
  120. *将一些数据放到ShiroSession中,以便于其它地方使用
  121. *@see比如Controller,使用时直接用HttpSession.getAttribute(key)就可以取到
  122. */
  123. privatevoidsetSession(Objectkey,Objectvalue){
  124. SubjectcurrentUser=SecurityUtils.getSubject();
  125. if(null!=currentUser){
  126. Sessionsession=currentUser.getSession();
  127. System.out.println("Session默认超时时间为["+session.getTimeout()+"]毫秒");
  128. if(null!=session){
  129. session.setAttribute(key,value);
  130. }
  131. }
  132. }
  133. }
下面是处理用户登录的LoginController.java

[java]view plaincopyprint?
  1. packagecom.jadyer.controller;
  3. importjava.awt.Color;
  4. importjava.awt.image.BufferedImage;
  5. importjava.io.IOException;
  7. importjavax.imageio.ImageIO;
  8. importjavax.servlet.http.HttpServletRequest;
  9. importjavax.servlet.http.HttpServletResponse;
  11. importorg.apache.commons.lang3.StringUtils;
  12. importorg.apache.commons.lang3.builder.ReflectionToStringBuilder;
  13. importorg.apache.commons.lang3.builder.ToStringStyle;
  14. importorg.apache.shiro.SecurityUtils;
  15. importorg.apache.shiro.authc.AuthenticationException;
  16. importorg.apache.shiro.authc.ExcessiveAttemptsException;
  17. importorg.apache.shiro.authc.IncorrectCredentialsException;
  18. importorg.apache.shiro.authc.LockedAccountException;
  19. importorg.apache.shiro.authc.UnknownAccountException;
  20. importorg.apache.shiro.authc.UsernamePasswordToken;
  21. importorg.apache.shiro.subject.Subject;
  22. importorg.apache.shiro.web.util.WebUtils;
  23. importorg.springframework.stereotype.Controller;
  24. importorg.springframework.web.bind.annotation.RequestMapping;
  25. importorg.springframework.web.bind.annotation.RequestMethod;
  26. importorg.springframework.web.servlet.view.InternalResourceViewResolver;
  28. importcom.jadyer.util.VerifyCodeUtil;
  30. /**
  31. *本例中用到的jar文件如下
  32. *@seeaopalliance.jar
  33. *@seecommons-lang3-3.1.jar
  34. *@seecommons-logging-1.1.2.jar
  35. *@seelog4j-1.2.17.jar
  36. *@seeshiro-all-1.2.2.jar
  37. *@seeslf4j-api-1.7.5.jar
  38. *@seeslf4j-log4j12-1.7.5.jar
  39. *@seespring-aop-3.2.4.RELEASE.jar
  40. *@seespring-beans-3.2.4.RELEASE.jar
  41. *@seespring-context-3.2.4.RELEASE.jar
  42. *@seespring-core-3.2.4.RELEASE.jar
  43. *@seespring-expression-3.2.4.RELEASE.jar
  44. *@seespring-jdbc-3.2.4.RELEASE.jar
  45. *@seespring-oxm-3.2.4.RELEASE.jar
  46. *@seespring-tx-3.2.4.RELEASE.jar
  47. *@seespring-web-3.2.4.RELEASE.jar
  48. *@seespring-webmvc-3.2.4.RELEASE.jar
  49. *@createSep30,201311:10:06PM
  50. *@author玄玉<http://blog.csdn.net/jadyer>
  51. */
  52. @Controller
  53. @RequestMapping("mydemo")
  54. publicclassLoginController{
  55. /**
  56. *获取验证码图片和文本(验证码文本会保存在HttpSession中)
  57. */
  58. @RequestMapping("/getVerifyCodeImage")
  59. publicvoidgetVerifyCodeImage(HttpServletRequestrequest,HttpServletResponseresponse)throwsIOException{
  60. //设置页面不缓存
  61. response.setHeader("Pragma","no-cache");
  62. response.setHeader("Cache-Control","no-cache");
  63. response.setDateHeader("Expires",0);
  64. StringverifyCode=VerifyCodeUtil.generateTextCode(VerifyCodeUtil.TYPE_NUM_ONLY,4,null);
  65. //将验证码放到HttpSession里面
  66. request.getSession().setAttribute("verifyCode",verifyCode);
  67. System.out.println("本次生成的验证码为["+verifyCode+"],已存放到HttpSession中");
  68. //设置输出的内容的类型为JPEG图像
  69. response.setContentType("image/jpeg");
  70. BufferedImagebufferedImage=VerifyCodeUtil.generateImageCode(verifyCode,90,30,3,true,Color.WHITE,Color.BLACK,null);
  71. //写给浏览器
  72. ImageIO.write(bufferedImage,"JPEG",response.getOutputStream());
  73. }
  76. /**
  77. *用户登录
  78. */
  79. @RequestMapping(value="/login",method=RequestMethod.POST)
  80. publicStringlogin(HttpServletRequestrequest){
  81. StringresultPageURL=InternalResourceViewResolver.FORWARD_URL_PREFIX+"/";
  82. Stringusername=request.getParameter("username");
  83. Stringpassword=request.getParameter("password");
  84. //获取HttpSession中的验证码
  85. StringverifyCode=(String)request.getSession().getAttribute("verifyCode");
  86. //获取用户请求表单中输入的验证码
  87. StringsubmitCode=WebUtils.getCleanParam(request,"verifyCode");
  88. System.out.println("用户["+username+"]登录时输入的验证码为["+submitCode+"],HttpSession中的验证码为["+verifyCode+"]");
  89. if(StringUtils.isEmpty(submitCode)||!StringUtils.equals(verifyCode,submitCode.toLowerCase())){
  90. request.setAttribute("message_login","验证码不正确");
  91. returnresultPageURL;
  92. }
  93. UsernamePasswordTokentoken=newUsernamePasswordToken(username,password);
  94. token.setRememberMe(true);
  95. System.out.println("为了验证登录用户而封装的token为"+ReflectionToStringBuilder.toString(token,ToStringStyle.MULTI_LINE_STYLE));
  96. //获取当前的Subject
  97. SubjectcurrentUser=SecurityUtils.getSubject();
  98. try{
  99. //在调用了login方法后,SecurityManager会收到AuthenticationToken,并将其发送给已配置的Realm执行必须的认证检查
  100. //每个Realm都能在必要时对提交的AuthenticationTokens作出反应
  101. //所以这一步在调用login(token)方法时,它会走到MyRealm.doGetAuthenticationInfo()方法中,具体验证方式详见此方法
  102. System.out.println("对用户["+username+"]进行登录验证..验证开始");
  103. currentUser.login(token);
  104. System.out.println("对用户["+username+"]进行登录验证..验证通过");
  105. resultPageURL="main";
  106. }catch(UnknownAccountExceptionuae){
  107. System.out.println("对用户["+username+"]进行登录验证..验证未通过,未知账户");
  108. request.setAttribute("message_login","未知账户");
  109. }catch(IncorrectCredentialsExceptionice){
  110. System.out.println("对用户["+username+"]进行登录验证..验证未通过,错误的凭证");
  111. request.setAttribute("message_login","密码不正确");
  112. }catch(LockedAccountExceptionlae){
  113. System.out.println("对用户["+username+"]进行登录验证..验证未通过,账户已锁定");
  114. request.setAttribute("message_login","账户已锁定");
  115. }catch(ExcessiveAttemptsExceptioneae){
  116. System.out.println("对用户["+username+"]进行登录验证..验证未通过,错误次数过多");
  117. request.setAttribute("message_login","用户名或密码错误次数过多");
  118. }catch(AuthenticationExceptionae){
  119. //通过处理Shiro的运行时AuthenticationException就可以控制用户登录失败或密码错误时的情景
  120. System.out.println("对用户["+username+"]进行登录验证..验证未通过,堆栈轨迹如下");
  121. ae.printStackTrace();
  122. request.setAttribute("message_login","用户名或密码不正确");
  123. }
  124. //验证是否登录成功
  125. if(currentUser.isAuthenticated()){
  126. System.out.println("用户["+username+"]登录认证通过(这里可以进行一些认证通过后的一些系统参数初始化操作)");
  127. }else{
  128. token.clear();
  129. }
  130. returnresultPageURL;
  131. }
  134. /**
  135. *用户登出
  136. */
  137. @RequestMapping("/logout")
  138. publicStringlogout(HttpServletRequestrequest){
  139. SecurityUtils.getSubject().logout();
  140. returnInternalResourceViewResolver.REDIRECT_URL_PREFIX+"/";
  141. }
  142. }
下面是处理普通用户访问的UserController.java

[java]view plaincopyprint?
  1. packagecom.jadyer.controller;
  3. importjavax.servlet.http.HttpServletRequest;
  5. importorg.springframework.stereotype.Controller;
  6. importorg.springframework.web.bind.annotation.RequestMapping;
  8. @Controller
  9. @RequestMapping("mydemo")
  10. publicclassUserController{
  11. @RequestMapping(value="/getUserInfo")
  12. publicStringgetUserInfo(HttpServletRequestrequest){
  13. StringcurrentUser=(String)request.getSession().getAttribute("currentUser");
  14. System.out.println("当前登录的用户为["+currentUser+"]");
  15. request.setAttribute("currUser",currentUser);
  16. return"/user/info";
  17. }
  18. }
最后是用于生成登录验证码的VerifyCodeUtil.java

[java]view plaincopyprint?
  1. packagecom.jadyer.util;
  3. importjava.awt.Color;
  4. importjava.awt.Font;
  5. importjava.awt.Graphics;
  6. importjava.awt.image.BufferedImage;
  7. importjava.util.Random;
  9. /**
  10. *验证码生成器
  11. *@see--------------------------------------------------------------------------------------------------------------
  12. *@see可生成数字、大写、小写字母及三者混合类型的验证码
  13. *@see支持自定义验证码字符数量,支持自定义验证码图片的大小,支持自定义需排除的特殊字符,支持自定义干扰线的数量,支持自定义验证码图文颜色
  14. *@see--------------------------------------------------------------------------------------------------------------
  15. *@see另外,给Shiro加入验证码有多种方式,也可以通过继承修改FormAuthenticationFilter类,通过Shiro去验证验证码
  16. *@see而这里既然使用了SpringMVC,也为了简化操作,就使用此工具生成验证码,并在Controller中处理验证码的校验
  17. *@see--------------------------------------------------------------------------------------------------------------
  18. *@createSep29,20134:23:13PM
  19. *@author玄玉<http://blog.csdn.net/jadyer>
  20. */
  21. publicclassVerifyCodeUtil{
  22. /**
  23. *验证码类型为仅数字,即0~9
  24. */
  25. publicstaticfinalintTYPE_NUM_ONLY=0;
  27. /**
  28. *验证码类型为仅字母,即大小写字母混合
  29. */
  30. publicstaticfinalintTYPE_LETTER_ONLY=1;
  32. /**
  33. *验证码类型为数字和大小写字母混合
  34. */
  35. publicstaticfinalintTYPE_ALL_MIXED=2;
  37. /**
  38. *验证码类型为数字和大写字母混合
  39. */
  40. publicstaticfinalintTYPE_NUM_UPPER=3;
  42. /**
  43. *验证码类型为数字和小写字母混合
  44. */
  45. publicstaticfinalintTYPE_NUM_LOWER=4;
  47. /**
  48. *验证码类型为仅大写字母
  49. */
  50. publicstaticfinalintTYPE_UPPER_ONLY=5;
  52. /**
  53. *验证码类型为仅小写字母
  54. */
  55. publicstaticfinalintTYPE_LOWER_ONLY=6;
  57. privateVerifyCodeUtil(){}
  59. /**
  60. *生成随机颜色
  61. */
  62. privatestaticColorgenerateRandomColor(){
  63. Randomrandom=newRandom();
  64. returnnewColor(random.nextInt(255),random.nextInt(255),random.nextInt(255));
  65. }
  68. /**
  69. *生成图片验证码
  70. *@paramtype验证码类型,参见本类的静态属性
  71. *@paramlength验证码字符长度,要求大于0的整数
  72. *@paramexcludeString需排除的特殊字符
  73. *@paramwidth图片宽度(注意此宽度若过小,容易造成验证码文本显示不全,如4个字符的文本可使用85到90的宽度)
  74. *@paramheight图片高度
  75. *@paraminterLine图片中干扰线的条数
  76. *@paramrandomLocation每个字符的高低位置是否随机
  77. *@parambackColor图片颜色,若为null则表示采用随机颜色
  78. *@paramforeColor字体颜色,若为null则表示采用随机颜色
  79. *@paramlineColor干扰线颜色,若为null则表示采用随机颜色
  80. *@return图片缓存对象
  81. */
  82. publicstaticBufferedImagegenerateImageCode(inttype,intlength,StringexcludeString,intwidth,intheight,intinterLine,booleanrandomLocation,ColorbackColor,ColorforeColor,ColorlineColor){
  83. StringtextCode=generateTextCode(type,length,excludeString);
  84. returngenerateImageCode(textCode,width,height,interLine,randomLocation,backColor,foreColor,lineColor);
  85. }
  88. /**
  89. *生成验证码字符串
  90. *@paramtype验证码类型,参见本类的静态属性
  91. *@paramlength验证码长度,要求大于0的整数
  92. *@paramexcludeString需排除的特殊字符(无需排除则为null)
  93. *@return验证码字符串
  94. */
  95. publicstaticStringgenerateTextCode(inttype,intlength,StringexcludeString){
  96. if(length<=0){
  97. return"";
  98. }
  99. StringBufferverifyCode=newStringBuffer();
  100. inti=0;
  101. Randomrandom=newRandom();
  102. switch(type){
  103. caseTYPE_NUM_ONLY:
  104. while(i<length){
  105. intt=random.nextInt(10);
  106. //排除特殊字符
  107. if(null==excludeString||excludeString.indexOf(t+"")<0){
  108. verifyCode.append(t);
  109. i++;
  110. }
  111. }
  112. break;
  113. caseTYPE_LETTER_ONLY:
  114. while(i<length){
  115. intt=random.nextInt(123);
  116. if((t>=97||(t>=65&&t<=90))&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  117. verifyCode.append((char)t);
  118. i++;
  119. }
  120. }
  121. break;
  122. caseTYPE_ALL_MIXED:
  123. while(i<length){
  124. intt=random.nextInt(123);
  125. if((t>=97||(t>=65&&t<=90)||(t>=48&&t<=57))&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  126. verifyCode.append((char)t);
  127. i++;
  128. }
  129. }
  130. break;
  131. caseTYPE_NUM_UPPER:
  132. while(i<length){
  133. intt=random.nextInt(91);
  134. if((t>=65||(t>=48&&t<=57))&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  135. verifyCode.append((char)t);
  136. i++;
  137. }
  138. }
  139. break;
  140. caseTYPE_NUM_LOWER:
  141. while(i<length){
  142. intt=random.nextInt(123);
  143. if((t>=97||(t>=48&&t<=57))&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  144. verifyCode.append((char)t);
  145. i++;
  146. }
  147. }
  148. break;
  149. caseTYPE_UPPER_ONLY:
  150. while(i<length){
  151. intt=random.nextInt(91);
  152. if((t>=65)&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  153. verifyCode.append((char)t);
  154. i++;
  155. }
  156. }
  157. break;
  158. caseTYPE_LOWER_ONLY:
  159. while(i<length){
  160. intt=random.nextInt(123);
  161. if((t>=97)&&(null==excludeString||excludeString.indexOf((char)t)<0)){
  162. verifyCode.append((char)t);
  163. i++;
  164. }
  165. }
  166. break;
  167. }
  168. returnverifyCode.toString();
  169. }
  171. /**
  172. *已有验证码,生成验证码图片
  173. *@paramtextCode文本验证码
  174. *@paramwidth图片宽度(注意此宽度若过小,容易造成验证码文本显示不全,如4个字符的文本可使用85到90的宽度)
  175. *@paramheight图片高度
  176. *@paraminterLine图片中干扰线的条数
  177. *@paramrandomLocation每个字符的高低位置是否随机
  178. *@parambackColor图片颜色,若为null则表示采用随机颜色
  179. *@paramforeColor字体颜色,若为null则表示采用随机颜色
  180. *@paramlineColor干扰线颜色,若为null则表示采用随机颜色
  181. *@return图片缓存对象
  182. */
  183. publicstaticBufferedImagegenerateImageCode(StringtextCode,intwidth,intheight,intinterLine,booleanrandomLocation,ColorbackColor,ColorforeColor,ColorlineColor){
  184. //创建内存图像
  185. BufferedImagebufferedImage=newBufferedImage(width,height,BufferedImage.TYPE_INT_RGB);
  186. //获取图形上下文
  187. Graphicsgraphics=bufferedImage.getGraphics();
  188. //画背景图
  189. graphics.setColor(null==backColor?generateRandomColor():backColor);
  190. graphics.fillRect(0,0,width,height);
  191. //画干扰线
  192. Randomrandom=newRandom();
  193. if(interLine>0){
  194. intx=0,y=0,x1=width,y1=0;
  195. for(inti=0;i<interLine;i++){
  196. graphics.setColor(null==lineColor?generateRandomColor():lineColor);
  197. y=random.nextInt(height);
  198. y1=random.nextInt(height);
  199. graphics.drawLine(x,y,x1,y1);
  200. }
  201. }
  202. //字体大小为图片高度的80%
  203. intfsize=(int)(height*0.8);
  204. intfx=height-fsize;
  205. intfy=fsize;
  206. //设定字体
  207. graphics.setFont(newFont("Default",Font.PLAIN,fsize));
  208. //写验证码字符
  209. for(inti=0;i<textCode.length();i++){
  210. fy=randomLocation?(int)((Math.random()*0.3+0.6)*height):fy;
  211. graphics.setColor(null==foreColor?generateRandomColor():foreColor);
  212. //将验证码字符显示到图象中
  213. graphics.drawString(textCode.charAt(i)+"",fx,fy);
  214. fx+=fsize*0.9;
  215. }
  216. graphics.dispose();
  217. returnbufferedImage;
  218. }
  219. }
分享到:
| 如何在eclipse jee中创建Maven project并 ...
评论
发表评论

您还没有登录,请您登录后再发表评论

相关推荐

Magicbox
Global site tag (gtag.js) - Google Analytics