Spring3与安全框架apache shiro的整合

shiro是一个很不错的安全框架，相对Spring security 来说要简单易用的多，使用shiro来做web的权限子系统是不错的选择。

下面记录一下shiro和Spring整合的过程：

 

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

    <description>Shiro 配置</description>
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login.jsp" />
        <property name="successUrl" value="/index.jsp" />
        <property name="unauthorizedUrl" value="/login.do" />
        <property name="filterChainDefinitions">
            <value>
                /login.jsp = anon
                /login.do = anon
                /** = authc
               </value>
        </property>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!--设置自定义realm-->
        <property name="realm" ref="monitorRealm" />
    </bean>

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!--自定义Realm 继承自AuthorizingRealm-->
    <bean id="monitorRealm" class="***module.system.security.MonitorRealm"></bean>
    <!-- securityManager -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod"
            value="org.apache.shiro.SecurityUtils.setSecurityManager" />
        <property name="arguments" ref="securityManager" />
    </bean>

    <!-- Enable Shiro Annotations for Spring-configured beans.  Only run after -->
    <!-- the lifecycleBeanProcessor has run: -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>

</bean>
</beans>

 

 

 

 

 

将shiro的配置文件引入到web.xml中：

 

 

 

 

 

 

 

并在web.xml中加入如下代码：

 

 

 

 

 

 

 

 

 

<!-- Shiro Security filter -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>*.do</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

 

 

 

实现自己的Realm

 

 

 

@Service("monitorRealm")
public class MonitorRealm extends AuthorizingRealm {

    @Autowired UserService userService;
    @Autowired RoleService roleService;
    @Autowired LoginLogService loginLogService;

    public MonitorRealm(){
        super();

    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        /*这里编写授权代码*/

    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
    /*这里编写认证代码*/
    }

    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

}

 

 

 

登录时的代码示例：

 

 

 

Subject currentUser = SecurityUtils.getSubject();
        if(!currentUser.isAuthenticated()){
            UsernamePasswordToken token;
            if(null == rememberMe)
                token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()),false,request.getRemoteAddr());
            else token = new UsernamePasswordToken(user.getUsername(), EncryptUtils.encodeMD5String(user.getPassword()), true, request.getRemoteAddr());
            try {
                currentUser.login(token);
            } catch ( AuthenticationException ae ) {
                request.setAttribute("message", "用户名或密码错误！");
                return "login";
            }
        }

 

 执行currentUser.login(token);这句代码时，shiro会自动调用用户实现的Realm的doGetAuthenticationInfo进行身份认证。

 

登出时的代码示例：

 

 

 

Subject currentUser = SecurityUtils.getSubject();
        if (currentUser != null) {
            currentUser.logout();
        }
        HttpSession session = request.getSession(false);
        if( session != null ) {
            session.invalidate();
        }
        return "login";

 

 在对用户（角色）进行授权时会执行Realm里的doGetAuthorizationInfo方法。

 

 

 

OK简单的集成完成了，如果用cas或者Springsecurity恐怕没这么简单利索 哈哈。

 

 

 

 

类似功能链接：http://kdboy.iteye.com/blog/1103794

其它链接：

http://kdboy.iteye.com/blog/1154644

http://kdboy.iteye.com/blog/1154652

http://kdboy.iteye.com/blog/1155450

http://kdboy.iteye.com/blog/1169631

http://kdboy.iteye.com/blog/1169637

官方名词解释：http://shiro.apache.org/terminology.html

官方权限解释：http://shiro.apache.org/permissions.html