Learning the Shiro framework (1)

The jeesite framework I have been using recently integrates the Shiro framework, so I am putting some effort into learning Shiro.

I. Shiro architecture

First, a look at the architecture of the Shiro framework:

Authenticator: the login-verification module. The user's account and password are wrapped in an AuthenticationToken (normally a UsernamePasswordToken) and submitted through the Subject with subject.login(); credential hashing and comparison (the CredentialsMatcher) happen on this path. The module relies on one or more Realm objects to fetch the user's login information from the data source (a database, LDAP, a properties file and so on).

Authorizer: the permission-management module. It restricts and intercepts access to resources according to the user's roles and permissions. It likewise relies on Realm objects to load the role and permission data.

SessionManager: the session-management module. It manages sessions independently of the web container's HttpSession, which is what lets the framework run in non-web applications as well. In a web application it handles the session timeout, the session cookie and the other session-related operations.

CacheManager: cache management. It caches the authentication and authorization data loaded by the realms so that the data source is not queried on every check.

II. Shiro configuration and structure

Shiro intercepts requests and processes them through a chain of filters.

Configure the Shiro filter in web.xml:

    <!-- ==================================================================
         Filter proxy
         ================================================================== -->
    <!-- Shiro Filter is defined in the spring application context: -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

What is registered in web.xml is only a filter proxy (DelegatingFilterProxy); the real filter is a bean defined in the Spring configuration. The proxy looks up the Spring bean whose name equals the filter-name (shiroFilter here) and delegates every request to it; with targetFilterLifecycle set to true it also forwards init() and destroy() to that bean. This decouples the filter implementation from the URL mapping in web.xml.

Shiro itself is then configured in the Spring configuration file. The XML shown next is the minimal configuration Spring needs to work with Shiro, and it is also the core of the setup.

The core Shiro configuration consists of:

1. SecurityManager: the security manager, which verifies logins and permissions. It depends on a Realm (which fetches data from the data source) and a CacheManager.

2. SessionManager: session management.

3. lifecycleBeanPostProcessor: lifecycle management, which calls init() and destroy() on the framework's objects.

4. shiroFilter: the filter configuration, which sets the intercepted paths and the redirect targets (login page, success page, unauthorized page).

All of the core beans above and the beans they depend on must be configured. The realm bean is customized by extending one of Shiro's realm classes (usually AuthorizingRealm) and pointing the bean definition at your class.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/context
       http://www.springframework.org/schema/context/spring-context.xsd
       http://www.springframework.org/schema/mvc
       http://www.springframework.org/schema/mvc/spring-mvc.xsd
       http://www.springframework.org/schema/tx
       http://www.springframework.org/schema/tx/spring-tx.xsd">

    <!-- Create the business components and inject their dependencies -->
    <context:component-scan base-package="com.shiro.service"/>

    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>

    <!-- Used by the SecurityManager to access security data (users, roles, etc).
         Many other realm implementations can be used too (PropertiesRealm,
         LdapRealm, etc.). -->
    <bean id="jdbcRealm" class="com.shiro.realm.ShiroRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <!-- The stored passwords must have been hashed with exactly this algorithm
                     and iteration count, or every login fails. MD5 is shown for illustration
                     only; use SHA-256 or stronger with a per-user salt in production. -->
                <property name="hashAlgorithmName" value="MD5"/>
                <property name="hashIterations" value="1024"/>
            </bean>
        </property>
    </bean>

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="cacheManager" ref="cacheManager"/>
        <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
        <property name="realm" ref="jdbcRealm"/>
        <!-- Without this reference the sessionManager bean below is never used and
             DefaultWebSecurityManager keeps using the servlet container's HttpSession. -->
        <property name="sessionManager" ref="sessionManager"/>
    </bean>

    <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <!-- Never expose the session id as a ;JSESSIONID=... URL parameter -->
        <property name="sessionIdUrlRewritingEnabled" value="false"/>
    </bean>

    <!-- =========================================================
         Shiro Spring-specific integration
         ========================================================= -->
    <!-- Post processor that automatically invokes init() and destroy() methods
         for Spring-configured Shiro objects so you don't have to
         1) specify an init-method and destroy-method attributes for every bean
            definition and
         2) even know which Shiro objects require these methods to be
            called. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Secure Spring remoting:  Ensure any Spring Remoting method invocations can be associated
         with a Subject for security checks. -->
    <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Enable Shiro Annotations for Spring-configured beans.  Only run after
         the lifecycleBeanProcessor has run: -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

    <!-- Define the Shiro Filter here (as a FactoryBean) instead of directly in web.xml -
         web.xml uses the DelegatingFilterProxy to access this bean.  This allows us
         to wire things with more control as well utilize nice Spring things such as
         PropertiesPlaceholderConfigurer and abstract beans or anything else we might need: -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="/login"/>
        <property name="successUrl" value="/s/index"/>
        <property name="unauthorizedUrl" value="/s/unauthorized"/>
        <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean
             defined will be automatically acquired and available via its beanName in chain
             definitions, but you can perform overrides or parent/child consolidated configuration
             here if you like: -->
        <!-- <property name="filters">
            <util:map>
                <entry key="aName" value-ref="someFilterPojo"/>
            </util:map>
        </property> -->
        <!-- Evaluated top to bottom; the first matching pattern wins, so the catch-all /** must stay last -->
        <property name="filterChainDefinitions">
            <value>
                /login = anon
                /logo.png = anon
                /login.jsp = anon
                /logout = logout
                /shiro.css = anon
                # allow WebStart to pull the jars for the swing app:
                /*.jar = anon
                # protected using SecureRemoteInvocationExecutor
                /remoting/** = anon
                # everything else requires authentication:
                /** = authc
            </value>
        </property>
    </bean>
</beans>
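To show what the Authenticator/Authorizer/Realm split from Section I looks like in code, and what the custom realm behind the jdbcRealm bean has to implement, here is an added example (not code from the original post or from jeesite). It runs against DefaultSecurityManager rather than DefaultWebSecurityManager, so no servlet container is involved, and it uses salted SHA-256 in place of the MD5 in the XML above. It assumes shiro-core 1.x on the classpath; the account table, the "alice" user and her salt are constructed sample data.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

// Added example, not code from the original post. Assumes shiro-core 1.x on the classpath.
public class ShiroRealmDemo {

    static final int HASH_ITERATIONS = 1024;

    // Constructed sample account standing in for the database row the jdbcRealm bean would read:
    // a per-user salt, hex(SHA-256(password, salt, 1024 iterations)), roles and permission strings.
    static final class Account {
        final String salt;
        final String passwordHash;
        final String[] roles;
        final String[] permissions;

        Account(String salt, String password, String[] roles, String[] permissions) {
            this.salt = salt;
            this.passwordHash = new Sha256Hash(password, ByteSource.Util.bytes(salt), HASH_ITERATIONS).toHex();
            this.roles = roles;
            this.permissions = permissions;
        }
    }

    static final Map<String, Account> USERS = new HashMap<>();
    static {
        // Hypothetical fixed salt; a real system generates a random one per user (SecureRandomNumberGenerator).
        USERS.put("alice", new Account("salt-for-alice", "correct horse",
                new String[]{"admin"}, new String[]{"user:*"}));
    }

    // The Realm that both the Authenticator and the Authorizer call into.
    static final class DemoRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            String username = (String) token.getPrincipal();
            Account account = USERS.get(username);
            if (account == null) {
                return null; // Shiro reports a null result as UnknownAccountException
            }
            // Return only the stored hash and salt. The HashedCredentialsMatcher set below re-hashes the
            // submitted password the same way and compares; the realm never compares plaintext itself.
            return new SimpleAuthenticationInfo(username, account.passwordHash,
                    ByteSource.Util.bytes(account.salt), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Account account = USERS.get((String) principals.getPrimaryPrincipal());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if (account != null) {
                info.addRoles(Arrays.asList(account.roles));
                info.addStringPermissions(Arrays.asList(account.permissions));
            }
            return info;
        }
    }

    static DemoRealm buildRealm() {
        // Same shape as the HashedCredentialsMatcher bean in the Spring XML, with SHA-256 instead of MD5.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true); // Account stores toHex()
        DemoRealm realm = new DemoRealm();
        realm.setCredentialsMatcher(matcher);
        return realm;
    }

    public static void main(String[] args) {
        // DefaultSecurityManager, not DefaultWebSecurityManager: the same flow works with no web container.
        DefaultSecurityManager securityManager = new DefaultSecurityManager(buildRealm());
        SecurityUtils.setSecurityManager(securityManager);
        Subject subject = SecurityUtils.getSubject();

        try {
            // A wrong password fails credential matching inside the realm and login() throws.
            subject.login(new UsernamePasswordToken("alice", "wrong password"));
        } catch (AuthenticationException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }

        // Correct password: the Subject becomes authenticated and authorization queries hit the realm.
        subject.login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("authenticated:  " + subject.isAuthenticated());
        System.out.println("has role admin: " + subject.hasRole("admin"));
        System.out.println("user:delete:    " + subject.isPermitted("user:delete")); // implied by user:*
        System.out.println("order:read:     " + subject.isPermitted("order:read"));
        subject.logout();
        securityManager.destroy();
    }
}
```

The realm only ever hands Shiro the stored hash and salt; the comparison is done by the CredentialsMatcher, which is why the matcher's algorithm and iteration count in the Spring XML must match whatever produced the hashes in the database. Changing the algorithm means re-hashing every stored password, not just editing the bean.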

III. Detailed explanation of the filter configuration

Shiro's default filters:

Filter name        Filter class                                                   Description
anon               org.apache.shiro.web.filter.authc.AnonymousFilter              Anonymous access: the request passes without any check.
authc              org.apache.shiro.web.filter.authc.FormAuthenticationFilter     Requires an authenticated subject; otherwise redirects to loginUrl. If the request is a POST to loginUrl, the filter performs the form login itself.
authcBasic         org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter HTTP Basic authentication; an unauthenticated request gets a 401 response with a WWW-Authenticate challenge rather than a redirect to the login page.
logout             org.apache.shiro.web.filter.authc.LogoutFilter                 Logs the current subject out and redirects to its redirectUrl (default "/").
noSessionCreation  org.apache.shiro.web.filter.session.NoSessionCreationFilter    Prevents a new session from being created for the request; an existing session can still be used.
perms              org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter Permission check: the subject must hold every listed permission, e.g. perms["user:create,user:delete"]; otherwise it is sent to unauthorizedUrl.
port               org.apache.shiro.web.filter.authz.PortFilter                   Port check: a request that did not arrive on the configured port is redirected to the same URL on that port (not to the login page).
rest               org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter   Maps the HTTP method to a permission action (GET/HEAD/OPTIONS to read, POST to create, PUT to update, DELETE to delete) and checks it, e.g. rest[user] requires user:create for a POST.
roles              org.apache.shiro.web.filter.authz.RolesAuthorizationFilter     Role check: the subject must hold every listed role, e.g. roles[admin]; otherwise it is sent to unauthorizedUrl.
ssl                org.apache.shiro.web.filter.authz.SslFilter                    Requires HTTPS; a plain HTTP request is redirected to the same URL on the configured HTTPS port (default 443).
user               org.apache.shiro.web.filter.authc.UserFilter                   Passes if the subject is a known user, i.e. authenticated or remembered through rememberMe; otherwise redirects to the login page.
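How these filters are combined matters as much as which ones are used: Shiro's PathMatchingFilterChainResolver walks the chain definitions in the order they were declared and applies the first pattern that matches the request path. The following added example (not code from the original post) builds chains with Shiro's own DefaultFilterChainManager and AntPathMatcher and then resolves a few request paths with a simplified reimplementation of the resolver's loop, written here so it runs without a servlet request. It assumes shiro-web 1.x and a servlet API jar on the classpath; the chain definitions and request paths are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;

import org.apache.shiro.util.AntPathMatcher;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.NamedFilterList;

// Added example, not code from the original post. Assumes shiro-web 1.x and javax.servlet on the classpath.
public class FilterChainOrderDemo {

    // Build a chain manager from definitions in declaration order, like the <value> block in the Spring XML.
    static DefaultFilterChainManager build(Map<String, String> definitions) {
        DefaultFilterChainManager manager = new DefaultFilterChainManager(); // registers anon, authc, roles, perms, rest, ...
        for (Map.Entry<String, String> e : definitions.entrySet()) {
            manager.createChain(e.getKey(), e.getValue()); // e.g. "/admin/**" -> "authc, roles[admin]"
        }
        return manager;
    }

    // First-match-wins resolution, the same rule PathMatchingFilterChainResolver applies.
    // Returns the filter class names of the chosen chain, or null if no pattern matched.
    static List<String> resolve(DefaultFilterChainManager manager, String requestPath) {
        AntPathMatcher matcher = new AntPathMatcher();
        for (String pattern : manager.getChainNames()) { // backed by a LinkedHashMap: declaration order
            if (matcher.matches(pattern, requestPath)) {
                List<String> names = new ArrayList<>();
                NamedFilterList chain = manager.getChain(pattern);
                for (Filter f : chain) {
                    names.add(f.getClass().getSimpleName());
                }
                return names;
            }
        }
        return null; // no chain: ShiroFilter lets the request through to the application untouched
    }

    public static void main(String[] args) {
        // Correct order: specific rules first, the catch-all last.
        Map<String, String> good = new LinkedHashMap<>();
        good.put("/login", "anon");
        good.put("/admin/**", "authc, roles[admin]");
        good.put("/api/users/**", "authc, rest[user]");
        good.put("/**", "authc");

        // Mistaken order: the catch-all comes first, so the admin rule below it can never be selected.
        Map<String, String> bad = new LinkedHashMap<>();
        bad.put("/**", "authc");
        bad.put("/admin/**", "authc, roles[admin]");

        System.out.println("/admin/users  (good): " + resolve(build(good), "/admin/users"));
        System.out.println("/api/users/42 (good): " + resolve(build(good), "/api/users/42"));
        System.out.println("/login        (good): " + resolve(build(good), "/login"));
        System.out.println("/admin/users  (bad):  " + resolve(build(bad), "/admin/users"));
    }
}
```

With the "bad" definitions the admin path resolves to the authentication filter alone: any logged-in user reaches /admin/users because the roles[admin] check is unreachable. Shiro does not warn about shadowed chains, so review the order of filterChainDefinitions whenever a new entry is added below an existing /** rule.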

Reposted from www.cnblogs.com/cxy2016/p/8920749.html