Shiro learning (seven) - Shiro and web integration

Foreword

As an authentication and authorization framework, Shiro is mainly aimed at Java web applications, so integrating it with the web is the key to putting it to use. Here we take the most basic case, integration with plain servlets, as the example.

Create a simple servlet application

The basic servlet project here is built the way described in the article "Eclipse Creates a Maven Project Based on Servlet3.x", which this article does not repeat.

Servlet integration with Shiro

Configure listeners and filters in web.xml

First add the following content in web.xml:

	<listener>
		<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
	</listener>

	<filter>
		<filter-name>ShiroFilter</filter-name>
		<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>ShiroFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
		<dispatcher>INCLUDE</dispatcher>
		<dispatcher>ERROR</dispatcher>
	</filter-mapping>

The EnvironmentLoaderListener listener creates an IniWebEnvironment by default, reads the shiro.ini file from its default location, and then creates a DefaultWebSecurityManager.

The ShiroFilter then implements web login and authorization checks for us. Recall that when you write login authentication yourself, you write a filter that decides which paths require a logged-in user or particular permissions. ShiroFilter is that filter; we only need to configure the paths.

Configure pom.xml

Since we want to integrate Shiro, we must add the shiro-core dependency, and because this is a web application we also need shiro-web:

......

		<dependency>
			<groupId>org.apache.shiro</groupId>
			<artifactId>shiro-core</artifactId>
			<version>1.5.3</version>
		</dependency>
		<dependency>
			<groupId>org.apache.shiro</groupId>
			<artifactId>shiro-web</artifactId>
			<version>1.5.3</version>
		</dependency>

......

Configure shiro.ini

The next step is to configure the paths handled by each filter in shiro.ini:

[main]
# Page to redirect to when authentication (login) is required
authc.loginUrl=/login
# Page to redirect to when the user lacks the required role
roles.unauthorizedUrl=/unauthorized.jsp

[users]
zhang=123,role1
wang=456,role1,role2
li=123
[roles]
role1=user:create,update
role2=user:create,delete

[urls]
# Requesting /login needs no permission; guest (anon) access is enough
/login=anon
/login.jsp=anon

# Other paths require authentication (authc)
/*=authc

# JSP pages under /admin require a role check: only users holding role2 may access them
/admin/*.jsp=roles[role2]

The configuration is easy to follow, and readers can try it out themselves. What happens if you access /shiroWeb/hello directly without logging in? You can also try what happens when the user zhang accesses a page under the /admin path. The /unauthorized.jsp page and the pages under /admin can be written by readers however they like; there are no special requirements.
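As an added example (not code from the original article), here is a login servlet that fits the configuration above: /login is mapped to anon, so the authc filter never sees the form post and the servlet must call Subject.login() itself, then return the user to the page that triggered the login redirect. The form field names username and password, the contents of /login.jsp and the /hello fallback path are assumptions.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.util.WebUtils;

// Handles the /login path that shiro.ini maps to anon. Because the authc filter
// (FormAuthenticationFilter) is not on that chain, the application itself must call
// Subject.login(); the [users] section of shiro.ini then acts as the realm.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // /login.jsp is also mapped to anon, so the form is reachable before login (assumed page).
        req.getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(
                req.getParameter("username"), req.getParameter("password")); // assumed field names
        try {
            subject.login(token); // throws for an unknown user or a wrong password
        } catch (AuthenticationException e) {
            // One generic message: do not tell the caller which of the two was wrong.
            req.setAttribute("error", "Login failed");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
            return;
        } finally {
            token.clear(); // drop the password chars once they are no longer needed
        }
        // authc saved the URL the user originally asked for (e.g. /hello) before
        // redirecting to authc.loginUrl; send them back there, or to /hello if none.
        WebUtils.redirectToSavedRequest(req, resp, "/hello");
    }
}
```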

Shiro provides the following filters; we used anon, authc and roles. Readers can try the others themselves, and if I have time later I will try them one by one and cover them in an article:

Filter Name         Class
anon                org.apache.shiro.web.filter.authc.AnonymousFilter
authc               org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authcBasic          org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
authcBearer         org.apache.shiro.web.filter.authc.BearerHttpAuthenticationFilter
invalidRequest      org.apache.shiro.web.filter.InvalidRequestFilter
logout              org.apache.shiro.web.filter.authc.LogoutFilter
noSessionCreation   org.apache.shiro.web.filter.session.NoSessionCreationFilter
perms               org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
port                org.apache.shiro.web.filter.authz.PortFilter
rest                org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
roles               org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
ssl                 org.apache.shiro.web.filter.authz.SslFilter
user                org.apache.shiro.web.filter.authc.UserFilter

Session validity period

Anyone with some web development experience knows that after login the backend keeps a session for the user, and later requests are recognised as logged-in by their session id. The session has a validity period; once it expires the user must log in again. Because Shiro uses the Servlet container's session by default, the validity period is configured in web.xml by adding this section:

	<session-config>
		<session-timeout>30</session-timeout>
	</session-config>

This sets the session to expire after 30 minutes. To test the effect, change it to 1 minute, log in, and then visit /shiroWeb/hello again a minute later to see what happens.

Summary

Integrating Shiro with the web is a very important part of developing Java web applications. The approach in this article is sufficient for small Servlet applications. Current Java web development usually also needs to consider integration with Spring. As for sessions, Shiro uses the Servlet session by default, but in real projects, especially distributed applications, the session is stored in Redis so that every host in the distributed system can access it, so integration of Shiro with Redis should be considered later.


Source: blog.csdn.net/sadoshi/article/details/120564426