The two security frameworks in common use today are Apache Shiro and Spring Security (from SpringSource).
Here is an introduction to Apache Shiro:
Since it is a security framework, what it solves is access control. "Permission" here means the relationship between users and the system, i.e. the functions that a given group or class of users may perform in the system. To express that relationship we introduce roles: every user has at least one role, different roles carry different functions in the system, and a user never relates to the system directly, only through its roles. In the database this is modelled with four tables: a user table, a role table, a permission table, and the user's group table (in the code below the user's groups are what get handed to Shiro as roles). Users and roles are many-to-many; roles and permissions are one-to-many.
The steps to use it in a project are as follows:
1. Configure web.xml
<!-- DelegatingFilterProxy hands every request to the Spring bean whose name equals the filter-name ("shiroFilter", defined in step 3) -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2. Create the DB Realm
package com.kaishengit.services.account;

import javax.annotation.Resource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.stereotype.Component;

@Component
public class ShiroDbRealm extends AuthorizingRealm {

    @Resource
    private UserService userService;

    // Login authentication: look the account up by login name and hand its stored
    // credentials to Shiro. Returning null makes Shiro raise UnknownAccountException.
    // NOTE: with the default SimpleCredentialsMatcher the stored password is compared
    // byte-for-byte with the submitted one, so this only works if passwords are stored
    // in plaintext. Configure a HashedCredentialsMatcher on the realm and store salted
    // hashes before using this outside a demo.
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        User user = userService.findByLoginName(token.getUsername());
        if (user != null) {
            return new SimpleAuthenticationInfo(user.getLoginname(), user.getPassword(), getName());
        }
        return null;
    }

    // Permission (authorization) lookup: reload the user's groups, which are handed to
    // Shiro as roles, plus the permission strings attached to each group. The result is
    // cached by the cacheManager configured on the security manager in step 3.
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        // The principal stored during authentication above is the login name
        String loginName = (String) principalCollection.fromRealm(getName()).iterator().next();
        User user = userService.findByLoginName(loginName);
        if (user != null) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Add the user's groups as roles
            info.setRoles(user.getGroupNameSet());
            for (Group g : user.getGroupList()) {
                // Add each group's permission strings, e.g. "user:create"
                info.addStringPermissions(g.getPermissionStringList());
            }
            return info;
        }
        return null;
    }
}
3. Configure applicationContext-shiro.xml
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="shiroDbRealm" />
    <property name="cacheManager" ref="cacheManager" />
</bean>
<!-- The project's custom Realm -->
<bean id="shiroDbRealm" class="com.kaishengit.services.account.ShiroDbRealm" />
<!-- Shiro Filter: the bean id must match the filter-name in web.xml -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/user!input.jspx" />
    <property name="successUrl" value="/main.jspx" />
    <property name="unauthorizedUrl" value="/403.jsp" />
    <!-- Chain definitions are matched top to bottom and the first match wins, so the
         catch-all "/**" must stay last. "authc" lets the loginUrl itself through. -->
    <property name="filterChainDefinitions">
        <value>
            /user!login.jspx = anon
            /user.jsp = roles[user]
            /** = authc
        </value>
    </property>
</bean>
<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
4. Login and logout
// Login, inside the action method (the page follows Struts 2 conventions: INPUT result,
// "user!input.jspx"); "user" holds the values submitted by the login form
try {
    // Shiro calls doGetAuthenticationInfo on the realm and lets the credentials matcher compare
    SecurityUtils.getSubject().login(
            new UsernamePasswordToken(user.getLoginname(), user.getPassword()));
} catch (AuthenticationException e) {
    // One generic message for every failure (unknown account, wrong password, locked account...)
    // so the login form does not reveal which login names exist
    msg = "Incorrect username or password!";
    return INPUT;
}
// Logout: invalidates the session and clears the subject's principals
SecurityUtils.getSubject().logout();
5. JSP tags (these only decide what is rendered; the URL filters in step 3 and the realm still enforce access on the server)
<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
Hello, <shiro:principal/>, how are you today?
<shiro:hasRole name="administrator">
<a href="admin.jsp">Administer the system</a>
</shiro:hasRole>
<shiro:hasAnyRoles name="developer, manager, administrator">
You are either a developer, manager, or administrator.
</shiro:hasAnyRoles>
<shiro:hasPermission name="user:create">
<a href="createUser.jsp">Create a new User</a>
</shiro:hasPermission>
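Putting the five steps together, the following is an added example, not code from the original page or from the project it describes. It wires a realm shaped like ShiroDbRealm into a plain DefaultSecurityManager so it runs from main without Spring or a servlet container, replaces the plaintext comparison that the page's realm relies on with a salted, iterated SHA-256 hash checked by HashedCredentialsMatcher, and then exercises login, roles and wildcard permissions. It assumes Shiro 1.x (shiro-core) on the classpath and Java 9+ for Set.of; the USERS map is a constructed stand-in for the user, group and permission tables, and the account names, passwords, roles and permission strings are made up for the demo.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ByteSource;

public class HashedRealmDemo {
    // Hash parameters; registration and the realm's matcher must agree on both.
    static final String ALGORITHM = Sha256Hash.ALGORITHM_NAME;
    static final int ITERATIONS = 10_000; // demo value; raise it (or use a memory-hard KDF) for real deployments

    /** Constructed stand-in for one user row plus its groups and permissions (assumption, not the page's schema). */
    static final class Account {
        final String loginName, passwordHashHex, saltHex;
        final Set<String> roles, permissions;
        Account(String loginName, String passwordHashHex, String saltHex, Set<String> roles, Set<String> permissions) {
            this.loginName = loginName; this.passwordHashHex = passwordHashHex; this.saltHex = saltHex;
            this.roles = roles; this.permissions = permissions;
        }
    }

    static final Map<String, Account> USERS = new HashMap<>();

    /** Registration path: a fresh random salt per account, hash stored as hex next to the salt. */
    static void register(String loginName, String password, Set<String> roles, Set<String> permissions) {
        String saltHex = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hashHex = new SimpleHash(ALGORITHM, password, ByteSource.Util.bytes(saltHex), ITERATIONS).toHex();
        USERS.put(loginName, new Account(loginName, hashHex, saltHex, roles, permissions));
    }

    /** Same two callbacks as the page's ShiroDbRealm, but the credentials are hashed. */
    static final class InMemoryHashedRealm extends AuthorizingRealm {
        InMemoryHashedRealm() {
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
            matcher.setHashIterations(ITERATIONS);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher); // Shiro re-hashes the submitted password with the info's salt and compares
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
            Account a = USERS.get(((UsernamePasswordToken) token).getUsername());
            if (a == null) {
                return null; // Shiro turns this into UnknownAccountException
            }
            // The salt travels with the info so the matcher can reproduce the stored hash
            return new SimpleAuthenticationInfo(a.loginName, a.passwordHashHex, ByteSource.Util.bytes(a.saltHex), getName());
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            Account a = USERS.get((String) principals.getPrimaryPrincipal());
            if (a == null) {
                return null;
            }
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(a.roles); // groups act as roles
            info.setStringPermissions(a.permissions);
            return info;
        }
    }

    /** Collapses every failure into one result so callers cannot tell an unknown user from a wrong password. */
    static boolean login(Subject subject, String loginName, String password) {
        try {
            subject.login(new UsernamePasswordToken(loginName, password));
            return true;
        } catch (AuthenticationException e) { // UnknownAccountException, IncorrectCredentialsException, ...
            return false;
        }
    }

    public static void main(String[] args) {
        register("alice", "correct horse battery staple", Set.of("administrator"), Set.of("user:create", "user:delete"));
        register("bob", "hunter2", Set.of("user"), Set.of("user:view"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new InMemoryHashedRealm()));
        Subject subject = SecurityUtils.getSubject();

        System.out.println("wrong password  -> " + login(subject, "alice", "wrong"));
        System.out.println("unknown user    -> " + login(subject, "mallory", "hunter2"));
        System.out.println("alice           -> " + login(subject, "alice", "correct horse battery staple"));
        System.out.println("administrator?  " + subject.hasRole("administrator"));
        System.out.println("user:create?    " + subject.isPermitted("user:create"));
        // WildcardPermission: a stored "user:delete" with no instance part implies every instance
        System.out.println("user:delete:42? " + subject.isPermitted("user:delete:42"));
        System.out.println("user:view?      " + subject.isPermitted("user:view"));
        subject.logout();
        System.out.println("authenticated after logout? " + subject.isAuthenticated());
        System.exit(0); // stop Shiro's session-validation thread
    }
}
```

Running main reports both failed logins identically, alice's role and permission checks succeed, and `user:delete:42` is permitted even though only `user:delete` was granted, which is the least-privilege trap to watch for when permission strings omit the instance part. In the Spring wiring from step 3 the same matcher is attached with a nested `<property name="credentialsMatcher">` bean on the realm; the realm class itself only gains the salt argument to SimpleAuthenticationInfo.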