<!--shiro 的web过滤器-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"></property>
<!--loginUrl认证提交地址 ,如果没有认证将会请求此地址进行认证,
请求地址由formAuthenticationFilter进行表单认证-->
<property name="loginUrl" value="/login.action"></property>
<!--认证成功后,跳转路径 建议不配置,认证成功后自动到上一个请求路径-->
<!--<property name="successUrl" value="/first.action"></property>-->
<!--通过unauthorizedUrl指定没有权限操作时跳转页面-->
<property name="unauthorizedUrl" value="/refuse.jsp"></property>
<!--过滤器定义,从上到下顺序执行,一般将/** 放在最下面-->
<property name="filterChainDefinitions">
<value>
<!--/**=anon 所有url都可以匿名访问-->
<!--/**=anon-->
<!--静态资源进行匿名访问-->
/images/**=anon
/js/**=anon
/styles/**=anon
<!--logoutFilter 退出自动清除session-->
/logout.action=logout
<!-- /** = authc 所有url都必须认证通过才可以访问-->
/** = authc
<!-- /** = anon所有url都可以匿名访问 -->
</value>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="customRealm"></property>
</bean>
<bean id="customRealm" class="cn.tencent.shiro.shiro.CustomRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"></property>
</bean>
<!--凭证匹配器-->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="md5"></property>
<property name="hashIterations" value="1"></property>
</bean>
自定义Realm
public class CustomRealm extends AuthorizingRealm {
//注入service
@Autowired
private SysService sysService;
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
// 设置realm的名称
@Override
public void setName(String name) {
super.setName("customRealm");
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//1 从token中取出用户名
String userCode = (String) token.getPrincipal();
//2 数据库中获取
SysUser sysUser = sysService.findSysUserByUserCode(userCode);
if (sysUser == null) {
return null;
}
String password = sysUser.getPassword();
String salt = sysUser.getSalt();
ActiveUser activeUser = new ActiveUser();
activeUser.setUserid(sysUser.getId());
activeUser.setUsercode(sysUser.getUsercode());
activeUser.setUsername(sysUser.getUsername());
List<SysPermission> menuLists = null;
try {
menuLists = sysService.findMenuListByUserId(sysUser.getId());
} catch (Exception e) {
e.printStackTrace();
}
activeUser.setMenus(menuLists);
// password
// 如果查询到了,返回AuthenticationInfo
// 如果密码不匹配,抛出IncorrectCredentialsException
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(activeUser,
sysUser.getPassword(), ByteSource.Util.bytes(salt), this.getName());
return simpleAuthenticationInfo;
}
}
login.action处理
@RequestMapping(value = "login.action")
public String login(HttpServletRequest request) throws Exception {
//登录失败从request中获取认证异常信息 shiroLoginFailure 就是shiro异常类的全限定名
String exceptionClassName = (String) request.getAttribute("shiroLoginFailure");
//根据shiro返回的异常类型路径判断,抛出指定异常信息
if (exceptionClassName != null) {
if (UnknownAccountException.class.getName().equals(exceptionClassName)) {
throw new CustomException("账号不存在");
} else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {
throw new CustomException("账号密码错误");
} else {
throw new Exception();
}
}
////此方法不处理登陆成功(认证成功),shiro认证成功会自动跳转到上一个请求路径
//login.jsp界面
return "login";
}
