- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"/>
, 否则controller无法使用注解.
这种方式可能可以避免使用 sessionValidationScheduler; 只要不使用它, 就能使用高版本的 Quartz 了.
配置会话监听:
Java代码
- package com.pandy.core.security.session;
- import org.apache.shiro.session.Session;
- import org.apache.shiro.session.SessionListener;
- // Session listener registered with the session manager; Shiro's SessionListener
- // interface defines the callbacks onStart, onStop and onExpiration.
- // The method bodies are elided by the author ("......").
- public class CoreSessionListener implements SessionListener {
- ......
- }
Xml代码
- <!-- Session manager: registers CoreSessionListener so that it receives session events -->
- <!-- NOTE(review): this bean only takes effect once the securityManager bean references it through its sessionManager property; the reference configuration further down this page sets only realm and cacheManager. Confirm the wiring. -->
- <bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
- <property name="sessionListeners">
- <list>
- <bean id="sessionListener" class="com.pandy.core.security.session.CoreSessionListener"/>
- </list>
- </property>
- </bean>
一些配置参考:
Xml代码
- <?xml version="1.0" encoding="UTF-8"?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
- default-lazy-init="true">
- <description>Shiro Configuration</description>
- <!-- Shiro's main business-tier object for web-enabled applications -->
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <property name="realm" ref="shiroDbRealm" />
- <property name="cacheManager" ref="cacheManager" />
- </bean>
- <!-- Project-specific Realm (authentication and authorization data source) -->
- <bean id="shiroDbRealm" class="cn.ssms.realm.ShiroDbRealm">
- <property name="cacheManager" ref="cacheManager" />
- </bean>
- <!-- Shiro Filter -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager" />
- <!-- loginUrl is where unauthenticated requests are redirected; it is mapped to anon below so the login page itself stays reachable -->
- <property name="loginUrl" value="/tologin.html" />
- <property name="successUrl" value="/view/index.html" />
- <property name="unauthorizedUrl" value="/error/noperms.jsp" />
- <!-- Chain definitions are matched top to bottom and the first matching pattern wins. The closing "/** = authc" requires authentication for every path not listed above it, so any new public URL has to be added before that line. "/index.html = authc" is already covered by that catch-all. -->
- <!-- NOTE(review): "/logout.html = anon" leaves logout to the application's own handler, which has to call Subject.logout() itself; Shiro also ships a built-in "logout" filter. -->
- <property name="filterChainDefinitions">
- <value>
- /index.html = authc
- /login.html = anon
- /tologin.html = anon
- /logout.html = anon
- /** = authc
- </value>
- </property>
- </bean>
- <!-- Cache for user authorization info -->
- <!-- NOTE(review): cached roles and permissions stay in effect until the entry is evicted; after changing a user's roles, clear the cache (ShiroDbRealm exposes clearCachedAuthorizationInfo for this). -->
- <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
- <!-- Ensures that beans implementing Shiro's internal lifecycle callbacks have them invoked -->
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
- <!-- AOP-style method-level permission checks; proxyTargetClass=true requests class-based proxies -->
- <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
- depends-on="lifecycleBeanPostProcessor">
- <property name="proxyTargetClass" value="true" />
- </bean>
- <!-- Advisor that applies Shiro's authorization annotations using the securityManager above -->
- <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
- <property name="securityManager" ref="securityManager" />
- </bean>
- </beans>
Realm类:
Java代码
- package cn.ssms.realm;
- import java.util.HashSet;
- import java.util.Set;
- import javax.annotation.PostConstruct;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.AuthenticationInfo;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.authc.IncorrectCredentialsException;
- import org.apache.shiro.authc.SimpleAuthenticationInfo;
- import org.apache.shiro.authc.UsernamePasswordToken;
- import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.cache.Cache;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.subject.PrincipalCollection;
- import org.apache.shiro.subject.SimplePrincipalCollection;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.beans.factory.annotation.Autowired;
- import cn.ssms.model.User;
- import cn.ssms.service.UserService;
- import cn.ssms.util.CipherUtil;
- import cn.ssms.util.EncryptUtils;
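/**
 * Shiro realm that looks users up through {@link UserService} for authentication and
 * supplies roles and permissions for authorization.
 */
public class ShiroDbRealm extends AuthorizingRealm {

    private static final Logger logger = LoggerFactory.getLogger(ShiroDbRealm.class);

    // Only referenced by the disabled initCredentialsMatcher() at the bottom of this class.
    private static final String ALGORITHM = "MD5";

    @Autowired
    private UserService userService;

    public ShiroDbRealm() {
        super();
    }

    /**
     * Authentication callback, invoked by Shiro on login.
     *
     * <p>Returns the stored credentials for the submitted login name; the comparison with the
     * submitted password is done afterwards by the realm's credentials matcher.
     *
     * @param authcToken the submitted token, expected to be a {@link UsernamePasswordToken}
     * @return the account's principal ({@code user.getName()}) and stored password
     * @throws AuthenticationException if no login name was submitted or no account matches it
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String username = token.getUsername();
        if (username == null || username.isEmpty()) {
            throw new AuthenticationException("Authentication failed");
        }

        User user = userService.findUserByLoginName(username);
        if (user == null) {
            // Same generic message as above so the exception text does not reveal
            // whether an account exists. The User object and the submitted values are
            // deliberately not written to stdout or the log: they may carry the password.
            logger.debug("Authentication failed: no account for the submitted login name");
            throw new AuthenticationException("Authentication failed");
        }
        return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
    }

    /**
     * Authorization callback, invoked when an access check is made and the user's
     * authorization info is not in the cache.
     *
     * <p>NOTE(review): this is the author's placeholder ("write the authorization code here").
     * It ignores {@code principals} and grants the same hard-coded roles, including
     * {@code "admin"}, and permissions to every authenticated user. Replace it with a
     * per-user lookup before using this realm outside a demo.
     *
     * @param principals the principals of the subject being authorized (currently unused)
     * @return the hard-coded roles and permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Set<String> roleNames = new HashSet<String>();
        Set<String> permissions = new HashSet<String>();
        roleNames.add("admin");
        roleNames.add("zhangsan");
        permissions.add("user.do?myjsp");
        permissions.add("login.do?main");
        permissions.add("login.do?logout");

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roleNames);
        info.setStringPermissions(permissions);
        return info;
    }

    /**
     * Evicts the cached authorization info of one user so it is reloaded on the next check.
     *
     * @param principal the user's principal; it has to be the same value that
     *     {@link #doGetAuthenticationInfo} stores as principal ({@code user.getName()})
     */
    public void clearCachedAuthorizationInfo(String principal) {
        SimplePrincipalCollection principals = new SimplePrincipalCollection(principal, getName());
        clearCachedAuthorizationInfo(principals);
    }

    /**
     * Evicts the cached authorization info of all users.
     */
    public void clearAllCachedAuthorizationInfo() {
        Cache<Object, AuthorizationInfo> cache = getAuthorizationCache();
        if (cache != null) {
            // clear() instead of removing key by key: no mutation of the cache while
            // iterating over its own key set.
            cache.clear();
        }
    }

    // NOTE(review): the credentials matcher below is disabled, so this class sets no
    // matcher of its own. Shiro's default SimpleCredentialsMatcher compares the submitted
    // password with the stored value as-is, which only works if user.getPassword() holds
    // the password in the same form as the token (presumably unhashed, unless the caller
    // hashes before building the token - confirm). Unsalted MD5 is not adequate for
    // password storage either; prefer a salted, iterated scheme such as Shiro's
    // PasswordMatcher with DefaultPasswordService.
    // @PostConstruct
    // public void initCredentialsMatcher() { // MD5 hashing
    // HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
    // setCredentialsMatcher(matcher);
    // }
}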
UserService实现类
Java代码
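/**
 * {@link UserService} implementation that delegates user lookups to {@code UserMapper}.
 */
@Service("userService")
public class UserServiceImpl implements UserService {

    @Autowired
    private UserMapper userMapper;

    /**
     * Loads a user by primary key.
     *
     * @param id the user's primary key
     * @return whatever {@code userMapper.selectByPrimaryKey} returns for that key
     */
    public User getUserById(int id) {
        return userMapper.selectByPrimaryKey(id);
    }

    /**
     * Loads a user by login name; called by the realm during authentication.
     *
     * @param username the login name submitted by the client (untrusted input)
     * @return whatever {@code userMapper.findUserByLoginName} returns for that name
     */
    @Override
    public User findUserByLoginName(String username) {
        // The debug println that ran on every lookup was dropped: stdout is not a log,
        // and this method is reached on every login attempt.
        return userMapper.findUserByLoginName(username);
    }
}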
- 框架/平台构成:
Maven+Springmvc + Mybatis + Shiro(权限)+ Tiles(模板) +ActiveMQ(消息队列) + Rest(服务) + WebService(服务)+ EHcache(缓存) + Quartz(定时调度)+ Html5(支持PC、IOS、Android)
用户权限系统:
组织结构:角色、用户、用户组、组织机构;权限点:页面、方法、按钮、数据权限、分级授权项目管理新体验:
快速出原型系统、组件树、版本控制、模块移植、协同开发、实时监控、发布管理可持续集成:
所有组件可移植、可定制、可扩充,开发成果不断积累,形成可持续发展的良性循环支持平台平台:
Windows XP、Windows 7 、Windows 10 、 Linux 、 Unix服务器容器:
Tomcat 5/6/7 、Jetty、JBoss、WebSphere 8.5
时间: 2024-10-10 13:39:02