springmvc+shiro+maven 实现登录认证与权限授权管理

<!-- shiro -->  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-core</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-web</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-ehcache</artifactId>   <version>1.2.1</version>  </dependency>  <dependency>   <groupId>org.apache.shiro</groupId>   <artifactId>shiro-spring</artifactId>   <version>1.2.1</version>  </dependency> 

<!-- 配置shiro的核心拦截器 -->  <filter>   <filter-name>shiroFilter</filter-name>   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  </filter>  <filter-mapping>   <filter-name>shiroFilter</filter-name>   <url-pattern>/admin/*</url-pattern>  </filter-mapping> 

<beans xmlns="http://www.springframework.org/schema/beans"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"  xmlns:context="http://www.springframework.org/schema/context"  xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx"  xsi:schemaLocation="http://www.springframework.org/schema/beans    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd    http://www.springframework.org/schema/mvc    http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd    http://www.springframework.org/schema/context    http://www.springframework.org/schema/context/spring-context-3.2.xsd    http://www.springframework.org/schema/aop    http://www.springframework.org/schema/aop/spring-aop-3.2.xsd    http://www.springframework.org/schema/tx    http://www.springframework.org/schema/tx/spring-tx-3.2.xsd ">  <!-- web.xml中shiro的filter对应的bean -->  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">   <!-- 管理器，必须设置 -->   <property name="securityManager" ref="securityManager" />   <!-- 拦截到，跳转到的地址,通过此地址去认证 -->   <property name="loginUrl" value="/admin/login.do" />   <!-- 认证成功统一跳转到/admin/index.do，建议不配置，shiro认证成功自动到上一个请求路径 -->   <property name="successUrl" value="/admin/index.do" />   <!-- 通过unauthorizedUrl指定没有权限操作时跳转页面 -->   <property name="unauthorizedUrl" value="/refuse.jsp" />   <!-- 自定义filter，可用来更改默认的表单名称配置 -->   <property name="filters">    <map>     <!-- 将自定义 的FormAuthenticationFilter注入shiroFilter中 -->     <entry key="authc" value-ref="formAuthenticationFilter" />    </map>   </property>   <property name="filterChainDefinitions">    <value>     <!-- 对静态资源设置匿名访问 -->     /images/** = anon     /js/** = anon     /styles/** = anon     <!-- 验证码，可匿名访问 -->     /validatecode.jsp = anon     <!-- 请求 logout.do地址，shiro去清除session -->     /admin/logout.do = logout     <!--商品查询需要商品查询权限 ，取消url拦截配置，使用注解授权方式 -->     <!-- /items/queryItems.action = perms[item:query] /items/editItems.action       = perms[item:edit] -->     <!-- 配置记住我或认证通过可以访问的地址 -->     /welcome.jsp = user     /admin/index.do = user     <!-- /** = authc 所有url都必须认证通过才可以访问 -->     /** = authc    </value>   </property>  </bean>  <!-- securityManager安全管理器 -->  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">   <property name="realm" ref="customRealm" />   <!-- 注入缓存管理器 -->   <property name="cacheManager" ref="cacheManager" />   <!-- 注入session管理器 -->   <!-- <property name="sessionManager" ref="sessionManager" /> -->   <!-- 记住我 -->   <property name="rememberMeManager" ref="rememberMeManager" />  </bean>  <!-- 自定义realm -->  <bean id="customRealm" class="com.zhijianj.stucheck.shiro.CustomRealm">   <!-- 将凭证匹配器设置到realm中，realm按照凭证匹配器的要求进行散列 -->   <!-- <property name="credentialsMatcher" ref="credentialsMatcher" /> -->  </bean>  <!-- 凭证匹配器 -->  <bean id="credentialsMatcher"   class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">   <!-- 选用MD5散列算法 -->   <property name="hashAlgorithmName" value="md5" />   <!-- 进行一次加密 -->   <property name="hashIterations" value="1" />  </bean>  <!-- 自定义form认证过虑器 -->  <!-- 基于Form表单的身份验证过滤器，不配置将也会注册此过虑器，表单中的用户账号、密码及loginurl将采用默认值，建议配置 -->  <!-- 可通过此配置，判断验证码 -->  <bean id="formAuthenticationFilter"   class="com.zhijianj.stucheck.shiro.CustomFormAuthenticationFilter ">   <!-- 表单中账号的input名称,默认为username -->   <property name="usernameParam" value="username" />   <!-- 表单中密码的input名称,默认为password -->   <property name="passwordParam" value="password" />   <!-- 记住我input的名称,默认为rememberMe -->   <property name="rememberMeParam" value="rememberMe" />  </bean>  <!-- 会话管理器 -->  <bean id="sessionManager"   class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">   <!-- session的失效时长，单位毫秒 -->   <property name="globalSessionTimeout" value="600000" />   <!-- 删除失效的session -->   <property name="deleteInvalidSessions" value="true" />  </bean>  <!-- 缓存管理器 -->  <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">   <property name="cacheManagerConfigFile" value="classpath:shiro-ehcache.xml" />  </bean>  <!-- rememberMeManager管理器，写cookie，取出cookie生成用户信息 -->  <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">   <property name="cookie" ref="rememberMeCookie" />  </bean>  <!-- 记住我cookie -->  <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">   <!-- rememberMe是cookie的名字 -->   <constructor-arg value="rememberMe" />   <!-- 记住我cookie生效时间30天 -->   <property name="maxAge" value="2592000" />  </bean> </beans> 

public class CustomRealm extends AuthorizingRealm {  // 设置realm的名称  @Override  public void setName(String name) {   super.setName("customRealm");  }  @Autowired  private AdminUserService adminUserService;  /**   * 认证   */  @Override  protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {   // token中包含用户输入的用户名和密码   // 第一步从token中取出用户名   String userName = (String) token.getPrincipal();   // 第二步：根据用户输入的userCode从数据库查询   TAdminUser adminUser = adminUserService.getAdminUserByUserName(userName);   // 如果查询不到返回null   if (adminUser == null) {//    return null;   }   // 获取数据库中的密码   String password = adminUser.getPassword();   /**    * 认证的用户,正确的密码    */   AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(adminUser, password, this.getName());     //MD5 加密+加盐+多次加密 //<span style="color:#ff0000;">SimpleAuthenticationInfo authcInfo = new SimpleAuthenticationInfo(adminUser, password,ByteSource.Util.bytes(salt), this.getName());</span>   return authcInfo;  }  /**   * 授权,只有成功通过<span style="font-family: Arial, Helvetica, sans-serif;">doGetAuthenticationInfo方法的认证后才会执行。</span>   */  @Override  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {   // 从 principals获取主身份信息   // 将getPrimaryPrincipal方法返回值转为真实身份类型（在上边的doGetAuthenticationInfo认证通过填充到SimpleAuthenticationInfo中身份类型），   TAdminUser activeUser = (TAdminUser) principals.getPrimaryPrincipal();   // 根据身份信息获取权限信息   // 从数据库获取到权限数据   TAdminRole adminRoles = adminUserService.getAdminRoles(activeUser);   // 单独定一个集合对象   List<String> permissions = new ArrayList<String>();   if (adminRoles != null) {    permissions.add(adminRoles.getRoleKey());   }   // 查到权限数据，返回授权信息(要包括 上边的permissions)   SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();   // 将上边查询到授权信息填充到simpleAuthorizationInfo对象中   simpleAuthorizationInfo.addStringPermissions(permissions);   return simpleAuthorizationInfo;  }  // 清除缓存  public void clearCached() {   PrincipalCollection principals = SecurityUtils.getSubject().getPrincipals();   super.clearCache(principals);  } } 

<ehcache updateCheck="false" name="shiroCache">  <defaultCache    maxElementsInMemory="10000"    eternal="false"    timeToIdleSeconds="120"    timeToLiveSeconds="120"    overflowToDisk="false"    diskPersistent="false"    diskExpiryThreadIntervalSeconds="120"    /> </ehcache> 

public class CustomFormAuthenticationFilter extends FormAuthenticationFilter {  // 原FormAuthenticationFilter的认证方法  @Override  protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {   // 在这里进行验证码的校验    // 从session获取正确验证码   HttpServletRequest httpServletRequest = (HttpServletRequest) request;   HttpSession session = httpServletRequest.getSession();   // 取出session的验证码（正确的验证码）   String validateCode = (String) session.getAttribute("validateCode");    // 取出页面的验证码   // 输入的验证和session中的验证进行对比   String randomcode = httpServletRequest.getParameter("randomcode");   if (randomcode != null && validateCode != null && !randomcode.equals(validateCode)) {    // 如果校验失败，将验证码错误失败信息，通过shiroLoginFailure设置到request中    httpServletRequest.setAttribute("shiroLoginFailure", "randomCodeError");    // 拒绝访问，不再校验账号和密码    return true;   }   return super.onAccessDenied(request, response);  } } 

<%@ page language="java" contentType="text/html; charset=UTF-8"  pageEncoding="UTF-8"%> <%@ page import="java.util.Random"%> <%@ page import="java.io.OutputStream"%> <%@ page import="java.awt.Color"%> <%@ page import="java.awt.Font"%> <%@ page import="java.awt.Graphics"%> <%@ page import="java.awt.image.BufferedImage"%> <%@ page import="javax.imageio.ImageIO"%> <%  int width = 60;  int height = 32;  //create the image  BufferedImage image = new BufferedImage(width, height, BufferedImage.TYPE_INT_RGB);  Graphics g = image.getGraphics();  // set the background color  g.setColor(new Color(0xDCDCDC));  g.fillRect(0, 0, width, height);  // draw the border  g.setColor(Color.black);  g.drawRect(0, 0, width - 1, height - 1);  // create a random instance to generate the codes  Random rdm = new Random();  String hash1 = Integer.toHexString(rdm.nextInt());  // make some confusion  for (int i = 0; i < 50; i++) {   int x = rdm.nextInt(width);   int y = rdm.nextInt(height);   g.drawOval(x, y, 0, 0);  }  // generate a random code  String capstr = hash1.substring(0, 4);  //将生成的验证码存入session  session.setAttribute("validateCode", capstr);  g.setColor(new Color(0, 100, 0));  g.setFont(new Font("Candara", Font.BOLD, 24));  g.drawString(capstr, 8, 24);  g.dispose();  //输出图片  response.setContentType("image/jpeg");  out.clear();  out = pageContext.pushBody();  OutputStream strm = response.getOutputStream();  ImageIO.write(image, "jpeg", strm);  strm.close(); %> 

/**  * 到登录界面  *  * @return  * @throws Exception  */ @RequestMapping("login.do") public String adminPage(HttpServletRequest request) throws Exception {  // 如果登陆失败从request中获取认证异常信息，shiroLoginFailure就是shiro异常类的全限定名  String exceptionClassName = (String) request.getAttribute("shiroLoginFailure");  // 根据shiro返回的异常类路径判断，抛出指定异常信息  if (exceptionClassName != null) {   if (UnknownAccountException.class.getName().equals(exceptionClassName)) {    // 最终会抛给异常处理器    throw new CustomJsonException("账号不存在");   } else if (IncorrectCredentialsException.class.getName().equals(exceptionClassName)) {    throw new CustomJsonException("用户名/密码错误");   } else if ("randomCodeError".equals(exceptionClassName)) {    throw new CustomJsonException("验证码错误 ");   } else {    throw new Exception();// 最终在异常处理器生成未知错误   }  }  // 此方法不处理登陆成功（认证成功），shiro认证成功会自动跳转到上一个请求路径  // 登陆失败还到login页面  return "admin/login"; } 

AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(adminUser, password, this.getName());  return authcInfo; 

@RequestMapping("index.do") public String index(Model model) {  //从shiro的session中取activeUser  Subject subject = SecurityUtils.getSubject();  //取身份信息  TAdminUser adminUser = (TAdminUser) subject.getPrincipal();  //通过model传到页面  model.addAttribute("adminUser", adminUser);  return "admin/index"; } 

<!-- shiro头引入 --> <%@ taglib uri="http://shiro.apache.org/tags" prefix="shiro"%> 

<!-- 有curd权限才显示修改链接，没有该 权限不显示，相当 于if(hasPermission(curd)) -->     <shiro:hasPermission name="curd">      <BR />      我拥有超级的增删改查权限额     </shiro:hasPermission> 

@RequestMapping("/queryInfo.do")  @RequiresPermissions("q")//执行需要"q"权限  public ModelAndView queryItems(HttpServletRequest request) throws Exception { } 

@RequestMapping("updatePassword.do")  @ResponseBody  public String updateAdminUserPassword(String newPassword) {   // 从shiro的session中取activeUser   Subject subject = SecurityUtils.getSubject();   // 取身份信息   TAdminUser adminUser = (TAdminUser) subject.getPrincipal();   // 生成salt,随机生成   SecureRandomNumberGenerator secureRandomNumberGenerator = new SecureRandomNumberGenerator();   String salt = secureRandomNumberGenerator.nextBytes().toHex();   Md5Hash md5 = new Md5Hash(newPassword, salt, 3);   String newMd5Password = md5.toHex();   // 设置新密码   adminUser.setPassword(newMd5Password);   // 设置盐   adminUser.setSalt(salt);   adminUserService.updateAdminUserPassword(adminUser);   return newPassword;  }