????[main]
????# ????????????е????????? /login
????authc.loginUrl=/login
????# ??????????????????????????? /unauthorized.jsp
????roles.unauthorizedUrl=/unauthorized.jsp
????# ?????????????????????? /unauthorized.jsp
????perms.unauthorizedUrl=/unauthorized.jsp
????[users]
lee1=123, admin
lee2=456, teacher
????lee3=789
????[roles]
admin=user:*, student:*
????teacher=student:*
????# ?? urls ??????? url ???????????????????
????# ? ???????????磺/admin? -> /admin1??/admin2
????# * ????????????????磺/admin* -> /admin??/admin1??/admin123
????# ** ?????·?????磺/admin/** -> /admin/??/admin/1??/admin/1/2
????[urls]
????# ??? anon ??????????anon ?????????????ο?
????/login=anon
????# ?????????????ж??? admin ??????????????
????/admin=roles[admin]
????# ???? /student ??????????? teacher
????/student=roles[teacher]
????# ???? /teacher ????? user:create
????/teacher=perms[user:create]
????LoginServlet.java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
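@WebServlet(urlPatterns = "/login") // Servlet 3.0 annotation registration; /login is mapped to "anon" in shiro.ini
public class LoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());

    /**
     * Renders the login form by forwarding to login.jsp.
     *
     * @param req  current request
     * @param resp current response
     * @throws ServletException if the forward fails
     * @throws IOException      if the forward fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        LOG.fine("login doGet");
        req.getRequestDispatcher("login.jsp").forward(req, resp);
    }

    /**
     * Handles a submitted login form: hands the username/password to Shiro and redirects to
     * success.jsp on success, or re-renders login.jsp with an {@code errorInfo} attribute on failure.
     *
     * @param req  current request; reads the {@code username} and {@code password} parameters
     * @param resp current response
     * @throws ServletException if the forward fails
     * @throws IOException      if the redirect or forward fails
     */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        LOG.fine("login doPost");
        String username = req.getParameter("username");
        String password = req.getParameter("password");

        // A missing or blank username can never authenticate; fail fast instead of
        // sending a null/empty key through the realm and its DAO.
        if (username == null || username.trim().isEmpty()) {
            failLogin(req, resp);
            return;
        }

        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            resp.sendRedirect("success.jsp");
        } catch (AuthenticationException e) {
            // Log only the exception type, not its message or stack trace: the message can
            // name the account, and the single generic errorInfo shown to the user keeps
            // "unknown account" indistinguishable from "wrong password".
            LOG.log(Level.INFO, "login failed: {0}", e.getClass().getSimpleName());
            failLogin(req, resp);
        } finally {
            // Zero the password chars held by the token once Shiro no longer needs them.
            token.clear();
        }
    }

    /**
     * Re-renders the login form with the generic failure message.
     * The message text was mis-encoded in this listing and is kept as-is.
     */
    private static void failLogin(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setAttribute("errorInfo", "??????????????");
        req.getRequestDispatcher("login.jsp").forward(req, resp);
    }
}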
????Default Filters
????Default Filters ?? Shiro ????????? Web ???????????????????????????ж?????????????
?????????? authc
????org.apache.shiro.web.filter.authc.FormAuthenticationFilter
????????????????????
??????“/**=authc”???????е??????????????????????
????????????usernameParam?????????????????????? username????
????passwordParam????????????????????password????
????rememberMeParam????????????????????rememberMe????
????loginUrl????????????/login.jsp????
????successUrl???????????????????????
????failureKeyAttribute????????????????洢key??shiroLoginFailure????
????authcBasic
????org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter
????Basic HTTP??????????????????????
????applicationName?????????????????????application????
????logout
????org.apache.shiro.web.filter.authc.LogoutFilter
???????????????????????
????redirectUrl????????????????????/??;
???????“/logout=logout”
????user
????org.apache.shiro.web.filter.authc.UserFilter
???????????????????????????/?????????????
???????“/**=user”
????anon
????org.apache.shiro.web.filter.authc.AnonymousFilter
??????????????????????????????????
?????????????????????
???????“/static/**=anon”
?????????? roles
????org.apache.shiro.web.filter.authz.RolesAuthorizationFilter
?????????????????????????????????н????
???????????? loginUrl????????????/login.jsp????
????unauthorizedUrl??δ???????????????
???????“/admin/**=roles[admin]”
????perms
????org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter
??????????????????????????????????????
?????????roles?????
“/user/**=perms["user:create"]”
????port
????org.apache.shiro.web.filter.authz.PortFilter
???????????????????????port??80????????????????
???????“/test= port[80]”???????????????????80?????????????????80?????????80????????·??/??????????
????rest
????org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter
????rest????????????????????????????????????
GET=read, POST=create, PUT=update, DELETE=delete,
HEAD=read, TRACE=read, OPTIONS=read, MKCOL=create,
??????????????????
???????“/users=rest[user]”??????????“user:read??user:create??user:update??user:delete”?????????????????????ж??????isPermittedAll????
????ssl
????org.apache.shiro.web.filter.authz.SslFilter
????SSL???????????????Э????https?????????
????????????????https????443????
??????????port???????????
???????? noSessionCreation
????org.apache.shiro.web.filter.session.NoSessionCreationFilter
???????????????????????? subject.getSession(false)????????????
??????????? subject.getSession(true)????? DisabledSessionException????
????????? Realm
????????????????????????ж???????????????????Real???д?????????Shiro?У????????Realm???????ó????е???????????????????????????£???Realm?л????????????????л??Shiro????????????????????Realm?????????????DAO??
??????α?д????? Realm
????CustomizeRealm.java
????import com.lee.shiro.dao.UserDao;
????import com.lee.shiro.dao.impl.UserDaoImpl;
????import com.lee.shiro.entity.User;
????import org.apache.shiro.authc.AuthenticationException;
????import org.apache.shiro.authc.AuthenticationInfo;
????import org.apache.shiro.authc.AuthenticationToken;
????import org.apache.shiro.authc.SimpleAuthenticationInfo;
????import org.apache.shiro.authz.AuthorizationInfo;
????import org.apache.shiro.authz.SimpleAuthorizationInfo;
????import org.apache.shiro.realm.AuthorizingRealm;
????import org.apache.shiro.subject.PrincipalCollection;
????import java.util.Set;
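public class CustomizeRealm extends AuthorizingRealm {

    private final UserDao userDao = new UserDaoImpl();

    /**
     * Authorization: loads the roles and string permissions of an already-authenticated user.
     * Shiro calls this (through AuthorizingRealm) only after doGetAuthenticationInfo succeeded,
     * when a roles[...] / perms[...] filter or hasRole/isPermitted check needs them.
     *
     * @param principalCollection principals of the current subject; the primary principal is the
     *                            username string passed to SimpleAuthenticationInfo below
     * @return the user's roles and permissions as returned by the DAO
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        String username = (String) principalCollection.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.setRoles(userDao.getRolesByUsername(username));
        info.setStringPermissions(userDao.getPermissionsByUsername(username));
        return info;
    }

    /**
     * Authentication: resolves the submitted principal to a stored account. The credential
     * comparison itself is done by Shiro's CredentialsMatcher, not here.
     *
     * @param token the submitted token; its principal is expected to be the username string
     * @return the stored username/password for the account, or {@code null} when no such account
     *         exists (with a single realm Shiro reports that as an UnknownAccountException)
     * @throws AuthenticationException never thrown directly by this implementation
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        // A missing or blank principal can never match an account; return null (unknown
        // account) without sending a null key through the DAO.
        if (username == null || username.trim().isEmpty()) {
            return null;
        }
        User user = userDao.getByUsername(username);
        if (user == null) {
            return null;
        }
        // NOTE(review): user.getPassword() is handed to Shiro as-is. Whether it is compared in
        // plaintext or as a (salted) hash depends on the CredentialsMatcher configured for this
        // realm, which is not visible here — confirm a hashed matcher is configured.
        // The realm name "userRealm" is a literal rather than getName(); it only labels the
        // principal in the PrincipalCollection.
        return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), "userRealm");
    }
}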