场景
Shiro官网关于Web整合文档:
http://shiro.apache.org/web.html#Web-configuration
W3Cschool Shiro Web集成:
https://www.w3cschool.cn/shiro/c52r1iff.html
实现
项目搭建
1.打开Ecllipse-新建Maven项目--选择Webapp
2.输入项目信息
3.项目建成后默认是1.5,是没有src/main/java目录的。
4.右键项目-Properties--Java Build Path Libraties--将原来的remove掉。
5.然后再点击Add Library ..-JRE System Library
6.选择自己默认的,这里是1.8
7.修改完之后。
8.建成之后项目没有META-INF目录,这里新建一个Dynamic Web Project 将META-INF复制过来,
并且web.xml的结构也不是我们想要的,将其也复制过来。
9.复制过来可以将原来新建的删掉,将复制过来的web.xml中的display-name进行修改。
10.打开pom.xml添加依赖
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.badao.shiro</groupId>
<artifactId>ShiroWeb</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>ShiroWeb Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<!-- 添加servlet支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>2.3.1</version>
</dependency>
<!-- 添加jstl支持 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- 添加日志支持 -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.2</version>
</dependency>
<!-- 添加shiro支持 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.4</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.12</version>
</dependency>
</dependencies>
<build>
<finalName>ShiroWeb</finalName>
</build>
</project>11.修改Index.jsp,添加Hello Shiro,然后部署运行项目。
配置项目
1.打开web.xml
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<!-- 添加shiro支持 -->
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
<init-param>
<param-name>configPath</param-name>
<param-value>/WEB-INF/shiro.ini</param-value>
</init-param>
</filter>
<!-- 过滤所有请求 -->
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>注:
通过 configPath 指定 ini 配置文件位置,默认是先从 /WEB-INF/shiro.ini 加载,如果没有就默认加载 classpath:shiro.ini,即默认相对于 web 应用上下文根路径;
2.在WEB-INF下新建shiro.ini配置文件。
[main]
authc.loginUrl=/login
roles.unauthorizedUrl=/unauthorized.jsp
perms.unauthorizedUrl=/unauthorized.jsp
[users]
badao=123,admin
liumang=123,teacher
qizhi=123
[roles]
admin=user:*
teacher=student:*
[urls]
/login=anon
/admin=authc
/student=roles[teacher]
/teacher=perms["user:create"]然后配置用户、角色、权限等。
注:
[main]
authc.loginUrl=/login
roles.unauthorizedUrl=/unauthorized.jsp
perms.unauthorizedUrl=/unauthorized.jsp以上表示:
authc.loginUrl=/login 验证不通过时的跳转url
roles.unauthorizedUrl=/unauthorized.jsp 角色验证不通过时的跳转页面
perms.unauthorizedUrl=/unauthorized.jsp 权限验证不通过时的跳转页面
[users]
badao=123,admin
liumang=123,teacher
qizhi=123以上表示有三个用户:
badao用户密码为123,拥有admin角色。
liumang用户密码为123,拥有teacher角色。
qizhi用户密码为123,没有角色。
[roles]
admin=user:*
teacher=student:*以上表示admin角色拥有对uset的所有权限。
teacher角色拥有对student的所有权限。
[urls]
/login=anon
/admin=authc
/student=roles[teacher]
/teacher=perms["user:create"]以上表示:
访问/login时不进行限制。具体参照官方API
访问/admin时需要进行验证,如果没有,则通过请求重定向到loginurl配置(authc.loginUrl=/login)体参照官方API
/student=roles[teacher]表示拥有teacher角色的才能访问/student url
/teacher=perms["user:create"]表示拥有对user有create权限的才能访问/teacher的url
其他配置具体参照官方文档。
编写业务代码
1.编写登录的servlet以及主页的servlet并在web.xml中配置
新建LoginServlet
代码:
package com.badao.servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
public class LoginServlet extends HttpServlet{
/**
*
*/
private static final long serialVersionUID = 1L;
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
// TODO Auto-generated method stub
System.out.println("login doget");
req.getRequestDispatcher("login.jsp").forward(req, resp);
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("login dopost");
String userName=req.getParameter("userName");
String password=req.getParameter("password");
Subject subject=SecurityUtils.getSubject();
UsernamePasswordToken token=new UsernamePasswordToken(userName, password);
try{
subject.login(token);
resp.sendRedirect("success.jsp");
}catch(Exception e){
e.printStackTrace();
req.setAttribute("errorInfo", "用户名或者密码错误");
req.getRequestDispatcher("login.jsp").forward(req, resp);
}
}
}打开web.xml,添加:
<servlet>
<servlet-name>loginServlet</servlet-name>
<servlet-class>com.badao.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>loginServlet</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
2.新建login.jsp,body中添加:
<form action="login" method="post">
userName:<input type="text" name="userName"/><br/>
password:<input type="password" name="password"/><br/>
<input type="submit" value="登录"/>
</form>3.新建success.jsp,body中添加:
登录成功,欢迎你!
4.新建unauthorized.jsp,body中添加:
认证未通过,或者权限不足
5.新建AdminServlet用于权限验证测试。
package com.badao.servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class AdminServlet extends HttpServlet{
private static final long serialVersionUID = 1L;
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("admin do get");
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
System.out.println("admin do post");
}
}6.打开web.xml,添加:
<servlet>
<servlet-name>adminServlet</servlet-name>
<servlet-class>com.badao.servlet.AdminServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>adminServlet</servlet-name>
<url-pattern>/admin</url-pattern>
</servlet-mapping>
完整web.xml代码
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>ShiroWeb</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<!-- 添加shiro支持 -->
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
<init-param>
<param-name>configPath</param-name>
<param-value>/WEB-INF/shiro.ini</param-value>
</init-param>
</filter>
<!-- 过滤所有请求 -->
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>loginServlet</servlet-name>
<servlet-class>com.badao.servlet.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>loginServlet</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>adminServlet</servlet-name>
<servlet-class>com.badao.servlet.AdminServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>adminServlet</servlet-name>
<url-pattern>/admin</url-pattern>
</servlet-mapping>
</web-app>项目结构目录
运行效果
不登录直接访问admin
登录成功
登录后访问admin
使用admin角色的badao用户访问/student
使用teacher角色的liumang用户访问/teacher
