惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Forbes - Security
Forbes - Security
T
Tailwind CSS Blog
Hugging Face - Blog
Hugging Face - Blog
Blog — PlanetScale
Blog — PlanetScale
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
Y
Y Combinator Blog
U
Unit 42
I
InfoQ
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
V
Visual Studio Blog
B
Blog RSS Feed
Vercel News
Vercel News
F
Fortinet All Blogs
Know Your Adversary
Know Your Adversary
T
Troy Hunt's Blog
博客园 - 【当耐特】
MongoDB | Blog
MongoDB | Blog
大猫的无限游戏
大猫的无限游戏
A
About on SuperTechFans
Jina AI
Jina AI
小众软件
小众软件
T
Threatpost
有赞技术团队
有赞技术团队
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Microsoft Azure Blog
Microsoft Azure Blog
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
Scott Helme
Scott Helme
B
Blog
腾讯CDC
Last Week in AI
Last Week in AI
P
Proofpoint News Feed
S
Schneier on Security
N
News and Events Feed by Topic
Microsoft Security Blog
Microsoft Security Blog
K
Kaspersky official blog
G
Google Developers Blog
T
Tor Project blog
PCI Perspectives
PCI Perspectives
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
Latest news
Latest news
Google DeepMind News
Google DeepMind News
MyScale Blog
MyScale Blog
罗磊的独立博客

博客园 - 碧血黄沙-java、c#

nginx反向代理tomcat应用,struts2网站程序redirect时导致请求地址错误的解决方法 开源一个最近写的spring与mongodb结合的demo(spring-mongodb-demo) java的struts2项目实现网站首页只显示域名不显示index.do的做法 用WPF开发仿QQ概念版之--------MessageWindow开发以及Demo下载 用WPF开发仿QQ概念版之--------Loading预加载界面(闪屏窗体) 用WPF开发仿QQ概念版之--------登录界面 纪念一下我在2009年开发的一款网站客户端软件[winform] 参考XNA官方Platformer模版,修改Platformer为横版可以滚动的小游戏 Xna小游戏开发【飞机空间大战】 Airfey Radio网络电台播放器V2.0绿色单文件版本发布(大小仅296KB) 一种开发软件的新思路,给Web页面穿个马甲,用web页面做软件UI,用C#(或者C++等其它语言)代码做功能 Airfey Radio网络电台播放器V2.0版本发布(2010.4.18最新更新) Airfey Radio网络电台播放器V1.0.0.0版本发布(2010.1.29更新)此版本不再更新,转入2.0版本开发 网络电台播放器即将开放下载,敬请期待!!! 在WinForm里面使用多线程修改主线程上的一个Label的值 在几千条记录里,存在着些相同的记录,如何能用SQL语句,删除掉重复的呢? 发布Winform自定义控件snMessageBox,基于系统的MesssageBox实现重绘,需要源码者请留下邮箱 [原创]WinForm中重绘滚动条以及用重绘的滚动条控制ListBox的滚动 高仿QQMusic播放器,浅谈WinForm关于UI的制作
基于spring框架的apache shiro简单集成
碧血黄沙-java、c# · 2013-07-11 · via 博客园 - 碧血黄沙-java、c#

关于项目的安全保护,我一直想找一个简单配置就能达到目的的方法,自从接触了shiro,这个目标总算达成了,以下结合我使用shiro的经验,谈谈比较轻便地集成该功能。

首先我们先了解一下shiro是什么。

apache shiro 是一个功能强大易于使用Java安全框架,为开发人员提供一个直观而全面的解决方案认证,授权加密会话管理

其实按照我个人的理解,就是个过滤器,按照配置(或者注解)的规则进行权限验证。

我的项目基于maven管理依赖jar包,首先把apache shiro相关需要用到的jar引入:

<!-- shiro -->
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-web</artifactId>
                <version>1.2.1</version>
            </dependency>
            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-spring</artifactId>
                <version>1.2.1</version>
            </dependency>

            <dependency>
                <groupId>org.apache.shiro</groupId>
                <artifactId>shiro-ehcache</artifactId>
                <version>1.2.1</version>
            </dependency>

其中shiro-web和shiro-spring必须,如果要缓存权限的话,就引入shiro-ehcache,后边会详细说道shiro-ehcache的使用。

看一下login.action里是如何实现用户登录写入的,获取用户表单信息以及查询数据库验证就不说了,直接上关键代码:


            //验证用户信息后进行token写入,这里为了简单,我把用户的id和姓名作为token的username和password
            UsernamePasswordToken token = new UsernamePasswordToken(m.getId()
                    .toString(), m.getUsername());
            Subject subject1 = SecurityUtils.getSubject();
            subject1.login(token);
            subject1.getSession();
    

既然是个过滤器,那我们就看一下这个过滤器的写法:

package com.airfey.tech.nuo.action.shiro.filter;

import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;

import com.airfey.tech.nuo.common.security.MD5;
import com.airfey.tech.nuo.core.domain.Manager;
import com.airfey.tech.nuo.core.service.ManagerService;

public class shiroFilter implements Filter {
//管理员用户service @Resource
private ManagerService managerService; @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { Subject subjects = SecurityUtils.getSubject(); HttpServletRequest requestHttp = (HttpServletRequest) request; HttpServletResponse responseHttp = (HttpServletResponse) response; Principal principal = requestHttp.getUserPrincipal(); if (null != principal) {
//principal.getName()里保存的是用户的id,就是上边登录处token里的信息 System.out.println(principal.getName()); Manager m
= managerService.findOne(Long.parseLong(principal .getName())); if (null != m && 1 == m.getAudit()) { UsernamePasswordToken token = new UsernamePasswordToken( m.getId(), m.getId());//作为例子,这里我只是把用户id放进了token,你可以修改成其它复杂点的信息 Subject subject1 = SecurityUtils.getSubject(); subject1.login(token); subject1.getSession(); } else { if (subjects != null) { subjects.logout(); } } } chain.doFilter(requestHttp, responseHttp); } @Override public void destroy() { } }

至此,可以说登录和过滤器已经完成了。然后就进行web.xml和spring文件以及权限验证的实现。

1、在web.xml里加入shiro的过滤器配置:

<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

此过滤器要位于所有过滤器的前面。

 2、权限验证代码实现,我们写一个realm类集成shiro的AuthorizingRealm

package com.airfey.tech.nuo.action.shiro.realm;

import javax.annotation.Resource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class ShiroRealm extends AuthorizingRealm {

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
        if (principals == null) {
            throw new AuthorizationException(
                    "PrincipalCollection method argument cannot be null.");
        }
        String username = (String) getAvailablePrincipal(principals);
        System.out.println("-------------------" + username);//输出的其实是用户id

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // 增加默认角色
        info.addRole("ROLE_USER");
/*以下可以从数据库获取用户的角色以及权限信息,获取到的信息添加入info即可,具体获取数据库的代码我就省略了*/
// // 增加自定义角色 // if (null != userInfo.getRoleList()) { // for (RoleInfo roleInfo : userInfo.getRoleList()) { // if (null != roleInfo.getName() // && !"".equals(roleInfo.getName())) { // info.addRole(roleInfo.getName()); // } // } // } // if (null != userInfo.getModuleInfo()) { // for (ModuleInfo moduleInfo : userInfo.getModuleInfo()) { // if (null != moduleInfo.getGuid() // && !"".equals(moduleInfo.getGuid())) { // info.addStringPermission(moduleInfo.getGuid()); // } // } // } return info; } @Override protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken authcToken) throws AuthenticationException { UsernamePasswordToken token = (UsernamePasswordToken) authcToken; String userName = token.getUsername(); if (userName != null && !"".equals(userName)) { return new SimpleAuthenticationInfo(token.getPrincipal(), token.getPassword(), token.getUsername()); } return null; } /** * 清空用户关联权限认证,待下次使用时重新加载。 * * @param principal */ public void clearCachedAuthorizationInfo(String principal) { SimplePrincipalCollection principals = new SimplePrincipalCollection( principal, getName()); clearCachedAuthorizationInfo(principals); } /** * 清空所有关联认证 */ public void clearAllCachedAuthorizationInfo() { Cache<Object, AuthorizationInfo> cache = getAuthorizationCache(); if (cache != null) { for (Object key : cache.keys()) { cache.remove(key); } } } }

3、applicationContext.xml的配置 (这里只保留了shiro相关的信息)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:aop="http://www.springframework.org/schema/aop" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa-1.0.xsd">
    
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="successUrl" value="/manage/index.do" />
        <property name="loginUrl" value="/manage/login.do" />
        <property name="unauthorizedUrl" value="/manage/401.html" />
        <property name="filters">
            <map>
                <entry key="authc" value-ref="shiro"></entry>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /manage/admin.html = authc,perms[shiro_admin:view]
                /manage/user.html=authc,perms[shiro_user:view]
                /manage/login.do=anon
                /manage/401.html=anon
/manage/js/**=anon
/manage/img/**=anon
/manage/kindeditor/**=anon /manage/**=authc,roles["ROLE_USER"] /**=anon
</value> </property> </bean> <bean id="shiro" class="com.airfey.tech.nuo.action.shiro.filter.shiroFilter"> </bean> <bean id="shiroRealm" class="com.airfey.tech.nuo.action.shiro.realm.ShiroRealm" /> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="shiroRealm" /> <property name="cacheManager" ref="shiroEhcacheManager" /> </bean> <!-- 用户授权信息Cache, 采用EhCache,需要的话就配置上此信息 --> <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager" /> </bean> </beans>

验证规则里如下让静态文件比如js img 目录配置上anon

/manage/admin.html = authc,perms[shiro_admin:view]

/manage/user.html=authc,perms[shiro_user:view]

/manage/login.do=anon

/manage/401.html=anon

/manage/js/**=anon

/manage/img/**=anon

/manage/kindeditor/**=anon

/manage/**=authc,roles["ROLE_USER"]

/**=anon

结束,收工。好久不写这么长的博文了,敲起来真费劲。原创文章,文中难免有遗漏或者错误之处,请指正。