本項(xiàng)目由賣咸魚叔叔開發(fā)完成�,歡迎大神指點(diǎn)��,慎重抄襲����!參考了sojson提供的demo,和官方文檔介紹��。完整實(shí)現(xiàn)了用戶�、角色、權(quán)限CRUD及分頁��,還有shiro的登錄認(rèn)證+授權(quán)訪問控制�。
項(xiàng)目架構(gòu):Maven + SpringMVC + Spring + Mybatis + Shiro + Redis
數(shù)據(jù)庫:MySql
前端框架:H-ui
首先創(chuàng)建Maven項(xiàng)目
1.pom.xml 加入依賴包
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>sys</groupId>
<artifactId>sys</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>sys Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<!-- spring依賴管理 -->
<!-- spring-context 是使用spring的最基本的環(huán)境支持依賴,會(huì)傳遞依賴core、beans��、expression���、aop等基本組件���,以及commons-logging、aopalliance -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.3.2.RELEASE</version>
</dependency>
<!-- spring-context-support 提供了對(duì)其他第三方庫的內(nèi)置支持�����,如quartz等 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>4.3.2.RELEASE</version>
</dependency>
<!-- spring-orm 是spring處理對(duì)象關(guān)系映射的組件�,傳遞依賴了jdbc、tx等數(shù)據(jù)庫操作有關(guān)的組件 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.3.2.RELEASE</version>
</dependency>
<!-- spring-webmvc 是spring處理前端mvc表現(xiàn)層的組件,也即是springMVC�����,傳遞依賴了web等web操作有關(guān)的組件 -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.3.2.RELEASE</version>
</dependency>
<!-- spring-aspects 增加了spring對(duì)面向切面編程的支持���,傳遞依賴了aspectjweaver -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>4.3.2.RELEASE</version>
</dependency>
<!-- json解析, springMVC 需要用到 -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.6.0</version>
</dependency>
<!-- mybatis依賴管理 -->
<!-- mybatis依賴 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis</artifactId>
<version>3.3.0</version>
</dependency>
<!-- mybatis和spring整合 -->
<dependency>
<groupId>org.mybatis</groupId>
<artifactId>mybatis-spring</artifactId>
<version>1.2.3</version>
</dependency>
<!-- mybatis 分頁插件 -->
<dependency>
<groupId>com.github.pagehelper</groupId>
<artifactId>pagehelper</artifactId>
<version>4.1.6</version>
</dependency>
<!-- mysql驅(qū)動(dòng)包依賴 -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.37</version>
</dependency>
<!-- c3p0依賴 -->
<dependency>
<groupId>com.mchange</groupId>
<artifactId>c3p0</artifactId>
<version>0.9.5</version>
</dependency>
<!-- redis java客戶端jar包 -->
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<version>2.9.0</version>
</dependency>
<!-- 文件上傳 -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.5</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-email</artifactId>
<version>1.4</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.7</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.2</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpcore</artifactId>
<version>4.4.4</version>
</dependency>
<!-- junit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
</dependency>
<!-- servlet依賴 -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<!-- jsp依賴 -->
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.2</version>
<scope>provided</scope>
</dependency>
<!-- jstl依賴 -->
<dependency>
<groupId>org.glassfish.web</groupId>
<artifactId>jstl-impl</artifactId>
<version>1.2</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>net.sf.json-lib</groupId>
<artifactId>json-lib</artifactId>
<version>2.4</version>
<classifier>jdk15</classifier>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
</dependency>
<!-- shiro依賴包 -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cas</artifactId>
<version>1.2.3</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-quartz</artifactId>
<version>1.2.3</version>
</dependency>
<!-- shiro end -->
</dependencies>
<build>
<finalName>sys</finalName>
<plugins>
<!-- 指定JDK編譯版本 -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
2.SSM框架配置
beans.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd">
<!-- 數(shù)據(jù)庫連接池 -->
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
<property name="driverClass" value="com.mysql.jdbc.Driver"/>
<property name="jdbcUrl" value="jdbc:mysql://localhost:3306/sys_test?characterEncoding=UTF8&allowMultiQueries=true"/>
<property name="user" value="root"/>
<property name="password" value="root"/>
<property name="maxPoolSize" value="100"/>
<property name="minPoolSize" value="10"/>
<property name="maxIdleTime" value="60"/>
</bean>
<!-- mybatis 的 sqlSessionFactory -->
<bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
<property name="dataSource" ref="dataSource"/>
<property name="configLocation" value="classpath:mybatis-config.xml"></property>
</bean>
<!-- mybatis mapper接口自動(dòng)掃描��、自動(dòng)代理 -->
<bean class="org.mybatis.spring.mapper.MapperScannerConfigurer">
<property name="basePackage" value="com.sys.mapper" />
</bean>
<!-- 事務(wù)管理器 -->
<bean id="txManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource" />
</bean>
<!-- 事務(wù)傳播行為 -->
<tx:advice id="txAdvice" transaction-manager="txManager">
<tx:attributes>
<tx:method name="select*" propagation="SUPPORTS" read-only="true"/>
<tx:method name="page*" propagation="SUPPORTS" read-only="true"/>
<tx:method name="is*" propagation="SUPPORTS" read-only="true"/>
<tx:method name="*" propagation="REQUIRED" read-only="false"/>
</tx:attributes>
</tx:advice>
<!-- 織入事務(wù)增強(qiáng)功能 -->
<aop:config>
<aop:pointcut id="txPointcut" expression="execution(* com.sys.service..*.*(..))" />
<aop:advisor advice-ref="txAdvice" pointcut-ref="txPointcut" />
</aop:config>
<!-- 配置掃描spring注解(@Component����、@Controller����、@Service���、@Repository)時(shí)掃描的包��,同時(shí)也開啟了spring注解支持 -->
<!-- 這個(gè)地方只需要掃描service包即可�����,因?yàn)閏ontroller包由springMVC配置掃描��,mapper包由上面的mybatis配置掃描 -->
<context:component-scan base-package="com.sys.service"></context:component-scan>
<!-- 開啟spring aop 注解支持��,要想aop真正生效�,還需要把切面類配置成bean -->
<aop:aspectj-autoproxy/>
</beans>
dispatcher-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd">
<!-- 配置掃描spring注解時(shí)掃描的包���,同時(shí)也開啟了spring注解支持 -->
<context:component-scan base-package="com.sys" />
<!-- 開啟springMVC相關(guān)注解支持 -->
<mvc:annotation-driven />
<!-- 開啟spring aop 注解支持 -->
<aop:aspectj-autoproxy/>
<!-- 約定大于配置:約定視圖頁面的全路徑 = prefix + viewName + suffix -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<!-- 文件上傳解析器 -->
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="104857600" />
<property name="defaultEncoding" value="UTF-8" />
<property name="maxInMemorySize" value="40960" />
</bean>
<!-- 資源映射 -->
<mvc:resources location="/css/" mapping="/css/**" />
<mvc:resources location="/js/" mapping="/js/**" />
<mvc:resources location="/images/" mapping="/images/**" />
<mvc:resources location="/skin/" mapping="/skin/**" />
<mvc:resources location="/lib/" mapping="/lib/**" />
</beans>
mybatis-config.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
<settings>
<!-- 使用log4j2作為日志實(shí)現(xiàn) -->
<setting name="logImpl" value="LOG4J2"/>
</settings>
<typeAliases>
<!-- 為指定包下的pojo類自動(dòng)起別名 -->
<package name="com.sys.pojo"/>
</typeAliases>
<mappers>
<!-- 自動(dòng)加載指定包下的映射配置文件 -->
<package name="com.sys.mapper"/>
</mappers>
</configuration>
Log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xml>
<Configuration status="OFF">
<Appenders>
<Console name="CONSOLE" target="SYSTEM_OUT">
<PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{0} - %msg%n" />
</Console>
<RollingFile name="ROLLING" fileName="/logs/ups-manager/log.log"
filePattern="/logs/log_%d{yyyy-MM-dd}_%i.log">
<PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/>
<Policies>
<TimeBasedTriggeringPolicy modulate="true" interval="1"/>
<SizeBasedTriggeringPolicy size="1024 KB"/>
</Policies>
<DefaultRolloverStrategy max="100"/>
</RollingFile>
</Appenders>
<Loggers>
<Root level="debug">
<AppenderRef ref="CONSOLE" />
<AppenderRef ref="ROLLING"/>
</Root>
<!-- 控制某些包下的類的日志級(jí)別 -->
<Logger name="org.mybatis.spring" level="error">
<AppenderRef ref="CONSOLE"/>
</Logger>
</Loggers>
</Configuration>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<!-- 初始化spring容器 -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 設(shè)置post請(qǐng)求編碼和響應(yīng)編碼 -->
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<!-- 為true時(shí)也對(duì)響應(yīng)進(jìn)行編碼 -->
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<!-- 設(shè)置為/*時(shí)才會(huì)攔截所有請(qǐng)求��,和servlet有點(diǎn)區(qū)別���,servlet設(shè)置為/*只攔截所有的一級(jí)請(qǐng)求,如/xx.do,而不攔截/xx/xx.do��;servlet設(shè)置為/時(shí)才會(huì)攔截所有請(qǐng)求 -->
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:spring-shiro.xml,
classpath:beans.xml,
classpath:dispatcher-servlet.xml
</param-value>
</context-param>
<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- 初始化springMVC容器 -->
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:dispatcher-servlet.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
3.實(shí)現(xiàn)用戶����、角色、權(quán)限頁面操作功能����,這里就不貼代碼了
4.接下來就是shiro,登錄認(rèn)證和授權(quán)只需要繼承AuthorizingRealm�����,其繼承了
AuthenticatingRealm(即身份驗(yàn)證)���,而且也間接繼承了
CachingRealm(帶有緩存實(shí)現(xiàn))����。身份認(rèn)證重寫doGetAuthenticationInfo方法�,授權(quán)重寫doGetAuthorizationInfo方法。
Shiro 默認(rèn)提供的 Realm
身份認(rèn)證流程
流程如下:
首先調(diào)用 Subject.login(token) 進(jìn)行登錄����,其會(huì)自動(dòng)委托給 Security Manager,調(diào)用之前必須通過 SecurityUtils.setSecurityManager() 設(shè)置����;
SecurityManager 負(fù)責(zé)真正的身份驗(yàn)證邏輯;它會(huì)委托給 Authenticator 進(jìn)行身份驗(yàn)證���;
Authenticator 才是真正的身份驗(yàn)證者���,Shiro API 中核心的身份認(rèn)證入口點(diǎn),此處可以自定義插入自己的實(shí)現(xiàn)���;
Authenticator 可能會(huì)委托給相應(yīng)的 AuthenticationStrategy 進(jìn)行多 Realm 身份驗(yàn)證�����,默認(rèn)
ModularRealmAuthenticator 會(huì)調(diào)用 AuthenticationStrategy 進(jìn)行多 Realm 身份驗(yàn)證���;
Authenticator 會(huì)把相應(yīng)的 token 傳入 Realm,從 Realm 獲取身份驗(yàn)證信息����,如果沒有返回 / 拋出異常表示身份驗(yàn)證失敗了。此處可以配置多個(gè) Realm���,將按照相應(yīng)的順序及策略進(jìn)行訪問���。
代碼實(shí)現(xiàn):
/**
*
*/package com.sys.shiro;import javax.annotation.Resource;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AccountException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.DisabledAccountException;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.subject.SimplePrincipalCollection;import org.apache.shiro.util.ByteSource;import com.sys.pojo.AdminUser;import com.sys.service.AdminUserService;/** * @ClassName: MyRealm
* @Description: shiro 認(rèn)證 + 授權(quán) 重寫 */public class MyRealm extends AuthorizingRealm {
@Resource
AdminUserService adminUserService;
/* (non-Javadoc)
* @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) */
/**
* 授權(quán)Realm */
@Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
String account = (String)principals.getPrimaryPrincipal();
AdminUser pojo = new AdminUser();
pojo.setAccount(account);
Long userId = adminUserService.selectOne(pojo).getId();
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(); /**根據(jù)用戶ID查詢角色(role)��,放入到Authorization里.*/
info.setRoles(adminUserService.findRoleByUserId(userId)); /**根據(jù)用戶ID查詢權(quán)限(permission)��,放入到Authorization里.*/
info.setStringPermissions(adminUserService.findPermissionByUserId(userId)); return info;
} /* (non-Javadoc)
* @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) */
/**
* 登錄認(rèn)證Realm */
@Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
String username = (String)token.getPrincipal();
String password = new String((char[])token.getCredentials());
AdminUser user = adminUserService.login(username, password); if(null==user){ throw new AccountException("帳號(hào)或密碼不正確���!");
} if(user.getIsDisabled()){ throw new DisabledAccountException("帳號(hào)已經(jīng)禁止登錄!");
} //**密碼加鹽**交給AuthenticatingRealm使用CredentialsMatcher進(jìn)行密碼匹配
return new SimpleAuthenticationInfo(user.getAccount(),user.getPassword(),ByteSource.Util.bytes("3.14159"), getName());
}
/**
* 清空當(dāng)前用戶權(quán)限信息 */
public void clearCachedAuthorizationInfo() {
PrincipalCollection principalCollection = SecurityUtils.getSubject().getPrincipals();
SimplePrincipalCollection principals = new SimplePrincipalCollection(
principalCollection, getName()); super.clearCachedAuthorizationInfo(principals);
} /**
* 指定principalCollection 清除 */
public void clearCachedAuthorizationInfo(PrincipalCollection principalCollection) {
SimplePrincipalCollection principals = new SimplePrincipalCollection(
principalCollection, getName()); super.clearCachedAuthorizationInfo(principals);
}
}
shiro的配置:
spring-shiro.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!--shiro 核心安全接口 -->
<property name="securityManager" ref="securityManager"></property>
<!--登錄時(shí)的連接 -->
<property name="loginUrl" value="/login"></property>
<!--未授權(quán)時(shí)跳轉(zhuǎn)的連接 -->
<property name="unauthorizedUrl" value="/unauthorized.jsp"></property>
<!-- 其他過濾器 -->
<property name="filters">
<map>
<!-- <entry key="rememberMe" value-ref="RememberMeFilter"></entry> -->
<entry key="kickout" value-ref="KickoutSessionControlFilter"/>
</map>
</property>
<!-- 讀取初始自定義權(quán)限內(nèi)容-->
<!-- 如果使用authc驗(yàn)證,需重寫實(shí)現(xiàn)rememberMe的過濾器,或配置formAuthenticationFilter的Bean -->
<property name="filterChainDefinitions">
<value>
/js/**=anon
/css/**=anon
/images/**=anon
/skin/**=anon
/lib/**=anon
/nodel/**=anon
/WEB-INF/jsp/**=anon
/adminUserLogin/**=anon
/**/submitLogin.do=anon /**=user,kickout
</value>
</property>
</bean>
<!-- Shiro生命周期處理器-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="MyRealm"/>
<property name="rememberMeManager" ref="rememberMeManager"/>
</bean>
<bean id="MyRealm" class="com.sys.shiro.MyRealm" >
<property name="cachingEnabled" value="false"/>
</bean>
<!-- 相當(dāng)于調(diào)用SecurityUtils.setSecurityManager(securityManager) -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
<!-- sessionIdCookie:maxAge=-1表示瀏覽器關(guān)閉時(shí)失效此Cookie -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe"/>
<property name="httpOnly" value="true"/>
<property name="maxAge" value="-1"/>
</bean>
<!-- 用戶信息記住我功能的相關(guān)配置 -->
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe"/>
<property name="httpOnly" value="true"/>
<!-- 配置存儲(chǔ)rememberMe Cookie的domain為 一級(jí)域名 這里如果配置需要和Session回話一致更好�。-->
<property name="maxAge" value="604800"/><!-- 記住我==保留Cookie有效7天 -->
</bean>
<!-- rememberMe管理器 -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<!-- rememberMe cookie加密的密鑰 建議每個(gè)項(xiàng)目都不一樣 默認(rèn)AES算法 密鑰長度(128 256 512 位)-->
<property name="cipherKey"
value="#{T(org.apache.shiro.codec.Base64).decode('3AvVhmFLUs0KTA3Kprsdag==')}"/>
<property name="cookie" ref="rememberMeCookie"/>
</bean>
<!-- 記住我功能設(shè)置session的Filter -->
<bean id="RememberMeFilter" class="com.sys.shiro.RememberMeFilter" />
<!-- rememberMeParam請(qǐng)求參數(shù)是 boolean 類型,true 表示 rememberMe -->
<!-- shiro規(guī)定記住我功能最多得user級(jí)別的�,不能到authc級(jí)別.所以如果使用authc,需打開此配置或重寫實(shí)現(xiàn)rememberMe的過濾器 -->
<!-- <bean id="formAuthenticationFilter" class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
<property name="rememberMeParam" value="rememberMe"/>
</bean> -->
<bean id="KickoutSessionControlFilter" class="com.sys.shiro.KickoutSessionControlFilter">
</bean>
</beans>
5.登錄即密碼失敗多次后鎖定
/**
*
*/package com.sys.controller;import java.util.LinkedHashMap;import java.util.Map;import javax.annotation.Resource;import javax.servlet.http.HttpServletRequest;import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AccountException;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.DisabledAccountException;import org.apache.shiro.authc.ExcessiveAttemptsException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;import org.springframework.stereotype.Controller;import org.springframework.web.bind.annotation.RequestMapping;import org.springframework.web.bind.annotation.RequestMethod;import org.springframework.web.bind.annotation.ResponseBody;import com.sys.pojo.AdminUser;import com.sys.service.AdminUserService;import com.sys.common.JedisUtils;import com.sys.shiro.ShiroUtils;/** * @ClassName: LoginController
* @Description: 登錄*/@Controllerpublic class LoginController{ protected final static Logger logger = LogManager.getLogger(LoginController.class); protected Map<String, Object> resultMap = new LinkedHashMap<String, Object>();
@Resource
AdminUserService adminUserService;
/**
* @Description: 登錄認(rèn)證
* @param um 登錄賬號(hào)
* @param pw 登錄密碼
* @param rememberMe 記住我
* @param request
* @return
* @throws
* @author lao
* @Date 2018年1月15日下午12:24:19
* @version 1.00 */
@RequestMapping(value="/submitLogin.do",method=RequestMethod.POST)
@ResponseBody public Map<String,Object> submitLogin(String um,String pw,boolean rememberMe,HttpServletRequest request){
Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(um,ShiroUtils.getStrByMD5(pw));
try{
token.setRememberMe(rememberMe);
subject.login(token);
JedisUtils.del(um);
logger.info("------------------身份認(rèn)證成功-------------------");
resultMap.put("status", 200);
resultMap.put("message", "登錄成功���!");
} catch (DisabledAccountException dax) {
logger.info("用戶名為:" + um + " 用戶已經(jīng)被禁用���!");
resultMap.put("status", 500);
resultMap.put("message", "帳號(hào)已被禁用!");
} catch (ExcessiveAttemptsException eae) {
logger.info("用戶名為:" + um + " 用戶登錄次數(shù)過多��,有暴力破解的嫌疑��!");
resultMap.put("status", 500);
resultMap.put("message", "登錄次數(shù)過多�����!");
} catch (AccountException ae) {
logger.info("用戶名為:" + token.getPrincipal() + " 帳號(hào)或密碼錯(cuò)誤���!");
String excessiveInfo = ExcessiveAttemptsInfo(um); if(null!=excessiveInfo){
resultMap.put("status", 500);
resultMap.p
