虽然Apache Shiro的核心设计目标允许它用于保护任何基于JVM的应用程序(如命令行应用程序,服务器守护程序,Web应用程序等),但本指南将着重讨论最常见的用例:确保运行的Web应用程序一个Servlet容器,比如Tomcat或者Jetty。 先决条件 预计将在本地开发机器上安装以下工具,以便跟随本教程。
- Java SDK 7
- Maven 3
- 您最喜爱的IDE,如IntelliJ IDEA或Eclipse,甚至是一个简单的文本编辑器来查看文件并进行更改。
<dependencies>
<!-- shiro -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
</dependencies>配置build
<build>
<finalName>shiro-web-test</finalName>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
</resource>
</resources>
<plugins>
<!-- jetty插件 -->
<plugin>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-maven-plugin</artifactId>
<!--<version>9.0.0.v20130308</version> -->
<version>9.2.7.v20150116</version>
<configuration>
<scanIntervalSeconds>3</scanIntervalSeconds>
<webApp>
<contextPath>/</contextPath>
</webApp>
<httpConnector>
<port>8080</port>
</httpConnector>
<reload>automatic</reload>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.18.1</version>
<configuration>
<skipTests>true</skipTests>
<testFailureIgnore>true</testFailureIgnore>
</configuration>
</plugin>
</plugins>
</build>添加shiro.ini文件(src/main/resources/shiro.ini)
# =======================
# Shiro INI configuration
# =======================
[main]
# Objects and their properties are defined here,
# Such as the securityManager, Realms and anything
# else needed to build the SecurityManager
[users]
admin = secret
lonestarr = vespa, goodguy, schwartz
darkhelmet = ludicrousspeed, badguy, schwartz
[roles]
admin = *
schwartz = lightsaber:*
goodguy = winnebago:drive:eagle5
[urls]
/user/** = authc
/login = anon配置web.xml
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>该
<listener>声明定义了一个ServletContextListener启动SecurityManagerWeb应用程序时启动Shiro环境(包括Shiro )的应用程序。默认情况下,这个侦听器会自动知道为我们的WEB-INF/shiro.ini文件寻找Shiro配置。该
<filter>声明定义了主人ShiroFilter。此过滤器将过滤所有对Web应用程序的请求,以便Shiro在允许请求到达应用程序之前执行必要的身份和访问控制操作。该
<filter-mapping>声明确保所有请求类型均由ShiroFilter。通常filter-mapping声明不指定<dispatcher>元素,但Shiro需要定义所有元素,以便可以过滤可能为Web应用程序执行的所有不同请求类型。
创建登陆页面
<%@ page language="java" contentType="text/html; charset=utf-8"
pageEncoding="utf-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Insert title here</title>
</head>
<body>
<form action="/login" method="post">
用户名:<input name="username" type="text"/>
密码:<input name="password" type="text"/>
<input type="submit" value="登陆" />
</form>
</body>
</html>创建登陆servlet
package com.coder306;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
public class Login extends HttpServlet {
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String username = req.getParameter("username");
String password = req.getParameter("password");
IniSecurityManagerFactory iniSecurityManagerFactory = new IniSecurityManagerFactory("classpath:shiro.ini");
SecurityManager securityManager = iniSecurityManagerFactory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
Subject subject = SecurityUtils.getSubject();
if(!subject.isAuthenticated()) {
UsernamePasswordToken token = new UsernamePasswordToken(username,password);
try {
subject.login(token);
resp.sendRedirect("/user/index.jsp");
}catch (UnknownAccountException uae) {
resp.sendRedirect("/login.jsp");
}catch (IncorrectCredentialsException ice) {
resp.sendRedirect("/login.jsp");
}catch (LockedAccountException lae) {
resp.sendRedirect("/login.jsp");
}
}else {
resp.sendRedirect("/user/index.jsp");
}
}
}web.xml配置servlet
<servlet>
<servlet-class>com.coder306.Login</servlet-class>
<servlet-name>login</servlet-name>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>运行webapp
mvn jetty:run