erp12---shiro框架使用

时间：2017-06-11 20:18:35 阅读：216 评论：0 收藏：0 [点我收藏+]

标签：ring space pid 权限设置 res import rac dos url

一、知识点：

1、认证：用户身份识别，常被称为用户登录，判断用户是否登录，如果未登录则拦截其请求；

授权：访问控制，当用户登录之后，判断其身份是否有权限访问相应的资源，如果没有权限则拦截

2、

认证：

anon--不认证也可以访问

authc--必须认证才可以访问

authcBasic，user

授权：

perms--指定资源需要哪些权限才可以访问

roles，sll，rest，port

authentication --认证

authorization --授权

authentication 认证

authorization 授权

二、erp整合shiro

1、pom.xml依赖

	<!-- shiro -->
	<!-- apache shiro dependencies -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-aspectj</artifactId>
            <version>${shiro.version}</version>
        </dependency>

2、web.xml配置shiro过滤器

配置在struts过滤器前面

		
	<filter>
		<filter-name>shiroFilter</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>shiroFilter</filter-name>
		<url-pattern>*.action</url-pattern>
		<url-pattern>*.html</url-pattern>
		<url-pattern>*</url-pattern>
	</filter-mapping>

或者urlpattern直接：<url-pattern>/*</url-pattern>

3、添加spring配置文件

applicationContext_shiro.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
						http://www.springframework.org/schema/beans/spring-beans.xsd"> 
						
	
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">		<!-- 			shiro框架的中央枢纽 -->
		<property name="securityManager" ref="securityManager" />

	<!-- 			如果访问页面或请求是没有当前登录人，会跳转到login.html中 -->	
		<property name="loginUrl" value="/login.html" /> 

    <!-- 		如果当前登录人访问的页面或请求没有权限时，跳转到error.html -->
		<property name="unauthorizedUrl" value="/error.html" /> 

		<property name="filterChainDefinitions">
			<value>					
				/error.html = anon								
				/*.html = authc					
			</value>
		</property>

	</bean>
	
            <!-- 			shiro框架的中央枢纽 -->
	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		
	</bean>
	
	
</beans>

其中bean对象的id要和web.xml里面的过滤器的名字要一样（shiroFilter）

三、认证：

1、用shiro框架改造登录方法：

//1、获取令牌

Md5Hash md5 = new Md5Hash(pwd, username, 2);

UsernamePasswordToken token = new UsernamePasswordToken(username,md5.toString());

//2、获取主题

Subject subject = SecurityUtils.getSubject();

//3、开始认证

try {

subject.login(token);

write(ajaxReturn(true, "登陆成功"));

} catch (AuthenticationException e) {

write(ajaxReturn(false, "登录失败，请重新登录"));

e.printStackTrace();

}

2、创建一个AuthorizingRealm的子类

private IEmpBiz empBiz;

public void setEmpBiz(IEmpBiz empBiz) {

this.empBiz = empBiz;

}

/**

* 认证

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) throws AuthenticationException {

UsernamePasswordToken token = (UsernamePasswordToken)arg0;

String username = token.getUsername();

String pwd=new String(token.getPassword());

Emp emp = empBiz.findEmpByUsernameAndPwd(username, pwd);

if (emp!=null) {

//参数一：主角参数二：密码参数三：realName

SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(emp, pwd,getName());//已经放到了session中

return info;

}

return null;//如果这里return 的是null，loginAction中的checkUser里就会抛异常

}

3、配置ApplicationContext_shiro.xml添加如下代码

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<property name="realm" ref="erpRealm" ></property>	
	</bean>
	
	
	<bean id="erpRealm" class="cn.itcast.erp.realm.ErpRealm" >
		<property name="empBiz" ref="empBiz" ></property>
	</bean>

将数据源和登录代码连接在一起

4、shiro的session管理

取数据：

Subject subject = SecurityUtils.getSubject();

Emp emp = (Emp) subject.getPrincipal();

销毁session数据：

Subject subject = SecurityUtils.getSubject();

subject.logout();

四、授权

1、完整的配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
						http://www.springframework.org/schema/beans/spring-beans.xsd"> 
						
<!-- 	当实例化一个bean是,spring保证该Bean所依赖的其他bean已经初始化 -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean" depends-on="myPermsFilter">
<!-- 			shiro框架的中央枢纽 -->
		<property name="securityManager" ref="securityManager" />	
<!-- 			如果访问页面或请求是没有当前登录人，会跳转到login.html中 -->
		<property name="loginUrl" value="/login.html" /> 
<!-- 		如果当前登录人访问的页面或请求没有权限时，跳转到error.html -->
		<property name="unauthorizedUrl" value="/error.html" /> 
		
		<property name="filters">
		 <map>
		  <entry key="perms" value-ref="myPermsFilter"></entry>
		 </map>
		</property>
		
		<property name="filterChainDefinitions">
			<value>					
				/error.html = anon
				/login_*.action=anon
									
				/emp_updatePwd.action= perms[]
				/pwd.html=perms["重置密码"]	
				/emp_updatePwd_reset.action=perms["重置密码"]
										
				/orders.html= perms["采购申请","采购订单查询","采购审核","采购确认","采购入库","销售订单录入","销售订单查询","销售订单出库"]	
				/orders_add.action= perms["采购申请","销售订单录入"]	
				/goods_list.action= perms["采购申请","销售订单录入","库存查询","库存变动记录"]						
				/supplier_list.action= perms["采购申请","销售订单录入"]
				
				/orders_listByPage.action= perms["采购申请","采购订单查询","采购审核","采购确认","采购入库","销售订单录入","销售订单查询","销售订单出库"]
				
				/orders_doCheck.action=perms["采购审核"]
				/orders_doStart.action=perms["采购确认"]	
				/store_mylist.action= perms["采购入库","销售订单出库"]
				/orderdetail_doInstore.action=perms["采购入库"]
				/orderdetail_doOutstore.action=perms["销售订单出库"]
				
				/storedetail.html= perms["库存查询"]
				
				
				
				/store_*.action= perms["仓库"]
				
				/goods_get.action= perms["库存查询","库存变动记录"]
				/store_list.action= perms["库存查询","库存变动记录"]
				/store_get.action= perms["库存查询","库存变动记录"]
				/storedetail_listByPage.action= perms["库存查询"]
				/storeoper_listByPage.action= perms["库存查询"]
			
				/storeoper.html= perms["库存变动记录"]
				/storeoper_listByPage.action= perms["库存变动记录"]
				/emp_list.action= perms["库存变动记录"]
				/emp_get.action= perms["库存变动记录"]
					
				/store.html= perms["仓库"]
				
	
				/orderReport.html= perms["销售统计表"]
				/report_orderReport*.action= perms["销售统计表"]
				/orderTrend.html= perms["销售趋势分析"]
				/report_orderTrend*.action= perms["销售趋势分析"]
								
				/roleMenuSet.html=perms["角色权限设置"]
				/role_list.action=perms["角色权限设置"]
				/role_readRoleMenus.action=perms["角色权限设置"]
				/role_updateRoleMenus.action=perms["角色权限设置"]
								
				/empRoleSet.html=perms["用户角色设置"]
				/emp_list.action=perms["用户角色设置"]
				/emp_readEmpRoles.action=perms["用户角色设置"]
				/emp_updateEmpRoles.action=perms["用户角色设置"]
				/role.html= perms["角色设置"]
				/role_*.action= perms["角色设置"]			
				/goodstype.html= perms["商品类型"]						
				/goodstype_*.action= perms["商品类型"]	
									
				/goods.html= perms["商品"]						
				/goods_*.action= perms["商品"]
				/supplier.html = perms["供应商","客户"]						
				/supplier_*.action = perms["供应商","客户"]
				
				
				/emp.html= perms["员工"]								
				/emp_*.action= perms["员工"]
				/dep_list.action=perms["员工"]
				
				/dep.html= perms["部门"]		
				/dep_*.action= perms["部门"]		
				
			</value>
		</property>
	</bean>
	
	<!-- 			shiro框架的中央枢纽 -->
	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<property name="realm" ref="erpRealm"></property>
	</bean>
	
	<bean id="erpRealm" class="cn.itcast.erp.realm.ErpRealm">
	 <property name="empBiz" ref="empBiz"></property>
	 <property name="menuBiz" ref="menuBiz"></property>
	</bean>
	
	<bean id="myPermsFilter" class="cn.itcast.erp.filter.MyPermsFilter">
	</bean>
	
</beans>

2、授权代码：

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
		Emp emp = (Emp) principals.getPrimaryPrincipal();
		List<Menu> list = menuBiz.getMenuListByEmpuuid(emp.getUuid());
		
		for (Menu menu : list) {
			info.addStringPermission("部门");
		}
		return info;
	}

3、自定义过滤器

package cn.itcast.myerp.filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
public class myPermsFilter extends AuthorizationFilter {
	
	
	@Override
	protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
			throws Exception {
		Subject subject = getSubject(request, response);
		String [] perms=(String[]) mappedValue;
		
		if (perms!=null&&perms.length>0) {
			
			for(int i=0;i<perms.length;i++){
				if (subject.isPermitted(perms[i])) {
					return true;
				}
			}
			return false;
		}else {
			return false;
		}
	}
	
}