《一头扎进Shiro》第05讲
内容:
shiro集成web
(1)简单跳转的讨论
(2)用户身份角色验证
(3)用户身份权限验证
步骤1 基础配置
pom.xml配置
<dependency><groupId>javax.servlet</groupId><artifactId>servlet-api</artifactId><version>2.5</version><scope>provided</scope></dependency><dependency><groupId>javax.servlet.jsp</groupId><artifactId>jsp-api</artifactId><version>2.2</version><scope>provided</scope></dependency><dependency><groupId>javax.servlet</groupId><artifactId>jstl</artifactId><version>1.2</version></dependency><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency><dependency><groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.2</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.4.0</version></dependency><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.25</version></dependency><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-web</artifactId><version>1.4.0</version></dependency>
web.xml配置
<listener><listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class></listener><filter><filter-name>ShiroFilter</filter-name><filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class></filter><filter-mapping><filter-name>ShiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><servlet><servlet-name>loginServlet</servlet-name><servlet-class>com.java1234.login.LoginServlet</servlet-class></servlet><servlet-mapping><servlet-name>loginServlet</servlet-name><url-pattern>/login</url-pattern></servlet-mapping>
shiro.ini配置文件
[main]authc.loginUrl=/loginroles.unauthorizedUrl=/unauthorized.jspperms.unauthorizedUrl=/unauthorized.jsp[users]java1234=123456,adminjack=123,teachermarry=234json=345[roles]admin=user:*teacher=student:*[urls]/login=anon/admin=authc/student=roles[teacher]/teacher=perms["user:create"]
LoginServlet .java
package com.java1234.login;import java.io.IOException;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.IncorrectCredentialsException;import org.apache.shiro.authc.UnknownAccountException;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;public class LoginServlet extends HttpServlet{//doGet 请求时展示登录页面@Overrideprotected void doGet(HttpServletRequest req, HttpServletResponse resp)throws ServletException, IOException {System.out.println("login doGet()方法执行了");req.getRequestDispatcher("login.jsp").forward(req, resp);}//doPost 时进行登录,登录时收集 username/password 参数,然后提交给 Subject 进行登录。//如果有错误再返回到登录页面;否则跳转到登录成功页面@Overrideprotected void doPost(HttpServletRequest req, HttpServletResponse resp)throws ServletException, IOException {System.out.println("login dopost");String userName=req.getParameter("username");String password=req.getParameter("password");Subject subject=SecurityUtils.getSubject();UsernamePasswordToken token=new UsernamePasswordToken(userName, password);try{subject.login(token);resp.sendRedirect("success.jsp");}catch(Exception e){e.printStackTrace();req.setAttribute("errorInfo", "用户名或者密码错误");req.getRequestDispatcher("login.jsp").forward(req, resp);}}}
AdminServlet.java
package com.java1234.login;import java.io.IOException;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;public class AdminServlet extends HttpServlet{//doGet 请求时展示登录页面@Overrideprotected void doGet(HttpServletRequest req, HttpServletResponse resp)throws ServletException, IOException {System.out.println("admin do get");}@Overrideprotected void doPost(HttpServletRequest req, HttpServletResponse resp)throws ServletException, IOException {System.out.println("admin do post");}}
login.jsp
<body><form action="login" method="post">姓名:<input type="text" name="username"><br>密码:<input type="password" name="password"><br><input type="submit" value="登录"></form></body>
success.jsp
<body>欢迎你</body>
unauthorized.jsp
<body>身份验证未通过或者权限不足。</body>
测试项目
(1)测试链接跳转
打开浏览器在地址栏里面输入:
http://127.0.0.1:8080/shiro06/admin,会自动跳转到登录界面
authc.loginUrl=/login 默认是/login.jsp;
anon拦截器表示匿名访问(即不需要登录即可访问);
authc 拦截器表示需要身份认证通过后才能访问;
也就是说如果设置成authc 那么就要登录才能访问,否则直接跳转到默认页面(登录页面)。
(2) 测试 角色和权限
首先用java1234=123456,admin登录
然后打开浏览器在地址栏里面输入:
http://127.0.0.1:8080/shiro06/student,会跳转到unauthorized.jsp界面 显示角色或者权限不足,
原因在于java1234用户的没有/student=roles[teacher] url所指定的角色,所以登陆之后想要跳转到/student链接,权限不足。
然而Jack用户就可以跳转到该链接。
同理 拥有user的create权限的用户登陆以后就可以跳转到/teacher链接 比如admin。
素颜马尾好姑娘i
柔情只为你懂
系统管理员
小鱼儿
还没有评论,来说两句吧...