shiro在springmvc里面的集成使用



shiro在springmvc里面的集成使用。

原文地址:http://peihexian.iteye.com/blog/2155516

需要在项目里面引入的maven依赖:

 

Xml代码  收藏代码
  1. <dependency>
  2.          <groupId>commons-collections</groupId>
  3.          <artifactId>commons-collections</artifactId>
  4.          <version>3.2.1</version>
  5.      </dependency>
  7.      <dependency>
  8.          <groupId>net.sf.ehcache</groupId>
  9.          <artifactId>ehcache-core</artifactId>
  10.          <version>2.6.9</version>
  11.      </dependency>
  13.      <dependency>
  14.          <groupId>org.apache.shiro</groupId>
  15.          <artifactId>shiro-spring</artifactId>
  16.          <version>1.2.3</version>
  17.      </dependency>
  19.      <dependency>
  20.          <groupId>org.apache.shiro</groupId>
  21.          <artifactId>shiro-ehcache</artifactId>
  22.          <version>1.2.3</version>
  23.      </dependency>
  25.      <dependency>
  26.          <groupId>org.apache.shiro</groupId>
  27.          <artifactId>shiro-quartz</artifactId>
  28.          <version>1.2.3</version>
  29.      </dependency>

 

如果项目是hibernate的,以前的时候ehcache可能不是单例的,因为shiro里面也使用到了ehcache做缓存,和hibernate的ehcache缓存配置有冲突,所以需要对hibernate的ehcache部分做些调整,调整如下:

 

Xml代码  收藏代码
  1. <bean id=”sessionFactory”
  2.          class=”org.springframework.orm.hibernate4.LocalSessionFactoryBean”>
  3.        <property name=”dataSource” ref=”dataSource”></property>
  4.        <property name=”hibernateProperties”>
  5.            <props>
  6.                <prop key=”hibernate.dialect”>org.hibernate.dialect.MySQLDialect</prop>
  7.                <prop key=”hibernate.show_sql”>true</prop>
  8.                <prop key=”hibernate.hbm2ddl.auto”>update</prop>
  9.                <!–
  10.                <prop key=”hibernate.cache.region.factory_class”>org.hibernate.cache.EhCacheRegionFactory</prop>
  11.                –>
  12.                <prop key=”hibernate.cache.region.factory_class”>
  13.                    org.hibernate.cache.SingletonEhCacheRegionFactory
  14.                </prop>
  15.                <prop key=”hibernate.cache.provider_class”>net.sf.ehcache.hibernate.SingletonEhCacheProvider</prop>
  16.                <prop key=”hibernate.cache.use_second_level_cache”>true</prop>
  17.                <prop key=”hibernate.cache.use_query_cache”>true</prop>
  18.                <prop key=”hibernate.cache.use_structured_entries”>true</prop>
  19.                <prop key=”hibernate.cache.provider_configuration_file_resource_path”>WEB-INF/classes/ehcache.xml</prop>
  20.                <prop key=”hibernate.current_session_context_class”>org.springframework.orm.hibernate4.SpringSessionContext</prop>
  21.            </props>
  22.        </property>
  23.        <property name=”packagesToScan”>
  24.            <list>
  25.                <value>com.xxx.entity</value>
  26.            </list>
  27.        </property>
  28.    </bean>

 

上面红色的文字部分是需要调整的内容。

 

 

既然用到了ehcache,ehcahce.xml文件里面的配置内容如下:

 

Xml代码  收藏代码
  1. <?xml version=”1.0″ encoding=”UTF-8″?>
  2. <ehcache>
  3.     <diskStore path=”java.io.tmpdir” />
  5.     <defaultCache maxElementsInMemory=”10000″ eternal=”false”
  6.                   timeToIdleSeconds=”120″ timeToLiveSeconds=”120″ overflowToDisk=”true” />
  7.     <cache name=”org.hibernate.cache.UpdateTimestampsCache”
  8.            maxElementsInMemory=”5000″ eternal=”true” overflowToDisk=”true” />
  9.     <cache name=”org.hibernate.cache.StandardQueryCache”
  10.            maxElementsInMemory=”10000″ eternal=”false” timeToLiveSeconds=”120″
  11.            overflowToDisk=”true” />
  12.     <!– 登录记录缓存 锁定10分钟 –>
  13.     <cache name=”passwordRetryCache”
  14.            maxEntriesLocalHeap=”2000″
  15.            eternal=”false”
  16.            timeToIdleSeconds=”3600″
  17.            timeToLiveSeconds=”0″
  18.            overflowToDisk=”false”
  19.            statistics=”true”>
  20.     </cache>
  22.     <cache name=”authorizationCache”
  23.            maxEntriesLocalHeap=”2000″
  24.            eternal=”false”
  25.            timeToIdleSeconds=”3600″
  26.            timeToLiveSeconds=”0″
  27.            overflowToDisk=”false”
  28.            statistics=”true”>
  29.     </cache>
  31.     <cache name=”authenticationCache”
  32.            maxEntriesLocalHeap=”2000″
  33.            eternal=”false”
  34.            timeToIdleSeconds=”3600″
  35.            timeToLiveSeconds=”0″
  36.            overflowToDisk=”false”
  37.            statistics=”true”>
  38.     </cache>
  40.     <cache name=”shiro-activeSessionCache”
  41.            maxEntriesLocalHeap=”2000″
  42.            eternal=”false”
  43.            timeToIdleSeconds=”3600″
  44.            timeToLiveSeconds=”0″
  45.            overflowToDisk=”false”
  46.            statistics=”true”>
  47.     </cache>
  48. </ehcache>

 

 

然后是web.xml文件里面加过滤器,注意要写在springmvc的filter前面

 

Xml代码  收藏代码
  1. <!– shiro 安全过滤器 –>
  2. <!– The filter-name matches name of a ’shiroFilter’ bean inside applicationContext.xml –>
  3. <filter>
  4.     <filter-name>shiroFilter</filter-name>
  5.     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  6.     <async-supported>true</async-supported>
  7.     <init-param>
  8.         <param-name>targetFilterLifecycle</param-name>
  9.         <param-value>true</param-value>
  10.     </init-param>
  11. </filter>
  13. <!– Make sure any request you want accessible to Shiro is filtered. /* catches all –>
  14. <!– requests.  Usually this filter mapping is defined first (before all others) to –>
  15. <!– ensure that Shiro works in subsequent filters in the filter chain:             –>
  16. <filter-mapping>
  17.     <filter-name>shiroFilter</filter-name>
  18.     <url-pattern>/*</url-pattern>
  19. </filter-mapping>

 

 

然后就是shiro相关的spring配置参数文件了

Xml代码  收藏代码
  1. <?xml version=”1.0″ encoding=”UTF-8″?>
  2. <beans xmlns=”http://www.springframework.org/schema/beans”
  3.        xmlns:util=”http://www.springframework.org/schema/util”
  4.        xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
  5.        xsi:schemaLocation=”
  6.        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  7.        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd”>
  9.     <!– 缓存管理器 使用Ehcache实现–>
  10.     <bean id=”cacheManager” class=”org.apache.shiro.cache.ehcache.EhCacheManager”>
  11.         <property name=”cacheManagerConfigFile” value=”classpath:ehcache.xml”/>
  12.     </bean>
  14.     <bean id=”passwordHelper” class=”com.shinowit.framework.security.PasswordHelper”>
  15.     </bean>
  17.     <!– 凭证匹配器 –>
  18.     <bean id=”credentialsMatcher”
  19.           class=”com.shinowit.framework.security.credentials.RetryLimitSimpleCredentialsMatcher”>
  20.         <constructor-arg ref=”cacheManager”/>
  21.         <property name=”passwordHelper” ref=”passwordHelper”/>
  22.     </bean>
  25.     <bean id=”shiro_user_dao” class=”com.shinowit.framework.security.dao.UserDAO”>
  26.         <property name=”jt” ref=”jdbcTemplate”/>
  27.     </bean>
  29.     <!– Realm实现 –>
  30.     <bean id=”userRealm” class=”com.shinowit.framework.security.realm.UserRealm”>
  31.         <property name=”userDAO” ref=”shiro_user_dao”/>
  32.         <property name=”credentialsMatcher” ref=”credentialsMatcher”/>
  33.         <!–密码校验接口–>
  34.         <property name=”cachingEnabled” value=”true”/>
  35.         <property name=”authenticationCachingEnabled” value=”true”/>
  36.         <property name=”authenticationCacheName” value=”authenticationCache”/>
  37.         <property name=”authorizationCachingEnabled” value=”true”/>
  38.         <property name=”authorizationCacheName” value=”authorizationCache”/>
  39.     </bean>
  41.     <!– 会话ID生成器 –>
  42.     <bean id=”sessionIdGenerator” class=”org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator”/>
  44.     <!– 会话Cookie模板 –>
  45.     <bean id=”sessionIdCookie” class=”org.apache.shiro.web.servlet.SimpleCookie”>
  46.         <constructor-arg value=”sid”/>
  47.         <property name=”httpOnly” value=”true”/>
  48.         <property name=”maxAge” value=”180000″/>
  49.     </bean>
  51.     <bean id=”rememberMeCookie” class=”org.apache.shiro.web.servlet.SimpleCookie”>
  52.         <constructor-arg value=”rememberMe”/>
  53.         <property name=”httpOnly” value=”true”/>
  54.         <property name=”maxAge” value=”2592000″/>
  55.         <!– 30天 –>
  56.     </bean>
  58.     <!– rememberMe管理器 –>
  59.     <bean id=”rememberMeManager” class=”org.apache.shiro.web.mgt.CookieRememberMeManager”>
  60.         <property name=”cipherKey”
  61.                   value=”#{T(org.apache.shiro.codec.Base64).decode(’4AvVhmFLUs0KTA3Kprsdag==’)}”/>
  62.         <property name=”cookie” ref=”rememberMeCookie”/>
  63.     </bean>
  65.     <!– 会话DAO –>
  66.     <bean id=”sessionDAO” class=”org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO”>
  67.         <property name=”activeSessionsCacheName” value=”shiro-activeSessionCache”/>
  68.         <property name=”sessionIdGenerator” ref=”sessionIdGenerator”/>
  69.     </bean>
  71.     <!– 会话验证调度器 –>
  72.     <bean id=”sessionValidationScheduler” class=”org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler”>
  73.         <property name=”sessionValidationInterval” value=”1800000″/>
  74.         <property name=”sessionManager” ref=”sessionManager”/>
  75.     </bean>
  77.     <!– 会话管理器 –>
  78.     <bean id=”sessionManager” class=”org.apache.shiro.web.session.mgt.DefaultWebSessionManager”>
  79.         <property name=”globalSessionTimeout” value=”1800000″/>
  80.         <property name=”deleteInvalidSessions” value=”true”/>
  81.         <property name=”sessionValidationSchedulerEnabled” value=”true”/>
  82.         <property name=”sessionValidationScheduler” ref=”sessionValidationScheduler”/>
  83.         <property name=”sessionDAO” ref=”sessionDAO”/>
  84.         <property name=”sessionIdCookieEnabled” value=”true”/>
  85.         <property name=”sessionIdCookie” ref=”sessionIdCookie”/>
  86.     </bean>
  88.     <!– 安全管理器 –>
  89.     <bean id=”securityManager” class=”org.apache.shiro.web.mgt.DefaultWebSecurityManager”>
  90.         <property name=”realm” ref=”userRealm”/>
  91.         <property name=”sessionManager” ref=”sessionManager”/>
  92.         <property name=”cacheManager” ref=”cacheManager”/>
  93.         <property name=”rememberMeManager” ref=”rememberMeManager”/>
  94.     </bean>
  96.     <!– 相当于调用SecurityUtils.setSecurityManager(securityManager) –>
  97.     <bean class=”org.springframework.beans.factory.config.MethodInvokingFactoryBean”>
  98.         <property name=”staticMethod” value=”org.apache.shiro.SecurityUtils.setSecurityManager”/>
  99.         <property name=”arguments” ref=”securityManager”/>
  100.     </bean>
  102.     <!–下面的loginUrl有两个必要条件,一个登陆校验失败以后会强制客户端redirect到这个url,
  103.     另外一个是登陆的表单(含有用户名及密码)必须action到这个url–>
  104.     <!– 自定义的能够接收校验码的身份验证过滤器
  105.      跳转问题太他妈诡异了,不用了,自己写代码控制如何跳转了
  106.     <bean id=”formAuthenticationFilter” class=”com.shinowit.framework.security.filter.ValidFormAuthenticationFilter”>
  107.         <property name=”usernameParam” value=”loginName”/>
  108.         <property name=”passwordParam” value=”loginPass”/>
  109.         <property name=”loginUrl” value=”/login/”/>
  110.     </bean>
  111. –>
  113.     <!– Shiro的Web过滤器 –>
  114.     <bean id=”shiroFilter” class=”org.apache.shiro.spring.web.ShiroFilterFactoryBean”>
  115.         <property name=”securityManager” ref=”securityManager”/>
  116.         <property name=”loginUrl” value=”/login/”/>
  117.         <property name=”unauthorizedUrl” value=”/unauthorized.jsp”/>
  118.         <property name=”filters”>
  119.             <map>
  120.                 <entry key=”authc”>
  121.                     <bean class=”org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter”/>
  122.                 </entry>
  123.             </map>
  124.             <!–
  125.             <util:map>
  126.                 <entry key=”authc” value-ref=”formAuthenticationFilter”/>
  127.             </util:map>
  128.             –>
  129.         </property>
  130.         <property name=”filterChainDefinitions”>
  131.             <value>
  132.                 /index.jsp = anon
  133.                 /validcode.jsp = anon
  134.                 /login/ = anon
  135.                 /static/** = anon
  136.                 /js/** = anon
  137.                 /img/** = anon
  138.                 /unauthorized.jsp = anon
  139.                 #/login/checklogin = authc
  140.                 /login/checklogin = anon
  141.                 /login/logoutlogout = logout
  142.                 /** = user
  143.             </value>
  144.         </property>
  145.     </bean>
  147.     <!– Shiro生命周期处理器–>
  148.     <bean id=”lifecycleBeanPostProcessor” class=”org.apache.shiro.spring.LifecycleBeanPostProcessor”/>
  151. </beans>

 

 

下面就是各种自己封装的java代码了

 

自定义的可以保存校验码的token类

Java代码  收藏代码
  1. package com.xxx.framework.security.token;
  3. import org.apache.shiro.authc.UsernamePasswordToken;
  5. /**
  6.  * Created on 2014/11/11.
  7.  */
  8. public class CustomUsernamePasswordToken extends UsernamePasswordToken {
  10.     //用于存储用户输入的校验码
  11.     private String validCode;
  14.     public CustomUsernamePasswordToken(String username, char[] password,boolean rememberMe, String host, String validCode) {
  15.         //调用父类的构造函数
  16.         super(username,password,rememberMe,host);
  17.         this.validCode=validCode;
  18.     }
  20.     public String getValidCode() {
  21.         return validCode;
  22.     }
  24.     public void setValidCode(String validCode) {
  25.         this.validCode = validCode;
  26.     }
  27. }

 


 

提供正确的登录用户信息的基于jdbc的realm

Java代码  收藏代码
  1. package com.xxx.framework.security.realm;
  3. import com.xxx.entity.SysUserEntity;
  4. import com.xxx.framework.security.dao.UserDAO;
  5. import com.xxx.framework.security.exception.ValidCodeException;
  6. import com.xxx.framework.security.token.CustomUsernamePasswordToken;
  7. import org.apache.log4j.Logger;
  8. import org.apache.shiro.SecurityUtils;
  9. import org.apache.shiro.authc.*;
  10. import org.apache.shiro.authz.AuthorizationInfo;
  11. import org.apache.shiro.authz.SimpleAuthorizationInfo;
  12. import org.apache.shiro.realm.AuthorizingRealm;
  13. import org.apache.shiro.subject.PrincipalCollection;
  16. public class UserRealm extends AuthorizingRealm {
  17.     private static Logger logger = Logger.getLogger(UserRealm.class);
  19.     private UserDAO userDAO;
  21.     public void setUserDAO(UserDAO userDAO) {
  22.         this.userDAO = userDAO;
  23.     }
  25.     @Override
  26.     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
  27.         String username = (String) principals.getPrimaryPrincipal();
  29.         SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
  30.         authorizationInfo.setRoles(userDAO.getUserRoles(username));
  31.         authorizationInfo.setStringPermissions(userDAO.findPermissions(username));
  33.         return authorizationInfo;
  34.     }
  36.     @Override
  37.     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
  39.         CustomUsernamePasswordToken login_token = (CustomUsernamePasswordToken) token;
  41.         //校验码判断逻辑
  42.         //取得用户输入的校验码
  43.         String userInputValidCode = login_token.getValidCode();
  45.         //取得真实的正确校验码
  46.         String realRightValidCode = (String) SecurityUtils.getSubject().getSession().getAttribute(“rand”);
  48.         if (null == userInputValidCode || !userInputValidCode.equalsIgnoreCase(realRightValidCode)) {
  49.             logger.debug(“验证码输入错误”);
  50.             throw new ValidCodeException(“验证码输入不正确”);
  51.         }
  53.         //以上校验码验证通过以后,查数据库
  54.         String username = (String) token.getPrincipal();
  55.         SysUserEntity user = userDAO.findByUsername(username);
  57.         if (user == null) {
  58.             throw new UnknownAccountException();//没找到帐号
  59.         }
  61.         if (Boolean.FALSE.equals(user.getValid())) {
  62.             throw new LockedAccountException(); //帐号锁定
  63.         }
  65.         //交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以自定义实现
  66.         SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
  67.                 user.getLoginName(), //用户名
  68.                 user.getLoginPass(), //密码
  69.                 getName()  //realm name
  70.         );
  71.         return authenticationInfo;
  72.     }
  74.     @Override
  75.     public void clearCachedAuthorizationInfo(PrincipalCollection principals) {
  76.         super.clearCachedAuthorizationInfo(principals);
  77.     }
  79.     @Override
  80.     public void clearCachedAuthenticationInfo(PrincipalCollection principals) {
  81.         super.clearCachedAuthenticationInfo(principals);
  82.     }
  84.     @Override
  85.     public void clearCache(PrincipalCollection principals) {
  86.         super.clearCache(principals);
  87.     }
  89.     public void clearAllCachedAuthorizationInfo() {
  90.         getAuthorizationCache().clear();
  91.     }
  93.     public void clearAllCachedAuthenticationInfo() {
  94.         getAuthenticationCache().clear();
  95.     }
  97.     public void clearAllCache() {
  98.         clearAllCachedAuthenticationInfo();
  99.         clearAllCachedAuthorizationInfo();
  100.     }
  102. }

 

一个简单的自定义的处理校验码异常的类

 

Java代码  收藏代码
  1. package com.xxx.framework.security.exception;
  3. import org.apache.shiro.authc.AuthenticationException;
  5. /**
  6.  * Created on 2014/11/11.
  7.  */
  8. public class ValidCodeException extends AuthenticationException {
  10.     public ValidCodeException(String msg){
  11.         super(msg);
  12.     }
  13. }

 

查询用户信息及权限信息的dao

 

Java代码  收藏代码
  1. package com.xxx.framework.security.dao;
  3. import com.xxx.entity.SysUserEntity;
  4. import org.springframework.jdbc.core.BeanPropertyRowMapper;
  5. import org.springframework.jdbc.core.JdbcTemplate;
  7. import java.util.HashSet;
  8. import java.util.List;
  9. import java.util.Set;
  11. /**
  12.  * Created on 2014/11/10.
  13.  */
  14. public class UserDAO {
  16.     private JdbcTemplate jt;
  18.     public void setJt(JdbcTemplate jt) {
  19.         this.jt = jt;
  20.     }
  22.     public Set<String> getUserRoles(String loginName) {
  23.         String sql = ”select role from sys_user u, sys_role r,sys_user_to_role ur where u.login_name=? and u.user_code=ur.user_code and r.role_code=ur.role_code”;
  24.         return new HashSet(jt.queryForList(sql, String.class, loginName));
  25.     }
  27.     public Set<String> findPermissions(String loginName) {
  28.         String sql = ”select permission from sys_user u, sys_role r, sys_menu p, sys_user_to_role ur, sys_role_to_menu rp where u.login_name=? and u.user_code=ur.user_code and r.role_code=ur.role_code and r.role_code=rp.role_code and p.menu_id=rp.menu_id”;
  29.         return new HashSet(jt.queryForList(sql, String.class, loginName));
  30.     }
  32.     public SysUserEntity findByUsername(String loginName) {
  33.         String sql = ”select id, user_code,login_name, login_pass, valid from sys_user where login_name=?”;
  34.         List<SysUserEntity> userList = jt.query(sql, new BeanPropertyRowMapper(SysUserEntity.class), loginName);
  35.         if (userList.size() == 0) {
  36.             return null;
  37.         }
  38.         return userList.get(0);
  39.     }
  40. }

 

这个翻译过来叫啥合适呢?反正就是根据自定义的加密规则去进行密码匹配验证的类,爱JB叫啥叫啥吧

Java代码  收藏代码
  1. package com.xxx.framework.security.credentials;
  3. import com.xxx.framework.security.PasswordHelper;
  4. import com.xxx.framework.security.token.CustomUsernamePasswordToken;
  5. import org.apache.shiro.authc.AuthenticationInfo;
  6. import org.apache.shiro.authc.AuthenticationToken;
  7. import org.apache.shiro.authc.ExcessiveAttemptsException;
  8. import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
  9. import org.apache.shiro.cache.Cache;
  10. import org.apache.shiro.cache.CacheManager;
  12. import java.util.concurrent.atomic.AtomicInteger;
  14. public class RetryLimitSimpleCredentialsMatcher extends SimpleCredentialsMatcher {
  16.     private Cache<String, AtomicInteger> passwordRetryCache;
  18.     private PasswordHelper passwordHelper;
  20.     public RetryLimitSimpleCredentialsMatcher(CacheManager cacheManager) {
  21.         passwordRetryCache = cacheManager.getCache(“passwordRetryCache”);
  22.     }
  24.     public void setPasswordHelper(PasswordHelper passwordHelper) {
  25.         this.passwordHelper = passwordHelper;
  26.     }
  28.     @Override
  29.     public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
  30.         CustomUsernamePasswordToken login_token = (CustomUsernamePasswordToken) token;
  32.         String username = (String) token.getPrincipal();
  33.         //retry count + 1
  34.         AtomicInteger retryCount = passwordRetryCache.get(username);
  35.         if (retryCount == null) {
  36.             retryCount = new AtomicInteger(0);
  37.             passwordRetryCache.put(username, retryCount);
  38.         }
  39.         if (retryCount.incrementAndGet() > 5) {
  40.             //if retry count > 5 throw
  41.             throw new ExcessiveAttemptsException();
  42.         }
  45.         String user_input_login_pass = passwordHelper.encryptPassword(login_token.getUsername(), String.valueOf(login_token.getPassword()));
  46.         Object db_login_password = getCredentials(info);
  47.         //将密码加密与系统加密后的密码校验,内容一致就返回true,不一致就返回false
  48.         boolean matches = super.equals(user_input_login_pass, db_login_password);
  50.         if (matches) {
  51.             //clear retry count
  52.             passwordRetryCache.remove(username);
  53.         }
  54.         return matches;
  55.     }
  56. }

 

 

用户信息实体类

 

Java代码  收藏代码
  1. package com.xxx.entity;
  3. import javax.persistence.*;
  4. import java.util.List;
  6. /**
  7.  * Created on 2014/11/7.
  8.  * 系统用户信息
  9.  */
  10. @Entity
  11. @Table(name = ”sys_user”)
  12. public class SysUserEntity {
  14.     @GeneratedValue(strategy =GenerationType.IDENTITY)
  15.     @Column(name = ”id”,insertable = false,updatable = false)
  16.     private Integer id;
  18.     @Id
  19.     @Column(name = ”user_code”,length = 6)
  20.     private String userCode;
  22.     @Column(name = ”login_name”,length = 40,nullable = false,unique = true)
  23.     private String loginName;
  25.     @Column(name = ”login_pass”,length = 50)
  26.     private String loginPass;
  28.     @Column(name = ”address”,length = 200)
  29.     private String address;
  31.     @Column(name = ”telphone”,length = 30)
  32.     private String telPhone;
  34.     @Column(name = ”qq”,length = 15)
  35.     private String qq;
  37.     @Column(name = ”email”,length = 40)
  38.     private String email;
  40.     @Column(name = ”mobile”,length = 30)
  41.     private String mobile;
  43.     @Column(name = ”sort_id”)
  44.     private Short sortId;
  46.     @Column(name = ”valid”)
  47.     private Boolean valid;
  49.     @ManyToMany(fetch = FetchType.LAZY)
  50.     @JoinTable(name=”sys_user_to_role”,joinColumns = { @JoinColumn(name = ”user_code”) }, inverseJoinColumns = { @JoinColumn(name = ”role_code”)})
  51.     private List<SysRoleEntity> roleList;
  53.     public Integer getId() {
  54.         return id;
  55.     }
  57.     public void setId(Integer id) {
  58.         this.id = id;
  59.     }
  61.     public String getUserCode() {
  62.         return userCode;
  63.     }
  65.     public void setUserCode(String userCode) {
  66.         this.userCode = userCode;
  67.     }
  69.     public String getLoginName() {
  70.         return loginName;
  71.     }
  73.     public void setLoginName(String loginName) {
  74.         this.loginName = loginName;
  75.     }
  77.     public String getLoginPass() {
  78.         return loginPass;
  79.     }
  81.     public void setLoginPass(String loginPass) {
  82.         this.loginPass = loginPass;
  83.     }
  85.     public String getAddress() {
  86.         return address;
  87.     }
  89.     public void setAddress(String address) {
  90.         this.address = address;
  91.     }
  93.     public String getTelPhone() {
  94.         return telPhone;
  95.     }
  97.     public void setTelPhone(String telPhone) {
  98.         this.telPhone = telPhone;
  99.     }
  101.     public String getQq() {
  102.         return qq;
  103.     }
  105.     public void setQq(String qq) {
  106.         this.qq = qq;
  107.     }
  109.     public String getEmail() {
  110.         return email;
  111.     }
  113.     public void setEmail(String email) {
  114.         this.email = email;
  115.     }
  117.     public String getMobile() {
  118.         return mobile;
  119.     }
  121.     public void setMobile(String mobile) {
  122.         this.mobile = mobile;
  123.     }
  125.     public Short getSortId() {
  126.         return sortId;
  127.     }
  129.     public void setSortId(Short sortId) {
  130.         this.sortId = sortId;
  131.     }
  133.     public Boolean getValid() {
  134.         return valid;
  135.     }
  137.     public void setValid(Boolean valid) {
  138.         this.valid = valid;
  139.     }
  141.     public List<SysRoleEntity> getRoleList() {
  142.         return roleList;
  143.     }
  145.     public void setRoleList(List<SysRoleEntity> roleList) {
  146.         this.roleList = roleList;
  147.     }
  149. }

 

 

还有一个md5工具类

Java代码  收藏代码
  1. package com.xxx.framework.security;
  3. import java.security.MessageDigest;
  5. public class PasswordHelper {
  8.     /**
  9.      * 根据用户名与密码做md5单向hash加密
  10.      *
  11.      * @param username 用户名
  12.      * @param password 用户密码明文
  13.      * @return md5(username+password)
  14.      */
  16.     public String encryptPassword(String username, String password) {
  18.         String inStr = username + password;
  20.         MessageDigest md5 = null;
  21.         try {
  22.             md5 = MessageDigest.getInstance(“MD5″);
  23.         } catch (Exception e) {
  24.             System.out.println(e.toString());
  25.             e.printStackTrace();
  26.             return ”";
  27.         }
  28.         char[] charArray = inStr.toCharArray();
  29.         byte[] byteArray = new byte[charArray.length];
  31.         for (int i = 0; i < charArray.length; i++)
  32.             byteArray[i] = (byte) charArray[i];
  33.         byte[] md5Bytes = md5.digest(byteArray);
  34.         StringBuffer hexValue = new StringBuffer();
  35.         for (int i = 0; i < md5Bytes.length; i++) {
  36.             int val = ((int) md5Bytes[i]) & 0xff;
  37.             if (val < 16)
  38.                 hexValue.append(“0″);
  39.             hexValue.append(Integer.toHexString(val));
  40.         }
  41.         return hexValue.toString();
  43.     }
  44. }

 

 

好了,我们的springmvc controller类是这么写的

 

Java代码  收藏代码
  1. package com.xxx.web.login;
  3. import com.xxx.entity.SysUserEntity;
  4. import com.xxx.framework.dao.BaseDAO;
  5. import com.xxx.framework.security.PasswordHelper;
  6. import com.xxx.framework.security.exception.ValidCodeException;
  7. import com.xxx.framework.security.token.CustomUsernamePasswordToken;
  8. import org.apache.log4j.Logger;
  9. import org.apache.shiro.SecurityUtils;
  10. import org.apache.shiro.authc.ExcessiveAttemptsException;
  11. import org.apache.shiro.authc.IncorrectCredentialsException;
  12. import org.apache.shiro.authc.UnknownAccountException;
  13. import org.apache.shiro.authz.annotation.RequiresUser;
  14. import org.apache.shiro.subject.Subject;
  15. import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
  16. import org.apache.shiro.web.util.WebUtils;
  17. import org.springframework.stereotype.Controller;
  18. import org.springframework.web.bind.annotation.RequestMapping;
  19. import org.springframework.web.bind.annotation.RequestMethod;
  20. import org.springframework.web.bind.annotation.RequestParam;
  21. import org.springframework.web.bind.annotation.ResponseBody;
  23. import javax.annotation.Resource;
  24. import javax.servlet.http.HttpServletRequest;
  25. import javax.servlet.http.HttpSession;
  26. import java.util.HashMap;
  27. import java.util.Map;
  29. @Controller
  30. @RequestMapping(value = ”/login”)
  31. public class LoginController {
  33.     private static final Logger logger = Logger.getLogger(LoginController.class);
  35.     @Resource
  36.     private BaseDAO<SysUserEntity> sys_user_dao;
  38.     @RequestMapping(value = ”/”, method = RequestMethod.GET)
  39.     public String login() {
  40.         return ”/login/login”;
  41.     }
  43.     @RequestMapping(value = ”/checklogin”, method = RequestMethod.POST)
  44.     @ResponseBody
  45.     public Map<String, Object> checkLogin(SysUserEntity login_user,HttpServletRequest request,@RequestParam(“validCode”)String validCode) {
  46.         Map<String, Object> result = new HashMap<String, Object>();
  47.         result.put(“msg”, ”用户名或者密码错误!”);
  48.         result.put(“success”, ”true”);
  49.         result.put(“status”, false);
  51.         boolean rememberMe = WebUtils.isTrue(request, FormAuthenticationFilter.DEFAULT_REMEMBER_ME_PARAM);
  52.         String host = request.getRemoteHost();
  54.         //构造登陆令牌环
  55.         CustomUsernamePasswordToken token = new CustomUsernamePasswordToken(login_user.getLoginName(), login_user.getLoginPass().toCharArray(), rememberMe,host,validCode);
  57.         try{
  58.             //发出登陆请求
  59.             SecurityUtils.getSubject().login(token);
  60.             //登陆成功
  61.             HttpSession session = request.getSession(true);
  62.             try {
  63.                 SysUserEntity user = sys_user_dao.findOneEntityByHql(“from SysUserEntity where loginName=?”, login_user.getLoginName());
  64.                 if (null != user) {
  65.                     //根据输入的用户名和密码确实查到了用户信息
  66.                     session.removeAttribute(“rand”);
  67.                     session.setAttribute(“current_login_user”, user);
  68.                     result.put(“msg”, ”登录成功!”);
  69.                     result.put(“status”, true);
  70.                     result.put(“main_url”, ”http://” + request.getServerName() + ”:” + request.getServerPort() + request.getContextPath() + ”/main”);
  71.                 }
  72.             } catch (Exception e) {
  73.                 logger.error(e.getMessage(), e);
  74.             }
  75.             return  result;
  76.         }catch (UnknownAccountException e){
  77.             result.put(“msg”, ”账号不存在!”);
  78.         }catch (IncorrectCredentialsException e){
  79.             result.put(“msg”, ”用户名/密码错误!”);
  80.         }catch (ExcessiveAttemptsException e) {
  81.             result.put(“msg”, ”账户错误次数过多,暂时禁止登录!”);
  82.         }catch (ValidCodeException e){
  83.             result.put(“msg”, ”验证码输入错误!”);
  84.         }catch (Exception e){
  85.             result.put(“msg”, ”未知错误!”);
  86.         }
  87.         return result;
  88.     }
  90.     @RequestMapping(value=”/logout”)
  91.     public String logout(){
  92.         Subject currentUser = SecurityUtils.getSubject();
  93.         if (SecurityUtils.getSubject().getSession() != null)
  94.         {
  95.             currentUser.logout();
  96.         }
  97.         return ”redirect:/login/”;
  98.     }
  100.     @Resource
  101.     private PasswordHelper passwordHelper;
  103.     @RequestMapping(value = ”/fuck”)
  104.     @ResponseBody
  105.     public Map<String, Object> fuck() {
  106.         Map<String, Object> result = new HashMap<String, Object>();
  107.         result.put(“msg”, ”用户名或者密码错误!”);
  108.         result.put(“success”, ”true”);
  109.         result.put(“status”, false);
  111.         SysUserEntity user = sys_user_dao.findById(SysUserEntity.class, ”0001″);
  112.         user.setLoginPass(“a”);
  113.         String new_pass = passwordHelper.encryptPassword(user.getLoginName(), user.getLoginPass());
  114.         user.setLoginPass(new_pass);
  116.         sys_user_dao.update(user);
  118.         return result;
  119.     }
  121. }

 

哦,对了,里面那个fuck那个url是用来改密码的,因为数据库里面的密码是加密的,不这么整总也不可能知道对的md5值是多少。

 

但愿没有忘记什么内容,挺墨迹的,不过能跑起来以后后边关于权限和安全的处理就简单多了,写写注解或者标签就搞定了,很爽。