该demo整合Shiro的相关配置参考

数据库表格相关设计

 

表格设计得比较简单，导航栏直接由角色表auth_role的角色描述vRoleDesc(父结点)和角色相关权限中的权限描述(标记为导航结点)vPermissionDesc(展开子项)组成。 

Shiro相关设置

密码输入错误次数限制

//密码重试5次次数限制 public class RetryLimitHashedCredentialsMatcher extends HashedCredentialsMatcher{ private Cache
    
      passwordRetryCache; public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager){ passwordRetryCache=cacheManager.getCache("passwordRetryCache"); } @Override public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { String username=(String)token.getPrincipal(); AtomicInteger retryCount=passwordRetryCache.get(username); if(retryCount==null){ retryCount=new AtomicInteger(0); passwordRetryCache.put(username, retryCount); } if(retryCount.incrementAndGet()>5){ throw new ExcessiveAttemptsException(); } boolean matches= super.doCredentialsMatch(token, info);//匹配密码 if(matches){ passwordRetryCache.remove(username); } return matches; } }
    

 

相关配置:

 

使用缓存实现为ehcache,相关配置如下:

    
     
      
     
       timeToIdleSeconds="3600"
       timeToLiveSeconds="0" overflowToDisk="false" statistics="true"> 
      
      
    

 

扩展AuthorizingRealm:用于从数据库抓取密码等相关验证信息和相关权限信息

public class UserRealm extends AuthorizingRealm{ @Autowired private UserService userService; //获取相关授权信息 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { String userName=(String)principals.getPrimaryPrincipal(); SimpleAuthorizationInfo authorizationInfo=new SimpleAuthorizationInfo(); authorizationInfo.setRoles(userService.findPermissionsByUserName(userName));//获取角色信息 authorizationInfo.setStringPermissions(userService.findPermissionsByUserName(userName));//获取权限信息 return authorizationInfo; } //获取身份验证信息 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { String userName=(String)token.getPrincipal(); User user=userService.getUserByUserName(userName);//获取身份信息(密码和密码盐) if(user==null){ throw new UnknownAccountException(); } SimpleAuthenticationInfo authenticationInfo=new SimpleAuthenticationInfo( user.getUserName(), user.getPassword(), ByteSource.Util.bytes(user.getUserName()+user.getPasswordSalt()), getName()); return authenticationInfo; } }

 

登录相关

扩展FormAuthenticationFilter:用于登录后获取用户导航栏，并将其存入session范围

public class WithNavibarFormAuthenticationFilter extends FormAuthenticationFilter { @Autowired private UserService userService; @Override protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request, ServletResponse response) throws Exception { HttpServletRequest httpReq=(HttpServletRequest)request; String userName=(String)SecurityUtils.getSubject().getPrincipal(); List navigationBar=userService.getNavigationBar(userName); httpReq.getSession().setAttribute("navibar", navigationBar); return super.onLoginSuccess(token, subject, request, response); } }

 

登录Controller实现(用户密码不匹配情况下执行)

@Controller@RequestMapping("/user")public class UserController {    @Autowired    private UserService userService;    //...    @RequestMapping("/login")    public ModelAndView login(HttpServletRequest req){        String error=null;        String exceptionClassName = (String)req.getAttribute("shiroLoginFailure");        if(UnknownAccountException.class.getName().equals(exceptionClassName)) { error = "用户名/密码错误"; } else if(IncorrectCredentialsException.class.getName().equals(exceptionClassName)) { error = "用户名/密码错误"; } else if(exceptionClassName != null) { error = "其他错误：" + exceptionClassName; } ModelAndView mav=new ModelAndView("login"); mav.addObject("error", error); return mav; } //... }

 

登录表单代码：注意提交action=”“，以及输入控件name值须与form表单过滤器中的设置对应

    
 
     
请登录
 
     用户名 
      
     密码 
      
     
 
        记住我  
     
 
     
${error}
 
     登录 
    

 

最后通过Spring注解，控制访问

@RequiresPermissions("user:list")    @RequestMapping("/list")    public ModelAndView showUserList(){ // }

 

完整shiro配置如下: