本文介绍了如何在WEB应用中使用Shiro进行身份认证。
在web.xml文件中配置一个ServletContextListener监听器和一个Filter过滤器。
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/login.do</url-pattern>
</filter-mapping>
JSP页面提交用户名和口令。
<FORM name="form1" action="login.do" method="POST">
<TABLE cellSpacing=0 cellPadding=0 align=center
border=0>
<TBODY>
<TR>
<TD width=250>
<TABLE cellSpacing=3 cellPadding=0 border=0>
<TBODY>
<TR>
<TD width=90><IMG height=29
src="images/title_yhm.gif" width=90></TD>
<TD><INPUT class=logininput name=loginName>
</TD>
</TR>
<TR>
<TD width=90><IMG height=27
src="images/title_mima.gif" width=90></TD>
<TD><INPUT class=logininput type=password
name=password></TD>
</TR>
<TR>
<TD width=90></TD>
<TD align="right"></TD>
</TR>
</TBODY>
</TABLE>
</TD>
<TD vAlign=top>
<TABLE cellSpacing=6 cellPadding=0 border=0>
<TBODY>
<TR>
<TD><IMG style="CURSOR: hand"
onclick=doSubmit() height=35
src="images/button_login.gif" width=77
border=0></TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
</TBODY>
</TABLE>
</FORM>
Shiro的配置文件为/WEB-INF/Shiro.ini。
[main]
ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
ds.serverName = 127.0.0.1
ds.user = root
ds.password = 123456
ds.databaseName = shiro
ds.url = jdbc:mysql://127.0.0.1:3306/shiro
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM user_credence_information WHERE username = ?
jdbcRealm.dataSource = $ds
shiro.loginUrl = /login.jsp
[users]
# format: username = password, role1, role2, ..., roleN
[roles]
# format: roleName = permission1, permission2, ..., permissionN
[urls]
# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but
# the 'authc' filter must still be specified for it so it can process that url's
# login submissions. It is 'smart' enough to allow those requests through as specified by the
# shiro.loginUrl above.
/success.jsp = authc
服务端认证程序。
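/**
 * Spring MVC controller that authenticates a login form submission through Shiro.
 *
 * <p>Reads the {@code loginName} and {@code password} request parameters, calls
 * {@link Subject#login(AuthenticationToken)} and, on success, stores the principal in the
 * HTTP session before forwarding to {@code success.jsp}. Any {@link AuthenticationException}
 * is logged and the request is forwarded to {@code error.jsp} with an {@link ErrMg} attribute.
 *
 * <p>Spring instantiates a controller once and shares it between concurrent requests, so no
 * per-request state is kept in instance fields.
 */
public class LoginController implements Controller {
    private static final Log log = LogFactory.getLog(LoginController.class);

    /**
     * Message shown to the client for both an unknown user name and a wrong password, so the
     * response does not reveal which user names exist. The exact reason is still logged.
     */
    private static final String BAD_CREDENTIALS_MESSAGE = "invalid username or password.";

    /**
     * Retained for subclasses that reference it; {@link #handleRequest} no longer writes it,
     * because the controller instance is shared between concurrent requests and a field
     * would let one login overwrite another's failure message.
     */
    protected ErrMg error;

    /**
     * Forwards to the error view with the failure message exposed as a request attribute.
     *
     * @param request  current request; receives the {@code Error_Message} attribute
     * @param response current response (unused, kept for the existing signature)
     * @param message  failure description for the view
     * @param errpath  view name to forward to
     * @return a {@link ModelAndView} for {@code errpath}
     */
    public ModelAndView doReturnError(HttpServletRequest request,
            HttpServletResponse response, ErrMg message, String errpath) {
        request.setAttribute("Error_Message", message);
        return new ModelAndView(errpath);
    }

    /**
     * Authenticates the submitted credentials.
     *
     * @param request  login form submission carrying {@code loginName} and {@code password}
     * @param response current response (unused)
     * @return {@code success.jsp} on success, otherwise {@code error.jsp} carrying the
     *         failure message
     * @throws Exception declared by the {@link Controller} contract; nothing in this method
     *         throws a checked exception of its own
     */
    public ModelAndView handleRequest(HttpServletRequest request,
            HttpServletResponse response) throws Exception {
        String loginName = request.getParameter("loginName");
        String loginPwd = request.getParameter("password");
        // Only the user name is logged: the submitted password must never reach the log.
        log.info("用户认证开始:" + loginName);

        // Request-local so concurrent logins cannot clobber each other's message.
        ErrMg failure = new ErrMg();
        AuthenticationToken token = new UsernamePasswordToken(loginName, loginPwd);
        Subject currentUser = SecurityUtils.getSubject();
        try {
            currentUser.login(token);
            // The cast assumes the configured realm yields a String principal
            // (JdbcRealm uses the user name) — confirm if another realm is wired in.
            String userid = (String) currentUser.getPrincipal();
            log.info("User [" + userid + "] logged in successfully.");
            log.info("用户认证完毕:" + loginName + " , " + userid);
            // NOTE(review): the pre-login session is reused after authentication; confirm the
            // deployed Shiro version renews the session id on login, otherwise invalidate the
            // old session before login() to rule out session fixation.
            HttpSession session = request.getSession(true);
            session.setAttribute("USERINFORMATION", userid);
            session.setAttribute("USERNAME", userid);
            return new ModelAndView("success.jsp");
        } catch (UnknownAccountException uae) {
            // Exact reason stays server-side; the client gets the generic message.
            log.info("用户认证失败:" + "username wasn't in the system.");
            failure.setErrorMessage(BAD_CREDENTIALS_MESSAGE);
        } catch (IncorrectCredentialsException ice) {
            log.info("用户认证失败:" + "password didn't match.");
            failure.setErrorMessage(BAD_CREDENTIALS_MESSAGE);
        } catch (LockedAccountException lae) {
            // Lock-out is reported as such so the user knows that retrying will not help.
            log.info("用户认证失败:" + "account for that username is locked - can't login.");
            failure.setErrorMessage("account for that username is locked - can't login.");
        } catch (AuthenticationException ae) {
            // Keep the cause in the log; the message alone hides the realm error.
            log.info("用户认证失败:" + "unexpected condition.", ae);
            failure.setErrorMessage("unexpected condition.");
        }
        return this.doReturnError(request, response, failure, "error.jsp");
    }
}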