首先创建一个实体类:
Customer:
1 package com.petcare.pojo.base;
2
3 import java.sql.Date;
4 import java.sql.Timestamp;
5
6 /**
7 * Created by frank on 2017/5/7.
8 */
9
10 public class Customer {
11 private Long customerId;
12 private String account;
13 private String passwd;
14 private String customerName;
15 private String wechat;
16 private String mobile;
17
18 public Long getCustomerId() {
19 return customerId;
20 }
21 public void setCustomerId(Long customerId) {
22 this.customerId = customerId;
23 }
24 public String getAccount() {
25 return account;
26 }
27 public void setAccount(String account) {
28 this.account = account;
29 }
30 public String getPasswd() {
31 return passwd;
32 }
33 public void setPasswd(String passwd) {
34 this.passwd = passwd;
35 }
36 public String getCustomerName() {
37 return customerName;
38 }
39 public void setCustomerName(String customerName) {
40 this.customerName = customerName;
41 }
42 public String getWechat() {
43 return wechat;
44 }
45 public void setWechat(String wechat) {
46 this.wechat = wechat;
47 }
48 public String getMobile() {
49 return mobile;
50 }
51 public void setMobile(String mobile) {
52 this.mobile = mobile;
53 }
54
55 @Override
56 public boolean equals(Object o) {
57 if (this == o) return true;
58 if (o == null || getClass() != o.getClass()) return false;
59
60 Customer customer = (Customer) o;
61
62 if (customerId != customer.customerId) return false;
63 if (account != null ? !account.equals(customer.account) : customer.account != null) return false;
64 if (passwd != null ? !passwd.equals(customer.passwd) : customer.passwd != null) return false;
65 if (customerName != null ? !customerName.equals(customer.customerName) : customer.customerName != null)
66 return false;
67 if (wechat != null ? !wechat.equals(customer.wechat) : customer.wechat != null) return false;
68 if (mobile != null ? !mobile.equals(customer.mobile) : customer.mobile != null) return false;
69 if (homephone != null ? !homephone.equals(customer.homephone) : customer.homephone != null) return false;
70 if (customerSex != null ? !customerSex.equals(customer.customerSex) : customer.customerSex != null)
71 return false;
72 if (customerBirth != null ? !customerBirth.equals(customer.customerBirth) : customer.customerBirth != null)
73 return false;
74 if (address != null ? !address.equals(customer.address) : customer.address != null) return false;
75 if (createSeid != null ? !createSeid.equals(customer.createSeid) : customer.createSeid != null) return false;
76 if (createTime != null ? !createTime.equals(customer.createTime) : customer.createTime != null) return false;
77 if (updateTime != null ? !updateTime.equals(customer.updateTime) : customer.updateTime != null) return false;
78
79 return true;
80 }
81
82 @Override
83 public int hashCode() {
84 int result = (int) (customerId ^ (customerId >>> 32));
85 result = 31 * result + (account != null ? account.hashCode() : 0);
86 result = 31 * result + (passwd != null ? passwd.hashCode() : 0);
87 result = 31 * result + (customerName != null ? customerName.hashCode() : 0);
88 result = 31 * result + (wechat != null ? wechat.hashCode() : 0);
89 result = 31 * result + (mobile != null ? mobile.hashCode() : 0);
90 result = 31 * result + (homephone != null ? homephone.hashCode() : 0);
91 result = 31 * result + (customerSex != null ? customerSex.hashCode() : 0);
92 result = 31 * result + (customerBirth != null ? customerBirth.hashCode() : 0);
93 result = 31 * result + (address != null ? address.hashCode() : 0);
94 result = 31 * result + (createSeid != null ? createSeid.hashCode() : 0);
95 result = 31 * result + (createTime != null ? createTime.hashCode() : 0);
96 result = 31 * result + (updateTime != null ? updateTime.hashCode() : 0);
97 return result;
98 }
99 }
controller层;
1 @Controller
2 public class LoginController {
3
4 private Logger log = LoggerFactory.getLogger(getClass());
5
6 public static final AjaxResponse ACCOUNT_NOT_EXIST = new AjaxResponse(-100101, "账号不存在");
7 public static final AjaxResponse PASSWORD_NOT_PASSED = new AjaxResponse(-100102, "您输入密码错误");
8 public static final AjaxResponse SYSTEM_BUSY = new AjaxResponse(-100000, "系统繁忙");
9 public static final AjaxResponse ACCOUNT_LOCKED = new AjaxResponse(-100103, "您的帐号被锁定");
10
11
12 @Autowired
13 private CustomerService customerService;
14
15 @RequestMapping(value = "/login", method = RequestMethod.GET)
16 public String loginPage(){
17 return "/login";
18 }
19
20 @RequestMapping(value = "/login", method = RequestMethod.POST)
21 @ResponseBody
22 public AjaxResponse login(String u , String p, HttpSession session){
23
24 // 封装令牌
25 UsernamePasswordToken token = new UsernamePasswordToken(u,p);
26 Subject subject = null;
27 try {
28 subject = SecurityUtils.getSubject();
29 // 用令牌登陆,如果登陆失败,则抛出异常
30 subject.login(token);
31 token.clear();
32 } catch (AccountNotExistException ex) {
33 return ACCOUNT_NOT_EXIST;
34 } catch (PasswordWrongException ex) {
35 return PASSWORD_NOT_PASSED;
36 }
37 catch (AccountLockedException ex) {
38 return ACCOUNT_LOCKED;
39 }
40 catch (Exception ex) {
41 log.error("login error happend.", ex);
42 return SYSTEM_BUSY;
43 }
44
45 Customer c = customerService.getBaseCustomer(u);
46
47 // 保存会话
48 session.setAttribute(Const.SESSION_SUBJECT, subject); // shiro已登录用户
49 session.setAttribute(Const.SESSION_USER_KEY,c );// 登陆用户
50 return AjaxResponse.OK;
51
52 }
53 }
UsernamePasswordToken源码:
package org.apache.shiro.authc;
/**
* Constructs a new UsernamePasswordToken encapsulating the username and password submitted
* during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and a
* <tt>rememberMe</tt> default of <tt>false</tt>.
*
* @param username the username submitted for authentication
* @param password the password character array submitted for authentication
*/
public UsernamePasswordToken(final String username, final char[] password) {
this(username, password, false, null);
} /**
* Constructs a new UsernamePasswordToken encapsulating the username and password submitted
* during an authentication attempt, with a <tt>null</tt> {@link #getHost() host} and
* a <tt>rememberMe</tt> default of <tt>false</tt>
* <p/>
* <p>This is a convience constructor and maintains the password internally via a character
* array, i.e. <tt>password.toCharArray();</tt>. Note that storing a password as a String
* in your code could have possible security implications as noted in the class JavaDoc.</p>
*
* @param username the username submitted for authentication
* @param password the password string submitted for authentication
*/
public UsernamePasswordToken(final String username, final String password) {
this(username, password != null ? password.toCharArray() : null, false, null);
}
getSubject()源码:
1 package org.apache.shiro;
2
3 import org.apache.shiro.mgt.SecurityManager;
4 import org.apache.shiro.subject.Subject;
5 import org.apache.shiro.util.ThreadContext;
6
7
8 /**
9 * Accesses the currently accessible {@code Subject} for the calling code depending on runtime environment.
10 *
11 * @since 0.2
12 */
13 public abstract class SecurityUtils {
14
15 /**
16 * ONLY used as a 'backup' in VM Singleton environments (that is, standalone environments), since the
17 * ThreadContext should always be the primary source for Subject instances when possible.
18 */
19 private static SecurityManager securityManager;
20
21 /**
22 * Returns the currently accessible {@code Subject} available to the calling code depending on
23 * runtime environment.
24 * <p/>
25 * This method is provided as a way of obtaining a {@code Subject} without having to resort to
26 * implementation-specific methods. It also allows the Shiro team to change the underlying implementation of
27 * this method in the future depending on requirements/updates without affecting your code that uses it.
28 *
29 * @return the currently accessible {@code Subject} accessible to the calling code.
30 * @throws IllegalStateException if no {@link Subject Subject} instance or
31 * {@link SecurityManager SecurityManager} instance is available with which to obtain
32 * a {@code Subject}, which which is considered an invalid application configuration
33 * - a Subject should <em>always</em> be available to the caller.
34 */
35 public static Subject getSubject() {
36 Subject subject = ThreadContext.getSubject();
37 if (subject == null) {
38 subject = (new Subject.Builder()).buildSubject();
39 ThreadContext.bind(subject);
40 }
41 return subject;
42 }
43 }
login源码:
1 /**
2 * Performs a login attempt for this Subject/user. If unsuccessful,
3 * an {@link AuthenticationException} is thrown, the subclass of which identifies why the attempt failed.
4 * If successful, the account data associated with the submitted principals/credentials will be
5 * associated with this {@code Subject} and the method will return quietly.
6 * <p/>
7 * Upon returning quietly, this {@code Subject} instance can be considered
8 * authenticated and {@link #getPrincipal() getPrincipal()} will be non-null and
9 * {@link #isAuthenticated() isAuthenticated()} will be {@code true}.
10 *
11 * @param token the token encapsulating the subject's principals and credentials to be passed to the
12 * Authentication subsystem for verification.
13 * @throws org.apache.shiro.authc.AuthenticationException
14 * if the authentication attempt fails.
15 * @since 0.9
16 */
17 void login(AuthenticationToken token) throws AuthenticationException;
clear源码:
1 /*--------------------------------------------
2 | M E T H O D S |
3 ============================================*/
4
5 /**
6 * Clears out (nulls) the username, password, rememberMe, and inetAddress. The password bytes are explicitly set to
7 * <tt>0x00</tt> before nulling to eliminate the possibility of memory access at a later time.
8 */
9 public void clear() {
10 this.username = null;
11 this.host = null;
12 this.rememberMe = false;
13
14 if (this.password != null) {
15 for (int i = 0; i < password.length; i++) {
16 this.password[i] = 0x00;
17 }
18 this.password = null;
19 }
20
21 }
四个异常类,此时产生一个疑问,怎么验证数据那,此时需要一个配置我文件spring-shiro:
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jee="http://www.springframework.org/schema/jee"
4 xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
5 xmlns:context="http://www.springframework.org/schema/context"
6 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
7 default-lazy-init="true">
8
9 <!-- 安全管理器 -->
10 <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
11 <property name="realm" ref="shiroDBRealm" />
12 <!--<property name="cacheManager" ref="cacheManager" />-->
13 </bean>
14 <!--<bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />-->
15
16 <!-- shiro过滤器 -->
17 <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
18 <property name="securityManager" ref="securityManager" />
19 <property name="loginUrl" value="/login.action" />
20 <property name="successUrl" value="/welcome.action" />
21 <property name="unauthorizedUrl" value="/login.action" />
22 <property name="filterChainDefinitions">
23 <value>
24 </value>
25 </property>
26 </bean>
27 <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
28
29 <!-- 验证数据类 -->
30 <bean id="shiroDBRealm" class="com.petcare.admin.security.shiro.ShiroDBRealm" />
31
32 </beans>
类shiroDBRealm:
1 /**
2 * Specl.com Inc.
3 * Copyright (c) 2010-2011 All Rights Reserved.
4 */
5 package com.petcare.admin.security.shiro;
6
7 import com.petcare.admin.service.CustomerService;
8 import com.petcare.pojo.base.Customer;
9 import org.apache.commons.lang.StringUtils;
10 import org.apache.shiro.authc.*;
11 import org.apache.shiro.authz.AuthorizationInfo;
12 import org.apache.shiro.authz.SimpleAuthorizationInfo;
13 import org.apache.shiro.realm.AuthorizingRealm;
14 import org.apache.shiro.subject.PrincipalCollection;
15 import org.slf4j.Logger;
16 import org.slf4j.LoggerFactory;
17
18 import javax.annotation.Resource;
19
20
21
22 /**
23 * 权限数据访问类。
24 *
25 *
26 */
27 public class ShiroDBRealm extends AuthorizingRealm {
28
29 private Logger log = LoggerFactory.getLogger(this.getClass());
30
31 /**
32 * 账号访问层。
33 */
34 @Resource
35 private CustomerService customerService;
36
37 /**
38 * 认证方法。
39 */
40 protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
41
42 log.debug("do authentication ,token data [{}]", authcToken);
43
44 UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
45
46 if (token.getUsername() == null) {
47 return null;
48 }
49
50 // 根据账户名获得账户
51 Customer customer = customerService.getBaseCustomer(token.getUsername());
52
53 // 当账号密码不存在
54 if (customer == null) {
55 log.debug("customer not exist.");
56 throw new AccountNotExistException();
57 }
58
59 // 当密码错误
60 if (!StringUtils.equals(customer.getPasswd(), new String(token.getPassword()))) {
61 log.debug("password not equals.");
62 throw new PasswordWrongException();
63 }
64
65 // if(customer.getIsDelete()==1) {
66 // log.debug("customer is locked.");
67 // throw new AccountLockedException();
68 // }
69 return new SimpleAuthenticationInfo(customer.getAccount(), customer.getPasswd(), getName());
70 }
71
72 /**
73 * 授权方法。
74 */
75 protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
76
77 log.debug("do authortization , principals data [{}]", principals);
78
79 // String username = (String) principals.fromRealm(getName()).iterator().next();
80 //
81 // // 根据账户名获得账户
82 // CustomerAccount account = customerAccountDao.getAccountByUsername(username);
83 //
84 // if (account == null) {
85 // log.debug("account not exist.");
86 // throw new AccountNotExistException();
87 // }
88
89 // 封装授权信息
90 SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
91 // 将用户的角色字符,进行授权
92 // info.addRoles(account.getRoleStringList());
93 // 将用户的权限字符,进行授权
94 // info.addStringPermissions(account.getPermissionStringList());
95 return info;
96 }
97 }
web.xml:
有待修改:
1 <!-- listeners -->
2 <listener>
3 <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>
4 </listener>
5 <listener>
6 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
7 </listener>
8
9
10 <!-- shiro,find spring bean by filter name is 'shiroFilter' -->
11 <filter>
12 <filter-name>shiroFilter</filter-name>
13 <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
14 <init-param>
15 <param-name>targetFilterLifecycle</param-name>
16 <param-value>true</param-value>
17 </init-param>
18 </filter>