Shiro系列之的登录验证功能实现

目前在企业级项目里做权限安全方面喜欢使用Apache开源的Shiro框架或者Spring框架的子框架Spring Security。

Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码学和会话管理。

Shiro框架具有轻便&＃xff0c;开源的优点&＃xff0c;所以本博客介绍基于Shiro的登录验证实现。

在maven里加入shiro需要的jar

org.apache.shiroshiro-all1.2.3



在web.xml加上Shiro过滤器配置&＃xff1a;

shiroFilterorg.springframework.web.filter.DelegatingFilterProxytargetFilterLifecycletrueshiroFilter/*

编写shiro的ShiroRealm类&＃xff1a;

package org.muses.jeeplatform.core.security.shiro;import javax.annotation.Resource;import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.muses.jeeplatform.model.entity.User;
import org.muses.jeeplatform.service.UserService;/*** &＃64;description 基于Shiro框架的权限安全认证和授权* &＃64;author Nicky* &＃64;date 2017年3月12日*/
public class ShiroRealm extends AuthorizingRealm {/**注解引入业务类**/&＃64;ResourceUserService userService;/*** 登录信息和用户验证信息验证(non-Javadoc)* &＃64;see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(AuthenticationToken)*/&＃64;Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {String username &＃61; (String)token.getPrincipal(); //得到用户名 String password &＃61; new String((char[])token.getCredentials()); //得到密码User user &＃61; userService.findByUsername(username);/**检测是否有此用户 **/if(user &＃61;&＃61; null){throw new UnknownAccountException();//没有找到账号异常}/**检验账号是否被锁定 **/if(Boolean.TRUE.equals(user.getLocked())){throw new LockedAccountException();//抛出账号锁定异常}/**AuthenticatingRealm使用CredentialsMatcher进行密码匹配**/if(null !&＃61; username && null !&＃61; password){return new SimpleAuthenticationInfo(username, password, getName());}else{return null;}}/*** 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用,负责在应用程序中决定用户的访问控制的方法(non-Javadoc)* &＃64;see AuthorizingRealm#doGetAuthorizationInfo(PrincipalCollection)*/&＃64;Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection pc) {String username &＃61; (String)pc.getPrimaryPrincipal();SimpleAuthorizationInfo authorizationInfo &＃61; new SimpleAuthorizationInfo();authorizationInfo.setRoles(userService.getRoles(username));authorizationInfo.setStringPermissions(userService.getPermissions(username));System.out.println("Shiro授权");return authorizationInfo;}&＃64;Overridepublic void clearCachedAuthorizationInfo(PrincipalCollection principals) {super.clearCachedAuthorizationInfo(principals);}&＃64;Overridepublic void clearCachedAuthenticationInfo(PrincipalCollection principals) {super.clearCachedAuthenticationInfo(principals);}&＃64;Overridepublic void clearCache(PrincipalCollection principals) {super.clearCache(principals);}}

在Spring框架里集成Shiro&＃xff0c;加入配置

/static/** &＃61; anon/upload/** &＃61; anon/plugins/** &＃61; anon/code &＃61; anon/login &＃61; anon/logincheck &＃61; anon/** &＃61; authc


登录验证控制类实现&＃xff1a;

package org.muses.jeeplatform.web.controller;import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;import javax.servlet.http.HttpServletRequest;import net.sf.json.JSONArray;
import net.sf.json.JSONObject;import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.muses.jeeplatform.core.Constants;
import org.muses.jeeplatform.model.entity.Menu;
import org.muses.jeeplatform.model.entity.Permission;
import org.muses.jeeplatform.model.entity.Role;
import org.muses.jeeplatform.model.entity.User;
import org.muses.jeeplatform.service.MenuService;
import org.muses.jeeplatform.service.UserService;
import org.muses.jeeplatform.utils.Tools;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.servlet.ModelAndView;/*** &＃64;description 登录操作的控制类&＃xff0c;使用Shiro框架&＃xff0c;做好了登录的权限安全认证&＃xff0c;* getRemortIP()方法获取用户登录时的ip并保存到数据库* &＃64;author Nicky* &＃64;date 2017年3月15日*/
&＃64;Controller
public class LoginController extends BaseController {&＃64;AutowiredUserService userService;&＃64;AutowiredMenuService menuService;/*** 获取登录用户的IP* &＃64;throws Exception */public void getRemortIP(String username) { HttpServletRequest request &＃61; this.getRequest();Map map &＃61; new HashMap();String ip &＃61; "";if (request.getHeader("x-forwarded-for") &＃61;&＃61; null) { ip &＃61; request.getRemoteAddr(); }else{ip &＃61; request.getHeader("x-forwarded-for"); }map.put("username", username);map.put("loginIp", ip);userService.saveIP(map);} /*** 访问后台登录页面* &＃64;return* &＃64;throws Exception*/&＃64;RequestMapping(value&＃61;"/login",produces&＃61;"text/html;charset&＃61;UTF-8")public ModelAndView toLogin()throws ClassNotFoundException{ModelAndView mv &＃61; this.getModelAndView();mv.setViewName("admin/frame/login");return mv;}/*** 基于Shiro框架的登录验证,页面发送JSON请求数据&＃xff0c;* 服务端进行登录验证之后&＃xff0c;返回Json响应数据&＃xff0c;"success"表示验证成功* &＃64;param request* &＃64;return* &＃64;throws Exception*/&＃64;RequestMapping(value&＃61;"/logincheck", produces&＃61;"application/json;charset&＃61;UTF-8")&＃64;ResponseBodypublic String loginCheck(HttpServletRequest request)throws AuthenticationException{JSONObject obj &＃61; new JSONObject();String errInfo &＃61; "";//错误信息String logindata[] &＃61; request.getParameter("LOGINDATA").split(",");if(logindata !&＃61; null && logindata.length &＃61;&＃61; 3){//获取Shiro管理的SessionSubject subject &＃61; SecurityUtils.getSubject();Session session &＃61; subject.getSession();String codeSession &＃61; (String)session.getAttribute(Constants.SESSION_SECURITY_CODE);String code &＃61; logindata[2]; /**检测页面验证码是否为空&＃xff0c;调用工具类检测**/if(Tools.isEmpty(code)){errInfo &＃61; "nullcode";}else{String username &＃61; logindata[0];String password &＃61; logindata[1];if(Tools.isNotEmpty(codeSession) && codeSession.equalsIgnoreCase(code)){//Shiro框架SHA加密String passwordsha &＃61; new SimpleHash("SHA-1",username,password).toString();System.out.println(passwordsha);//检测用户名和密码是否正确User user &＃61; userService.doLoginCheck(username,passwordsha);if(user !&＃61; null){if(Boolean.TRUE.equals(user.getLocked())){errInfo &＃61; "locked";}else{//Shiro添加会话session.setAttribute("username", username);session.setAttribute(Constants.SESSION_USER, user);//删除验证码Sessionsession.removeAttribute(Constants.SESSION_SECURITY_CODE);//保存登录IPgetRemortIP(username);/**Shiro加入身份验证**/Subject sub &＃61; SecurityUtils.getSubject();UsernamePasswordToken token &＃61; new UsernamePasswordToken(username,password);sub.login(token);}}else{//账号或者密码错误errInfo &＃61; "uerror";}if(Tools.isEmpty(errInfo)){errInfo &＃61; "success";}}else{//缺少参数errInfo&＃61;"codeerror";}}}obj.put("result", errInfo);return obj.toString();}/*** 后台管理系统主页* &＃64;return* &＃64;throws Exception*/&＃64;RequestMapping(value&＃61;"/admin/index")public ModelAndView toMain() throws AuthenticationException{ModelAndView mv &＃61; this.getModelAndView();/**获取Shiro管理的Session**/Subject subject &＃61; SecurityUtils.getSubject();Session session &＃61; subject.getSession();User user &＃61; (User)session.getAttribute(Constants.SESSION_USER);if(user !&＃61; null){...//业务实现}else{//会话失效&＃xff0c;返回登录界面mv.setViewName("admin/frame/login");}mv.setViewName("admin/frame/index");return mv;}/*** 注销登录* &＃64;return*/&＃64;RequestMapping(value&＃61;"/logout")public ModelAndView logout(){ModelAndView mv &＃61; this.getModelAndView();/**Shiro管理Session**/Subject sub &＃61; SecurityUtils.getSubject();Session session &＃61; sub.getSession();session.removeAttribute(Constants.SESSION_USER);session.removeAttribute(Constants.SESSION_SECURITY_CODE);/**Shiro销毁登录**/Subject subject &＃61; SecurityUtils.getSubject();subject.logout();/**返回后台系统登录界面**/mv.setViewName("admin/frame/login");return mv;}}

前端Ajax和JQeury校验实现&＃xff1a;

/**客户端校验**/function checkValidity() {if ($("#username").val() &＃61;&＃61; "") {$("#username").tips({side : 2,msg : &＃39;用户名不得为空&＃39;,bg : &＃39;#AE81FF&＃39;,time : 3});$("#username").focus();return false;}if ($("#password").val() &＃61;&＃61; "") {$("#password").tips({side : 2,msg : &＃39;密码不得为空&＃39;,bg : &＃39;#AE81FF&＃39;,time : 3});$("#password").focus();return false;}if ($("#code").val() &＃61;&＃61; "") {$("#code").tips({side : 1,msg : &＃39;验证码不得为空&＃39;,bg : &＃39;#AE81FF&＃39;,time : 3});$("#code").focus();return false;}return true;}/**服务器校验**/function loginCheck(){if(checkValidity()){var username &＃61; $("#username").val();var password &＃61; $("#password").val();var code &＃61; username&＃43;","&＃43;password&＃43;","&＃43;$("#code").val();$.ajax({type: "POST",//请求方式为POSTurl: &＃39;logincheck&＃39;,//检验urldata: {LOGINDATA:code,tm:new Date().getTime()},//请求数据dataType:&＃39;json&＃39;,//数据类型为JSON类型cache: false,//关闭缓存success: function(data){//响应成功if("success" &＃61;&＃61; data.result){$("#login").tips({side : 1,msg : &＃39;正在登录 , 请稍后 ...&＃39;,bg : &＃39;#68B500&＃39;,time : 10});window.location.href&＃61;"admin/index";}else if("uerror" &＃61;&＃61; data.result){$("#username").tips({side : 1,msg : "用户名或密码有误",bg : &＃39;#FF5080&＃39;,time : 15});$("#username").focus();}else if("codeerror" &＃61;&＃61; data.result){$("#code").tips({side : 1,msg : "验证码输入有误",bg : &＃39;#FF5080&＃39;,time : 15});$("#code").focus();}else if("locked" &＃61;&＃61; data.result){alert(&＃39;您的账号被锁定了&＃xff0c;呜呜&＃39;);}else{$("#username").tips({side : 1,msg : "缺少参数",bg : &＃39;#FF5080&＃39;,time : 15});$("#username").focus();}}});}}


登录成功&＃xff0c;Session会话过期&＃xff0c;需要重新登录&＃xff0c;保证系统安全性

本博客只提供基于Shiro的登录验证实现&＃xff0c;具体代码可以去我的github下载&＃xff1a;https://github.com/u014427391/jeeplatform
欢迎star