Spring整合Shiro做权限控制模块详细案例分析

1.引入Shiro的Maven依赖

<!-- Spring 整合Shiro需要的依赖 -->

	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-core</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-web</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-ehcache</artifactId>
		<version>1.2.1</version>
	</dependency>
	<dependency>
		<groupId>org.apache.shiro</groupId>
		<artifactId>shiro-spring</artifactId>
		<version>1.2.1</version>
	</dependency>
	<!-- 除此之外还有一些东西也不可少spring, spring-mvc, ibatis等 spring.3.1.2 spring-mvc.3.1.2 
		ibatis.2.3.4 cglib.2.2 -->

2.web.xml中配置

 <!-- 配置shiro的核心拦截器 -->
    <filter>  
        <filter-name>shiroFilter</filter-name>  
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
    </filter>  
    <filter-mapping>  
        <filter-name>shiroFilter</filter-name>  
        <url-pattern>/*</url-pattern>  
    </filter-mapping> 

3.    编写自己的UserRealm类继承自Realm，主要实现认证和授权的管理操作

package com.jay.demo.shiro;

import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;

import com.jay.demo.bean.Permission;
import com.jay.demo.bean.Role;
import com.jay.demo.bean.User;
import com.jay.demo.service.UserService;

public class UserRealm extends AuthorizingRealm{
	
	@Autowired
	private UserService userService;

	/**
	 * 授权操作
	 */
	@Override
	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//		String username = (String) getAvailablePrincipal(principals);
		String username = (String) principals.getPrimaryPrincipal();
		
		Set<Role> roleSet =  userService.findUserByUsername(username).getRoleSet();
		//角色名的集合
		Set<String> roles = new HashSet<String>();
		//权限名的集合
		Set<String> permissions = new HashSet<String>();
		
		Iterator<Role> it = roleSet.iterator();
		while(it.hasNext()){
			roles.add(it.next().getName());
			for(Permission per:it.next().getPermissionSet()){
				permissions.add(per.getName());
			}
		}

		
		SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
		
		authorizationInfo.addRoles(roles);
		authorizationInfo.addStringPermissions(permissions);
		
		
		return authorizationInfo;
	}

	/**
	 * 身份验证操作
	 */
	@Override
	protected AuthenticationInfo doGetAuthenticationInfo(
			AuthenticationToken token) throws AuthenticationException {
		
		String username = (String) token.getPrincipal();
		User user = userService.findUserByUsername(username);
		
		if(user==null){
			//木有找到用户
			throw new UnknownAccountException("没有找到该账号");
		}
		/* if(Boolean.TRUE.equals(user.getLocked())) {  
	            throw new LockedAccountException(); //帐号锁定  
	        } */
		
		/**
		 * 交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配，如果觉得人家的不好可以在此判断或自定义实现  
		 */
		SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(),getName());
		
		
		return info;
	}
	
	@Override
	public String getName() {
		return getClass().getName();
	}

}

4.在Spring的applicationContext.xml中进行Shiro的相关配置

1、添加shiroFilter定义 

Xml代码  

1. <!-- Shiro Filter -->  
2. <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">  
3.     <property name="securityManager"<