本文共 5051 字，大约阅读时间需要 16 分钟。

        在之前的博客，我们都是用shiro.ini保存用户、角色、权限信息，本篇文章我们将这些信息保存到数据库，通过自定义Realm完成身份验证和权限验证。

  去掉用户、角色、权限信息，添加Realm信息的shiro.ini文件信息如下：

[main]authc.loginUrl=/loginroles.unauthorizedUrl=/unauthorized.jspperms.unauthorizedUrl=/unauthorized.jspmyRealm=com.tgb.realm.MyRealmsecurityManager.realms=$myRealm[urls]/login=anon/admin=authc/student=roles[teacher]/teacher=perms["user:create"]

  首先和大家展示下LoginServlet和MyRealm的代码实现，然后结合代码讲解下面的三种验证过程。

  LoginServlet：

package com.tgb.servlet;import java.io.IOException;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.shiro.SecurityUtils;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.subject.Subject;public class LoginServlet extends HttpServlet {	private static final long serialVersionUID = 1L;	@Override	protected void doGet(HttpServletRequest req, HttpServletResponse resp)			throws ServletException, IOException {		System.out.println("login doget");		req.getRequestDispatcher("login.jsp").forward(req, resp);	}	@Override	protected void doPost(HttpServletRequest req, HttpServletResponse resp)			throws ServletException, IOException {		System.out.println("login dopost");		String userName = req.getParameter("userName");		String password = req.getParameter("password");		Subject subject = SecurityUtils.getSubject();		UsernamePasswordToken token = new UsernamePasswordToken(userName,				password);		try {			subject.login(token);			resp.sendRedirect("success.jsp");		} catch (Exception e) {			e.printStackTrace();			req.setAttribute("errorInfo", "用户名或密码错误");			req.getRequestDispatcher("login.jsp").forward(req, resp);		}	}}

package com.tgb.realm;import java.sql.Connection;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import com.tgb.dao.UserDao;import com.tgb.entity.User;import com.tgb.util.DbUtil;public class MyRealm extends AuthorizingRealm {	private UserDao userDao = new UserDao();	private DbUtil dbUtil = new DbUtil();	/**	 * 为当前登录的用户授予权限	 */	@Override	protected AuthorizationInfo doGetAuthorizationInfo(			PrincipalCollection principals) {		String userName = (String) principals.getPrimaryPrincipal();		SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();		Connection con = null;		try {			con = dbUtil.getCon();			authorizationInfo.setRoles(userDao.getRoles(con, userName));			authorizationInfo.setStringPermissions(userDao.getPermissions(con,					userName));		} catch (Exception e) {			e.printStackTrace();		} finally {			try {				dbUtil.closeCon(con);			} catch (Exception e) {			}		}		return authorizationInfo;	}	/**	 * 验证当前登录的用户	 */	@Override	protected AuthenticationInfo doGetAuthenticationInfo(			AuthenticationToken token) throws AuthenticationException {		String userName = (String) token.getPrincipal();		Connection con = null;		try {			con = dbUtil.getCon();			User user = userDao.getByUserName(con, userName);			if (user != null) {				AuthenticationInfo authcInfo = new SimpleAuthenticationInfo(						user.getUserName(), user.getPassword(), "xx");				return authcInfo;			} else {				return null;			}		} catch (Exception e) {			e.printStackTrace();		} finally {			try {				dbUtil.closeCon(con);			} catch (Exception e) {				e.printStackTrace();			}		}		return null;	}}

   success.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"	pageEncoding="UTF-8"%><%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags"%>
    	welcome!	
    
     		welcome admin user!	
    	
    
     		welcome student:create user!
     	
    

   用户名不存在验证

   用户名存在、密码不正确验证

   用户名、密码正确验证

转载地址：http://cokui.baihongyu.com/