Spring Security和Shiro的比較和使用
這個文章是我找了幾個博客總結到一塊成爲這個文章。
首先,先說比較吧!
這個博客地址是:http://www.cnblogs.com/aoeiuv/p/5868128.html
Shiro
首先Shiro較之 Spring Security,Shiro在保持強大功能的同時,還在簡單性和靈活性方面擁有巨大優勢。
Shiro是一個強大而靈活的開源安全框架,能夠非常清晰的處理認證、授權、管理會話以及密碼加密。如下是它所具有的特點:
- 易於理解的 Java Security API;
- 簡單的身份認證(登錄),支持多種數據源(LDAP,JDBC,Kerberos,ActiveDirectory 等);
- 對角色的簡單的籤權(訪問控制),支持細粒度的籤權;
- 支持一級緩存,以提升應用程序的性能;
- 內置的基於 POJO 企業會話管理,適用於 Web 以及非 Web 的環境;
- 異構客戶端會話訪問;
- 非常簡單的加密 API;
- 不跟任何的框架或者容器捆綁,可以獨立運行。
Spring Security
除了不能脫離Spring,shiro的功能它都有。而且Spring Security對Oauth、OpenID也有支持,Shiro則需要自己手動實現。Spring Security的權限細粒度更高(筆者還未發現高在哪裏)。
注:
OAuth在"客戶端"與"服務提供商"之間,設置了一個授權層(authorization layer)。"客戶端"不能直接登錄"服務提供商",只能登錄授權層,以此將用戶與客戶端區分開來。"客戶端"登錄授權層所用的令牌(token),與用戶的密碼不同。用戶可以在登錄的時候,指定授權層令牌的權限範圍和有效期。
"客戶端"登錄授權層以後,"服務提供商"根據令牌的權限範圍和有效期,向"客戶端"開放用戶儲存的資料。
OpenID 系統的第一部分是身份驗證,即如何通過 URI 來認證用戶身份。目前的網站都是依靠用戶名和密碼來登錄認證,這就意味着大家在每個網站都需要註冊用戶名和密碼,即便你使用的是同樣的密碼。如果使用 OpenID ,你的網站地址(URI)就是你的用戶名,而你的密碼安全的存儲在一個 OpenID 服務網站上(你可以自己建立一個 OpenID 服務網站,也可以選擇一個可信任的 OpenID 服務網站來完成註冊)。
與OpenID同屬性的身份識別服務商還有ⅥeID,ClaimID,CardSpace,Rapleaf,Trufina ID Card等,其中ⅥeID通用賬戶的應用最爲廣泛。
綜述
個人認爲現階段需求,權限的操作粒度能控制在路徑及按鈕上,數據粒度通過sql實現。Shrio簡單夠用。
至於OAuth,OpenID 站點間統一登錄功能,現租戶與各個產品間單點登錄已經通過cookies實現,所以Spring Security的這兩個功能可以不考慮。
SpringSide網站的權限也是用Shrio做的。
---------------------------------------------------------------------------------------------------------------------
接着我們來說shiro的使用吧!
源博客地址是:http://peirenlei.iteye.com/blog/2086639
---------------------------------------------------------------------------------------------------------------------
我們採用下面的邏輯創建權限表結構(不是絕對的,根據需要修改)
一個用戶可以有多種角色(normal,manager,admin等等)
一個角色可以有多個用戶(user1,user2,user3等等)
一個角色可以有多個權限(save,update,delete,query等等)
一個權限只屬於一個角色(delete只屬於manager角色)
我們創建四張表:
t_user用戶表:設置了3個用戶
-------------------------------
id + username + password
---+----------------+----------
1 + tom + 000000
2 + jack + 000000
3 + rose + 000000
---------------------------------
t_role角色表:設置3個角色
--------------
id + rolename
---+----------
1 + admin
2 + manager
3 + normal
--------------
t_user_role用戶角色表:tom是admin和normal角色,jack是manager和normal角色,rose是normal角色
---------------------
user_id + role_id
-----------+-----------
1 + 1
1 + 3
2 + 2
2 + 3
3 + 3
---------------------
t_permission權限表:admin角色可以刪除,manager角色可以添加和更新,normal角色可以查看
-----------------------------------
id + permissionname + role_id
----+------------------------+-----------
1 + add + 2
2 + del + 1
3 + update + 2
4 + query + 3
-----------------------------------
建立對應的POJO:
Java代碼
- package com.cn.pojo;
-
- import java.util.HashSet;
- import java.util.List;
- import java.util.Set;
-
- import javax.persistence.Entity;
- import javax.persistence.GeneratedValue;
- import javax.persistence.GenerationType;
- import javax.persistence.Id;
- import javax.persistence.JoinColumn;
- import javax.persistence.JoinTable;
- import javax.persistence.ManyToMany;
- import javax.persistence.Table;
- import javax.persistence.Transient;
-
- import org.hibernate.validator.constraints.NotEmpty;
-
- @Entity
- @Table(name="t_user")
- public class User {
-
- private Integer id;
- @NotEmpty(message="用戶名不能爲空")
- private String username;
- @NotEmpty(message="密碼不能爲空")
- private String password;
- private List<Role> roleList;//一個用戶具有多個角色
-
- @Id
- @GeneratedValue(strategy=GenerationType.IDENTITY)
- public Integer getId() {
- return id;
- }
- public void setId(Integer id) {
- this.id = id;
- }
- public String getUsername() {
- return username;
- }
- public void setUsername(String username) {
- this.username = username;
- }
- public String getPassword() {
- return password;
- }
- public void setPassword(String password) {
- this.password = password;
- }
- @ManyToMany
- @JoinTable(name="t_user_role",joinColumns={@JoinColumn(name="user_id")},inverseJoinColumns={@JoinColumn(name="role_id")})
- public List<Role> getRoleList() {
- return roleList;
- }
- public void setRoleList(List<Role> roleList) {
- this.roleList = roleList;
- }
-
- @Transient
- public Set<String> getRolesName(){
- List<Role> roles=getRoleList();
- Set<String> set=new HashSet<String>();
- for (Role role : roles) {
- set.add(role.getRolename());
- }
- return set;
- }
-
- }
Java代碼
- package com.cn.pojo;
-
- import java.util.ArrayList;
- import java.util.List;
-
- import javax.persistence.Entity;
- import javax.persistence.GeneratedValue;
- import javax.persistence.GenerationType;
- import javax.persistence.Id;
- import javax.persistence.JoinColumn;
- import javax.persistence.JoinTable;
- import javax.persistence.ManyToMany;
- import javax.persistence.OneToMany;
- import javax.persistence.Table;
- import javax.persistence.Transient;
-
- @Entity
- @Table(name="t_role")
- public class Role {
-
- private Integer id;
- private String rolename;
- private List<Permission> permissionList;//一個角色對應多個權限
- private List<User> userList;//一個角色對應多個用戶
-
- @Id
- @GeneratedValue(strategy=GenerationType.IDENTITY)
- public Integer getId() {
- return id;
- }
- public void setId(Integer id) {
- this.id = id;
- }
- public String getRolename() {
- return rolename;
- }
- public void setRolename(String rolename) {
- this.rolename = rolename;
- }
- @OneToMany(mappedBy="role")
- public List<Permission> getPermissionList() {
- return permissionList;
- }
- public void setPermissionList(List<Permission> permissionList) {
- this.permissionList = permissionList;
- }
- @ManyToMany
- @JoinTable(name="t_user_role",joinColumns={@JoinColumn(name="role_id")},inverseJoinColumns={@JoinColumn(name="user_id")})
- public List<User> getUserList() {
- return userList;
- }
- public void setUserList(List<User> userList) {
- this.userList = userList;
- }
-
- @Transient
- public List<String> getPermissionsName(){
- List<String> list=new ArrayList<String>();
- List<Permission> perlist=getPermissionList();
- for (Permission per : perlist) {
- list.add(per.getPermissionname());
- }
- return list;
- }
- }
Java代碼
- package com.cn.pojo;
-
- import javax.persistence.Entity;
- import javax.persistence.GeneratedValue;
- import javax.persistence.GenerationType;
- import javax.persistence.Id;
- import javax.persistence.JoinColumn;
- import javax.persistence.ManyToOne;
- import javax.persistence.Table;
-
- @Entity
- @Table(name="t_permission")
- public class Permission {
-
- private Integer id;
- private String permissionname;
- private Role role;//一個權限對應一個角色
-
- @Id
- @GeneratedValue(strategy=GenerationType.IDENTITY)
- public Integer getId() {
- return id;
- }
- public void setId(Integer id) {
- this.id = id;
- }
- public String getPermissionname() {
- return permissionname;
- }
- public void setPermissionname(String permissionname) {
- this.permissionname = permissionname;
- }
- @ManyToOne
- @JoinColumn(name="role_id")
- public Role getRole() {
- return role;
- }
- public void setRole(Role role) {
- this.role = role;
- }
-
- }
使用SHIRO的步驟:
1,導入jar
2,配置web.xml
3,建立dbRelm
4,在Spring中配置
pom.xml中配置如下:
Xml代碼
- <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <groupId>com.hyx</groupId>
- <artifactId>springmvc</artifactId>
- <packaging>war</packaging>
- <version>0.0.1-SNAPSHOT</version>
- <name>springmvc Maven Webapp</name>
- <url>http://maven.apache.org</url>
- <dependencies>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>3.8.1</version>
- <scope>test</scope>
- </dependency>
- <!-- SpringMVC核心jar -->
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-webmvc</artifactId>
- <version>3.2.4.RELEASE</version>
- </dependency>
- <!-- springmvc連接數據庫需要的jar -->
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-jdbc</artifactId>
- <version>3.2.4.RELEASE</version>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-orm</artifactId>
- <version>3.2.4.RELEASE</version>
- </dependency>
- <!-- ************************************ -->
- <!-- Hibernate相關jar -->
- <dependency>
- <groupId>org.hibernate</groupId>
- <artifactId>hibernate-core</artifactId>
- <version>4.2.5.Final</version>
- </dependency>
- <dependency>
- <groupId>org.hibernate</groupId>
- <artifactId>hibernate-ehcache</artifactId>
- <version>4.2.5.Final</version>
- </dependency>
- <dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache</artifactId>
- <version>2.7.2</version>
- </dependency>
- <dependency>
- <groupId>commons-dbcp</groupId>
- <artifactId>commons-dbcp</artifactId>
- <version>1.4</version>
- </dependency>
- <dependency>
- <groupId>mysql</groupId>
- <artifactId>mysql-connector-java</artifactId>
- <version>5.1.26</version>
- </dependency>
- <!-- javax提供的annotation -->
- <dependency>
- <groupId>javax.inject</groupId>
- <artifactId>javax.inject</artifactId>
- <version>1</version>
- </dependency>
- <!-- **************************** -->
-
- <!-- hibernate驗證 -->
- <dependency>
- <groupId>org.hibernate</groupId>
- <artifactId>hibernate-validator</artifactId>
- <version>5.0.1.Final</version>
- </dependency>
- <!-- 用於對@ResponseBody註解的支持 -->
- <dependency>
- <groupId>org.codehaus.jackson</groupId>
- <artifactId>jackson-mapper-asl</artifactId>
- <version>1.9.13</version>
- </dependency>
- <!-- 提供對c標籤的支持 -->
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>jstl</artifactId>
- <version>1.2</version>
- </dependency>
- <!-- servlet api -->
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- <version>2.5</version>
- </dependency>
-
- <!--Apache Shiro所需的jar包-->
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- <version>1.2.2</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-web</artifactId>
- <version>1.2.2</version>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-spring</artifactId>
- <version>1.2.2</version>
- </dependency>
- </dependencies>
-
- <build>
- <finalName>springmvc</finalName>
- <!-- maven的jetty服務器插件 -->
- <plugins>
- <plugin>
- <groupId>org.mortbay.jetty</groupId>
- <artifactId>jetty-maven-plugin</artifactId>
- <configuration>
- <scanIntervalSeconds>10</scanIntervalSeconds>
- <webApp>
- <contextPath>/</contextPath>
- </webApp>
- <!-- 修改jetty的默認端口 -->
- <connectors>
- <connector implementation="org.eclipse.jetty.server.nio.SelectChannelConnector">
- <port>80</port>
- <maxIdleTime>60000</maxIdleTime>
- </connector>
- </connectors>
- </configuration>
- </plugin>
- </plugins>
- </build>
- </project>
web.xml中的配置:
Xml代碼
- <?xml version="1.0" encoding="UTF-8" ?>
- <web-app version="2.5"
- xmlns="http://java.sun.com/xml/ns/javaee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
- http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
- <display-name>Archetype Created Web Application</display-name>
-
- <!-- spring-orm-hibernate4的OpenSessionInViewFilter -->
- <filter>
- <filter-name>opensessioninview</filter-name>
- <filter-class>org.springframework.orm.hibernate4.support.OpenSessionInViewFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>opensessioninview</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <!-- 配置springmvc servlet -->
- <servlet>
- <servlet-name>springmvc</servlet-name>
- <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
- <servlet-mapping>
- <servlet-name>springmvc</servlet-name>
- <!-- / 表示所有的請求都要經過此serlvet -->
- <url-pattern>/</url-pattern>
- </servlet-mapping>
-
- <!-- spring的監聽器 -->
- <context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>classpath:applicationContext*.xml</param-value>
- </context-param>
- <listener>
- <listener-class>
- org.springframework.web.context.ContextLoaderListener
- </listener-class>
- </listener>
-
- <!-- Shiro配置 -->
- <filter>
- <filter-name>shiroFilter</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>shiroFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- </web-app>
Java代碼
- package com.cn.service;
-
- import java.util.List;
-
- import javax.inject.Inject;
-
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.AuthenticationInfo;
- import org.apache.shiro.authc.AuthenticationToken;
- import org.apache.shiro.authc.SimpleAuthenticationInfo;
- import org.apache.shiro.authc.UsernamePasswordToken;
- import org.apache.shiro.authz.AuthorizationInfo;
- import org.apache.shiro.authz.SimpleAuthorizationInfo;
- import org.apache.shiro.realm.AuthorizingRealm;
- import org.apache.shiro.subject.PrincipalCollection;
- import org.springframework.stereotype.Service;
- import org.springframework.transaction.annotation.Transactional;
-
- import com.cn.pojo.Role;
- import com.cn.pojo.User;
-
- @Service
- @Transactional
- public class MyShiro extends AuthorizingRealm{
-
- @Inject
- private UserService userService;
- /**
- * 權限認證
- */
- @Override
- protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
- //獲取登錄時輸入的用戶名
- String loginName=(String) principalCollection.fromRealm(getName()).iterator().next();
- //到數據庫查是否有此對象
- User user=userService.findByName(loginName);
- if(user!=null){
- //權限信息對象info,用來存放查出的用戶的所有的角色(role)及權限(permission)
- SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
- //用戶的角色集合
- info.setRoles(user.getRolesName());
- //用戶的角色對應的所有權限,如果只使用角色定義訪問權限,下面的四行可以不要
- List<Role> roleList=user.getRoleList();
- for (Role role : roleList) {
- info.addStringPermissions(role.getPermissionsName());
- }
- return info;
- }
- return null;
- }
-
- /**
- * 登錄認證;
- */
- @Override
- protected AuthenticationInfo doGetAuthenticationInfo(
- AuthenticationToken authenticationToken) throws AuthenticationException {
- //UsernamePasswordToken對象用來存放提交的登錄信息
- UsernamePasswordToken token=(UsernamePasswordToken) authenticationToken;
- //查出是否有此用戶
- User user=userService.findByName(token.getUsername());
- if(user!=null){
- //若存在,將此用戶存放到登錄認證info中
- return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
- }
- return null;
- }
-
- }
在spring的配置文件中配置,爲了區別spring原配置和shiro我們將shiro的配置獨立出來。
applicationContext-shiro.xml
Xml代碼
- <?xml version="1.0" encoding="UTF-8" ?>
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:aop="http://www.springframework.org/schema/aop"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
- http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
-
- <!-- 配置權限管理器 -->
- <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
- <!-- ref對應我們寫的realm MyShiro -->
- <property name="realm" ref="myShiro"/>
- <!-- 使用下面配置的緩存管理器 -->
- <property name="cacheManager" ref="cacheManager"/>
- </bean>
-
- <!-- 配置shiro的過濾器工廠類,id- shiroFilter要和我們在web.xml中配置的過濾器一致 -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <!-- 調用我們配置的權限管理器 -->
- <property name="securityManager" ref="securityManager"/>
- <!-- 配置我們的登錄請求地址 -->
- <property name="loginUrl" value="/login"/>
- <!-- 配置我們在登錄頁登錄成功後的跳轉地址,如果你訪問的是非/login地址,則跳到您訪問的地址 -->
- <property name="successUrl" value="/user"/>
- <!-- 如果您請求的資源不再您的權限範圍,則跳轉到/403請求地址 -->
- <property name="unauthorizedUrl" value="/403"/>
- <!-- 權限配置 -->
- <property name="filterChainDefinitions">
- <value>
- <!-- anon表示此地址不需要任何權限即可訪問 -->
- /static/**=anon
- <!-- perms[user:query]表示訪問此連接需要權限爲user:query的用戶 -->
- /user=perms[user:query]
- <!-- roles[manager]表示訪問此連接需要用戶的角色爲manager -->
- /user/add=roles[manager]
- /user/del/**=roles[admin]
- /user/edit/**=roles[manager]
- <!--所有的請求(除去配置的靜態資源請求或請求地址爲anon的請求)都要通過登錄驗證,如果未登錄則跳到/login-->
- /** = authc
- </value>
- </property>
- </bean>
-
-
- <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" />
- <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
-
- </beans>
用於登錄,登出,權限跳轉的控制:
Java代碼
- package com.cn.controller;
-
- import javax.validation.Valid;
-
- import org.apache.shiro.SecurityUtils;
- import org.apache.shiro.authc.AuthenticationException;
- import org.apache.shiro.authc.UsernamePasswordToken;
- import org.springframework.stereotype.Controller;
- import org.springframework.ui.Model;
- import org.springframework.validation.BindingResult;
- import org.springframework.web.bind.annotation.RequestMapping;
- import org.springframework.web.bind.annotation.RequestMethod;
- import org.springframework.web.servlet.mvc.support.RedirectAttributes;
-
- import com.cn.pojo.User;
-
- @Controller
- public class HomeController {
-
- @RequestMapping(value="/login",method=RequestMethod.GET)
- public String loginForm(Model model){
- model.addAttribute("user", new User());
- return "/login";
- }
-
- @RequestMapping(value="/login",method=RequestMethod.POST)
- public String login(@Valid User user,BindingResult bindingResult,RedirectAttributes redirectAttributes){
- try {
- if(bindingResult.hasErrors()){
- return "/login";
- }
- //使用權限工具進行用戶登錄,登錄成功後跳到shiro配置的successUrl中,與下面的return沒什麼關係!
- SecurityUtils.getSubject().login(new UsernamePasswordToken(user.getUsername(), user.getPassword()));
- return "redirect:/user";
- } catch (AuthenticationException e) {
- redirectAttributes.addFlashAttribute("message","用戶名或密碼錯誤");
- return "redirect:/login";
- }
- }
-
- @RequestMapping(value="/logout",method=RequestMethod.GET)
- public String logout(RedirectAttributes redirectAttributes ){
- //使用權限管理工具進行用戶的退出,跳出登錄,給出提示信息
- SecurityUtils.getSubject().logout();
- redirectAttributes.addFlashAttribute("message", "您已安全退出");
- return "redirect:/login";
- }
-
- @RequestMapping("/403")
- public String unauthorizedRole(){
- return "/403";
- }
- }
三個主要的JSP:
login.jsp:
Html代碼
- <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
- <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <title>My JSP 'MyJsp.jsp' starting page</title>
- </head>
-
- <body>
- <h1>登錄頁面----${message }</h1>
- <img alt="" src="/static/img/1.jpg">
- <form:form action="/login" commandName="user" method="post">
- 用戶名:<form:input path="username"/> <form:errors path="username" cssClass="error"/> <br/>
- 密 碼:<form:password path="password"/> <form:errors path="password" cssClass="error" /> <br/>
- <form:button name="button">submit</form:button>
- </form:form>
- </body>
- </html>
user.jsp:
Html代碼
- <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
- <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
- <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <title>用戶列表</title>
- </head>
- <body>
- <h1>${message }</h1>
- <h1>用戶列表--<a href="/user/add">添加用戶</a>---<a href="/logout">退出登錄</a> </h1>
- <h2>權限列表</h2>
- <shiro:authenticated>用戶已經登錄顯示此內容</shiro:authenticated>
- <shiro:hasRole name="manager">manager角色登錄顯示此內容</shiro:hasRole>
- <shiro:hasRole name="admin">admin角色登錄顯示此內容</shiro:hasRole>
- <shiro:hasRole name="normal">normal角色登錄顯示此內容</shiro:hasRole>
-
- <shiro:hasAnyRoles name="manager,admin">**manager or admin 角色用戶登錄顯示此內容**</shiro:hasAnyRoles>
- <shiro:principal/>-顯示當前登錄用戶名
- <shiro:hasPermission name="add">add權限用戶顯示此內容</shiro:hasPermission>
- <shiro:hasPermission name="user:query">query權限用戶顯示此內容<shiro:principal/></shiro:hasPermission>
- <shiro:lacksPermission name="user:del"> 不具有user:del權限的用戶顯示此內容 </shiro:lacksPermission>
- <ul>
- <c:forEach items="${userList }" var="user">
- <li>用戶名:${user.username }----密碼:${user.password }----<a href="/user/edit/${user.id}">修改用戶</a>----<a href="javascript:;" class="del" ref="${user.id }">刪除用戶</a></li>
- </c:forEach>
- </ul>
- <img alt="" src="/static/img/1.jpg">
- <script type="text/javascript" src="http://cdn.staticfile.org/jquery/1.9.1/jquery.min.js"></script>
- <script>
- $(function(){
- $(".del").click(function(){
- var id=$(this).attr("ref");
- $.ajax({
- type:"delete",
- url:"/user/del/"+id,
- success:function(e){
-
- }
- });
- });
- });
- </script>
- </body>
- </html>
403.jsp:
Html代碼
- <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
- <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <title>權限錯誤</title>
- </head>
-
- <body>
- <h1>對不起,您沒有權限請求此連接!</h1>
- <img alt="" src="/static/img/1.jpg">
-
- </body>
- </html>
----------------------------------------------------------------------------------------------------------------
OK,到這裏shiro就結束了!現在我們來看Spring Security的。
源:http://hotstrong.iteye.com/blog/1160153
----------------------------------------------------------------------------------------------------------------
使用Spring Security實現權限管理
1、技術目標
- 瞭解並創建Security框架所需數據表
- 爲項目添加Spring Security框架
- 掌握Security框架配置
- 應用Security框架爲項目的CRUD操作綁定權限
注意:本文所用項目爲"影片管理",參看
http://hotstrong.iteye.com/blog/1156785
2、權限管理需求描述
- 爲系統中的每個操作定義權限,如定義4個權限:
1)超級權限,可以使用所有操作
2)添加影片權限
3)修改影片權限
4)刪除影片權限
- 爲系統設置管理員帳號、密碼
- 爲系統創建權限組,每個權限組可以配置多個操作權限,如創建2個權限組:
1)"Administrator"權限組,具有超級權限
2)"影片維護"權限組,具有添加影片、修改影片權限
- 可將管理員加入權限組,管理員登錄後具備權限組所對應操作權限
- 管理員可不屬於某權限組,可爲管理員直接分配權限
3、使用準備
3.1)在數據庫中創建6張表
t_admin 管理員帳號表
t_role權限表
t_group 權限組表
t_group_role權限組對應權限表
t_group_user管理員所屬權限組表
t_user_role管理員對應權限表
建表SQL語句如下:
Sql代碼
- SET FOREIGN_KEY_CHECKS=0;
- ------------------------------
- -- 創建管理員帳號表t_admin
- -- ----------------------------
- CREATE TABLE `t_admin` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `passwd` varchar(12) NOT NULL DEFAULT '' COMMENT '用戶密碼',
- `nickname` varchar(20) NOT NULL DEFAULT '' COMMENT '用戶名字',
- `phoneno` varchar(32) NOT NULL DEFAULT '' COMMENT '電話號碼',
- PRIMARY KEY (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;
-
- -- ----------------------------
- -- 添加3個管理帳號
- -- ----------------------------
- INSERT INTO `t_admin` VALUES ('1', 'admin', 'admin', '');
- INSERT INTO `t_admin` VALUES ('4', '123456', 'test', '');
- INSERT INTO `t_admin` VALUES ('5', '111111', '111111', '');
-
- -- ----------------------------
- -- 創建權限表t_role
- -- ----------------------------
- CREATE TABLE `t_role` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `role` varchar(40) NOT NULL DEFAULT '',
- `descpt` varchar(40) NOT NULL DEFAULT '' COMMENT '角色描述',
- `category` varchar(40) NOT NULL DEFAULT '' COMMENT '分類',
- PRIMARY KEY (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=60 DEFAULT CHARSET=utf8;
-
- -- ----------------------------
- -- 加入4個操作權限
- -- ----------------------------
- INSERT INTO `t_role` VALUES ('1', 'ROLE_ADMIN', '系統管理員', '系統管理員');
- INSERT INTO `t_role` VALUES ('2', 'ROLE_UPDATE_FILM', '修改', '影片管理');
- INSERT INTO `t_role` VALUES ('3', 'ROLE_DELETE_FILM', '刪除', '影片管理');
- INSERT INTO `t_role` VALUES ('4', 'ROLE_ADD_FILM', '添加', '影片管理');
-
- -- ----------------------------
- -- 創建權限組表
- -- ----------------------------
- CREATE TABLE `t_group` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `groupname` varchar(50) NOT NULL DEFAULT '',
- PRIMARY KEY (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8;
-
- -- ----------------------------
- -- 添加2個權限組
- -- ----------------------------
- INSERT INTO `t_group` VALUES ('1', 'Administrator');
- INSERT INTO `t_group` VALUES ('2', '影片維護');
-
- -- ----------------------------
- -- 創建權限組對應權限表t_group_role
- -- ----------------------------
- CREATE TABLE `t_group_role` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `groupid` bigint(20) unsigned NOT NULL,
- `roleid` bigint(20) unsigned NOT NULL,
- PRIMARY KEY (`id`),
- UNIQUE KEY `groupid2` (`groupid`,`roleid`),
- KEY `roleid` (`roleid`),
- CONSTRAINT `t_group_role_ibfk_1` FOREIGN KEY (`groupid`) REFERENCES `t_group` (`id`),
- CONSTRAINT `t_group_role_ibfk_2` FOREIGN KEY (`roleid`) REFERENCES `t_role` (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=83 DEFAULT CHARSET=utf8;
-
- -- ----------------------------
- -- 加入權限組與權限的對應關係
- -- ----------------------------
- INSERT INTO `t_group_role` VALUES ('1', '1', '1');
- INSERT INTO `t_group_role` VALUES ('2', '2', '2');
- INSERT INTO `t_group_role` VALUES ('4', '2', '4');
-
- -- ----------------------------
- -- 創建管理員所屬權限組表t_group_user
- -- ----------------------------
- CREATE TABLE `t_group_user` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `userid` bigint(20) unsigned NOT NULL,
- `groupid` bigint(20) unsigned NOT NULL,
- PRIMARY KEY (`id`),
- KEY `userid` (`userid`),
- KEY `groupid` (`groupid`),
- CONSTRAINT `t_group_user_ibfk_2` FOREIGN KEY (`groupid`) REFERENCES `t_group` (`id`),
- CONSTRAINT `t_group_user_ibfk_3` FOREIGN KEY (`userid`) REFERENCES `t_admin` (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=utf8;
-
- -- ----------------------------
- -- 將管理員加入權限組
- -- ----------------------------
- INSERT INTO `t_group_user` VALUES ('1', '1', '1');
- INSERT INTO `t_group_user` VALUES ('2', '4', '2');
-
- -- ----------------------------
- -- 創建管理員對應權限表t_user_role
- -- 設置該表可跳過權限組,爲管理員直接分配權限
- -- ----------------------------
- CREATE TABLE `t_user_role` (
- `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
- `userid` bigint(20) unsigned NOT NULL,
- `roleid` bigint(20) unsigned NOT NULL,
- PRIMARY KEY (`id`),
- KEY `userid` (`userid`),
- KEY `roleid` (`roleid`),
- CONSTRAINT `t_user_role_ibfk_1` FOREIGN KEY (`userid`) REFERENCES `t_admin` (`id`),
- CONSTRAINT `t_user_role_ibfk_2` FOREIGN KEY (`roleid`) REFERENCES `t_role` (`id`)
- ) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;
-
3.2)在項目中新增如下jar包(security框架所需jar包):
注意:以下jar包本文已提供下載
spring-security-config-3.1.0.RC2.jar
spring-security-core-3.1.0.RC2.jar
spring-security-taglibs-3.1.0.RC2.jar
spring-security-web-3.1.0.RC2.jar
3.3)創建如下包,放置登錄驗證過濾器代碼:
com.xxx.security
3.4)在src下創建Spring配置文件applicationContext-security.xml,內容如下:
Xml代碼
- <?xml version="1.0" encoding="UTF-8"?>
-
- <beans:beans xmlns="http://www.springframework.org/schema/security"
- xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
- <!-- 這裏進行配置 -->
-
- </beans:beans>
3.5)在web.xml中加入security配置,如下:
Xml代碼
- <?xml version="1.0" encoding="UTF-8"?>
- <web-app version="2.5"
- xmlns="http://java.sun.com/xml/ns/javaee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
- http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
- <welcome-file-list>
- <welcome-file>index.jsp</welcome-file>
- </welcome-file-list>
-
- <context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>/WEB-INF/applicationContext-*.xml,classpath*:applicationContext-*.xml</param-value>
- </context-param>
-
- <!-- 配置Spring Security -->
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
-
- <filter>
- <filter-name>struts2</filter-name>
- <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>struts2</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <listener>
- <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
- </listener>
- </web-app>
4、站點根路徑下創建登錄頁面login.jsp,代碼如下:
Html代碼
- <%@ page language="java" contentType="text/html; charset=UTF-8"
- pageEncoding="UTF-8"%>
- <%@ taglib prefix="s" uri="/struts-tags"%>
- <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path;
- %>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>後臺登錄</title>
- </head>
- <body onload="document.loginForm.j_username.focus();">
- <!-- 登錄表單 -->
- <form name="loginForm" action="<c:url value='/j_spring_security_check'/>" method="post">
- <!-- 登錄失敗後,顯示之前的登錄名 -->
- 用戶名:<input type='text' name='j_username' class="txtinput"
- value='<c:if test="${not empty param.login_error}" >
- <c:out value="${SPRING_SECURITY_LAST_USERNAME}"/></c:if>' />
- <br />
- 密碼:<input type='password' name='j_password' class="txtinput" />
- <br />
-
- <input type="checkbox" name="_spring_security_remember_me" />
- 保存登錄信息
- <input name="submit" type="submit" value="提交" />
- <input name="reset" type="reset" value="重置" />
-
- </form>
- <br />
- <!-- 顯示登錄失敗原因 -->
- <c:if test="${not empty param.error}">
- <font color="red"> 登錄失敗<br />
- <br />
- 原因: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />. </font>
- </c:if>
- </body>
- </html>
5、站點根路徑下創建註銷頁面loggedout.jsp,代碼如下:
Html代碼
- <%@page session="false" %>
- <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
- <%@ page pageEncoding="UTF-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path;
- %>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
- <title>登出</title>
- </head>
- <body>
- 你已經退出。
- <a href="<c:url value='/login.jsp'/>">點擊這裏登錄</a>
- </body>
- </html>
6、站點根路徑下創建HttpSession超時提示頁面timeout.jsp,代碼如下:
Html代碼
- <%@page session="false" %>
- <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
- <%@ page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path;
- %>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <title>用戶失效</title>
- </head>
- <body>
- 你的登錄已經失效,請重新登錄。
- <br />
- <a href="<c:url value='/login.jsp'/>" >
- 點擊這裏登錄</a>
- </body>
- </html>
7、在com.xxx.security包下創建登錄驗證過濾器,該過濾器可用於在管理員登錄時進行日誌記錄等相關操作,包括兩個類:
- LoginUsernamePasswordAuthenticationFilter
- LoginSuccessHandler
7.1)LoginUsernamePasswordAuthenticationFilter代碼如下:
Java代碼
- package com.xxx.security;
- import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-
- public class LoginUsernamePasswordAuthenticationFilter extends
- UsernamePasswordAuthenticationFilter {
-
- }
7.2)LoginSuccessHandler代碼如下:
Java代碼
- package com.xxx.security;
-
- import java.io.IOException;
- import javax.servlet.ServletException;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
-
- /**
- * 處理管理員登錄日誌
- *
- */
- public class LoginSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler{
-
- @Override
- public void onAuthenticationSuccess(HttpServletRequest request,
- HttpServletResponse response, Authentication authentication) throws IOException,
- ServletException {
-
- UserDetails userDetails = (UserDetails)authentication.getPrincipal();
-
- //輸出登錄提示信息
- System.out.println("管理員 " + userDetails.getUsername() + " 登錄");
-
- super.onAuthenticationSuccess(request, response, authentication);
- }
-
- }
8、在applicationContext-security.xml中加入權限管理配置,如下:
Xml代碼
- <?xml version="1.0" encoding="UTF-8"?>
-
- <beans:beans xmlns="http://www.springframework.org/schema/security"
- xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
- <http >
- <!-- 不攔截login.jsp -->
- <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
- <!--僅攔截到manager下面的內容,具備access對應權限的-->
- <intercept-url pattern="/manager/**" access="ROLE_ADMIN,ROLE_UPDATE_FILM,ROLE_DELETE_FILM,ROLE_ADD_FILM" />
- <!-- 設置登錄過濾器 -->
- <custom-filter before="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />
- <!-- 登錄表單設置 -->
- <form-login login-page="/login.jsp"
- default-target-url="/manager/films.jsp"
- authentication-failure-url="/login.jsp?error=true" />
-
- <!-- 登出操作後跳轉到該頁面 -->
- <logout logout-success-url="/loggedout.jsp"
- delete-cookies="JSESSIONID" />
- <remember-me />
-
- <!-- SESSION超時後跳轉到該頁面 -->
- <session-management invalid-session-url="/timeout.jsp">
- </session-management>
- </http>
-
- <authentication-manager alias="authenticationManager">
- <authentication-provider>
- <!--
- 直接使用SQL語句查詢登錄帳號對應權限,
- users-by-username-query:查詢登錄用戶是否存在
- authorities-by-username-query:查詢登錄用戶權限(登錄用戶可以不屬於任何組,從t_user_role表中獲取權限)
- group-authorities-by-username-query:查詢登錄用戶所在組的權限
- -->
- <jdbc-user-service data-source-ref="dataSource"
- group-authorities-by-username-query="SELECT g.id,g.groupname,role.role
- FROM t_group AS g
- LEFT OUTER JOIN t_group_role AS grouprole ON (g.id = grouprole.groupid)
- LEFT OUTER JOIN t_role AS role ON (role.id = grouprole.roleid)
- LEFT OUTER JOIN t_group_user AS groupuser on (g.id = groupuser.groupid)
- LEFT OUTER JOIN t_admin ON (t_admin.id = groupuser.userid)
- WHERE t_admin.nickname = ?"
- users-by-username-query="SELECT t_admin.nickname AS username,t_admin.passwd as password,'true' AS enabled
- FROM t_admin
- WHERE t_admin.nickname = ?"
- authorities-by-username-query="SELECT t_admin.nickname AS username,role.role as authorities
- FROM t_admin
- LEFT OUTER JOIN t_user_role AS userrole ON(t_admin.id = userrole.userid)
- LEFT OUTER JOIN t_role AS role ON (userrole.roleid = role.id)
- WHERE t_admin.nickname = ?" />
- </authentication-provider>
- </authentication-manager>
-
- <!-- 自定義消息 -->
- <b:bean id="messageSource"
- class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
- <b:property name="basename"
- value="classpath:org/springframework/security/messages" />
- </b:bean>
-
- <!-- 定製登錄過濾器 -->
- <beans:bean id="loginSuccessHandler" class="com.xxx.security.LoginSuccessHandler">
- <b:property name="defaultTargetUrl">
- <!-- 登錄成功後轉發到該頁面 -->
- <b:value>/manager/films.jsp</b:value>
- </b:property>
- </beans:bean>
- <beans:bean id="authenticationProcessingFilter" class="com.xxx.security.LoginUsernamePasswordAuthenticationFilter">
- <beans:property name="authenticationSuccessHandler" ref="loginSuccessHandler"></beans:property>
- <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler"></beans:property>
- <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
- </beans:bean>
- <beans:bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
- <beans:property name="defaultFailureUrl">
- <!-- 登錄失敗後轉發到該頁面 -->
- <beans:value>/login.jsp?error=true</beans:value>
- </beans:property>
- </beans:bean>
-
- </beans:beans>
注:
Spring Security 默認action="j_spring_security_check",讓很多人不理解這個請求之後會跳轉到哪裏去,
這裏我們就看
配置文件裏這個<http></http>標籤,這個標籤裏面最基本的是intercept-url,用來設置訪問權限的。
<http></http>標籤裏面有個form-login 標籤,這個標籤有很多屬性,大概情況如下:
form-login屬性詳解
1. login-page 自定義登錄頁url,默認爲/login
2. login-processing-url 登錄請求攔截的url,也就是form表單提交時指定的action
3. default-target-url 默認登錄成功後跳轉的url
4. always-use-default-target 是否總是使用默認的登錄成功後跳轉url
5. authentication-failure-url 登錄失敗後跳轉的url
6. username-parameter 用戶名的請求字段 默認爲userName
7. password-parameter 密碼的請求字段 默認爲password
8. authentication-success-handler-ref 指向一個AuthenticationSuccessHandler用於處理認證成功的請求,不能和default-target-url還有always-use-default-target同時使用
9. authentication-success-forward-url 用於authentication-failure-handler-ref
10. authentication-failure-handler-ref 指向一個AuthenticationFailureHandler用於處理失敗的認證請求
11. authentication-failure-forward-url 用於authentication-failure-handler-ref
12. authentication-details-source-ref 指向一個AuthenticationDetailsSource,在認證過濾器中使用
9、爲影片頁面films.jsp定製操作權限,定製後,不同的帳號登錄會看到不同的操作,
比如,帳號"admin"屬於權限組"Administrator",具備權限"ROLE_ADMIN",登錄後
可以看到所有操作,帳號"test"屬於權限組"影片維護",具備權限"ROLE_UPDATE_FILM"
和"ROLE_ADD_FILM",登錄後只能看到"添加影片信息"和"修改"操作
films.jsp頁面權限分佈圖:
films.jsp代碼如下:
Html代碼
- <%@ page language="java" contentType="text/html; charset=utf-8"
- pageEncoding="utf-8" %>
- <%@taglib uri="/struts-tags" prefix="s" %>
- <%@ taglib prefix="security"
- uri="http://www.springframework.org/security/tags"%>
- <%
- String path = request.getContextPath();
- String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
- %>
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <title>信息操作</title>
- </head>
- <body>
- <s:form action="/film/findFilm" method="post">
- <s:submit value=" 獲取所有影片信息 "></s:submit>
- </s:form>
- <!-- 添加影片操作,登錄帳號具備ROLE_ADMIN權限或者ROLE_ADD_FILM權限可以執行 -->
- <security:authorize ifAnyGranted="ROLE_ADMIN,ROLE_ADD_FILM">
- <a href="<%=basePath %>manager/insertFilm.jsp">添加影片信息</a><br />
- </security:authorize>
-
- <s:if test="filmList != null">
- <table border="1" width="40%">
- <tr>
- <th>序號</th><th>影片名</th><th>操作</th>
- </tr>
- <%-- 遍歷影片信息 --%>
- <s:iterator var="film" value="filmList" status="st">
- <tr>
- <td><s:property value="#st.index+1" /></td>
- <td><s:property value="fname" /></td>
- <td>
-
- <!-- 修改影片操作,登錄帳號具備ROLE_ADMIN權限或者ROLE_UPDATE_FILM權限可以執行 -->
- <security:authorize ifAnyGranted="ROLE_ADMIN,ROLE_UPDATE_FILM">
- <s:url id="detailUrl" value="/film/detailFilm">
- <s:param name="id" value="%{id}"/>
- </s:url>
- <s:a href="%{detailUrl}">[修改]</s:a>
- </security:authorize>
- <!-- 刪除影片操作,登錄帳號具備ROLE_ADMIN權限或者ROLE_DELETE_FILM權限可以執行 -->
- <security:authorize ifAnyGranted="ROLE_ADMIN,ROLE_DELETE_FILM">
- <s:url id="deleteUrl" value="/film/deleteFilm">
- <s:param name="id" value="%{id}"/>
- </s:url>
- <s:a href="%{deleteUrl}">[刪除]</s:a>
- </security:authorize>
- </td>
- </tr>
- </s:iterator>
- </table>
- </s:if>
- </body>
- </html>
Shrio在線教程:
http://www.sojson.com/jc/shiro.html
Shiro + Redis 源碼
http://www.sojson.com/shiro