shiro知识点梳理
1. 自定义Realm示例
- 自定义Realm的目的是将用户数据由配置文件转为数据库。
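/**
 * Custom realm that reads users, roles and permissions from the application's
 * services (the database) instead of a static configuration file.
 *
 * <p>Security notes for whoever wires this realm up:
 * <ul>
 *   <li>{@link #doGetAuthenticationInfo} hands Shiro the stored password value and its salt;
 *       it does not compare anything itself. A credentials matcher (for example
 *       {@code HashedCredentialsMatcher}) with the same algorithm, iteration count and
 *       encoding that were used when the password was stored has to be set on this realm.
 *       The page does not show that configuration.</li>
 *   <li>The login endpoint should answer "unknown account" and "wrong password" with the
 *       same generic message so that it cannot be used to enumerate usernames.</li>
 * </ul>
 */
public class MyRealm extends AuthorizingRealm {

    // NOTE(review): the original snippet uses userService without declaring it. It is
    // instantiated here the same way the snippet creates its other services; replace with
    // injection if the project wires services through the container.
    private final UserService userService = new UserService();

    /**
     * Authorization data: loads the roles and permission strings of the subject.
     *
     * @param principals the principals of the subject being authorized; the primary
     *                   principal is the username stored by {@link #doGetAuthenticationInfo}
     * @return the subject's roles and string permissions
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        RoleService roleService = new RoleService();
        PermissionService permissionService = new PermissionService();
        Set<String> roles = roleService.queryRoles(username);
        Set<String> perms = permissionService.queryPerms(username);
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
        info.setStringPermissions(perms);
        return info;
    }

    /**
     * Authentication data: looks up the account named in the login token.
     *
     * @param token the token submitted at login; its principal is the username
     * @return the stored username, password value and salt for Shiro to verify,
     *         or {@code null} when no such user exists
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // Username sent with the login request.
        String username = (String) token.getPrincipal();
        User user = userService.queryByUsername(username);
        if (user == null) {
            // No such account: Shiro treats a null result as a failed authentication.
            return null;
        }
        return new SimpleAuthenticationInfo(
                user.getUsername(),                    // principal (username)
                user.getPassword(),                    // stored password value
                ByteSource.Util.bytes(user.getSalt()), // per-user salt
                getName());                            // name of this realm
    }
}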
2. 加密
// Shiro hash helpers take (source, salt, iterations); toBase64() encodes the digest as Base64.
// NOTE(review): MD5 is shown only to illustrate the API and is not suitable for protecting
// stored passwords. Use at least the SHA-256 form, or a dedicated password-hashing scheme
// (bcrypt / scrypt / Argon2) where the platform offers one.
// The literal "salt" is a placeholder: real code needs a random salt generated per user.
// Algorithm, iteration count and encoding must match the credentials matcher set on the realm.
String str = new Md5Hash("string", "salt", 10000).toBase64();
String str1 = new Sha256Hash("string", "salt", 10000).toBase64();
3. 记住我
3.1 默认配置
// Set this on the token at login time.
// NOTE(review): a subject restored from the remember-me cookie is remembered, not
// authenticated (subject.isRemembered() is true, subject.isAuthenticated() is false),
// so sensitive operations should still require a fresh login.
token.setRememberMe(true);
3.2 自定义cookie有效期
在spring-shiro配置文件中增加如下配置:
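<!-- Remember-me cookie. maxAge is in seconds: 604800 = 7 days. -->
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <property name="name" value="rememberMe"></property>
    <!-- httpOnly keeps the cookie out of reach of page scripts. -->
    <property name="httpOnly" value="true"></property>
    <!-- NOTE(review): on HTTPS deployments also set the "secure" property to true
         so the cookie is never sent over plain HTTP. -->
    <property name="maxAge" value="604800"></property>
</bean>
<!-- NOTE(review): the remember-me cookie carries the encrypted, serialized principals.
     Set an explicit, randomly generated cipherKey on this manager (kept out of source
     control) and keep Shiro up to date instead of relying on defaults. -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
    <property name="cookie" ref="rememberMeCookie" />
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="rememberMeManager" ref="rememberMeManager"/>
</bean>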
3.3 记住我标签的使用
<%-- shiro:user renders for subjects that are authenticated OR merely remembered;
     shiro:guest renders for subjects that are neither.
     NOTE(review): for content that must require a real login in this session,
     use shiro:authenticated instead of shiro:user. --%>
<shiro:user>
<a href="#">退出</a>
</shiro:user>
<shiro:guest>
<a href="#">请登录</a>
</shiro:guest>
4. session使用
4.1 session对象获取
// Get the session bound to the current subject (one is created if none exists yet).
Session session = subject.getSession();
// Idle timeout for this session only, in milliseconds: 10000 = 10 seconds.
session.setTimeout(10000);
// Attributes are stored with the session under a key ...
session.setAttribute("name","test");
// ... and read back with the same key (the returned value is discarded here).
session.getAttribute("name");
4.1 配置
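<!-- The configuration below is optional; if omitted, Shiro's default session setup is used. -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <property name="name" value="sessionId"/>
    <!-- httpOnly keeps the session id out of reach of page scripts. -->
    <property name="httpOnly" value="true"/>
    <!-- NOTE(review): on HTTPS deployments also set the "secure" property to true
         so the session id is never sent over plain HTTP. -->
    <!-- maxAge -1: the cookie expires when the browser session ends. -->
    <property name="maxAge" value="-1"/>
</bean>
<!-- DefaultWebSessionManager lives in org.apache.shiro.web.session.mgt. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="sessionIdCookie" ref="sessionIdCookie"/>
    <!-- Global idle timeout in milliseconds: 1800000 = 30 minutes. -->
    <property name="globalSessionTimeout" value="1800000"/>
</bean>
<!-- Add the sessionManager under the securityManager bean. -->
<property name="sessionManager" ref="sessionManager"/>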
4.2 session监听
4.2.1 新建session监听类
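/**
 * Session lifecycle listener. The callbacks are empty placeholders; they are a natural
 * place for audit logging of session start, stop and expiry.
 */
public class MySessionListener extends SessionListenerAdapter {

    /** Called when a session is created. */
    @Override
    public void onStart(Session session) {
    }

    /** Called when a session is stopped. */
    @Override
    public void onStop(Session session) {
    }

    /** Called when a session expires. */
    @Override
    public void onExpiration(Session session) {
    }
}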
4.2.2 配置监听类
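<!-- Add the following inside the sessionManager bean. -->
<property name="sessionListeners">
    <list>
        <bean class="com.xxx.xxx.MySessionListener"></bean>
    </list>
</property>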
4.3 session检测
定时发起检测,识别过期session并停止。
在sessionManager节点加入如下配置:
<!-- Interval between expired-session sweeps, in milliseconds: 15000 = 15 seconds. -->
<property name="sessionValidationInterval" value="15000"/>