Java ApacheShiro+;身份验证问题
我正在为我的Web应用程序使用ApacheShiro,我很难让它按预期的方式工作 我需要的是Shiro框架的授权部分,但我不能遵循这些指南中的任何一个,因为它们都不同,我只是不能让它在我的应用程序中工作 以下是我想使用Shiro框架的目的:Java ApacheShiro+;身份验证问题,java,jsp,servlets,shiro,Java,Jsp,Servlets,Shiro,我正在为我的Web应用程序使用ApacheShiro,我很难让它按预期的方式工作 我需要的是Shiro框架的授权部分,但我不能遵循这些指南中的任何一个,因为它们都不同,我只是不能让它在我的应用程序中工作 以下是我想使用Shiro框架的目的: 将现有login.jsp定义为我的登录页面 定义登录尝试成功时显示的*.jsp页面 登录未成功时,用户将停留在login.jsp,但会显示一条关于登录尝试失败的错误消息 当用户未登录时,不应访问所有其他*.jsp页面exect login.jsp 现在,
- 将现有login.jsp定义为我的登录页面
- 定义登录尝试成功时显示的*.jsp页面
- 登录未成功时,用户将停留在login.jsp,但会显示一条关于登录尝试失败的错误消息
- 当用户未登录时,不应访问所有其他*.jsp页面exect login.jsp
- 登录表单
参数调用login.java(servlet)action
- 成功登录->页面portal.jsp将显示
- 无需登录即可调用页面…/portal.jsp->这在我的应用程序的最终版本中不可能实现
[main]
# define login page
authc.loginUrl = /SSP/login.jsp
# name of request parameter with username;
authc.usernameParam = username
# name of request parameter with password;
authc.passwordParam = password
# redirect after successful login
authc.successUrl = /SSP/portal.jsp
[urls]
# enable authc filter for all application pages
/SSP/**=authc
my web.xml的shiro部分如下所示:
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
编辑:
shiro.ini中的这句话似乎起了作用:
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
但是现在我有一个问题,应用程序没有使用我自己的登录类
login.java:
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String url = "/login.jsp";
// Get Login credentials from Login form
username = request.getParameter("username");
password = request.getParameter("password");
//SecurityManager securityManager = Startup.getSecurityManager();
//2. Get the current Subject:
Subject currentUser = SecurityUtils.getSubject();
//3. Login:
if (!currentUser.isAuthenticated()) {
// create UsernamePasswordToken
UsernamePasswordToken token = new UsernamePasswordToken("cn=" + username + ",ou=People,dc=maxcrc,dc=com", password);
try {
currentUser.login(token);
token.clear();
url = "/portal.jsp";
System.out.println("User [" + currentUser.getPrincipal() +"] logged succesfully");
//4. Create User Session
Session session = currentUser.getSession();
// get user_id
user_id = get_users_id(username);
// create new object of User class
User new_user = new User(user_id, username);
// Set HTTP Session Parameters
session.setAttribute("user", username);
session.setAttribute("user_id", user_id);
session.setAttribute("obj_user", new_user);
session.setAttribute("currentUser", currentUser);
} catch (UnknownAccountException uae) {
System.out.println("There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
System.out.println("Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
System.out.println("The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
System.out.println("ERROR: " + ae);
}
// Done, redirect User to applications main page
request.getRequestDispatcher(url).forward(request, response);
}
}
如何使用自己的类(参见上面的login.java代码段)进行身份验证?
编辑结束
有人能举例说明如何:
- 启用授权
- 在成功登录尝试后启用页面重定向
- 允许停留在登录页面,但在登录尝试失败后显示错误消息
- 仅当用户登录时才可访问应用程序的所有其他页面
authc=com.mycompany.ssp。我自己的authFilter
不知道它是不是应该是这样的,但现在似乎可以工作了
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String url = "/login.jsp";
// Get Login credentials from Login form
username = request.getParameter("username");
password = request.getParameter("password");
//SecurityManager securityManager = Startup.getSecurityManager();
//2. Get the current Subject:
Subject currentUser = SecurityUtils.getSubject();
//3. Login:
if (!currentUser.isAuthenticated()) {
// create UsernamePasswordToken
UsernamePasswordToken token = new UsernamePasswordToken("cn=" + username + ",ou=People,dc=maxcrc,dc=com", password);
try {
currentUser.login(token);
token.clear();
url = "/portal.jsp";
System.out.println("User [" + currentUser.getPrincipal() +"] logged succesfully");
//4. Create User Session
Session session = currentUser.getSession();
// get user_id
user_id = get_users_id(username);
// create new object of User class
User new_user = new User(user_id, username);
// Set HTTP Session Parameters
session.setAttribute("user", username);
session.setAttribute("user_id", user_id);
session.setAttribute("obj_user", new_user);
session.setAttribute("currentUser", currentUser);
} catch (UnknownAccountException uae) {
System.out.println("There is no user with username of " + token.getPrincipal());
} catch (IncorrectCredentialsException ice) {
System.out.println("Password for account " + token.getPrincipal() + " was incorrect!");
} catch (LockedAccountException lae) {
System.out.println("The account for username " + token.getPrincipal() + " is locked. " + "Please contact your administrator to unlock it.");
}
// ... catch more exceptions here (maybe custom ones specific to your application?
catch (AuthenticationException ae) {
System.out.println("ERROR: " + ae);
}
// Done, redirect User to applications main page
request.getRequestDispatcher(url).forward(request, response);
}
}