Security: Dynamic authentication and authorization with Shiro
I have an application (JSP + EJB3 + JPA). I want to secure it with Shiro. Accounts, roles and permissions must be dynamic, i.e. modifiable from inside the application. Passwords are encrypted in SHA1. Here is my code.
Shiro.ini:
[main]
customSecurityRealm=cismaa.ssae.supervision.ihm.security.SecurityRealm
# any object property is automatically configurable in Shiro.ini file
customSecurityRealm.jndiDataSourceName=UtilisateurService
customSecurityRealm.authenticationQuery = select password, from utilisateur where name = ?
sha1Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha1Matcher.hashAlgorithmName=SHA-1
customSecurityRealm.credentialsMatcher = $sha1Matcher
securityManager.realms = $customSecurityRealm
authc.loginUrl = /loginservlet
# name of request parameter with username; if not present filter assumes 'username'
authc.usernameParam = login
# name of request parameter with password; if not present filter assumes 'password'
authc.passwordParam = password
# redirect after successful login
authc.successUrl = /menuficheservlet
# replace form authentication filter with verbose filter
authc = cismaa.ssae.supervision.ihm.security.VerboseFormAuthenticationFilter
# request parameter with login error information; if not present filter assumes 'shiroLoginFailure'
authc.failureKeyAttribute=simpleShiroApplicationLoginFailure
[urls]
/layout/unicorn/resources/** = anon
/** = authc
SecurityRealm:
public class SecurityRealm extends JdbcRealm {

    @EJB
    private IUtilisateurService users;
    private Utilisateur util;

    public SecurityRealm() {
        super();
        /*InitialContext ic;
        try {
            ic = new InitialContext();
            users = (IUtilisateurService) ic.lookup("UtilisateurService");
        } catch (NamingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }*/
    }

    protected String jndiDataSourceName;

    public String getJndiDataSourceName() {
        return jndiDataSourceName;
    }

    public void setJndiDataSourceName(String jndiDataSourceName) {
        this.jndiDataSourceName = jndiDataSourceName;
        this.users = getDataSourceFromJNDI(jndiDataSourceName);
    }

    private IUtilisateurService getDataSourceFromJNDI(String jndiDataSourceName) {
        try {
            InitialContext ic = new InitialContext();
            return (IUtilisateurService) ic.lookup(jndiDataSourceName);
        } catch (NamingException e) {
            throw new AuthorizationException(e);
        }
    }

    private String getPasswordForUser(String email) throws AuthenticationException {
        util = users.findbyEmail(email);
        if (util == null) {
            throw new AuthenticationException("Utilisateur " + email + " introuvable");
        }
        return util.getMotDePasseUtilisateur();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String email = upToken.getUsername();
        // Null username is invalid
        if (email == null) {
            throw new AccountException("Null usernames are not allowed by this realm.");
        }
        String password = getPasswordForUser(email);
        if (password == null) {
            throw new UnknownAccountException("No account found for user [" + email + "]");
        }
        return new SimpleAuthenticationInfo(email, password, getName());
    }

    @Override
    protected Set<String> getRoleNamesForUser(Connection conn, String email)
            throws SQLException {
        Role roles = util.getRole();
        Set<String> rolesName = new HashSet<String>();
        rolesName.add(roles.getNomRole());
        return rolesName;
    }
}
Web.xml
<!-- SHIRO !-->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
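When I try to connect to my application, nothing happens. I can see all the content of the application.
What am I missing?
In the Shiro manual it says that implicit assignment of realms is discouraged and may be removed, so it may already have been removed. Try adding the following line to shiro.ini: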
securityManager.realms = $customSecurityRealm
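Manual:
Same with this line. Nothing happens. Shiro does not validate the connection. I can fill in the login form with any string and it goes through.
Can you share the rest of your configuration? Do you have a [urls] section?
OK, I found the problem. I had a security-constraint tag in web.xml, which overrode shiro.ini. I removed it and everything works.
This is my final configuration. Now Shiro redirects every request to the login servlet. But when I proceed to log in, nothing happens and I am returned to my login page. Shiro does not call customSecurityRealm.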
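The first problem in this thread came from a container-managed security tag in web.xml overriding shiro.ini. As an added example (not code from the original posts), this check flags such elements in a web.xml that hands security to Shiro and confirms the listener and filter mapping shown above are in place; the set of flagged element names, the function names and the sample input are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

SHIRO_FILTER = "org.apache.shiro.web.servlet.ShiroFilter"
SHIRO_LISTENER = "org.apache.shiro.web.env.EnvironmentLoaderListener"
CONTAINER_SECURITY = ("security-constraint", "login-config")  # assumed set to flag

# Constructed sample input: the Shiro part of the posted web.xml, plus one constraint.
SHIRO_PART = """
<listener><listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class></listener>
<filter><filter-name>ShiroFilter</filter-name>
  <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class></filter>
<filter-mapping><filter-name>ShiroFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
"""
CONSTRAINT = """<security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern></web-resource-collection></security-constraint>"""
SAMPLE_OK = f"<web-app>{SHIRO_PART}</web-app>"
SAMPLE_BAD = f"<web-app>{SHIRO_PART}{CONSTRAINT}</web-app>"

def local(tag):
    """Drop an XML namespace prefix: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the direct children of elem whose local tag name is `name`."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit_web_xml(xml_text):
    """Return findings for a web.xml that is meant to delegate security to Shiro."""
    findings, filters, patterns, listeners = [], {}, {}, []
    for elem in ET.fromstring(xml_text):
        tag = local(elem.tag)
        if tag in CONTAINER_SECURITY:
            findings.append(f"container-managed <{tag}> present")
        elif tag == "filter":
            for name in child_text(elem, "filter-name"):
                filters[name] = "".join(child_text(elem, "filter-class"))
        elif tag == "filter-mapping":
            for name in child_text(elem, "filter-name"):
                patterns.setdefault(name, []).extend(child_text(elem, "url-pattern"))
        elif tag == "listener":
            listeners += child_text(elem, "listener-class")
    shiro = [n for n, cls in filters.items() if cls == SHIRO_FILTER]
    if not shiro:
        findings.append("ShiroFilter is not declared")
    findings += [f"filter {n} is not mapped to /*"
                 for n in shiro if "/*" not in patterns.get(n, [])]
    if SHIRO_LISTENER not in listeners:
        findings.append("EnvironmentLoaderListener is not registered")
    return findings
```

Run `audit_web_xml` on the deployed descriptor as a build or review step; an empty list means none of these conditions were found.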