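I have an application (JSP + EJB3 + JPA). I want to secure it with Shiro. Accounts, roles and permissions must be dynamic, i.e. modifiable from within the application. Passwords are encrypted with SHA1. Here is my code.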
Shiro.ini:
[main]
customSecurityRealm=cismaa.ssae.supervision.ihm.security.SecurityRealm
# any object property is automatically configurable in Shiro.ini file
customSecurityRealm.jndiDataSourceName=UtilisateurService
customSecurityRealm.authenticationQuery = select password, from utilisateur where name = ?
sha1Matcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
sha1Matcher.hashAlgorithmName=SHA-1
customSecurityRealm.credentialsMatcher = $sha1Matcher
securityManager.realms = $customSecurityRealm
authc.loginUrl = /loginservlet
# name of request parameter with username; if not present filter assumes 'username'
authc.usernameParam = login
# name of request parameter with password; if not present filter assumes 'password'
authc.passwordParam = password
# redirect after successful login
authc.successUrl = /menuficheservlet
# replace form authentication filter with verbose filter
authc = cismaa.ssae.supervision.ihm.security.VerboseFormAuthenticationFilter
# request parameter with login error information; if not present filter assumes 'shiroLoginFailure'
authc.failureKeyAttribute=simpleShiroApplicationLoginFailure
[urls]
/layout/unicorn/resources/** = anon
/** = authc
SecurityRealm:
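import java.sql.Connection;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Set;

import javax.ejb.EJB;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.realm.jdbc.JdbcRealm;

// IUtilisateurService, Utilisateur and Role are the application's own types.
public class SecurityRealm extends JdbcRealm {

    @EJB
    private IUtilisateurService users;
    private Utilisateur util;

    public SecurityRealm() {
        super();
        /*InitialContext ic;
        try {
            ic = new InitialContext();
            users = (IUtilisateurService) ic.lookup("UtilisateurService");
        } catch (NamingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }*/
    }

    protected String jndiDataSourceName;

    public String getJndiDataSourceName() {
        return jndiDataSourceName;
    }

    // Called by Shiro when shiro.ini sets customSecurityRealm.jndiDataSourceName
    public void setJndiDataSourceName(String jndiDataSourceName) {
        this.jndiDataSourceName = jndiDataSourceName;
        this.users = getDataSourceFromJNDI(jndiDataSourceName);
    }

    private IUtilisateurService getDataSourceFromJNDI(String jndiDataSourceName) {
        try {
            InitialContext ic = new InitialContext();
            return (IUtilisateurService) ic.lookup(jndiDataSourceName);
        } catch (NamingException e) {
            throw new AuthorizationException(e);
        }
    }

    // Loads the user through the EJB service and keeps it in the util field
    private String getPasswordForUser(String email) throws AuthenticationException {
        util = users.findbyEmail(email);
        if (util == null) {
            throw new AuthenticationException("Utilisateur " + email + " introuvable");
        }
        return util.getMotDePasseUtilisateur();
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String email = upToken.getUsername();
        // Null username is invalid
        if (email == null) {
            throw new AccountException("Null usernames are not allowed by this realm.");
        }
        String password = getPasswordForUser(email);
        if (password == null) {
            throw new UnknownAccountException("No account found for user [" + email + "]");
        }
        return new SimpleAuthenticationInfo(email, password, getName());
    }

    // Reads the role from the user stored by the last getPasswordForUser call
    @Override
    protected Set<String> getRoleNamesForUser(Connection conn, String email)
            throws SQLException {
        Role roles = util.getRole();
        Set<String> rolesName = new HashSet<String>();
        rolesName.add(roles.getNomRole());
        return rolesName;
    }
}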
In Web.xml:
<!-- SHIRO !-->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
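When I try to connect to my application, nothing happens. I can see all of the application's content.
What am I missing?
Answer 0: (score: 1)
The Shiro manual says that implicit realm assignment is discouraged and may be removed, so it may already have been removed. Try adding the following line to shiro.ini: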
securityManager.realms = $customSecurityRealm
Manual: http://shiro.apache.org/realm.html#Realm-ImplicitAssignment
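The explicit realm assignment from the answer, together with the SHA-1 credentials matcher from the question's shiro.ini, wired up programmatically so the realm can be exercised outside the web container. This is an added example, not code from the question or the answer; it assumes shiro-core on the classpath, and ExplicitRealmDemo, DemoRealm and the sample account are constructed for illustration.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class ExplicitRealmDemo {
    // Constructed sample store: login -> { hex SHA-1 of the password, role name }
    static final Map<String, String[]> ACCOUNTS = Collections.singletonMap(
        "alice@example.org",
        new String[] { new SimpleHash("SHA-1", "s3cret").toHex(), "admin" });

    static class DemoRealm extends AuthorizingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String login = ((UsernamePasswordToken) token).getUsername();
            String[] account = ACCOUNTS.get(login);
            if (account == null) throw new UnknownAccountException("No account for [" + login + "]");
            // Return the stored hash; the credentials matcher hashes the submitted password
            return new SimpleAuthenticationInfo(login, account[0], getName());
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            String login = (String) principals.getPrimaryPrincipal();
            return new SimpleAuthorizationInfo(Collections.singleton(ACCOUNTS.get(login)[1]));
        }
    }

    // True only if the login succeeds and the realm reports the "admin" role
    static boolean tryLogin(DefaultSecurityManager sm, String login, String password) {
        Subject subject = new Subject.Builder(sm).buildSubject();
        try {
            subject.login(new UsernamePasswordToken(login, password));
            return subject.hasRole("admin");
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        realm.setCredentialsMatcher(new HashedCredentialsMatcher("SHA-1")); // sha1Matcher
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setRealms(Collections.<Realm>singletonList(realm)); // securityManager.realms = $realm
        System.out.println("correct password: " + tryLogin(sm, "alice@example.org", "s3cret"));
        System.out.println("wrong password:   " + tryLogin(sm, "alice@example.org", "nope"));
    }
}
```

With the realm assigned explicitly, the first attempt prints true and the second prints false, which confirms that the security manager consults the realm and its hashed-credentials matcher.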