web.xml

在/WEB-INF/web.xml里添加下面代码

<listener>

           <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>

     </listener>



     <filter>

           <filter-name>ShiroFilter</filter-name>

           <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>

           <init-param>

                <param-name>configPath</param-name>

                <param-value>/WEB-INF/Shiro.ini</param-value>

           </init-param>

     </filter>



     <filter-mapping>

           <filter-name>ShiroFilter</filter-name>

           <url-pattern>/*</url-pattern>

           <dispatcher>REQUEST</dispatcher>

           <dispatcher>FORWARD</dispatcher>

           <dispatcher>INCLUDE</dispatcher>

           <dispatcher>ERROR</dispatcher>

     </filter-mapping>

shiro.ini

上面的 param-value 里面的参数就是写这个文件的路径我放在/WEB-INF/下面,所以就是/WEB-INF/Shiro.ini,如果是放在resources下面,那么就是classpath:Shiro.ini

[main]

authc.loginUrl=/login

#unauthorizedUrl认证未通过

roles.unauthorizedUrl=/unauthorized.jsp

perms.unauthorizedUrl=/unauthorized.jsp

[users]

java1234=123456,admin

jack=123,teacher

marry=123

json=345

[roles]

admin=user:*, studnet:*

teacher=student:*

[urls]

#anno 可以匿名访问

/login=anon

/admin=authc

/student=roles[teacher]

/teacher=perms["user:create"]

[main]

/login=anon,可以匿名访问
/admin=authc,必须登录才能访问
authc.loginUrl=/login,访问必需登录才能访问的url,自动跳转至登录页面
roles.unauthorizedUrl=/unauthorized.jsp,角色认证不通过,也就是说当前登录的这个账号的角色,并不能访问这个url时跳转的页面
perms.unauthorizedUrl=/unauthorized.jsp,权限不足,也就是说当前登录这个账号的角色拥有的权限,不足以访问这个url时,跳转的页面

[users]

java1234=123456,admin,用户名=密码,角色

[roles]

角色拥有的权限
admin=user:*, studnet:*,admin角色拥有的权限

[urls]

/login=anon,匿名可以访问
/admin=authc,必须登录之后才能访问
/student=roles[teacher],登录之后的账号的角色,必须是teacher,才能访问
/teacher=perms["user:create"],登录之后的账号的角色,必须拥有"user:create"权限,才能访问

login.jsp

编写一个登陆的jsp页面

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
    <form action="/login" method="post">
        用户名:<input type="text" name="username"/><br>
        密码:<input type="password" name="password"/><br>
        <input type="submit" value="登录">
    </form>

</body>
</html>

loginServlet

提交登录的处理方式

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        System.out.println("login doGet");
        req.getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        System.out.println("login doPost");
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // 使用Shiro
        Subject subject = SecurityUtils.getSubject();   //主体,当前用户
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);    //当前用户登录的令牌(用户名和密码)
        try {
            subject.login(token);   //进行登录方法验证,成功继续执行,不成功抛出异常
            resp.sendRedirect("success.jsp");
        } catch (AuthenticationException e) {
            e.printStackTrace();
            req.setAttribute("errorInfo", "用户名或者密码错误");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        }
    }
}