spring-shiro.xml文件
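<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd"
       default-lazy-init="true">

    <description>Shiro security configuration (Spring MVC integrated with Shiro; Shiro provides authentication, authorization, cryptography and session management)</description>

    <!-- Shiro uses the Servlet container's session by default; set <property name="sessionMode" value="native"/>
         to use Shiro's own session implementation (see the official documentation). -->
    <!-- A single custom JDBC realm is configured here; with several realms use the 'realms' property instead. -->
    <!-- Shiro's main business-tier object for web-enabled applications -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="jdbcRealm" />
        <property name="cacheManager" ref="shiroEhcacheManager" />
    </bean>

    <!-- Custom realm (extends AuthorizingRealm): the class Shiro calls to verify logins and to load permissions. -->
    <!-- NOTE(review): the class attribute must match the real class name exactly (Java is case-sensitive).
         The accompanying listing declares the class as `jdbcRealm`, not `JdbcRealm`; confirm which one the package contains. -->
    <bean id="jdbcRealm" class="cn.**.JdbcRealm">
        <!-- Authorization results are cached. Whenever a user's roles or permissions change, clear that user's entry
             (AuthorizingRealm.clearCachedAuthorizationInfo), otherwise the stale grant survives until the cache expires. -->
        <property name="authorizationCachingEnabled" value="true" />
        <property name="cacheManager" ref="shiroEhcacheManager" />
        <!-- SECURITY: with no credentialsMatcher configured, the realm falls back to Shiro's default
             SimpleCredentialsMatcher, i.e. a plain equality comparison between the submitted password and the stored
             credential. That only "works" if the database holds passwords in the clear. Wire a hashing matcher
             (see hashedCredentialsMatcher below) and store salted hashes instead. -->
        <!--<property name="credentialsMatcher" ref="hashedCredentialsMatcher" />-->
    </bean>

    <!-- Password hashing scheme for stored credentials.
         SECURITY: unsalted MD5 with a single iteration is not an acceptable password store; prefer a slow, salted
         scheme (for example SHA-256 with a high hashIterations and a per-user salt returned by the realm, or a
         dedicated password hash). The values below are kept only because they must match how the stored credentials
         were produced; change them together with a re-hash of the existing credentials. -->
    <bean id="hashedCredentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5" />
        <property name="storedCredentialsHexEncoded" value="true" />
        <property name="hashIterations" value="1" />
    </bean>

    <!-- Cache for authorization info, backed by EhCache. -->
    <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:spring/ehcache-shiro.xml" />
    </bean>

    <!-- Shiro Filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <!-- Must be the same path that is mapped to 'authc' below: the form authentication filter only treats a
             request as a login submission when its path equals loginUrl (Shiro's default is /login.jsp, so without
             this property a POST to /login would itself be redirected to the login page). -->
        <property name="loginUrl" value="/login" />
        <!-- Redirect target for an authenticated subject that lacks the required role/permission. -->
        <property name="unauthorizedUrl" value="/sys/turn403" />
        <!-- Filter chains are matched top to bottom, first match wins. Static resources are anonymous; everything
             else requires authentication. -->
        <property name="filterChainDefinitions">
            <value>
                /login = authc
                /logout = logout
                /js/** = anon
                /css/** = anon
                /img/** = anon
                /easyui/** = anon
                /jquery/** = anon
                /jquery-jbox/** = anon
                /jquery-ztree/** = anon
                /treeTable/** = anon
                /user/main = authc
                <!-- SECURITY: default deny. Without this catch-all, any URL not listed above is served with no Shiro
                     filter at all. It must stay the LAST entry because of first-match-wins ordering. -->
                /** = authc
            </value>
        </property>
    </bean>

    <!-- Runs Shiro's internal lifecycle (init/destroy) callbacks on the beans above. -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <!-- Method-level permission checks: enables Shiro's annotations (@RequiresPermissions etc.) through Spring AOP.
         proxyTargetClass=true uses class-based (CGLIB) proxies so annotated classes without interfaces are covered. -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true" />
    </bean>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>
</beans>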
参考 jdbcRealm.java
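/**
 * Shiro realm backed by the user database. It supplies Shiro with the account used to
 * verify a login ({@link #doGetAuthenticationInfo}) and with the permissions of a
 * logged-in subject ({@link #doGetAuthorizationInfo}). Wired in spring-shiro.xml as the
 * securityManager's realm.
 */
public class jdbcRealm extends AuthorizingRealm {

    /** Realm name reported to Shiro (used to qualify principals and cache keys). */
    private static final String REALM_NAME = "customRealm";

    public jdbcRealm() {
        // Set the intended name here. The previous setName(String) override replaced whatever
        // name a caller passed with "customRealm" and was only reached if something actually
        // called setName, which nothing in the shown configuration does; a constructor call
        // takes effect unconditionally, and an explicit setName(...) from configuration is
        // now honoured instead of silently ignored.
        setName(REALM_NAME);
    }

    /**
     * Looks up the account for a login attempt.
     *
     * @param token the submitted credentials (a UsernamePasswordToken for form login)
     * @return the stored account data Shiro compares against the token, or {@code null}
     *         when the account is unknown (Shiro then rejects the login)
     * @throws AuthenticationException for any other reason the login must be rejected
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        // TODO: look the user up by token.getPrincipal() and return something like
        // new SimpleAuthenticationInfo(username, storedPasswordHash, salt, getName()).
        // Until that lookup exists the realm fails closed: a null result makes Shiro reject
        // every login rather than admit anyone. (The original empty body did not compile,
        // since a non-void method must return or throw.)
        return null;
    }

    /**
     * Builds the permission set for an authenticated subject.
     *
     * @param principals the subject's principals; the primary principal is the user code
     *                   handed to Shiro at login
     * @return the subject's string permissions in Shiro wildcard syntax (e.g. "user:create"),
     *         or {@code null} when there is no primary principal, which denies everything
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Object primary = principals.getPrimaryPrincipal();
        // No identity, no permissions: do not hand out grants to an anonymous/empty principal.
        if (primary == null) {
            return null;
        }
        String userCode = (String) primary; // TODO: key the database lookup on this value

        // SECURITY: this still stands in for a database query and grants the SAME permissions
        // to every user regardless of userCode. Replace with a per-user lookup before use.
        List<String> permissions = new ArrayList<String>();
        permissions.add("user:create"); // create users
        permissions.add("items:add");   // add goods

        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(permissions);
        return info;
    }
}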