web.xml中:
<!-- Locations of the Spring configuration files (whitespace-separated list). -->
<!-- NOTE(review): the listener that consumes this parameter is not part of this excerpt. -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml
        /WEB-INF/shiro-conf.xml
        /WEB-INF/context-component.xml
    </param-value>
</context-param>
<!-- Shiro filter. DelegatingFilterProxy hands each request to the Spring bean whose
     id equals the filter-name below ("shiroFilter"). -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- Defaults to false: the target bean's lifecycle is managed by the Spring
             application context. true: the servlet container's filter lifecycle
             (init/destroy) is forwarded to the target bean. -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Every request path goes through Shiro; which paths are actually protected is
     decided by the filter chain definitions of the shiroFilter bean.
     NOTE(review): no <dispatcher> elements are declared, so this mapping applies to
     REQUEST dispatches only. Confirm whether FORWARD / INCLUDE / ERROR dispatches
     also need to pass through Shiro. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <!--<url-pattern>*.do</url-pattern>-->
    <url-pattern>/*</url-pattern>
</filter-mapping>
applicationContext.xml
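<!-- Lets Shiro manage the lifecycle of its own beans: runs the init/destroy callbacks
     of beans that implement Shiro's lifecycle interfaces.
     NOTE(review): shiro-conf.xml declares a bean with the same id. If both files are
     loaded into one application context, keep only one of the two definitions. -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- Enables Shiro's security annotations (e.g. @RequiresRoles, @RequiresPermissions).
     The two beans below exist so that permissions can be enforced with annotations
     at the Controller layer.
     The auto-proxy creator is declared once only: the original snippet declared it
     twice, which is redundant and can wrap the same bean in two proxies so the
     authorization advice runs twice.
     NOTE(review): the original comment about Spring MVC is ambiguously worded; it
     appears to say these beans must not live in the root-context config file. A bean
     post-processor only proxies beans created in the context it is declared in, so
     confirm which context instantiates the controllers and declare these beans there. -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>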
shiro-conf.xml
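<!-- Shiro web filter: binds the security manager, the login URL, the custom filter
     implementations and the URL-to-filter-chain rules. Rules are evaluated top to
     bottom and the first matching pattern wins.

     Fix: the second rule was written as "**.do". Shiro matches patterns against the
     request path inside the application, which always starts with "/", and its
     Ant-style matcher requires pattern and path to agree on the leading "/". A pattern
     without it is therefore not expected to match any request, leaving every .do URL
     other than /login.do outside the "user" chain. It is rewritten as "/**/*.do".

     NOTE(review): only *.do paths are covered; anything else the application serves
     skips this chain. A catch-all "/** = user" rule placed last, with explicit anon
     rules for public resources, is the safer default.
     NOTE(review): Shiro's stock "user" filter admits remembered subjects as well as
     freshly authenticated ones. Here "user" is bound to the project's own userFilter
     bean, whose behaviour is not shown; confirm that sensitive operations require a
     real login.
     Test convenience kept from the original, disabled: a "/** = anon" rule. Enabling
     it ahead of the user rule turns URL-level protection off; keep it out of
     deployed configuration. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.do"/>
    <property name="filters">
        <map>
            <entry key="authc" value-ref="authcFilter"/>
            <entry key="user" value-ref="userFilter"/>
        </map>
    </property>
    <property name="filterChainDefinitions">
        <value>
            /login.do = authc
            /**/*.do = user
        </value>
    </property>
</bean>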
<!-- Project-specific filter implementations, referenced by the "filters" map of the
     shiroFilter bean under the keys authc and user. -->
<!-- NOTE(review): "Credir" looks like a typo for "Credit"; the value must match the
     real class name, so verify it against the source tree before changing it. -->
<bean id="authcFilter"
      class="cn.com.a.credit.common.security.shiro.CredirAuthenticationFilter"/>
<bean id="userFilter"
      class="cn.com.a.credit.common.security.shiro.CreditUserFilter"/>
<!-- Shiro's central security manager for web applications. It authenticates and
     authorizes against the single project realm and delegates remember-me handling
     to rememberMeManager. The cache manager is currently switched off. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realms">
        <list>
            <ref bean="shiroDbRealm"/>
        </list>
    </property>
    <!--<property name="cacheManager" ref="shiroEhcacheManager"/>-->
    <property name="rememberMeManager" ref="rememberMeManager"/>
</bean>
<!-- Ensures that beans implementing Shiro's internal lifecycle callbacks have those
     callbacks executed. -->
<!-- NOTE(review): the applicationContext.xml snippet declares a bean with the same id;
     when both files are loaded into one context, keep a single definition. -->
<bean id="lifecycleBeanPostProcessor"
      class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Project-defined realm. -->
<!-- To avoid bean-injection ordering problems, every DAO the realm relies on has to
     be listed in depends-on. -->
<!-- NOTE(review): credentialsDigest is defined outside this excerpt; confirm that it
     verifies passwords with a salted, deliberately slow hash. -->
<bean id="shiroDbRealm"
      class="cn.com.a.credit.common.security.shiro.ShiroDbRealm"
      depends-on="userDao,operationLogDao">
    <property name="credentialsDigest" ref="credentialsDigest"/>
</bean>
<!-- 用户授权信息Cache, 采用EhCache -->
<!--TODO 需要时再打开下面注释-->
<!--<bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">-->
<!--<property name="cacheManagerConfigFile" value="classpath:ehcache-shiro.xml"/>-->
<!--</bean>-->
<!-- Remember-me manager: stores the remembered identity in the cookie defined below. -->
<!-- NOTE(review): no cipherKey property is set, so the cookie is encrypted with
     whatever default the Shiro version in use provides. Some older Shiro releases
     used a fixed, publicly known default key. Configure an explicit, randomly
     generated key supplied from outside source control, and keep Shiro up to date. -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
    <property name="cookie" ref="rememberMeCookie"/>
</bean>
<!-- Remember-me cookie named "rememberMeClub", hidden from page scripts (httpOnly). -->
<!-- NOTE(review): the secure flag is not set; enable it when the site is served over
     HTTPS so the cookie is never sent in clear text. -->
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <constructor-arg value="rememberMeClub"/>
    <property name="httpOnly" value="true"/>
    <!-- 300 days, in seconds. NOTE(review): a stolen cookie stays usable for this
         whole period; shorten it unless the long lifetime is a requirement. -->
    <property name="maxAge" value="25920000"/>
</bean>
注意:Shiro 工作在 filter 层面,过滤请求时 spring-mvc.xml 中配置的 bean 还没有被初始化。
需要在 applicationContext 中添加如下配置,再扫描一次。
<!-- Scans the given base package for annotated components so that the beans exist in
     this context as well. Requires the "context" namespace to be declared on the
     enclosing beans element.
     NOTE(review): the package prefix here (cn.com.sgcc.credit) differs from the one
     used by the Shiro beans in shiro-conf.xml (cn.com.a.credit); confirm which is
     intended. Components scanned in two contexts are instantiated twice, so check
     that the proxied instance is the one that actually serves requests. -->
<context:component-scan base-package="cn.com.sgcc.credit.core"/>
参考:http://blog.csdn.net/cenkunjj/article/details/51078101
这位作者的做法是把 mvc 的配置文件也在 web.xml 中加载一次,原理一样。