shiro整合spring
参考官网文档 http://shiro.apache.org/spring.html
1、pom.xml配置
<!-- Shiro core, web and Spring-integration modules -->
<!-- NOTE(review): 1.3.2 is an old Shiro release. Later releases carry security fixes,
     including fixes to the URL path matching that the filter chain relies on.
     Pin a currently supported release and keep shiro-core, shiro-web and shiro-spring
     on the same version. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.3.2</version>
</dependency>
<!-- SLF4J binding that routes Shiro's logging to log4j 1.x.
     NOTE(review): log4j 1.x is end-of-life; consider a maintained logging backend. -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.21</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>1.3.2</version>
</dependency>
2、web.xml配置
<!-- Shiro filter definition. DelegatingFilterProxy delegates to the Spring bean whose id
     equals the filter-name, so "shiroFilter" must match the ShiroFilterFactoryBean bean id
     in spring-shiro.xml. -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<!-- Defaults to false, meaning the lifecycle is managed by the Spring ApplicationContext; true means it is managed by the servlet container -->
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- Every request path goes through Shiro; the per-path rules live in filterChainDefinitions.
     No <dispatcher> element is declared, so the filter runs for REQUEST dispatches only;
     declare FORWARD / INCLUDE / ERROR as well if those dispatches must be checked too. -->
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3、spring-shiro.xml配置
在spring.xml中载入一个spring-shiro.xml
<!-- Load the Shiro bean definitions from spring-shiro.xml on the classpath -->
<import resource="classpath:spring-shiro.xml"/>
spring-shiro.xml配置
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:cache="http://www.springframework.org/schema/cache"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-4.3.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/cache
http://www.springframework.org/schema/cache/spring-cache-4.3.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd ">
<!-- NOTE(review): the util schema above is pinned to 2.0 while the others use 4.3; align them. -->
<!-- Custom realm: supplies accounts, roles and permissions.
     NOTE(review): no credentialsMatcher property is set, so Shiro's default matcher compares
     the submitted password with the stored value for plain equality. That only works when
     passwords are stored in clear text. Store salted hashes and configure a hashing matcher
     (e.g. HashedCredentialsMatcher or PasswordMatcher) on this bean. -->
<bean id="myRealm" class="com.tingcream.shiroSpring.realm.MyRealm"/>
<!-- Custom post-login filter, used as /home=authc,userSession -->
<bean id="userSessionFilter" class="com.tingcream.shiroSpring.common.UserSessionFilter"/>
<!-- Security manager. No cacheManager is configured here, so the realm's authorization
     lookup is not cached by Shiro. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<!-- Shiro filter; the bean id must equal the filter-name declared in web.xml -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Shiro's core security interface; this property is required -->
<property name="securityManager" ref="securityManager"/>
<!-- Where to redirect when authentication is required or has failed (the login page) -->
<property name="loginUrl" value="/login"/>
<!-- Where to redirect when an authorization (role / permission) check fails -->
<property name="unauthorizedUrl" value="/unauthorized"/>
<!-- Custom access-control filters, referenced by key in the chain definitions below -->
<property name="filters">
<util:map>
<entry key="userSession" value-ref="userSessionFilter"/>
</util:map>
</property>
<!-- URL pattern = filter chain. Patterns are evaluated top to bottom and the first match
     wins, so specific paths must stay above the catch-all and /**=authc must stay last;
     it makes every path not listed above require an authenticated user.
     userSession is listed after authc so that it only runs for an authenticated subject. -->
<property name="filterChainDefinitions">
<value>
/resources/**=anon
/login=anon
/home=authc,userSession
/logout=logout
/student/**=roles[student]
/teacher/**=perms[teacher:find]
/**=authc
</value>
</property>
</bean>
<!-- Ensures beans that implement Shiro's internal lifecycle methods get them invoked -->
<bean id="lifecycleBeanPostProcessor"
class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enable Shiro's authorization annotations on Spring-managed beans -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
4、自定义realm
package com.tingcream.shiroSpring.realm;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.springframework.beans.factory.annotation.Autowired;
import com.tingcream.shiroSpring.mapper.UserMapper;
import com.tingcream.shiroSpring.model.User;
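/**
 * Shiro realm that loads accounts, roles and permissions through {@link UserMapper}.
 *
 * <p>This class does not compare passwords itself: it hands the stored credential to Shiro,
 * which checks it against the submitted one with the realm's credentials matcher.
 * NOTE(review): unless a matcher is configured on the realm bean, Shiro's default matcher
 * tests plain equality, which only works when passwords are stored in clear text. Store
 * salted hashes and configure a hashing matcher on the bean instead.
 */
public class MyRealm extends AuthorizingRealm {

    @Autowired
    private UserMapper userMapper;

    /**
     * Loads the roles and permissions of the current subject (authorization).
     *
     * @param principals the identities of the subject; the primary principal is the username
     * @return the role names and permission strings found for that username
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // The primary principal is the username that doGetAuthenticationInfo stored.
        String username = (String) principals.getPrimaryPrincipal();

        // Authorization data comes from the mapper only; no session access is needed here,
        // so this lookup does not force a session to be created.
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        Set<String> roleNames = userMapper.findUserRoleNames(username);
        Set<String> permNames = userMapper.findUserPermNames(username);
        authorizationInfo.setRoles(roleNames);
        authorizationInfo.setStringPermissions(permNames);
        return authorizationInfo;
    }

    /**
     * Looks up the account for the submitted token (authentication).
     *
     * @param token the submitted token; its principal is read as the username
     * @return the stored username and credential for Shiro to verify, or {@code null} when
     *         the token carries no username or no such account exists
     * @throws AuthenticationException declared by the Shiro contract; not thrown directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        String username = (String) token.getPrincipal();
        if (username == null) {
            // Nothing to look up; treat it like an unknown account instead of querying with null.
            return null;
        }

        User user = userMapper.findUserByUsername(username);
        if (user == null) {
            // Unknown account: the login attempt fails.
            return null;
        }

        // Principal, stored credential, realm name. Shiro's credentials matcher does the comparison.
        return new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), this.getClass().getSimpleName());
    }
}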
5、自定义shiro登录成功后的filter过滤器
package com.tingcream.shiroSpring.common;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.springframework.beans.factory.annotation.Autowired;
import com.tingcream.shiroSpring.mapper.UserMapper;
import com.tingcream.shiroSpring.model.User;
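/**
 * Access-control filter that runs after a successful Shiro login and stores the user's
 * {@link User} entity in the Shiro session under the key {@code "sessionUser"}.
 *
 * <p>It is meant to be chained after {@code authc} (for example
 * {@code /home=authc,userSession}). A request whose subject has no principal is sent to the
 * login page, so a chain that lists this filter on its own does not let anonymous requests
 * through.
 *
 * @author jelly
 */
public class UserSessionFilter extends AccessControlFilter {

    @Autowired
    private UserMapper userMapper;

    /**
     * Makes sure the session holds the current user's entity.
     *
     * @param request the incoming request
     * @param response the outgoing response
     * @param mappedValue the filter configuration for the matched path (not used)
     * @return {@code true} when the subject has a principal, {@code false} otherwise
     * @throws Exception if the subject, session or mapper lookup fails
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws Exception {
        Subject subject = this.getSubject(request, response);
        if (subject == null || subject.getPrincipal() == null) {
            // No identity: deny, so that onAccessDenied decides what happens next.
            return false;
        }

        String username = (String) subject.getPrincipal();
        org.apache.shiro.session.Session session = subject.getSession();

        // Query the database only when the session has no user yet, and write the attribute
        // only when there is something new to store.
        if (session.getAttribute("sessionUser") == null) {
            User sessionUser = userMapper.findUserByUsername(username);
            if (sessionUser != null) {
                // NOTE(review): this is the same entity the realm reads getPassword() from, so the
                // credential value travels with the session and reaches any session store or view
                // that reads it. Prefer storing a copy without the password.
                session.setAttribute("sessionUser", sessionUser);
            }
        }
        return true;
    }

    /**
     * Handles a request that {@link #isAccessAllowed} rejected: remembers the request,
     * redirects to the login URL and stops the filter chain.
     *
     * @param request the incoming request
     * @param response the outgoing response
     * @return always {@code false}, because the response has already been handled
     * @throws Exception if the redirect fails
     */
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        // Returning true here would let a denied request continue down the chain.
        saveRequestAndRedirectToLogin(request, response);
        return false;
    }
}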
完整shiro+spring整合的项目参考笔者gitee.com仓库: https://gitee.com/mmxl/shiroSpring