ssm整合shiro

1、导入shiro相应jar包，也可下载shiro-all.jar; 

2、web.xml添加shiroFilter配置，类似于mvc

 <!-- shiro 安全过滤器-->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

3、添加shiro配置文件，在spring-conf.xml导入

<import resource="classpath*:conf/spring-shiro.xml"/> 

<description>Shiro安全配置</description>
    <!-- 扫描service注入realm -->
    <context:component-scan base-package="com.myssm.yuan.service" use-default-filters="false">
        <context:include-filter type="annotation" expression="org.springframework.stereotype.Service"/>
    </context:component-scan>
    <!--securityManager是shiro的核心，初始化时协调各个模块运行-->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
       <!--单个realm使用realm,如果有多个realm，使用realms属性代替--> 
       <property name="realm" ref="userRealm" />
       <property name="cacheManager" ref="shiroEhcacheManager" />
    </bean>
    <!--realm配置，realm是shiro的桥梁，它主要是用来判断subject是否可以登录及权限等-->
    <bean id="userRealm" class="com.myssm.yuan.shiro.UserRealm" />
    <!-- <property name="userService" ref="userService"/></bean> 不扫描可采用此方法注入-->
    <!--shiro过滤器配置，bean的id值须与web中的filter-name的值相同-->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
         <!-- 没有权限或者失败后跳转的页面 -->
     <property name="loginUrl" value="/login.jsp" /> 
     <property name="successUrl" value="/WEB-INF/page/index.jsp" />
     <property name="unauthorizedUrl" value="/login/unauthorized" />
        <property name="filterChainDefinitions">
            <value>
                /login/logout=logout
                /login/**=anon
                /**=authc,rest
            </value>
        </property>
    </bean>
    <!-- 用户授权/认证信息Cache, 采用EhCache 缓存 -->
    <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:conf/ehcache-shiro.xml"/>
    </bean>
    <!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

3.1 添加shiro缓存配置文件

<?xml version="1.0" encoding="UTF-8"?>
<ehcache xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd">
    <diskStore path="java.io.tmpdir"/>
    <defaultCache maxElementsInMemory="10000" eternal="false" 
    timeToIdleSeconds="900" timeToLiveSeconds="1800" 
    overflowToDisk="false" 
    memoryStoreEvictionPolicy="LFU" />
    <cache name="testEhcache" 
        maxElementsInMemory="10000" 
        eternal="false"
        overflowToDisk="false" 
        timeToIdleSeconds="900"
        timeToLiveSeconds="1800"
        memoryStoreEvictionPolicy="LFU" />
 
</ehcache>

4、添加配置文件中配置的自定义realm,继承AuthorizingRealm

    /** 
     * 授权
     * <p>Title: doGetAuthorizationInfo</p> 
     * <p>Description: </p> 
     * @param principals
     * @return 
     * @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) 
    */
    
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();//未进行授权处理
        return authorizationInfo;
    }

    /** 
     * 认证
     * <p>Title: doGetAuthenticationInfo</p> 
     * <p>Description: </p> 
     * @param token
     * @return
     * @throws AuthenticationException 
     * @see org.apache.shiro.realm.AuthenticatingRealm#doGetAuthenticationInfo(org.apache.shiro.authc.AuthenticationToken) 
    */
    
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToke = (UsernamePasswordToken)token; 
        String account = usernamePasswordToke.getUsername();
        String pwd = String.valueOf(usernamePasswordToke.getPassword());
        User user = this.userService.getUserByAccount(account);
        if( user == null ){
            throw new UnknownAccountException();
        }
        if( !user.getPassword().equals(pwd)){
            throw new IncorrectCredentialsException();
        }
//		if(Boolean.TRUE.equals( user.getLocked())){
//			  throw new LockedAccountException(); //帐号锁定
//		}
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                account,pwd,this.getName()); //此处未进行密码加密处理
        return authenticationInfo;
    }

5、增加登录jsp及controller进行测试，java培训机构结果:未登录自动跳到login.jsp,登录成功调到index.jsp

以上为简单的整合shiro，如有错误或好的建议，敬请提出。