Spring Shiro配置实现用户认证和授权

1、applicationContext-shiro.xml配置：实现认证和授权

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

<!-- shiro start -->   < bean id = "lifecycleBeanPostProcessor" class = "org.apache.shiro.spring.LifecycleBeanPostProcessor" />   < bean id = "cacheManager" class = "org.apache.shiro.cache.ehcache.EhCacheManager" >       < property name = "cacheManagerConfigFile"           value = "classpath:ehcache.xml" />   </ bean >   < bean id = "credentialsMatcher"       class = "org.apache.shiro.authc.credential.HashedCredentialsMatcher" >       < property name = "hashAlgorithmName" value = "SHA-256" />   </ bean >   < bean id = "iniRealm" class = "com.boonya.shiro.security.CurrentIniRealm" >       < constructor-arg type = "java.lang.String" value = "classpath:shiro.ini" />       < property name = "credentialsMatcher" ref = "credentialsMatcher" />   </ bean >   < bean id = "userRealm" class = "com.boonya.shiro.security.UserRealm" />   < bean id = "securityManager" class = "org.apache.shiro.web.mgt.DefaultWebSecurityManager" >       < property name = "realms" >           < list >               < ref bean = "iniRealm" />               < ref bean = "userRealm" />           </ list >       </ property >       < property name = "cacheManager" ref = "cacheManager" />   </ bean >   < bean id = "shiroFilter" class = "org.apache.shiro.spring.web.ShiroFilterFactoryBean" >       < property name = "securityManager" ref = "securityManager" />       < property name = "loginUrl" value = "/login" />       < property name = "successUrl" value = "/maps/main.html" ></ property >       < property name = "unauthorizedUrl" value = "/unauthorized" ></ property >       < property name = "filters" >           < util:map >               < entry key = "anAlias" >                   < bean                       class = "org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter" />               </ entry >           </ util:map >       </ property >       < property name = "filterChainDefinitions" >           < value >               /unauthorized=anon               /validate/code*=anon               /login/**=anon               /image/**=anon               /js/**=anon               /css/**=anon               /common/**=anon               /index.htm* = anon               /maps/**=authc                     </ value >       </ property >   </ bean >   <!-- shiro end --> 说明：红色字体部分是对用户操作的URL进行过滤：认证或授权

2、shiro过滤器过滤属性含义

securityManager：这个属性是必须的。

loginUrl ：没有登录的用户请求需要登录的页面时自动跳转到登录页面，不是必须的属性，不输入地址的话会自动寻找项目web项目的根目录下的”/login.jsp”页面。

successUrl ：登录成功默认跳转页面，不配置则跳转至”/”。如果登陆前点击的一个需要登录的页面，则在登录自动跳转到那个需要登录的页面。不跳转到此。

unauthorizedUrl ：没有权限默认跳转的页面。

===============其权限过滤器及配置释义=======================

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

anon   org.apache.shiro.web.filter.authc.AnonymousFilter   authc  org.apache.shiro.web.filter.authc.FormAuthenticationFilter   authcBasic org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter   perms  org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter   port   org.apache.shiro.web.filter.authz.PortFilter   rest   org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter   roles  org.apache.shiro.web.filter.authz.RolesAuthorizationFilter   ssl    org.apache.shiro.web.filter.authz.SslFilter   user   org.apache.shiro.web.filter.authc.UserFilter   logout org.apache.shiro.web.filter.authc.LogoutFilter

anon:例子/admins/**=anon 没有参数，表示可以匿名使用。

authc:例如/admins/user/**=authc表示需要认证(登录)才能使用，没有参数

roles：例子/admins/user/**=roles[admin],参数可以写多个，多个时必须加上引号，并且参数之间用逗号分割，当有多个参数时，例如admins/user/**=roles["admin,guest"],每个参数通过才算通过，相当于hasAllRoles()方法。

perms：例子/admins/user/**=perms[user:add:*],参数可以写多个，多个时必须加上引号，并且参数之间用逗号分割，例如/admins/user/**=perms["user:add:*,user:modify:*"]，当有多个参数时必须每个参数都通过才通过，想当于isPermitedAll()方法。

rest：例子/admins/user/**=rest[user],根据请求的方法，相当于/admins/user/**=perms[user:method] ,其中method为post，get，delete等。

port：例子/admins/user/**=port[8081],当请求的url的端口不是8081是跳转到schemal://serverName:8081?queryString,其中schmal是协议http或https等，serverName是你访问的host,8081是url配置里port的端口，queryString

是你访问的url里的？后面的参数。

authcBasic：例如/admins/user/**=authcBasic没有参数表示httpBasic认证

ssl:例子/admins/user/**=ssl没有参数，表示安全的url请求，协议为https

user:例如/admins/user/**=user没有参数表示必须存在用户，当登入操作时不做检查

注：anon，authcBasic，auchc，user是认证过滤器，

perms，roles，ssl，rest，port是授权过滤器

3、web.xml中shiroFilter配置

?

1 2 3 4 5 6 7 8 9

<!-- Shiro Filter is defined in the spring application context: --> < filter >     < filter-name >shiroFilter</ filter-name >     < filter-class >org.springframework.web.filter.DelegatingFilterProxy</ filter-class > </ filter > < filter-mapping >     < filter-name >shiroFilter</ filter-name >     < url-pattern >/*</ url-pattern > </ filter-mapping >