首先,这是创建ssm项目的地址:http://blog.csdn.net/qq_40706089/article/details/78707234,今天打算将shiro安全框架也给集成进来,网上对shiro的介绍非常之多,在这也不多赘述了,直接开始集成。
step1:通过pom文件管理shiro框架所需的jar包
<!--整合shiro需要的依赖--> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.2</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-web</artifactId> <version>1.2.2</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-spring</artifactId> <version>1.2.2</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-ehcache</artifactId> <version>1.2.2</version> </dependency>step2:在web.xml中添加shiro安全过滤器
<filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>这个要注意两个小问题:a.一般shiro过滤器配置在编码过滤器之后,这样在对编码进行过滤后就走shiro的过滤器。b.
<filter-name>shiroFilter</filter-name>
此处的名字要和下一步的spring-shiro.XML中ShiroFilterFactoryBean 的id一样,如果不一样 会创建shiroFilter失败
step3:在resourse目录下建立spring-shiro.XML文件(此处名字 随意)
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd" default-lazy-init="true"> <description>Shiro Configuration</description> <!-- Shiro's main business-tier object for web-enabled applications --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="MyRealm" /> <property name="cacheManager" ref="cacheManager" /> </bean> <!-- 項目自定义的Realm --> <bean id="MyRealm" class="com.lsd.shiro.MyRealm"> <property name="cacheManager" ref="cacheManager" /> </bean> <!--自定义LogoutFilter,退出--> <bean id="logoutFilter" class="com.lsd.shiro.SystemLogoutFilter"> <property name="redirectUrl" value="/userController/login"/> </bean> <!-- Shiro Filter --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value=" /userController/login" /> <property name="successUrl" value="userController/index" /> <property name="filters"> <map> <entry key="logout" value-ref="logoutFilter"/> </map> </property> <property name="filterChainDefinitions"> <value> /userController/login = anon /userController/index =authc /userController/logout = logout </value> </property> </bean> <!-- 用户授权信息Cache --> <bean id="cacheManager" class="org.apache.shiro.cache.MemoryConstrainedCacheManager" /> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <!-- AOP式方法级权限检查 --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager" /> </bean> </beans>
配置解释:
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value=" /userController/login" /> <property name="successUrl" value="userController/index" /> <property name="filters"> <map> <entry key="logout" value-ref="logoutFilter"/> </map> </property> <property name="filterChainDefinitions"> <value> /userController/login = anon /userController/index =authc /userController/logout = logout </value> </property> </bean>
securityManager:是shiro 的安全管理器
loginUrl:登录页面,也可以当成是项目的首页
successUrl:登录成功后的页面
后面跟的都是访问页面的路由,然后在value里面进行配置
路径1 = anon 代表不需要经过登录验证即可访问,即无拦截。
路径2 = authc 代表必须通过登录验证才可访问,如果不登录直接访问 则返回loginUrl
注意:配置成功后先注释掉自定义的realm,下篇博客会用到
step4:
在web.xml文件中引入shiro的配置文件让他随项目启动时就加载
<display-name>web-ssm</display-name> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring-mybatis.xml,classpath:spring-shiro.xml</param-value> </context-param> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>classpath:log4j.properties</param-value> </context-param>
至此,shiro框架就集成进来了 ,测试是否集成成功,可以将某个页面的地址加上 authc 权限 不登录访问的时候如果能拦截,跳到loginUrl,代表集成成功,具体用法还需要深入的学习,在这推荐开涛大神的跟我学shiro。