filter配置
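<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <!-- Security manager that backs every filter in this chain -->
    <property name="securityManager" ref="securityManager"/>
    <!-- Login page -->
    <property name="loginUrl" value="/login"/>
    <!-- Redirect target after a successful login -->
    <property name="successUrl" value="/"/>
    <!-- Page shown when authorization fails -->
    <property name="unauthorizedUrl" value="/403"/>
    <!-- Custom filters: the "authc" name is rebound to our own form filter,
         so every "authc" rule below uses formAuthenticationFilter -->
    <property name="filters">
        <map>
            <entry key="authc" value-ref="formAuthenticationFilter"/>
        </map>
    </property>
    <!-- Filter chain definitions. Rules are evaluated top-down and the FIRST
         matching pattern wins, so public paths such as /static/** and /403
         must be listed BEFORE the catch-all "/**". Placing "/static/** = anon"
         after "/** = authc" makes it unreachable: the catch-all would already
         have claimed the request and static resources would require login. -->
    <property name="filterChainDefinitions">
        <value>
            /static/** = anon
            /403 = anon
            /login = authc
            /logout = logout
            /** = authc
        </value>
    </property>
</bean>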
默认Filter
Filter名称 | 类 |
---|---|
anon | org.apache.shiro.web.filter.authc.AnonymousFilter |
authc | org.apache.shiro.web.filter.authc.FormAuthenticationFilter |
authcBasic | org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter |
logout | org.apache.shiro.web.filter.authc.LogoutFilter |
noSessionCreation | org.apache.shiro.web.filter.session.NoSessionCreationFilter |
perms | org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter |
port | org.apache.shiro.web.filter.authz.PortFilter |
rest | org.apache.shiro.web.filter.authz.HttpMethodPermissionFilter |
roles | org.apache.shiro.web.filter.authz.RolesAuthorizationFilter |
ssl | org.apache.shiro.web.filter.authz.SslFilter |
user | org.apache.shiro.web.filter.authc.UserFilter |
filterChainDefinitions执行规则(自上而下、从左到右匹配,第一条匹配到的规则生效)
## /user是路由可以模糊匹配如 /**
## login,role 是Shiro Filter的名称,可以用逗号分隔配置多个Filter
## [普通用户,管理员] 配置的是角色,可以配置多个角色;在Filter的isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)中,可以通过mappedValue获取到这些配置值
/user = login,role[普通用户,管理员]
自定义Filter
package com.uwo.shiro.config;
import org.apache.log4j.Logger;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
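/**
 * Form-login filter that ends any currently logged-in subject before a new
 * login submission is processed.
 *
 * <p>Rationale: the parent filter treats an already-authenticated subject as
 * allowed, so without this override a second login POST from a browser that
 * still holds an authenticated session would pass straight through and the
 * newly submitted credentials would never be verified. Logging the current
 * subject out first forces the new credentials through authentication.
 *
 * <p>Created by yanhao on 2017/6/16.
 */
public class UwoFormAuthenticationFilter extends FormAuthenticationFilter {

    /** One logger per class rather than one lookup per filter instance. */
    private static final Logger log = Logger.getLogger(UwoFormAuthenticationFilter.class);

    /**
     * Logs out the current subject when a login form is being submitted while
     * someone is already logged in, then defers to the parent's access check.
     *
     * @param request     the current request
     * @param response    the current response
     * @param mappedValue the value configured for this filter in
     *                    {@code filterChainDefinitions}, passed through to the parent
     * @return the parent filter's decision for this request
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
        if (isLoginRequest(request, response) && isLoginSubmission(request, response)) {
            // Account name carried by this login attempt.
            String account = getUsername(request);
            Subject subject = getSubject(request, response);
            // Principal of whoever is logged in right now, if anyone.
            // Kept as Object: it is only used for logging, so a non-String
            // principal must not blow up the filter with a ClassCastException.
            Object principal = subject.getPrincipal();
            // A login submission naming an account while a subject is already
            // logged in ends that earlier session first, regardless of whether
            // the submitted account is the same one.
            // NOTE(review): this runs before the new credentials are verified,
            // so a submission with a wrong password also ends the existing
            // session -- confirm that is the intended behaviour.
            if (account != null && principal != null) {
                log.warn("账号:" + principal + " 退出");
                subject.logout();
            }
        }
        return super.isAccessAllowed(request, response, mappedValue);
    }
}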