spring框架整合shiro

shiro框架

定义：
Shiro是apache旗下一个开源框架，它将实现用户身份认证，权限授权、加密、会话管理等功能，组成了一个通用的安全认证框架。

既然shiro将安全认证相关的功能抽取出来组成一个框架，使用shiro就可以非常快速的完成认证、授权等功能的开发，降低系统成本。

shiro使用广泛，shiro可以运行在web应用，非web应用，集群分布式应用中越来越多的用户开始使用shiro。

java领域中spring security(原名Acegi)也是一个开源的权限管理框架，但是spring security依赖spring运行，而shiro就相对独立，最主要是因为shiro使用简单、灵活，所以现在越来越多的用户选择shiro。

在spring中注入shiro

<!-- 1,配置shiro权限管理器 -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <!-- 注入缓存管理 -->
        <property name="cacheManager" ref="cacheManager"/>
        <!-- Single realm app.  If you have multiple realms, use the 'realms' property instead. -->
        <!-- 注入设置会话管理模式 -->
        <property name="sessionMode" value="native"/>
        <!-- 注入自定义realm(认证，授权，加密等等数据源) -->
        <property name="realm" ref="shiroRealm"/>
    </bean>
     <!-- 2,配置shiro缓存管理 -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one.  If not, a new one
             will be creaed with a default config:
             <property name="cacheManager" ref="ehCacheManager"/> -->
        <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but you want
             a specific Ehcache configuration to be used, specify that here.  If you don't, a default
             will be used.: -->
        <!-- 使用配置文件实现缓存管理 -->
        <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
    </bean>
    <!-- 3,配置自定义realm受Spring容器管理 -->
    <bean id="shiroRealm" class="com.web.shiro.ShiroRealm">
    	<property name="userDAO" ref="userDAO"></property>
    	<!-- 配置认证时加密 -->
    	<property name="credentialsMatcher">
			<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
				<!-- 加密模式 -->
				<property name="hashAlgorithmName" value="MD5"></property>
				<!-- 加密次数 -->
				<property name="hashIterations" value="1024"></property>
			</bean>
		</property>
    </bean>
	<bean id="userDAO" class="com.web.dao.UserDAO"></bean>
	 <!-- 4,配置管理shiro生命周期 -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
    <!-- 5,配置启用shiro注解功能(注意:配置启动注解功能必须是在配置shiro生命周期之后) -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>
     <!-- 6,配置shiro过滤器受Spring容器管理(bean的id必须和web.xml中shiro过滤器的filter-name名称保持一致) -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- 注入权限管理器 -->
        <property name="securityManager" ref="securityManager"/>
        <!-- 配置用户登录页面 -->
        <property name="loginUrl" value="/login.jsp"/>
        <!-- 配置认证（登录）成功页面 -->
        <property name="successUrl" value="/index.jsp"/>
        <!-- 配置未授权页面 -->
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
        <!-- 
        	配置资源文件访问限制 
        	anon	匿名访问
        	authc	认证访问(登录才能访问)
        	logout	注销(退出)
        -->

        <property name="filterChainDefinitions">
            <value>
                /login.jsp = anon
                /user/login = anon
                /index.jsp = authc
                /user/test = authc
                /admin.jsp = authc,roles[admin]
                /user.jsp = authc,roles[user]
                /user/logout = logout
                # everything else requires authentication:
            	/** = authc
            </value>
        </property> 
        <!-- 使用java类配置权限管理 -->
        <!--<property name="filterChainDefinitionMap" ref="filterChainDefinitionMap"></property>-->     
    </bean>
     <!--<bean id="filterChainDefinitionMap" factory-bean="filterChainDefinitionMapBuilder"-->
		<!--factory-method="buildfilterChainDefinitionMap"></bean>-->

	<!--<bean id="filterChainDefinitionMapBuilder"-->
		<!--class="com.web.factory.FilterChainDefinitionMapBuilder"></bean>-->
    <!---->
    <!-- 配置未授权异常处理 -->
	<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
		<property name="exceptionMappings">
			<props>
				<!-- 标签主体部分配置未授权显示页面，注意事项:页面路径不需要加.jsp后缀 -->
				<prop key="org.apache.shiro.authz.UnauthorizedException">/unauthorized</prop>
			</props>
		</property>
	</bean>

web.xml配置文件

  <!-- 编码过滤器 -->
    <filter>
        <filter-name>encodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>encodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Spring MVC servlet -->
    <servlet>
        <servlet-name>dispatcherServlet</servlet-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:spring-mvc.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcherServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Spring和shiro的配置文件 -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring-shiro.xml</param-value>
    </context-param>
    <!-- Spring监听器 -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- ==================================================================
         Filters
         ================================================================== -->
    <!-- Shiro Filter is defined in the spring application context: -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

shiro的依赖jar

 <!-- shiro依赖 -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.3.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-ehcache</artifactId>
            <version>1.3.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>1.3.2</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>1.3.2</version>
        </dependency>

使用java类配置权限管理

class FilterChainDefinitionMapBuilder {
    public LinkedHashMap<String, String> buildfilterChainDefinitionMap(){
        LinkedHashMap<String, String> map = new LinkedHashMap<String, String>();
        map.put("/login.jsp", "anon");
        map.put("/user/login", "anon");
        map.put("/index.jsp", "authc");
        map.put("/user/test", "authc");
        map.put("/admin.jsp", "authc,roles[admin]");
        map.put("/user.jsp", "authc,roles[user]");
        map.put("/user/logout", "logout");
        map.put("/**", "authc");
        return map;
    }
}