Shiro引入Spring
添加jar包/maven配置
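<!-- Shiro support -->
<!-- NOTE(review): 1.2.4 is an old Shiro release with published security advisories, including
     one about the built-in default key used to encrypt the rememberMe cookie. Pin all shiro-*
     artifacts to a currently supported release (check the Apache Shiro security reports), and
     set your own rememberMe cipher key or disable rememberMe. -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.2.4</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.2.4</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.2.4</version>
</dependency>
<!-- Caching and annotation support -->
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-aspectj</artifactId>
    <version>1.2.4</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-ehcache</artifactId>
    <version>1.2.4</version>
</dependency>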

添加spring-shiro.xml配置文件
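<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
        http://www.springframework.org/schema/tx
        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

    <context:annotation-config />

    <!-- Custom realm -->
    <!-- NOTE(review): no credentialsMatcher is set on this realm, so Shiro's default matcher is
         used and the stored credential is compared with the submitted password as-is. Store
         salted password hashes and configure a HashedCredentialsMatcher (or PasswordMatcher). -->
    <bean id="myRealm" class="shiro03.realm.MyRealm"/>

    <!-- Security manager -->
    <!-- NOTE(review): no rememberMe manager or cipher key is configured here, so the Shiro
         defaults apply. With the old Shiro release pinned in this article's dependencies, set
         an explicit cipher key or disable rememberMe, and upgrade Shiro. -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="myRealm"/>
    </bean>

    <!-- Any-of-roles filter -->
    <bean id="anyofroles" class="shiro03.realm.AnyOfRolesAuthorizationFilter"/>

    <!-- Shiro filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!-- Shiro's core security interface; this property is required -->
        <property name="securityManager" ref="securityManager"/>
        <!-- Where to redirect when authentication fails (the login page) -->
        <property name="loginUrl" value="/index.jsp"/>
        <!-- Where to redirect when an authorization check fails -->
        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
        <!-- <property name="anyofroles" ref="anyofroles"/> -->
        <!-- Filter chain definitions (URL pattern = filters); the first matching pattern wins.
             NOTE(review): only the four patterns below are protected. A URL that matches none
             of them passes through with no authentication or role check; /student and /teacher
             match only those exact paths, and /admin* does not cover paths below /admin/
             because * stops at a slash. Consider ending the list with a catch-all such as
             /** = authc and listing public resources explicitly as anon. -->
        <property name="filterChainDefinitions">
            <value>
                /login=anon
                /admin*=authc
                /student=anyofroles["admin,teacher"]
                /teacher=roles[admin]
            </value>
        </property>
    </bean>

    <!-- Makes sure beans implementing Shiro's lifecycle callbacks get them invoked -->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

    <!-- Enable Shiro annotations -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>
</beans>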

自定義Realm類MyRealm.java

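/**
 * Shiro realm that looks up users, roles and permissions through {@code UserService}.
 *
 * <p>NOTE(review): {@code user.getPassword()} is handed to Shiro as the stored credential. The
 * spring-shiro.xml in this article sets no credentialsMatcher on the realm, so presumably
 * Shiro's default matcher compares it with the submitted password as-is, which implies
 * unhashed password storage. Confirm, and prefer salted hashes checked by a
 * {@code HashedCredentialsMatcher} or {@code PasswordMatcher}.
 */
public class MyRealm extends AuthorizingRealm {

    @Resource
    private UserService userService;

    /**
     * Grants roles and permissions to the currently logged-in user.
     *
     * @param principals the subject's principals; the primary principal is read as the user name
     * @return authorization info holding the roles and string permissions that
     *         {@code userService} returns for that user name
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String userName = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        authorizationInfo.setRoles(userService.getRoles(userName));
        authorizationInfo.setStringPermissions(userService.getPermissions(userName));
        return authorizationInfo;
    }

    /**
     * Looks up the account for the user who is logging in.
     *
     * @param token the submitted token; its principal is read as the user name
     * @return the stored user name and password for Shiro to verify, or {@code null} when the
     *         token carries no user name or no such user exists
     * @throws AuthenticationException declared by the overridden method; not thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String userName = (String) token.getPrincipal();
        if (userName == null) {
            // No user name submitted: skip the lookup and report "no account".
            return null;
        }
        User user = userService.getByUserName(userName);
        if (user == null) {
            return null;
        }
        // Use this realm's own name instead of a hard-coded "xx", so the principals recorded
        // for the subject can be matched back to this realm by name.
        return new SimpleAuthenticationInfo(user.getUserName(), user.getPassword(), getName());
    }
}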

自定義角色過濾器AnyOfRolesAuthorizationFilter.java
當一個角色有多個功能模塊頁面的權限時,會出現權限失效問題,無法配置,需要自己定義角色過濾器。(Shiro 內置的 roles[...] 過濾器要求用戶同時擁有列出的全部角色;這裏的自定義過濾器改為只要擁有其中任意一個角色即可通過。)
/**
 * Role filter that lets a request through when the subject holds at least one of the roles
 * configured for the matched URL pattern.
 */
public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter {

    /**
     * Decides whether the current subject may access the requested resource.
     *
     * @param request the incoming request
     * @param response the outgoing response
     * @param mappedValue the roles configured for the matched pattern, cast to {@code String[]}
     * @return {@code true} when no roles are configured or the subject has any one of them,
     *         {@code false} otherwise
     * @throws IOException declared by the overridden method
     */
    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws IOException {
        final Subject currentSubject = getSubject(request, response);
        final String[] requiredRoles = (String[]) mappedValue;

        // NOTE(review): an empty role list allows the request, so a chain entry that names this
        // filter without any roles performs no role check at all.
        final boolean nothingRequired = requiredRoles == null || requiredRoles.length == 0;
        if (nothingRequired) {
            return true;
        }

        // Stop at the first role the subject holds; one match is enough.
        boolean granted = false;
        for (int i = 0; i < requiredRoles.length && !granted; i++) {
            granted = currentSubject.hasRole(requiredRoles[i]);
        }
        return granted;
    }
}
?
? ? ??