Spring Framework，Shiro與Spring整合

Shiro引入Spring

?????? 添加jar包/maven配置

<!-- shiro支持 -->

?????? <dependency>

?????????? <groupId>org.apache.shiro</groupId>

?????????? <artifactId>shiro-core</artifactId>

?????????? <version>1.2.4</version>

?????? </dependency>

?????? <dependency>

?????????? <groupId>org.apache.shiro</groupId>

?????????? <artifactId>shiro-web</artifactId>

?????????? <version>1.2.4</version>

?????? </dependency>

?????? <dependency>

?????? ? ? <groupId>org.apache.shiro</groupId>

?????? ? ? <artifactId>shiro-spring</artifactId>

?????? ? ? <version>1.2.4</version>

?????? </dependency>

?????? <!-- 緩存 注解 -->

?????? <dependency>

?????? ? ? <groupId>org.apache.shiro</groupId>

?????? ? ? <artifactId>shiro-aspectj</artifactId>

?????? ? ? <version>1.2.4</version>

?????? </dependency>

?????? <dependency>

?????? ? ? <groupId>org.apache.shiro</groupId>

?????? ? ? <artifactId>shiro-ehcache</artifactId>

?????? ? ? <version>1.2.4</version>

Spring Framework。??? ??? </dependency>

?

?

添加spring-shiro.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

??? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"

??? xmlns:context="http://www.springframework.org/schema/context"

??? xmlns:aop="http://www.springframework.org/schema/aop"

??? xmlns:tx="http://www.springframework.org/schema/tx"

??? xsi:schemaLocation="http://www.springframework.org/schema/beans

??????? http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

??????? http://www.springframework.org/schema/context

??????? http://www.springframework.org/schema/context/spring-context-3.0.xsd

??????? http://www.springframework.org/schema/aop

??????? http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

??????? http://www.springframework.org/schema/tx

??????? http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

???????

??? <context:annotation-config />

??? <!-- 自定義Realm -->

??? <bean id="myRealm" class="shiro03.realm.MyRealm"/>

???

??? <!-- 安全管理器 -->

??? <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">?

? ? ??<property name="realm" ref="myRealm"/>?

??? </bean>

???

??? <!-- 配置任何角色 -->

??? <bean id="anyofroles" class="shiro03.realm.AnyOfRolesAuthorizationFilter"/>

???

??? <!-- Shiro過濾器 -->

??? <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">?

??? ??? <!-- Shiro的核心安全接口,這個屬性是必須的 -->?

??? ??? <property name="securityManager" ref="securityManager"/>

??? ??? <!-- 身份認證失敗，則跳轉到登錄頁面的配置 -->?

??? ??? <property name="loginUrl" value="/index.jsp"/>

??? ??? <!-- 權限認證失敗，則跳轉到指定頁面 -->?

??? ??? <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

??? ??? <!-- <property name="anyofroles" ref="anyofroles"/> -->

??? ??? <!-- Shiro連接約束配置,即過濾鏈的定義 -->?

??? ??? <property name="filterChainDefinitions">?

??? ??????? <value>?

??? ???????????? /login=anon

????????????? /admin*=authc

????????????? /student=anyofroles["admin,teacher"]

????????????? /teacher=roles[admin]

??? ??????? </value>?

??? ??? </property>

??? </bean>

???

??? <!-- 保證實現了Shiro內部lifecycle函數的bean執行 -->?

??? <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>?

???

??? <!-- 開啟Shiro注解 -->

??? <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>?

? ????? <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">?

? ? ??<property name="securityManager" ref="securityManager"/>?

??? </bean>

</beans>

?

?

自定義Realm類MyRealm.java

?

public class MyRealm extends AuthorizingRealm{

??? @Resource

??? private UserService userService;

??? /**

??? ?* 為當限前登錄的用戶授予角色和權

??? ?*/

??? @Override

??? protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

?????? String userName=(String)principals.getPrimaryPrincipal();

?????? SimpleAuthorizationInfo authorizationInfo=new SimpleAuthorizationInfo();

?????? authorizationInfo.setRoles(userService.getRoles(userName));

?????? authorizationInfo.setStringPermissions(userService.getPermissions(userName));

?????? return authorizationInfo;

??? }

??? /**

??? ?* 驗證當前登錄的用戶

??? ?*/

??? @Override

??? protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

?????? String userName=(String)token.getPrincipal();

?????????? User user=userService.getByUserName(userName);

?????????? if(user!=null){

????????????? AuthenticationInfo authcInfo=new SimpleAuthenticationInfo(user.getUserName(),user.getPassword(),"xx");

????????????? return authcInfo;

?????????? }else{

????????????? return null;????????????

?????????? }

??? }

}

?

?

自定義角色過濾器AnyOfRolesAuthorizationFilter.java

?????? 當一個角色有多個功能模塊頁面的權限時，會出現權限失效問題，無法配置，需要自己定義角色過濾器。

public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter{

??? @Override

??? public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)

?????????? throws IOException {

?????? Subject subject = getSubject(request, response);

??????? String[] rolesArray = (String[]) mappedValue;

??????? if (rolesArray == null || rolesArray.length == 0) {

??????????? return true;

??????? }

??????? for (String roleName : rolesArray) {

??????????? if (subject.hasRole(roleName)) {

??????????????? return true;

??????????? }

??????? }

?????? return false;

??? }

}??

?

? ? ??