ssm+shiro框架的详细配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
<!--Shiro安全框架集成,主要用来更便捷的认证，授权，加密，会话管理-->
    <!-- shiro配置 -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-core</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <!-- Enables support for web-based applications. -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-web</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <!-- Enables AspectJ support for Shiro AOP and Annotations. -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-aspectj</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <!-- Enables Ehcache-based famework caching. -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-ehcache</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <!-- Enables Spring Framework integration. -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring</artifactId>
      <version>${shiro.version}</version>
    </dependency>

或者直接导入一个
<!-- https://mvnrepository.com/artifact/org.apache.shiro/shiro-all -->
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-all</artifactId>
      <version>1.4.0</version>
      <type>pom</type>
    </dependency>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx" xmlns:util="http://www.springframework.org/schema/util"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
       http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
       http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <!--shiro 核心安全接口  -->
        <property name="securityManager" ref="securityManager"></property>
        <!--登录时的连接  -->
        <property name="loginUrl" value="/login"></property>       
        <!--未授权时跳转的连接  -->
        <property name="unauthorizedUrl" value="/unauthorized.jsp"></property>
           <!-- 其他过滤器 -->
           <property name="filters">
               <map>
                   <!-- <entry key="rememberMe" value-ref="RememberMeFilter"></entry> -->
                   <entry key="kickout" value-ref="KickoutSessionControlFilter"/>
               </map>
           </property>
               
        <!-- 读取初始自定义权限内容-->
        <!-- 如果使用authc验证,需重写实现rememberMe的过滤器,或配置formAuthenticationFilter的Bean -->
        <property name="filterChainDefinitions">
            <value>
                /js/**=anon
                /css/**=anon
                /images/**=anon
                /skin/**=anon
                   /lib/**=anon
                   /nodel/**=anon
                   /WEB-INF/jsp/**=anon
                   /adminUserLogin/**=anon
                   
       
                   
                   /**/submitLogin.do=anon
                /**=user,kickout
            </value>
        </property>
    </bean>
    
    
    
    
    <!-- Shiro生命周期处理器-->
    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
    
    <!-- 安全管理器 -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="MyRealm"/>
        <property name="rememberMeManager" ref="rememberMeManager"/>
    </bean>
    
    <bean id="MyRealm" class="com.sys.shiro.MyRealm" >
        <property name="cachingEnabled" value="false"/>
    </bean>
    
    <!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->
    <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
        <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
        <property name="arguments" ref="securityManager"/>
    </bean>
    
    <!-- sessionIdCookie：maxAge=-1表示浏览器关闭时失效此Cookie -->
    <bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">  
        <constructor-arg value="rememberMe"/>  
        <property name="httpOnly" value="true"/>  
        <property name="maxAge" value="-1"/>  
    </bean>
         
    <!-- 用户信息记住我功能的相关配置 -->
    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
        <constructor-arg value="rememberMe"/>
        <property name="httpOnly" value="true"/>
        <!-- 配置存储rememberMe Cookie的domain为 一级域名        这里如果配置需要和Session回话一致更好。-->
        <property name="maxAge" value="604800"/><!-- 记住我==保留Cookie有效7天 -->
    </bean>
    
    <!-- rememberMe管理器 -->
    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
        <!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度（128 256 512 位）-->
        <property name="cipherKey"
                  value="#{T(org.apache.shiro.codec.Base64).decode('3AvVhmFLUs0KTA3Kprsdag==')}"/>
        <property name="cookie" ref="rememberMeCookie"/>
    </bean>
    
    <!-- 记住我功能设置session的Filter -->
    <bean id="RememberMeFilter" class="com.sys.shiro.RememberMeFilter" />
    
    <!-- rememberMeParam请求参数是 boolean 类型，true 表示 rememberMe -->
    <!-- shiro规定记住我功能最多得user级别的，不能到authc级别.所以如果使用authc，需打开此配置或重写实现rememberMe的过滤器 -->
    <!-- <bean id="formAuthenticationFilter" class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
        <property name="rememberMeParam" value="rememberMe"/>
    </bean> -->    
    
    <bean id="KickoutSessionControlFilter" class="com.sys.shiro.KickoutSessionControlFilter">
    </bean>
               
    
</beans>

1
2
3
<!-- 包含shiro的配置文件 -->
<import resource="classpath:applicationContext-shiro.xml"/>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 <!--启用shiro注解 -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true" />
    </bean>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>
    <!-- shiro为集成springMvc 拦截异常，使用注解时无权限的跳转 -->
    <bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
        <property name="exceptionMappings">
            <props>
                <!-- 这里你可以根据需要定义N多个错误异常转发 -->
                <prop key="org.apache.shiro.authz.UnauthorizedException">redirect:/unauthorized</prop>
                <prop key="org.apache.shiro.authz.UnauthenticatedException">redirect:/unauthorized</prop>
                <prop key="java.lang.IllegalArgumentException">/error</prop>  <!-- 参数错误(bizError.jsp) -->
                <prop key="java.lang.Exception">/error</prop>  <!-- 其他错误为'未定义错误'(unknowError.jsp) -->
            </props>
        </property>
    </bean>