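To use Shiro for access control in a web project (mainly the two parts authentication and authorization), the first task is to configure the environment. The main steps are: add the jar files, configure web.xml, and configure applicationContext.xml. The detailed steps follow.
1. In addition to the jars of the Spring project itself, add four more jars: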
(1)shiro-all-1.2.5.jar
(2)slf4j-api-1.7.7.jar
(3)slf4j-log4j12-1.7.7.jar
(4)log4j-1.2.17.jar
2. First, configure web.xml
Refer to the official documentation.
A filter, the Shiro filter, has to be configured in web.xml:
<!-- 1. Configure shiroFilter -->
<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Make sure any request you want accessible to Shiro is filtered. /* catches all -->
<!-- requests. Usually this filter mapping is defined first (before all others) to -->
<!-- ensure that Shiro works in subsequent filters in the filter chain: -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Setting the url-pattern element to /* makes the filter intercept every request.
3. Configure applicationContext.xml. This takes six main steps.
(1) The very important core of Shiro: the securityManager configuration
<!--
1. Configure SecurityManager
-->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"></property>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="realm" ref="myRealm"/>
    <!-- By default the servlet container sessions will be used. Uncomment this line
    to use shiro's native sessions (see the JavaDoc for more): -->
    <!-- <property name="sessionMode" value="native"/> -->
</bean>
securityManager has two properties: realm, which talks to the underlying data layer, and cacheManager, which uses a caching tool (for example ehcache or redis) to improve efficiency. Here we use ehcache. These two beans are configured next.
(2) Configure cacheManager
<!--
2. Configure cacheManager: import the ehcache jar and add the configuration file
-->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile"
              value="classpath:ehcache.xml">
    </property>
</bean>
This step has two parts.
First, add the ehcache jar, ehcache-core-2.6.11.jar
Second, add the ehcache.xml configuration file to the classpath
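(3) Configure the realm
<!--
3. Configure the realm: shiroRealm, a self-written class that implements the Realm interface
-->
<bean id="myRealm" class="com.sc.testshiro.realms.shiroRealm">
</bean>
The realm here is a class we wrote ourselves; it implements the Realm interface and its abstract methods.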
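The page does not show the realm class, so the following is an added example, not the original author's code, of what the class behind the myRealm bean could look like. It assumes the realm extends Shiro's AuthorizingRealm (which implements Realm) instead of implementing the interface directly; the account, password, salt and role are constructed demo values.

```java
package com.sc.testshiro.realms;

import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

// Class name kept lowercase so it matches the myRealm bean definition above.
public class shiroRealm extends AuthorizingRealm {
    private static final String ALG = "SHA-256";
    private static final int ITERATIONS = 1024;
    // Constructed demo account; a real realm reads the salted hash from its user store.
    private static final String DEMO_USER = "alice";
    private static final ByteSource DEMO_SALT = ByteSource.Util.bytes("constructed-salt");
    private static final String DEMO_HASH =
            new SimpleHash(ALG, "constructed-password", DEMO_SALT, ITERATIONS).toHex();

    public shiroRealm() {
        // Shiro hashes the submitted password with the same parameters before comparing.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALG);
        matcher.setHashIterations(ITERATIONS);
        setCredentialsMatcher(matcher);
    }

    @Override // authentication: invoked through securityManager on Subject.login(token)
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        if (!DEMO_USER.equals(username)) {
            throw new UnknownAccountException("unknown account");
        }
        // Return the stored hash and salt; the credentials matcher does the comparison.
        return new SimpleAuthenticationInfo(username, DEMO_HASH, DEMO_SALT, getName());
    }

    @Override // authorization: consulted for role/permission checks and Shiro annotations
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        if (DEMO_USER.equals(principals.getPrimaryPrincipal())) {
            info.addRole("user"); // constructed role name
        }
        return info;
    }
}
```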
(4) Configure lifecycleBeanPostProcessor
<!--
4. Configure lifecycleBeanPostProcessor
-->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
Registering this bean lets the IoC container manage the lifecycle of Shiro's beans, that is, their initialization and destruction.
(5) Enable Shiro annotations. Note: this only takes effect if step (4) has been configured.
<!--
5. Enable Shiro annotations in the IoC container
-->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"></property>
</bean>
(6) The key step: configure shiroFilter
<!--
6. Configure shiroFilter
-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- override these for application-specific URLs if you like:-->
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/list.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean -->
    <!-- defined will be automatically acquired and available via its beanName in chain -->
    <!-- definitions, but you can perform instance overrides or name aliases here if you like: -->
    <!-- <property name="filters">
        <util:map>
            <entry key="anAlias" value-ref="someFilter"/>
        </util:map>
    </property> -->
    <property name="filterChainDefinitions">
        <value>
            /login.jsp = anon
            /** = authc
        </value>
    </property>
</bean>
Note that the name of the shiroFilter bean here must be the same as the name of the filter configured in web.xml.
The filterChainDefinitions entries are evaluated from top to bottom and the first matching pattern wins, so /login.jsp = anon has to come before /** = authc.