本文介绍了一种使用Spring配置Shiro进行权限管理的方法,详细展示了如何配置安全管理器、会话管理器、凭证匹配器等核心组件,并实现了自定义过滤器以增强系统的登录认证功能。
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="cacheManager" ref="cacheManager"/>
<property name="rememberMeManager" ref="rememberMeManager"/>
</bean>
<!-- 会话管理器 -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<!-- 设置全局会话超时时间,默认30分钟(1800000) -->
<property name="globalSessionTimeout" value="1800000"/>
<!-- 是否在会话过期后会调用SessionDAO的delete方法删除会话 默认true-->
<property name="deleteInvalidSessions" value="false"/>
<!-- 是否开启会话验证器任务 默认true -->
<property name="sessionValidationSchedulerEnabled" value="true"/>
<property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
<property name="sessionFactory" ref="sessionFactory"/>
<property name="sessionDAO" ref="sessionDAO"/>
<!-- 默认JSESSIONID,同tomcat/jetty在cookie中缓存标识相同,修改用于防止访问404页面时,容器生成的标识把shiro的覆盖掉 -->
<property name="sessionIdCookieEnabled" value="true"/>
<property name="sessionIdCookie" ref="sessionIdCookie"/>
<property name="sessionListeners" >
<list>
<bean class="zxz.framework.shiro.session.listener.ShiroSessionListener"/>
</list>
</property>
</bean>
<!-- 自定义Session工厂方法 返回会标识是否修改主要字段的自定义Session-->
<bean id="sessionFactory" class="zxz.framework.shiro.session.factory.ShiroSessionFactory"/>
<!-- 缓存管理器 -->
<bean id="cacheManager" class="zxz.framework.shiro.spring.SpringCacheManagerWrapper">
<property name="cacheManager" ref="springCacheManager"/>
</bean>
<!-- 凭证匹配器 -->
<bean id="credentialsMatcher" class="zxz.framework.shiro.credentials.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager"/>
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="2"/>
<property name="storedCredentialsHexEncoded" value="true"/>
</bean>
<!-- Realm实现 -->
<bean id="userRealm" class="zxz.framework.shiro.realm.UserRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
<property name="cachingEnabled" value="false"/>
<!--<property name="authenticationCachingEnabled" value="true"/>-->
<!--<property name="authenticationCacheName" value="authenticationCache"/>-->
<!--<property name="authorizationCachingEnabled" value="true"/>-->
<!--<property name="authorizationCacheName" value="authorizationCache"/>-->
</bean>
<!-- 会话ID生成器 -->
<bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
<!-- 会话Cookie模板 -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg name="name" value="SHRIOSESSIONID"/>
<property name="httpOnly" value="true"/>
<property name="maxAge" value="-1"/>
</bean>
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe"/>
<property name="httpOnly" value="true"/>
<property name="maxAge" value="2592000"/><!-- 30天 -->
</bean>
<!-- rememberMe管理器 -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)-->
<property name="cipherKey"
value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/>
<property name="cookie" ref="rememberMeCookie"/>
</bean>
<!-- 默认 会话DAO -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
<property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
<property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- redis 会话同步 brgin-->
<!-- <bean id="sessionDAO" class="zxz.framework.shiro.session.dao.RedisSessionDao"></bean> -->
<!-- 自定义人redis缓存, 注意中央缓存有效时间要比本地缓存有效时间长 -->
<bean id="sessionDAO" class="zxz.framework.shiro.session.dao.CachingShiroSessionDao">
<property name="prefix" value="ShiroSession_"/>
<property name="seconds" value="1800000"/>
</bean>
<!-- 会话验证调度器 : 定时清理僵尸session,Shiro会启用一个后台守护线程定时执行清理操作用户直接关闭浏览器造成的孤立会话 -->
<bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
<!-- 会话验证器调度时间 -->
<property name="sessionValidationInterval" value="1800000"/>
<property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
<!-- 访问路径校验 -->
<bean id="sysUserFilter" class="zxz.framework.shiro.filter.SysUserFilter"/>
<!-- 自定义基于Form表单的身份验证过滤器 -->
<bean id="sysUserFormFilter" class="zxz.framework.shiro.filter.SysUserFormAuthenticationFilter">
<property name="usernameParam" value="username"/>
<property name="passwordParam" value="password"/>
<property name="rememberMeParam" value="rememberMe"/>
<property name="loginUrl" value="/loginPage"/>
</bean>
<!-- 默认基于Form表单的身份验证过滤器 -->
<!-- <bean id="formAuthenticationFilter" class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
<property name="usernameParam" value="username"/>
<property name="passwordParam" value="password"/>
<property name="rememberMeParam" value="rememberMe"/>
<property name="loginUrl" value="/"/>
</bean> -->
<bean id="kickoutSessionControlFilter" class="zxz.framework.shiro.filter.KickoutSessionControlFilter">
<property name="cacheManager" ref="cacheManager"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="kickoutAfter" value="false"/>
<property name="maxSession" value="1"/>
<property name="kickoutUrl" value="/loginPage"/>
</bean>
<bean id="loginControlFilter" class="zxz.framework.shiro.filter.LoginFilter">
<property name="loginUrl" value="/loginPage"/>
</bean>
<!-- Shiro的Web过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/loginPage"/>
<!-- 登陆成功后的一面 -->
<property name="successUrl" value="/system/welcome"/>
<property name="filters">
<util:map>
<entry key="authc" value-ref="sysUserFormFilter"/>
<entry key="sysUser" value-ref="sysUserFilter"/>
<entry key="kickout" value-ref="kickoutSessionControlFilter"/>
<entry key="login" value-ref="loginControlFilter"/>
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
/static/**=anon
/code/captchaImage=anon
/loginPage=anon
/system/logout=anon
/system/login=anon
/=login
/** = kickout,authc,sysUser
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
</beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="cacheManager" ref="cacheManager"/>
<property name="rememberMeManager" ref="rememberMeManager"/>
</bean>
<!-- 会话管理器 -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<!-- 设置全局会话超时时间,默认30分钟(1800000) -->
<property name="globalSessionTimeout" value="1800000"/>
<!-- 是否在会话过期后会调用SessionDAO的delete方法删除会话 默认true-->
<property name="deleteInvalidSessions" value="false"/>
<!-- 是否开启会话验证器任务 默认true -->
<property name="sessionValidationSchedulerEnabled" value="true"/>
<property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
<property name="sessionFactory" ref="sessionFactory"/>
<property name="sessionDAO" ref="sessionDAO"/>
<!-- 默认JSESSIONID,同tomcat/jetty在cookie中缓存标识相同,修改用于防止访问404页面时,容器生成的标识把shiro的覆盖掉 -->
<property name="sessionIdCookieEnabled" value="true"/>
<property name="sessionIdCookie" ref="sessionIdCookie"/>
<property name="sessionListeners" >
<list>
<bean class="zxz.framework.shiro.session.listener.ShiroSessionListener"/>
</list>
</property>
</bean>
<!-- 自定义Session工厂方法 返回会标识是否修改主要字段的自定义Session-->
<bean id="sessionFactory" class="zxz.framework.shiro.session.factory.ShiroSessionFactory"/>
<!-- 缓存管理器 -->
<bean id="cacheManager" class="zxz.framework.shiro.spring.SpringCacheManagerWrapper">
<property name="cacheManager" ref="springCacheManager"/>
</bean>
<!-- 凭证匹配器 -->
<bean id="credentialsMatcher" class="zxz.framework.shiro.credentials.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager"/>
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="2"/>
<property name="storedCredentialsHexEncoded" value="true"/>
</bean>
<!-- Realm实现 -->
<bean id="userRealm" class="zxz.framework.shiro.realm.UserRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"/>
<property name="cachingEnabled" value="false"/>
<!--<property name="authenticationCachingEnabled" value="true"/>-->
<!--<property name="authenticationCacheName" value="authenticationCache"/>-->
<!--<property name="authorizationCachingEnabled" value="true"/>-->
<!--<property name="authorizationCacheName" value="authorizationCache"/>-->
</bean>
<!-- 会话ID生成器 -->
<bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>
<!-- 会话Cookie模板 -->
<bean id="sessionIdCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg name="name" value="SHRIOSESSIONID"/>
<property name="httpOnly" value="true"/>
<property name="maxAge" value="-1"/>
</bean>
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<constructor-arg value="rememberMe"/>
<property name="httpOnly" value="true"/>
<property name="maxAge" value="2592000"/><!-- 30天 -->
</bean>
<!-- rememberMe管理器 -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<!-- rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)-->
<property name="cipherKey"
value="#{T(org.apache.shiro.codec.Base64).decode('4AvVhmFLUs0KTA3Kprsdag==')}"/>
<property name="cookie" ref="rememberMeCookie"/>
</bean>
<!-- 默认 会话DAO -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
<property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
<property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- redis 会话同步 brgin-->
<!-- <bean id="sessionDAO" class="zxz.framework.shiro.session.dao.RedisSessionDao"></bean> -->
<!-- 自定义人redis缓存, 注意中央缓存有效时间要比本地缓存有效时间长 -->
<bean id="sessionDAO" class="zxz.framework.shiro.session.dao.CachingShiroSessionDao">
<property name="prefix" value="ShiroSession_"/>
<property name="seconds" value="1800000"/>
</bean>
<!-- 会话验证调度器 : 定时清理僵尸session,Shiro会启用一个后台守护线程定时执行清理操作用户直接关闭浏览器造成的孤立会话 -->
<bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
<!-- 会话验证器调度时间 -->
<property name="sessionValidationInterval" value="1800000"/>
<property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>
<property name="arguments" ref="securityManager"/>
</bean>
<!-- 访问路径校验 -->
<bean id="sysUserFilter" class="zxz.framework.shiro.filter.SysUserFilter"/>
<!-- 自定义基于Form表单的身份验证过滤器 -->
<bean id="sysUserFormFilter" class="zxz.framework.shiro.filter.SysUserFormAuthenticationFilter">
<property name="usernameParam" value="username"/>
<property name="passwordParam" value="password"/>
<property name="rememberMeParam" value="rememberMe"/>
<property name="loginUrl" value="/loginPage"/>
</bean>
<!-- 默认基于Form表单的身份验证过滤器 -->
<!-- <bean id="formAuthenticationFilter" class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
<property name="usernameParam" value="username"/>
<property name="passwordParam" value="password"/>
<property name="rememberMeParam" value="rememberMe"/>
<property name="loginUrl" value="/"/>
</bean> -->
<bean id="kickoutSessionControlFilter" class="zxz.framework.shiro.filter.KickoutSessionControlFilter">
<property name="cacheManager" ref="cacheManager"/>
<property name="sessionManager" ref="sessionManager"/>
<property name="kickoutAfter" value="false"/>
<property name="maxSession" value="1"/>
<property name="kickoutUrl" value="/loginPage"/>
</bean>
<bean id="loginControlFilter" class="zxz.framework.shiro.filter.LoginFilter">
<property name="loginUrl" value="/loginPage"/>
</bean>
<!-- Shiro的Web过滤器 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/loginPage"/>
<!-- 登陆成功后的一面 -->
<property name="successUrl" value="/system/welcome"/>
<property name="filters">
<util:map>
<entry key="authc" value-ref="sysUserFormFilter"/>
<entry key="sysUser" value-ref="sysUserFilter"/>
<entry key="kickout" value-ref="kickoutSessionControlFilter"/>
<entry key="login" value-ref="loginControlFilter"/>
</util:map>
</property>
<property name="filterChainDefinitions">
<value>
/static/**=anon
/code/captchaImage=anon
/loginPage=anon
/system/logout=anon
/system/login=anon
/=login
/** = kickout,authc,sysUser
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
</beans>
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
