Shiro引入Spring

添加jar包/maven配置

<!-- shiro支持 -->

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-core</artifactId>

<version>1.2.4</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-web</artifactId>

<version>1.2.4</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-spring</artifactId>

<version>1.2.4</version>

</dependency>

<!-- 缓存 注解 -->

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-aspectj</artifactId>

<version>1.2.4</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-ehcache</artifactId>

<version>1.2.4</version>

</dependency>

添加spring-shiro.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"

xmlns:context="http://www.springframework.org/schema/context"

xmlns:aop="http://www.springframework.org/schema/aop"

xmlns:tx="http://www.springframework.org/schema/tx"

xsi:schemaLocation="http://www.springframework.org/schema/beans

        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

        http://www.springframework.org/schema/context

        http://www.springframework.org/schema/context/spring-context-3.0.xsd

        http://www.springframework.org/schema/aop

        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

        http://www.springframework.org/schema/tx

        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

<context:annotation-config />

<!-- 自定义Realm -->

<bean id="myRealm" class="shiro03.realm.MyRealm"/>

<!-- 安全管理器 -->

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="myRealm"/>

</bean>

<!-- 配置任何角色 -->

<bean id="anyofroles" class="shiro03.realm.AnyOfRolesAuthorizationFilter"/>

<!-- Shiro过滤器 -->

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<!-- Shiro的核心安全接口,这个属性是必须的 -->

<property name="securityManager" ref="securityManager"/>

<!-- 身份认证失败，则跳转到登录页面的配置 -->

<property name="loginUrl" value="/index.jsp"/>

<!-- 权限认证失败，则跳转到指定页面 -->

<property name="unauthorizedUrl" value="/unauthorized.jsp"/>

<!-- <property name="anyofroles" ref="anyofroles"/> -->

<!-- Shiro连接约束配置,即过滤链的定义 -->

<property name="filterChainDefinitions">

<value>

/login=anon

/admin*=authc

/student=anyofroles["admin,teacher"]

/teacher=roles[admin]

</value>

</property>

</bean>

<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- 开启Shiro注解 -->

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>

<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">

<property name="securityManager" ref="securityManager"/>

</bean>

</beans>

自定义Realm类MyRealm.java

public class MyRealm extends AuthorizingRealm{

@Resource

private UserService userService;

/**

* 为当限前登录的用户授予角色和权

*/

@Override

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

String userName=(String)principals.getPrimaryPrincipal();

SimpleAuthorizationInfo authorizationInfo=new SimpleAuthorizationInfo();

authorizationInfo.setRoles(userService.getRoles(userName));

authorizationInfo.setStringPermissions(userService.getPermissions(userName));

return authorizationInfo;

}

/**

* 验证当前登录的用户

*/

@Override

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

String userName=(String)token.getPrincipal();

User user=userService.getByUserName(userName);

if(user!=null){

AuthenticationInfo authcInfo=new SimpleAuthenticationInfo(user.getUserName(),user.getPassword(),"xx");

return authcInfo;

}else{

return null;

}

}

}

自定义角色过滤器AnyOfRolesAuthorizationFilter.java

当一个角色有多个功能模块页面的权限时，会出现权限失效问题，无法配置，需要自己定义角色过滤器。

public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter{

@Override

public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)

throws IOException {

Subject subject = getSubject(request, response);

String[] rolesArray = (String[]) mappedValue;

if (rolesArray == null || rolesArray.length == 0) {

return true;

}

for (String roleName : rolesArray) {

if (subject.hasRole(roleName)) {

return true;

}

}

return false;

}

}