shiro权限配置

在applicationContext.xml中配置:

<!-- Main Shiro filter: only web requests that pass through this filter are subject to Shiro's access control. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Login page that intercepted requests are redirected to. -->
    <property name="loginUrl" value="/login.jsp"/>
    <!-- Page shown when a user requests a resource they are not authorized for.
         NOTE(review): this is the same page as loginUrl, so an authorization denial looks like a login prompt; confirm that this is intended. -->
    <property name="unauthorizedUrl" value="/login.jsp"/>
    <!-- Disabled static alternative. In this syntax /security/*=anon means no authentication is required and /tag=authc means authentication is required. -->
    <!-- <property name="filterChainDefinitions">
        <value>
            /security/*=anon
            /manager/text/*=user
        </value>
    </property> -->
    <!-- Use the custom, dynamically built filter chain map instead. -->
    <property name="filterChainDefinitionMap" ref="chainDefinitionSectionMetaSource"/>
</bean>

<!-- Application-specific Realm (com.springmvc.shiro.MyRealm; its code is not shown on this page). -->
<bean id="myRealm" class="com.springmvc.shiro.MyRealm">
    <!-- NOTE(review): the credentialsMatcher injection below is disabled. Unless MyRealm sets a matcher in code,
         Shiro's AuthenticatingRealm uses SimpleCredentialsMatcher, which compares the submitted and stored
         credentials directly with no hashing; confirm how passwords are stored and compared. -->
    <!-- <property name="credentialsMatcher" ref="credentialsMatcher"/> -->
    <!-- Turn on caching for this realm. -->
    <property name="cachingEnabled" value="true"/>
</bean>

<!-- Cache manager backed by Ehcache; its settings are read from ehcache.xml on the classpath. -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
</bean>

<!-- 凭证匹配器 --> 如果使用Shiro自带的凭证匹配器并且要设置迭代次数,就必须同时加盐,因为SimpleHash对象带迭代次数的构造参数中同时要求传入盐值。
<!-- <bean id="credentialsMatcher" class="com.springmvc.shiro.credentials.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager"/>
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="2"/>
<property name="storedCredentialsHexEncoded" value="true"/>
</bean> -->

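<!-- 数据库中保存的是密码的MD5散列值(MD5是散列算法,不是加密算法),所以这里需要配置一个密码匹配对象 -->
<!-- 注意:Md5CredentialsMatcher在Shiro中已被标记为过时,建议改用HashedCredentialsMatcher并设置hashAlgorithmName;MD5本身也不适合用于保存密码。 -->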
<!-- <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.Md5CredentialsMatcher"></bean> -->


<!-- Shiro security manager: wires together the realm, the cache manager and the session manager defined in this file. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
    <property name="cacheManager" ref="cacheManager"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>
<!-- Custom source for the shiroFilter bean's filterChainDefinitionMap (com.springmvc.shiro.ChainDefinitionSectionMetaSource; its code is not shown on this page). -->
<bean id="chainDefinitionSectionMetaSource" class="com.springmvc.shiro.ChainDefinitionSectionMetaSource">
<!-- Static rules: every path pattern listed in the value below is mapped to anon, i.e. reachable without logging in. -->
<!-- NOTE(review): the authc rules at the end of the value sit inside an XML comment, so they are not part of the text handed to this bean. Unless ChainDefinitionSectionMetaSource adds rules of its own, no path defined here requires authentication; verify against that class. -->
<!-- NOTE(review): Shiro applies the first pattern that matches, so a catch-all such as /** = authc has to come after every more specific rule; /* covers a single path segment only. -->
<!-- NOTE(review): /rest/** and /json/** are anonymous; confirm that nothing served under them needs a logged-in user. -->
<property name="filterChainDefinitions">
<value>
/js/** = anon
/images/** =anon
/rest/**=anon
/css/** =anon
/json/**=anon
/login/**=anon
/LoginController.do=anon
/manager/loginOut/**=anon
<!-- /*.html = authc
/*.do = authc
/*.json = authc
/* = authc -->
</value>
</property>
</bean>

如果不使用自定义Realm,也可以使用Shiro自带的JdbcRealm:

<!--使用Shiro自带的JdbcRealm类,指定密码匹配所需要用到的加密对象,指定存储用户、角色、权限许可的数据源及相关查询语句-->
<!-- <bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"></property>
<property name="permissionsLookupEnabled" value="true"></property>
<property name="dataSource" ref="dataSource"></property>
<property name="authenticationQuery" value="SELECT password FROM m_user WHERE user_name = ?"></property>
<property name="userRolesQuery" value="select r.role from m_role r,m_user u,m_user_role ur where r.id = ur.role_id and u.id = ur.user_id and u.user_name = ?"></property>
<property name="permissionsQuery" value="select distinct p.function_name from m_permission p,m_role r,m_role_permission rp where p.id = rp.function_id and r.id = rp.role_id and r.role = ?"></property>
</bean> -->

<!-- Enable processing of Shiro annotations through Spring AOP auto-proxying. -->
<!-- NOTE(review): depends-on names lifecycleBeanPostProcessor, which is not defined in this snippet; it has to be
     declared elsewhere in the context (Shiro ships org.apache.shiro.spring.LifecycleBeanPostProcessor for this). -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor">
    <!-- JDK proxies are the default; when the proxied class implements no interface, this setting is required to switch to CGLIB proxies. -->
    <property name="proxyTargetClass" value="true"/>
</bean>

<!-- Advisor for Shiro's authorization annotations; it is given the securityManager bean to perform the checks. -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>
<!-- Session DAO: keeps active sessions in the cache named shiro-activeSessionCache. -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
    <property name="activeSessionsCacheName" value="shiro-activeSessionCache"/>
    <!-- Generator used to create the id of each new session. -->
    <property name="sessionIdGenerator" ref="sessionIdGenerator"/>
</bean>
<!-- Session id generator referenced by the sessionDAO bean. -->
<bean id="sessionIdGenerator"
      class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"/>

<!-- Session validation scheduler. -->
<!-- Global session check: sessions are scanned every 30 minutes (1800000 ms). -->
<!-- NOTE(review): QuartzSessionValidationScheduler presumably requires Shiro's Quartz support module on the classpath; confirm against the project's dependencies. -->
<bean id="sessionValidationScheduler"
      class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
    <property name="sessionValidationInterval" value="1800000"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>

<!-- Session manager. -->
<!-- The global session timeout is 30 minutes (1800000 ms); sessionValidationSchedulerEnabled switches the periodic scan on or off. -->
<!-- NOTE(review): no sessionIdCookie is configured here, so Shiro's default session cookie settings apply; if the
     application is served over HTTPS, check whether the cookie's secure attribute should be set. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout" value="1800000"/>
    <!-- Remove sessions from the session store once they are found to be invalid. -->
    <property name="deleteInvalidSessions" value="true"/>
    <property name="sessionValidationSchedulerEnabled" value="true"/>
    <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/>
    <property name="sessionDAO" ref="sessionDAO"/>
</bean>

在web.xml中,需要在前端控制器之前配置Shiro过滤器:

<!-- Servlet filter entry for Shiro. DelegatingFilterProxy hands each request to the Spring bean whose name
     equals the filter-name, here the shiroFilter bean from applicationContext.xml. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <!-- targetFilterLifecycle=true passes the container's init and destroy calls on to the target bean. -->
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Route every request path through shiroFilter. -->
<!-- NOTE(review): with no dispatcher elements the container applies this mapping to direct client requests only;
     forwarded, included and error dispatches do not pass through the filter. If those must be covered, list the
     dispatcher types explicitly. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

原文地址:https://www.cnblogs.com/hopeful8859-1/p/7503636.html