Shiro与Spring整合

Shiro引入Spring

       添加jar包/maven配置

<!-- shiro支持 -->

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-core</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-web</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-spring</artifactId>

           <version>1.2.4</version>

       </dependency>

       <!-- 缓存 注解 -->

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-aspectj</artifactId>

           <version>1.2.4</version>

       </dependency>

       <dependency>

           <groupId>org.apache.shiro</groupId>

           <artifactId>shiro-ehcache</artifactId>

           <version>1.2.4</version>

        </dependency>

添加spring-shiro.xml配置文件

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"

    xmlns:context="http://www.springframework.org/schema/context"

    xmlns:aop="http://www.springframework.org/schema/aop"

    xmlns:tx="http://www.springframework.org/schema/tx"

    xsi:schemaLocation="http://www.springframework.org/schema/beans

        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

        http://www.springframework.org/schema/context

        http://www.springframework.org/schema/context/spring-context-3.0.xsd

        http://www.springframework.org/schema/aop

        http://www.springframework.org/schema/aop/spring-aop-3.0.xsd

        http://www.springframework.org/schema/tx

        http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">

       

    <context:annotation-config />

    <!-- 自定义Realm -->

    <bean id="myRealm" class="shiro03.realm.MyRealm"/>

   

    <!-- 安全管理器 -->

    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> 

      <property name="realm" ref="myRealm"/> 

    </bean>

   

    <!-- 配置任何角色 -->

    <bean id="anyofroles" class="shiro03.realm.AnyOfRolesAuthorizationFilter"/>

   

    <!-- Shiro过滤器 -->

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> 

        <!-- Shiro的核心安全接口,这个属性是必须的 --> 

        <property name="securityManager" ref="securityManager"/>

        <!-- 身份认证失败，则跳转到登录页面的配置 --> 

        <property name="loginUrl" value="/index.jsp"/>

        <!-- 权限认证失败，则跳转到指定页面 --> 

        <property name="unauthorizedUrl" value="/unauthorized.jsp"/>

        <!-- <property name="anyofroles" ref="anyofroles"/> -->

        <!-- Shiro连接约束配置,即过滤链的定义 --> 

        <property name="filterChainDefinitions"> 

            <value> 

                 /login=anon

              /admin*=authc

              /student=anyofroles["admin,teacher"]

              /teacher=roles[admin]

            </value> 

        </property>

    </bean>

   

    <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> 

    <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/> 

   

    <!-- 开启Shiro注解 -->

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/> 

        <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> 

      <property name="securityManager" ref="securityManager"/> 

    </bean>

</beans>

自定义Realm类MyRealm.java

public class MyRealm extends AuthorizingRealm{

    @Resource

    private UserService userService;

    /**

     * 为当限前登录的用户授予角色和权

     */

    @Override

    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

       String userName=(String)principals.getPrimaryPrincipal();

       SimpleAuthorizationInfo authorizationInfo=new SimpleAuthorizationInfo();

       authorizationInfo.setRoles(userService.getRoles(userName));

       authorizationInfo.setStringPermissions(userService.getPermissions(userName));

       return authorizationInfo;

    }

    /**

     * 验证当前登录的用户

     */

    @Override

    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

       String userName=(String)token.getPrincipal();

           User user=userService.getByUserName(userName);

           if(user!=null){

              AuthenticationInfo authcInfo=new SimpleAuthenticationInfo(user.getUserName(),user.getPassword(),"xx");

              return authcInfo;

           }else{

              return null;            

           }

    }

}

自定义角色过滤器AnyOfRolesAuthorizationFilter.java

       当一个角色有多个功能模块页面的权限时，会出现权限失效问题，无法配置，需要自己定义角色过滤器。

public class AnyOfRolesAuthorizationFilter extends RolesAuthorizationFilter{

    @Override

    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)

           throws IOException {

       Subject subject = getSubject(request, response);

        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {

            return true;

        }

        for (String roleName : rolesArray) {

            if (subject.hasRole(roleName)) {

                return true;

            }

        }

       return false;

    }

}