在 applicationContext.xml 中:
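<!-- Main Shiro filter: every web request that Shiro should control must pass through it.
     The stray text that followed the closing bean tag has been removed; it is not valid
     content between bean definitions. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Intercepted requests are redirected to this login page. -->
    <property name="loginUrl" value="/login.jsp"/>
    <!-- Page shown when a user requests a resource they are not authorized for.
         NOTE(review): this is the same page as loginUrl, so a permission denial looks like a
         login prompt. A dedicated access-denied page makes denials easier to tell apart for
         users and in logs. -->
    <property name="unauthorizedUrl" value="/login.jsp"/>
    <!-- Static alternative, kept disabled: /security/*=anon needs no authentication,
         /tag=authc requires authentication. -->
    <!-- <property name="filterChainDefinitions">
<value>
/security/*=anon
/manager/text/*=user
</value>
</property> -->
    <!-- The filter chain map is supplied by the custom bean chainDefinitionSectionMetaSource. -->
    <property name="filterChainDefinitionMap" ref="chainDefinitionSectionMetaSource"/>
</bean>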
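<!-- Custom Realm. The stray text after the closing bean tag has been removed. -->
<bean id="myRealm" class="com.springmvc.shiro.MyRealm">
    <!-- NOTE(review): the credentialsMatcher wiring below is disabled. Unless MyRealm sets a
         matcher in its own code (not shown here), Shiro falls back to its default
         SimpleCredentialsMatcher, which compares the submitted and stored credentials
         directly. Confirm which matcher is in effect and that stored passwords are salted
         hashes rather than plain text. -->
    <!-- <property name="credentialsMatcher" ref="credentialsMatcher"/> -->
    <property name="cachingEnabled" value="true"/>
</bean>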
<!-- Cache manager: EhCache, configured from ehcache.xml on the classpath. -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile">
        <value>classpath:ehcache.xml</value>
    </property>
</bean>
<!-- 憑證匹配器 --> 如果要使用 Shiro 自帶的憑證匹配器,並且要設定迭代次數,就需要加鹽,這是由 SimpleHash 這個對象的參數決定的。
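<!-- Disabled alternative 1: a project-specific retry-limiting hashed credentials matcher that
     takes the cache manager as constructor argument. The stray text after each disabled
     block has been removed. -->
<!-- NOTE(review): MD5 with 2 iterations is far too weak for password storage. If this matcher
     is enabled, use a unique salt per user together with a stronger hash algorithm and a much
     higher iteration count, or a dedicated password-hashing scheme, and re-hash existing
     passwords when users next log in. -->
<!-- <bean id="credentialsMatcher" class="com.springmvc.shiro.credentials.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager"/>
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="2"/>
<property name="storedCredentialsHexEncoded" value="true"/>
</bean> -->
<!-- Disabled alternative 2: the passwords stored in the database are MD5 hashes (the original
     comment calls this encryption), so a matching credentials matcher has to be configured.
     NOTE(review): Md5CredentialsMatcher is deprecated in Shiro in favour of
     HashedCredentialsMatcher, and a single unsalted MD5 is not adequate for passwords. -->
<!-- <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.Md5CredentialsMatcher"></bean> -->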
<!-- Shiro security manager: wires together the realm, the cache manager and the session manager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
    <property name="cacheManager" ref="cacheManager"/>
    <property name="sessionManager" ref="sessionManager"/>
</bean>
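<!-- Custom source for filterChainDefinitionMap. The entries below are its static part, and
     every one of them maps to anon (no authentication required). The stray text after the
     closing bean tag has been removed. -->
<!-- NOTE(review): the authc lines inside <value> are wrapped in an XML comment, so they are
     not part of the property text and no static catch-all rule is in effect. A path that
     matches no chain entry is not handled by any Shiro filter and is served without
     authentication. The code of ChainDefinitionSectionMetaSource is not shown here; confirm
     that the map it builds ends with a catch-all such as /** = authc.
     Shiro applies the first matching entry, so the broad anon patterns /rest/** and /json/**
     take precedence over more specific rules placed after them. Narrow them to the
     endpoints that really must be public. -->
<bean id="chainDefinitionSectionMetaSource" class="com.springmvc.shiro.ChainDefinitionSectionMetaSource">
    <property name="filterChainDefinitions">
<value>
/js/** = anon
/images/** =anon
/rest/**=anon
/css/** =anon
/json/**=anon
/login/**=anon
/LoginController.do=anon
/manager/loginOut/**=anon
<!-- /*.html = authc
/*.do = authc
/*.json = authc
/* = authc -->
</value>
    </property>
</bean>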
如果不使用自定義 Realm,也可以使用 Shiro 自帶的 JdbcRealm:
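<!-- Disabled alternative: Shiro's built-in JdbcRealm. It names the credentials matcher used
     for password comparison, the data source that stores users, roles and permissions, and
     the lookup queries. Each query binds the user name or role through a ? placeholder.
     The stray text after the disabled block has been removed. -->
<!-- <bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
<property name="credentialsMatcher" ref="credentialsMatcher"></property>
<property name="permissionsLookupEnabled" value="true"></property>
<property name="dataSource" ref="dataSource"></property>
<property name="authenticationQuery" value="SELECT password FROM m_user WHERE user_name = ?"></property>
<property name="userRolesQuery" value="select r.role from m_role r,m_user u,m_user_role ur where r.id = ur.role_id and u.id = ur.user_id and u.user_name = ?"></property>
<property name="permissionsQuery" value="select distinct p.function_name from m_permission p,m_role r,m_role_permission rp where p.id = rp.function_id and r.id = rp.role_id and r.role = ?"></property>
</bean> -->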
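<!-- Enable Shiro annotation scanning. The stray text after the closing bean tag has been
     removed. -->
<!-- depends-on names a bean called lifecycleBeanPostProcessor. It is not defined in the
     configuration shown here and has to be declared elsewhere in the context. -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor">
    <!-- JDK proxies are the default. Classes that implement no interface can only be proxied
         with CGLIB, which this setting turns on. -->
    <property name="proxyTargetClass" value="true"/>
</bean>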
<!-- Advisor that applies Shiro's authorization annotations through the shared security manager. -->
<!-- NOTE(review): the advisor only reaches beans that are proxied in this application
     context. If annotated controllers are created in a separate servlet context, verify that
     their annotations are actually enforced. -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager">
        <ref bean="securityManager"/>
    </property>
</bean>
<!-- Session DAO: keeps active sessions in the cache named shiro-activeSessionCache and takes
     new session ids from the generator bean declared right after it. -->
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO">
    <property name="activeSessionsCacheName">
        <value>shiro-activeSessionCache</value>
    </property>
    <property name="sessionIdGenerator">
        <ref bean="sessionIdGenerator"/>
    </property>
</bean>
<!-- Session id generator based on java.util.UUID. -->
<bean id="sessionIdGenerator" class="org.apache.shiro.session.mgt.eis.JavaUuidSessionIdGenerator"></bean>
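<!-- Session validation scheduler. All sessions are scanned for expiry every 30 minutes
     (1800000 ms). The stray text after the closing bean tag has been removed. -->
<bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.quartz.QuartzSessionValidationScheduler">
    <property name="sessionValidationInterval" value="1800000"/>
    <!-- Refers back to the session manager, which in turn refers to this scheduler. -->
    <property name="sessionManager" ref="sessionManager"/>
</bean>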
<!-- Session manager. The global session timeout is 30 minutes (1800000 ms), and
     sessionValidationSchedulerEnabled decides whether the periodic expiry scan runs. -->
<!-- NOTE(review): no session cookie settings are configured here, so Shiro's defaults apply.
     For an HTTPS deployment, confirm that the session cookie carries the Secure flag. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
    <property name="globalSessionTimeout">
        <value>1800000</value>
    </property>
    <!-- Sessions found invalid during validation are deleted from the session DAO. -->
    <property name="deleteInvalidSessions">
        <value>true</value>
    </property>
    <property name="sessionValidationSchedulerEnabled">
        <value>true</value>
    </property>
    <property name="sessionValidationScheduler">
        <ref bean="sessionValidationScheduler"/>
    </property>
    <property name="sessionDAO">
        <ref bean="sessionDAO"/>
    </property>
</bean>
在 web.xml 中,需要在前端控制器之前配置 Shiro 攔截器:
<!-- Servlet filter entry for Shiro. DelegatingFilterProxy hands each request to the Spring
     bean whose id equals the filter name, here shiroFilter. -->
<filter>
    <filter-name>shiroFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- Lets the servlet container drive the init and destroy lifecycle of the target bean. -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<!-- Every URL goes through the Shiro filter.
     NOTE(review): with no dispatcher elements the mapping covers only direct client requests.
     Internal forwards, includes and error dispatches bypass the filter; add dispatcher
     elements if those paths need Shiro's checks as well. -->
<filter-mapping>
    <filter-name>shiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>