Shiro integration with Spring, workflow, and DelegatingFilterProxy
1. Integrating with Spring
References:
Create a new web project:
ehcache-core comes from Hibernate
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <display-name>shiro-2</display-name>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>user.jsp</welcome-file>
    </welcome-file-list>

    <!-- 1. Configure shiroFilter -->
    <!-- See the official documentation -->
    <!-- DelegatingFilterProxy is actually a proxy object for a Filter. By default, Spring
         looks in the IOC container for the filter bean whose name matches filter-name.
         The id of the filter bean can also be set with the targetBeanName init parameter. -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
spring-servlet.xml
<!-- Scan this package for annotated components -->
<context:component-scan base-package="com.MrChengs.shiro"></context:component-scan>

<!-- Resolve a view name to the JSP of the same name under the web root -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/"></property>
    <property name="suffix" value=".jsp"></property>
</bean>

<mvc:annotation-driven></mvc:annotation-driven>
<mvc:default-servlet-handler/>
ehcache.xml comes from
applicationContext.xml
<!-- 1. Configure the SecurityManager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="realm" ref="jdbcRealm"/>
</bean>

<!-- 2. Configure the CacheManager
     2.1 Requires the ehcache jar and configuration file -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one. If not,
         a new one will be created with a default config:
         <property name="cacheManager" ref="ehCacheManager"/> -->
    <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject, but
         you want a specific Ehcache configuration to be used, specify that here. If you
         don't, a default will be used.: -->
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
</bean>

<!-- 3. Configure the Realm
     3.1 A bean that directly implements the Realm interface -->
<bean id="jdbcRealm" class="com.MrChengs.shiro.realms.ShiroRealm">
</bean>

<!-- 4. The LifecycleBeanPostProcessor automatically calls the lifecycle methods of the
     Shiro beans in the Spring IOC container -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- Enable Shiro Annotations for Spring-configured beans. Only run after the
     lifecycleBeanProcessor has run: -->
<!-- 5. Enable Shiro annotations in the IOC container; this only works once
     lifecycleBeanProcessor has been configured -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

<!-- 6. Configure the ShiroFilterFactoryBean
     The id must match the filter-name of the DelegatingFilterProxy in web.xml.
     If it does not, this exception is thrown:
     org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shiroFilter' is defined
     because Shiro looks in the IOC container for <filter-name> and -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Login page -->
    <property name="loginUrl" value="/login.jsp"/>
    <!-- Page shown after a successful login -->
    <property name="successUrl" value="/list.jsp"/>
    <!-- Page shown when the user lacks permission -->
    <property name="unauthorizedUrl" value="/unauthor.jsp"/>
    <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter
         bean defined will be automatically acquired and available via its beanName in
         chain definitions, but you can perform overrides or parent/child consolidated
         configuration here if you like: -->
    <!-- <property name="filters">
             <util:map>
                 <entry key="aName" value-ref="someFilterPojo"/>
             </util:map>
         </property> -->
    <!-- Configure which pages are protected and the permissions needed to access them
         1) anon: can be accessed anonymously
         2) authc: pages that can only be accessed after authentication, i.e. after login -->
    <property name="filterChainDefinitions">
        <value>
            /login.jsp = anon
            # everything else requires authentication:
            /** = authc
        </value>
    </property>
</bean>
At this point, requesting any of the JSP pages automatically ends up at the URL below by default:
http://localhost:8081/shiro-2/login.jsp
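2. Workflow
Integration with the web
--- Shiro provides support for web integration: it uses the ShiroFilter entry point to intercept the URLs that need security control and then applies the corresponding control.
--- ShiroFilter is similar to the front controller of web frameworks such as Struts2/Spring MVC. It is the entry point for security control: it reads the configuration and then decides whether a URL requires login/permissions, and so on.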
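An added example, not part of the original post: the filterChainDefinitions from section 1 extended to show how ShiroFilter makes that per-URL decision. Shiro checks the definitions from top to bottom and the first matching pattern wins, so narrow rules must come before the catch-all. The /static, /logout and /admin paths and the admin role are assumptions made for illustration.

```xml
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <!-- a failed roles[...] check sends the logged-in user here -->
    <property name="unauthorizedUrl" value="/unauthor.jsp"/>
    <property name="filterChainDefinitions">
        <value>
            # public: reachable without a session
            /login.jsp = anon
            /static/** = anon
            # built-in logout filter: ends the session
            /logout = logout
            # hypothetical admin area: login AND the admin role
            /admin/** = authc, roles[admin]
            # catch-all stays last: everything else requires login
            /** = authc
        </value>
    </property>
</bean>

<!-- Misordered variant to check for in review: the catch-all matches first,
     so the roles[admin] rule below it is never consulted and any logged-in
     user reaches /admin/**.

         /** = authc
         /admin/** = authc, roles[admin]
-->
```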
3. Configuring DelegatingFilterProxy
Two methods:
Make the two names identical
or use the method shown in the figure below
Anything else throws an error!!!
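An added example, not from the original post, of the second method: the filter-name differs from the bean id, and the targetBeanName init parameter mentioned in the web.xml comment above names the bean explicitly. The filter name securityFilter is a hypothetical name; shiroFilter is the bean id from applicationContext.xml on this page.

```xml
<!-- web.xml -->
<filter>
    <!-- hypothetical name; it no longer has to equal the bean id -->
    <filter-name>securityFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- id of the ShiroFilterFactoryBean in applicationContext.xml -->
        <param-name>targetBeanName</param-name>
        <param-value>shiroFilter</param-value>
    </init-param>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext.xml: unchanged, the bean keeps its id -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
</bean>

<!-- If targetBeanName is removed while the names still differ, Spring looks for a
     bean named securityFilter and fails with NoSuchBeanDefinitionException. -->
```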