shiro整合spring&工作流程&DelegatingFilterProxy

Spring ApacheShiro · 發表 2018-11-18 12:38:00

摘要： 1.整合Spring 參考文獻：新建web工程： ehcache-core來自Hibernate wen.xml <?xml version="1.0" encoding="UTF-8"?> <...

1.整合Spring

參考文獻：

新建web工程：

ehcache-core來自Hibernate

wen.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns="http://xmlns.jcp.org/xml/ns/javaee"xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaeehttp://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"version="3.1">
<display-name>shiro-2</display-name>

<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>


<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

<welcome-file-list>
<welcome-file>user.jsp</welcome-file>
</welcome-file-list>

<!-- 1.配置shiroFilter -->
<!-- 參考官方文件 -->
DelegatingFilterProxy實際上是Filter的一個帶啦物件，預設情況下，spring會到IOC/">IOC容器中查詢和filter-name對應的filter bean ，也可以通過targetBeanName
的初始化引數來配置filter的bean的id
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

</web-app>

spring-servlet.xml

<context:component-scanbase-package="com.MrChengs.shiro"></context:component-scan>
<beanclass="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/"></property>
<property name="suffix" value=".jsp"></property>
</bean>
<mvc:annotation-driven></mvc:annotation-driven>
<mvc:default-servlet-handler/>

ehcache.xml來自

applicationContext.xml

<!--
1.配置SecurityManager
-->
<bean id="securityManager"class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="cacheManager" ref="cacheManager"/>
<!-- Single realm app.If you have multiple realms, usethe 'realms' property instead. -->

<property name="realm" ref="jdbcRealm"/>
</bean>


<!--
2. 配置CacheManager
2.1需要加入ehcache的jar和配置檔案
-->
<bean id="cacheManager"class="org.apache.shiro.cache.ehcache.EhCacheManager">
<!-- Set a net.sf.ehcache.CacheManager instance here ifyou already have one.If not, a new one
will be creaed with a default config:
<property name="cacheManager" ref="ehCacheManager"/>-->
<!-- If you don't have a pre-builtnet.sf.ehcache.CacheManager instance to inject, but you want
a specific Ehcache configuration to be used, specifythat here.If you don't, a default
will be used.: -->

<property name="cacheManagerConfigFile"value="classpath:ehcache.xml"/>
</bean>

<!--
3.配置Realm
3.1直接實現Realm介面的bean
-->
<bean id="jdbcRealm"class="com.MrChengs.shiro.realms.ShiroRealm">

</bean>


<!--
4.生命週期的LifecycleBeanPostProcessor，可以自動來呼叫在springIOC容器中shiro bean的生命週期的方法
-->
<bean id="lifecycleBeanPostProcessor"class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enable Shiro Annotations for Spring-configured beans.Only run after
the lifecycleBeanProcessor has run: -->
<!--
5.啟用IOC容器中shiro註解，但是必須在配置了lifecycleBeanProcessor之後才可以使用
-->
<beanclass="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<beanclass="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>

<!--
6.配置ShiroFilterFactoryBean
id必須和web.xml檔案中的DelegatingFilterProxy，的filter-name一致
若不一致，則會拋異常org.springframework.beans.factory.NoSuchBeanDefinitionException:No bean named 'shiroFilter' is defined
因為Shiro會在IOC容器中查詢和<filter-name>和
-->
<bean id="shiroFilter"class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>

<!-- 登陸頁面 -->
<property name="loginUrl" value="/login.jsp"/>
<!-- 登陸成功頁面 -->
<property name="successUrl" value="/list.jsp"/>
<!-- 沒有許可權的頁面 -->
<property name="unauthorizedUrl" value="/unauthor.jsp"/>
<!-- The 'filters' property is not necessary since anydeclared javax.servlet.Filter bean
defined will be automatically acquired and availablevia its beanName in chain
definitions, but you can perform overrides orparent/child consolidated configuration
here if you like: -->
<!-- <property name="filters">
<util:map>
<entry key="aName" value-ref="someFilterPojo"/>
</util:map>
</property> --

<!--
配置那些頁面需要受保護，以及訪問這些頁面需要的的許可權

1）anon 可以被匿名訪問
2）authc 必須認證即登陸後才可以訪問的頁面
-->
<property name="filterChainDefinitions">
<value>
/login.jsp = anon

# everything else requires authentication:
/** = authc
</value>
</property>
</bean>

此時訪問幾個jsp頁面都是預設自動訪問下面的url

ofollow,noindex" target="_blank">http://localhost:8081/shiro-2/login.jsp

2.工作流程

與web整合

---Shiro提供了與web整合的支援，其通過ShiroFilter入口攔截需要安全控制的URL，然後進行相應的控制

---ShiroFilter類似Strus2/Springmvc這種web框架的前端控制器，是安全控制的入口點，其負責讀取配置檔案，然後判斷URL是否需要登陸/許可權等工作

3.關於DelegatingFilterProxy的配置

兩種方法：

兩個名字一致

或者下圖的方法

其他均會報錯！！！

shiro整合spring&工作流程&DelegatingFilterProxy

1.整合Spring

2.工作流程

您可能也會喜歡…