Shiro: Spring integration, workflow, and DelegatingFilterProxy
阿新 • Published: 2018-11-19
1. Spring integration
References:
Create a new web project:
ehcache-core comes from Hibernate
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <display-name>shiro-2</display-name>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>user.jsp</welcome-file>
    </welcome-file-list>

    <!-- 1. Configure shiroFilter -->
    <!-- See the official documentation -->
    <!-- DelegatingFilterProxy is actually a proxy object for a Filter. By default,
         Spring looks in the IoC container for the filter bean that corresponds to
         filter-name; the bean id of the filter can also be configured through the
         targetBeanName init parameter. -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
spring-servlet.xml
<context:component-scan base-package="com.MrChengs.shiro"></context:component-scan>

<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix" value="/"></property>
    <property name="suffix" value=".jsp"></property>
</bean>

<mvc:annotation-driven></mvc:annotation-driven>
<mvc:default-servlet-handler/>
ehcache.xml comes from
applicationContext.xml
<!-- 1. Configure the SecurityManager -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="realm" ref="jdbcRealm"/>
</bean>

<!-- 2. Configure the CacheManager
     2.1 The ehcache jar and configuration file must be added -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one.
         If not, a new one will be created with a default config:
         <property name="cacheManager" ref="ehCacheManager"/> -->
    <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to inject,
         but you want a specific Ehcache configuration to be used, specify that here.
         If you don't, a default will be used.: -->
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
</bean>

<!-- 3. Configure the Realm
     3.1 A bean that directly implements the Realm interface -->
<bean id="jdbcRealm" class="com.MrChengs.shiro.realms.ShiroRealm">
</bean>

<!-- 4. LifecycleBeanPostProcessor: automatically invokes the lifecycle methods
     of the Shiro beans in the Spring IoC container -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

<!-- Enable Shiro Annotations for Spring-configured beans.
     Only run after the lifecycleBeanProcessor has run: -->
<!-- 5. Enable Shiro annotations in the IoC container; this only works after
     lifecycleBeanPostProcessor has been configured -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

<!-- 6. Configure ShiroFilterFactoryBean.
     The id must match the filter-name of the DelegatingFilterProxy in web.xml.
     If they differ, this exception is thrown:
     org.springframework.beans.factory.NoSuchBeanDefinitionException: No bean named 'shiroFilter' is defined
     because the IoC container is searched for the bean matching <filter-name>. -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Login page -->
    <property name="loginUrl" value="/login.jsp"/>
    <!-- Page shown after a successful login -->
    <property name="successUrl" value="/list.jsp"/>
    <!-- Page shown when the user lacks permission -->
    <property name="unauthorizedUrl" value="/unauthor.jsp"/>
    <!-- The 'filters' property is not necessary since any declared javax.servlet.Filter bean
         defined will be automatically acquired and available via its beanName in chain
         definitions, but you can perform overrides or parent/child consolidated
         configuration here if you like: -->
    <!-- <property name="filters">
             <util:map>
                 <entry key="aName" value-ref="someFilterPojo"/>
             </util:map>
         </property> -->
    <!-- Configure which pages are protected and the permissions needed to access them.
         1) anon:  can be accessed anonymously
         2) authc: requires authentication, i.e. can only be accessed after login -->
    <property name="filterChainDefinitions">
        <value>
            /login.jsp = anon
            # everything else requires authentication:
            /** = authc
        </value>
    </property>
</bean>

At this point, requesting any of the JSP pages automatically lands on the URL below by default:
http://localhost:8081/shiro-2/login.jsp
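2. Workflow
Web integration
--- Shiro provides support for web integration: it uses ShiroFilter as the entry point to intercept the URLs that need security control, and then applies the corresponding controls.
--- ShiroFilter is similar to the front controller of web frameworks such as Struts2/Spring MVC. It is the entry point for security control: it reads the configuration and then decides whether a URL requires login, permissions, and so on.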
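How ShiroFilter makes that per-URL decision from filterChainDefinitions, as an added example that is not from the original post: Shiro evaluates the patterns top to bottom and the first match wins, so the catch-all line has to come last. The /static/** path is a hypothetical addition; the other paths are the ones used in this project.

```xml
<!-- Added example, not from the original post; /static/** is a hypothetical path. -->

<!-- Weak ordering (shown commented out): the catch-all is listed first, so it
     matches every request, everything is served anonymously, and the authc
     line below it is never reached.

<property name="filterChainDefinitions">
    <value>
        /** = anon
        /list.jsp = authc
    </value>
</property>
-->

<!-- Corrected ordering: specific anonymous paths first, catch-all authc last.
     Any URL not explicitly opened above the last line requires a login. -->
<property name="filterChainDefinitions">
    <value>
        /login.jsp = anon
        /static/** = anon
        # everything else requires authentication:
        /** = authc
    </value>
</property>
```

A quick check after any change to this block is to request a protected page such as /list.jsp without a session and confirm the response is a redirect to the configured loginUrl.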
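3. Configuring DelegatingFilterProxy
There are two approaches: make the two names identical, or use the approach shown in the figure below.
Anything else will raise an error!!!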
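The targetBeanName init parameter mentioned in the web.xml notes lets the filter-name differ from the bean id. The fragment below is an added example, not from the original post; `securityFilter` is a hypothetical filter-name chosen only to differ from the bean id `shiroFilter` defined in applicationContext.xml.

```xml
<!-- Added example, not from the original post. "securityFilter" is a
     hypothetical filter-name that deliberately differs from the bean id. -->
<filter>
    <filter-name>securityFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <!-- Bean id of the ShiroFilterFactoryBean in applicationContext.xml.
             Without this parameter the proxy would look for a bean named
             "securityFilter" and fail with NoSuchBeanDefinitionException. -->
        <param-name>targetBeanName</param-name>
        <param-value>shiroFilter</param-value>
    </init-param>
    <init-param>
        <!-- Let the servlet container drive init()/destroy() on the target filter -->
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <!-- The mapping refers to the filter-name, not to the bean id -->
    <filter-name>securityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```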