在web.xml中进行配置,对所有的URL请求进行过滤,就像"击鼓传花"一样,链式处理。
配置分为两种A和B。
A:普通配置
在web.xml中增加如下内容:
<filter>
<filter-name>permissionFilter</filter-name>
<filter-class>com.taobao.riskm.filter.PermissionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>permissionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
由filter和filter-mapping构成。filter指定过滤器处理类(实现了Filter接口),filter-mapping指定过滤的规则。
<filter>
<filter-name>permissionFilter</filter-name>
<filter-class>com.taobao.riskm.filter.PermissionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>permissionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
由filter和filter-mapping构成。filter指定过滤器处理类(实现了Filter接口),filter-mapping指定过滤的规则。
B:高级配置(允许代理注入Spring bean)
在web.xml中增加如下内容:
<filter>
<filter-name>permission</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
在spring bean配置中加入:
<bean id="permission" class="com.taobao.kfc.kwb.web.permission.PermissionHttpServlet"></bean>
<filter>
<filter-name>permission</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>permission</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
在spring bean配置中加入:
<bean id="permission" class="com.taobao.kfc.kwb.web.permission.PermissionHttpServlet"></bean>
因为filter比bean先加载,也就是spring会先加载filter指定的类到container中,这样filter中注入的spring bean就为null了。
解决办法:
先filter中加入DelegatingFilterProxy类,"targetFilterLifecycle"指明作用于filter的所有生命周期。
原理是,DelegatingFilterProxy类是一个代理类,所有的请求都会首先发到这个filter代理,然后再按照"filter-name"委派到spring中的这个bean。
在Spring中配置的bean的name要和web.xml中的<filter-name>一样.
------------------------------------------------------------------------------------------------------
在Shiro的配置文件中,发现与上述有所差异,Spring中配置的bean的name如下
在web.xml中
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/actions/*</url-pattern>
</filter-mapping>
<!-- Shiro Filter 拦截器相关配置 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- securityManager -->
<property name="securityManager" ref="securityManager"/>
<!-- 重新登录路径 -->
<property name="loginUrl" value="/actions/invalid"/>
<!-- 用户访问无权限的链接时跳转此页面 -->
<property name="unauthorizedUrl" value="/actions/index"/>
<!-- 验证成功跳转此页面 -->
<property name="successUrl" value="/actions/secured/home"/>
<!-- 过滤链定义 -->
<property name="filterChainDefinitions">
<value><!-- 注意拦截顺序,从上往下依次设置-->
/actions/locale* = anon
/actions/index* = anon
/actions/logout = logout
/actions/security/authenticate* = anon
/actions/secured/** = authc,userAccessControlFilter
/actions/**=authc
</value>
</property>
<property name="filters">
<map>
<entry key="userAccessControlFilter" value-ref="userAccessControlFilter"/>
<entry key="logout" value-ref="logoutFilter"/>
</map>
</property>
</bean>
<!-- Shiro 生命周期处理器,,保证实现shiro内部的生命周期函数bean的执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>