1、授权:在自定义realm的doGetAuthorizationInfo方法中读取用户权限并授权。下面的示例为模拟数据,对所有用户授予相同的两个权限;实际项目中应根据principalCollection中的用户身份查询其权限。
/**
 * Builds the authorization data Shiro uses for permission checks.
 *
 * <p>Demo implementation: the two permission strings are hard-coded and
 * {@code principalCollection} is never read, so every principal that reaches
 * this realm receives the same grants. A real realm must look up the
 * permissions of the principal it is given.
 *
 * @param principalCollection the principals of the subject being authorized (unused here)
 * @return authorization info holding {@code sys:user:view} and {@code sys:user:edit}
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    // Trace output showing that the authorization callback ran.
    System.out.println("---------------授权----------------");

    // Simulated grants; stands in for a per-user permission lookup.
    List<String> grantedPermissions = new ArrayList<>();
    grantedPermissions.add("sys:user:view");
    grantedPermissions.add("sys:user:edit");

    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addStringPermissions(grantedPermissions);
    return authorizationInfo;
}
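2、在controller或jsp中添加权限控制符并检验授权情况。注意:jsp标签只控制页面元素是否显示,不能阻止对后端接口的直接请求,服务端仍需通过@RequiresPermissions或过滤器链进行校验;@RequiresPermissions注解需要在Spring中开启Shiro注解支持(如配置AuthorizationAttributeSourceAdvisor)后才会生效,否则注解不会被检查。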
1、控制器
@RequiresPermissions("sys:user:edit")
2、jsp页面
<shiro:hasPermission name="sys:user:view">...</shiro:hasPermission>
3、缓存管理
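同一用户访问受保护资源时,每次权限校验都会重新执行授权查询,可以将授权信息放入缓存以避免重复查询。shiro-all包中默认带有ehcache的集成,也可以单独添加shiro-ehcache依赖。注意:启用缓存后,用户权限的变更(例如撤销某项权限)要等缓存过期或被清除后才会生效,修改权限时应在自定义realm中调用clearCachedAuthorizationInfo清除该用户的授权缓存。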
<!-- Shiro's EhCache integration. 1.4.0 is the version this tutorial uses; later Shiro releases contain security fixes, so prefer a currently maintained release and keep this artifact on the same version as the other Shiro modules. -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>1.4.0</version>
</dependency>
<!-- Security manager (the original comment calls it the "security authentication filter"): ties together the realm, cache manager, session manager and rememberMe manager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm" />
<!-- NOTE(review): with a cache manager set, authorization results can be served from cache, so a revoked permission stays effective until the entry expires or is cleared; confirm the realm clears the user's cached authorization when permissions are edited. -->
<property name="cacheManager" ref="cacheManager"/>
<!-- The sessionManager and rememberMeManager beans are defined in the session / rememberMe section further down. -->
<property name="sessionManager" ref="sessionManager"/>
<property name="rememberMeManager" ref="rememberMeManager"/>
</bean>
<!-- Cache manager: EhCache-backed, configured from ehcache/ehcache.xml on the classpath. -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:ehcache/ehcache.xml"></property>
</bean>
注:ehcache.xml配置文件放在classpath路径下;xml配置文件在shiro-ehcache.jar包下或shiro-all.jar包的cache/ehcache目录下
4、session和rememberMe设置
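<!-- Security manager: ties together the realm, cache manager, session manager and rememberMe manager. -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm" />
    <property name="cacheManager" ref="cacheManager"/>
    <!-- The next two properties are the ones this section is about. The original text wrapped them in ** emphasis markers, which made the XML ill-formed. -->
    <property name="sessionManager" ref="sessionManager"/>
    <property name="rememberMeManager" ref="rememberMeManager"/>
</bean>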
<!-- Session manager configuration. -->
<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<!-- globalSessionTimeout is expressed in milliseconds, so 6000 expires a session after 6 seconds of inactivity; Shiro's default is 1800000 (30 minutes). NOTE(review): confirm the intended value, the author may have meant seconds. -->
<property name="globalSessionTimeout" value="6000"/>
<!-- Remove sessions from the session store once they are found to be invalid or expired. -->
<property name="deleteInvalidSessions" value="true"/>
</bean>
<!-- rememberMe manager configuration. -->
<!-- NOTE(review): no cipherKey is set here. The rememberMe cookie carries the encrypted, serialized identity, so do not rely on the library default: configure cipherKey with a key generated for this deployment and kept out of source control. A key generated at startup also invalidates remembered logins on every restart and differs between cluster nodes. -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<property name="cookie" ref="rememberMeCookie"/>
</bean>
<!-- Cookie template for rememberMe. SimpleCookie is HttpOnly by default but not Secure; when the site is served over HTTPS, consider adding a secure=true property so the cookie is never sent over plain HTTP. -->
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
<!-- maxAge is in seconds: 604800 = 7 days. -->
<property name="maxAge" value="604800"/>
<property name="name" value="rememberMe"/>
</bean>
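<!-- FormAuthenticationFilter reads the request parameters "username" and "password" by default; configure it to use other names. The bean id must be "authc". -->
<!-- A subject restored from the rememberMe cookie is "remembered", not "authenticated": URLs guarded by the authc filter still require a fresh login, while the user filter also accepts remembered subjects. Keep sensitive operations behind authc. -->
<bean id="authc" class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter">
    <property name="usernameParam" value="name"/>
    <property name="passwordParam" value="pwd"/>
    <!-- Request parameter name of the rememberMe checkbox; must match the name of the checkbox in login.jsp. The original text wrapped this line in ** emphasis markers, which made the XML ill-formed. -->
    <property name="rememberMeParam" value="rememberMe"/>
</bean>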
login.jsp
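<%-- The checkbox name must equal the rememberMeParam configured on the authc filter ("rememberMe"); the ** emphasis markers inside the attribute value in the original text would have changed the submitted parameter name. --%>
<label class="fancy-checkbox element-left">
    <input type="checkbox" name="rememberMe">
    <span>Remember me</span>
</label>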