认证:
配置单个realm时,不涉及modularRealmAuthenticator, 因此,也就不涉及认证策略
注意:applicationContext.xml配置中的MyRealm和SecondRealm是我定义的两个Realm
配置单个realm时.
applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Single-realm Shiro setup: securityManager is given one Realm through its
     'realm' property, so no ModularRealmAuthenticator and therefore no
     authentication strategy is involved. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

  <!-- =========================================================
       Shiro Core Components - Not Spring Specific
       ========================================================= -->
  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="sessionMode" value="native"/>
    <property name="realm" ref="realm"/>
  </bean>

  <!-- Ehcache-backed cache; the referenced ehcache.xml must be on the classpath. -->
  <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
  </bean>

  <!-- MD5 credential check. HashedCredentialsMatcher hashes the submitted
       password with this algorithm and iteration count and compares it with
       the stored hash, so both values must agree with how the stored hashes
       were produced. MD5 with 1024 iterations is weak for password storage;
       switching to a stronger algorithm requires re-hashing stored credentials. -->
  <bean id="realm" class="com.qx.realm.MyRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- =========================================================
       Shiro Spring-specific integration
       ========================================================= -->
  <!-- Post processor that automatically invokes init() and destroy() methods
       for Spring-configured Shiro objects so you don't have to
       1) specify an init-method and destroy-method attributes for every bean definition and
       2) even know which Shiro objects require these methods to be called. -->
  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <!-- Enable Shiro Annotations for Spring-configured beans.
       Only run after the lifecycleBeanProcessor has run: -->
  <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
  <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations
       can be associated with a Subject for security checks. -->
  <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- The bean id must equal the filter-name of the DelegatingFilterProxy
       declared in web.xml, otherwise the proxy cannot find this bean. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/success.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
      <!-- anon: reachable by everyone; authc: requires an authenticated login.
           Definitions are evaluated top to bottom and the first matching path
           wins, so the catch-all "/** = authc" must stay last; any path listed
           after it would never be reached. -->
      <value>
        /login.jsp = anon
        /user/login.action = anon
        /success.jsp = authc
        /index.jsp = anon
        /logout=logout
        /list.jsp=roles[user]
        /admin.jsp=roles[admin]
        # everything else requires authentication:
        /** = authc
      </value>
    </property>
  </bean>
</beans>
配置多个realm时:--配置多个realm时,就涉及到modularRealmAuthenticator, 因此,也就涉及到配置何种认证策略
applicationContext.xml写法1:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Multi-realm layout 1: the realms are listed on securityManager and a
     ModularRealmAuthenticator with an explicit authentication strategy is
     injected as its authenticator. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

  <!-- =========================================================
       Shiro Core Components - Not Spring Specific
       ========================================================= -->
  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="sessionMode" value="native"/>
    <property name="authenticator" ref="modularRealmAuthenticator"></property>
    <property name="realms">
      <!-- The realms configured here are ultimately handed to
           org.apache.shiro.authc.pam.ModularRealmAuthenticator; this is the
           multi-realm case. -->
      <list>
        <ref bean="realm"/>
        <ref bean="secondRealm"/>
      </list>
    </property>
  </bean>

  <!-- How authentication is decided when several realms are configured. The
       bean gets an id because securityManager refs it through its
       'authenticator' property. -->
  <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
    <property name="authenticationStrategy">
      <!-- Authentication strategy. AllSuccessfulStrategy requires every
           configured realm to accept the credentials; a failure in any one
           realm fails the login. -->
      <bean class="org.apache.shiro.authc.pam.AllSuccessfulStrategy"></bean>
    </property>
  </bean>

  <!-- Ehcache-backed cache; the referenced ehcache.xml must be on the classpath. -->
  <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
  </bean>

  <!-- MD5 credential check. The algorithm and iteration count must agree with
       how this realm's stored hashes were produced. MD5 with 1024 iterations
       is weak for password storage; changing it requires re-hashing stored
       credentials. -->
  <bean id="realm" class="com.qx.realm.MyRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- SHA1 credential check for the second realm. Each realm carries its own
       matcher, so the two realms may store hashes in different formats. SHA1
       is likewise weak for password storage. -->
  <bean id="secondRealm" class="com.qx.realm.SecondRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="SHA1"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- =========================================================
       Shiro Spring-specific integration
       ========================================================= -->
  <!-- Invokes init() and destroy() on Spring-configured Shiro objects. -->
  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <!-- Enable Shiro Annotations for Spring-configured beans.
       Only run after the lifecycleBeanProcessor has run: -->
  <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
  <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations
       can be associated with a Subject for security checks. -->
  <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- The bean id must equal the filter-name of the DelegatingFilterProxy in web.xml. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/success.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
      <!-- anon: reachable by everyone; authc: requires an authenticated login.
           First matching path wins, so the "/** = authc" catch-all stays last. -->
      <value>
        /login.jsp = anon
        /user/login.action = anon
        /success.jsp = authc
        /index.jsp = anon
        /logout=logout
        /list.jsp=roles[user]
        /admin.jsp=roles[admin]
        # everything else requires authentication:
        /** = authc
      </value>
    </property>
  </bean>
</beans>
applicationContext.xml写法2:---严重不推荐,会出现各种问题提示realm没有配置
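<?xml version="1.0" encoding="UTF-8"?>
<!-- Multi-realm layout 2 (discouraged by the author): the realms are set on
     the ModularRealmAuthenticator only, and securityManager itself gets
     neither 'realm' nor 'realms'. The author reports "realm not configured"
     style errors with this layout. The original listing also contained a
     stray closing property tag followed by a comment terminator inside the
     shiroFilter bean, which made the document malformed; that fragment has
     been removed here. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

  <!-- =========================================================
       Shiro Core Components - Not Spring Specific
       ========================================================= -->
  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="sessionMode" value="native"/>
    <property name="authenticator" ref="modularRealmAuthenticator"></property>
  </bean>

  <!-- How authentication is decided when several realms are configured. The
       bean gets an id because securityManager refs it through its
       'authenticator' property. -->
  <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
    <property name="authenticationStrategy">
      <!-- Authentication strategy. AtLeastOneSuccessfulStrategy lets the login
           succeed as soon as any single realm accepts the credentials, so the
           weakest realm bounds the strength of the login. -->
      <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>
    </property>
    <!-- Could instead be configured on securityManager (see layout 3). -->
    <property name="realms">
      <list>
        <ref bean="realm"/>
        <ref bean="secondRealm"/>
      </list>
    </property>
  </bean>

  <!-- Ehcache-backed cache; the referenced ehcache.xml must be on the classpath. -->
  <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
  </bean>

  <!-- MD5 credential check. The algorithm and iteration count must agree with
       how this realm's stored hashes were produced. MD5 with 1024 iterations
       is weak for password storage. -->
  <bean id="realm" class="com.qx.realm.MyRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- SHA1 credential check for the second realm; SHA1 is likewise weak for
       password storage. -->
  <bean id="secondRealm" class="com.qx.realm.SecondRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="SHA1"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- =========================================================
       Shiro Spring-specific integration
       ========================================================= -->
  <!-- Invokes init() and destroy() on Spring-configured Shiro objects. -->
  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <!-- Enable Shiro Annotations for Spring-configured beans.
       Only run after the lifecycleBeanProcessor has run: -->
  <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
  <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations
       can be associated with a Subject for security checks. -->
  <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- The id of the Shiro filter bean must equal the filter-name configured
       for shiroFilter in web.xml, otherwise startup fails. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/success.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <property name="filterChainDefinitions">
      <!-- anon: reachable by everyone; authc: requires an authenticated login.
           First matching path wins, so the "/** = authc" catch-all stays last. -->
      <value>
        /login.jsp = anon
        /user/login.action = anon
        /success.jsp = authc
        /index.jsp = anon
        /logout=logout
        /list.jsp=roles[user]
        /admin.jsp=roles[admin]
        # everything else requires authentication:
        /** = authc
      </value>
    </property>
  </bean>
</beans>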
applicationContext.xml写法3:
---需要在shiroFilter中注入filterChainDefinitionMap,因此,需要自己定义一个RolesMapFactory,访问哪个url需要什么权限在RolesMapFactory中定义,放在一个LinkedHashMap中,定义一个init方法返回该map.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Multi-realm layout 3: realms on securityManager, ModularRealmAuthenticator
     as its authenticator, and the filter chain supplied as a Map built by
     RolesMapFactory instead of the inline filterChainDefinitions text. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">

  <!-- =========================================================
       Shiro Core Components - Not Spring Specific
       ========================================================= -->
  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <!-- Single realm app. If you have multiple realms, use the 'realms' property instead. -->
    <property name="sessionMode" value="native"/>
    <!-- <property name="realm" ref="realm"/> -->
    <property name="authenticator" ref="modularRealmAuthenticator"></property>
    <!-- The realm list can be configured here on securityManager. -->
    <property name="realms">
      <list>
        <ref bean="realm"/>
        <ref bean="secondRealm"/>
      </list>
    </property>
  </bean>

  <!-- How authentication is decided when several realms are configured. -->
  <bean id="modularRealmAuthenticator" class="org.apache.shiro.authc.pam.ModularRealmAuthenticator">
    <property name="authenticationStrategy">
      <!-- Authentication strategy. AtLeastOneSuccessfulStrategy lets the login
           succeed as soon as any single realm accepts the credentials, so the
           weakest realm bounds the strength of the login. -->
      <bean class="org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy"></bean>
    </property>
    <!-- Alternatively the realms could be configured on securityManager:
         <property name="realms">
           <list>
             <ref bean="realm"/>
             <ref bean="secondRealm"/>
           </list>
         </property>
    -->
  </bean>

  <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
    <!-- Set a net.sf.ehcache.CacheManager instance here if you already have one.
         If not, a new one will be created with a default config:
         <property name="cacheManager" ref="ehCacheManager"/> -->
    <!-- If you don't have a pre-built net.sf.ehcache.CacheManager instance to
         inject, but you want a specific Ehcache configuration to be used,
         specify that here. If you don't, a default will be used.:
         <property name="cacheManagerConfigFile" value="classpath:some/path/to/ehcache.xml"/> -->
    <property name="cacheManagerConfigFile" value="classpath:ehcache.xml"/>
  </bean>

  <!-- MD5 credential check. The algorithm and iteration count must agree with
       how this realm's stored hashes were produced. MD5 with 1024 iterations
       is weak for password storage. -->
  <bean id="realm" class="com.qx.realm.MyRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- SHA1 credential check for the second realm; SHA1 is likewise weak for
       password storage. -->
  <bean id="secondRealm" class="com.qx.realm.SecondRealm">
    <property name="credentialsMatcher">
      <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="SHA1"></property>
        <property name="hashIterations" value="1024"></property>
      </bean>
    </property>
  </bean>

  <!-- =========================================================
       Shiro Spring-specific integration
       ========================================================= -->
  <!-- Post processor that automatically invokes init() and destroy() methods
       for Spring-configured Shiro objects so you don't have to
       1) specify an init-method and destroy-method attributes for every bean definition and
       2) even know which Shiro objects require these methods to be called. -->
  <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>

  <!-- Enable Shiro Annotations for Spring-configured beans.
       Only run after the lifecycleBeanProcessor has run: -->
  <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"/>
  <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations
       can be associated with a Subject for security checks. -->
  <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager"/>
  </bean>

  <!-- The bean id must equal the filter-name of the DelegatingFilterProxy in web.xml. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <property name="loginUrl" value="/login.jsp"/>
    <property name="successUrl" value="/success.jsp"/>
    <property name="unauthorizedUrl" value="/unauthorized.jsp"/>
    <!-- Filter chain supplied as a Map built by RolesMapFactory.initRoleMap().
         That method returns a LinkedHashMap so insertion order is kept and the
         "/**" catch-all remains the last rule evaluated. -->
    <property name="filterChainDefinitionMap" ref="filterChainDefinitionMap">
    </property>
    <!-- Inline equivalent, kept for reference:
         <property name="filterChainDefinitions">
           anon: reachable by everyone; authc: requires an authenticated login
           <value>
             /login.jsp = anon
             /user/login.action = anon
             /success.jsp = authc
             /index.jsp = anon
             /logout=logout
             /list.jsp=roles[user]
             /admin.jsp=roles[admin]
             # everything else requires authentication:
             /** = authc
           </value>
         </property>
    -->
  </bean>

  <!-- Factory that produces the filter chain map; see RolesMapFactory. -->
  <bean id="rolesMapFactory" class="com.qx.shiro.controller.RolesMapFactory"></bean>
  <!-- Instance-factory bean: Spring calls rolesMapFactory.initRoleMap() and
       registers the returned map under this id. -->
  <bean id="filterChainDefinitionMap" factory-bean="rolesMapFactory" factory-method="initRoleMap"></bean>
</beans>
所需要的RolesMapFactory:
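package com.qx.shiro.controller;

import java.util.HashMap;
import java.util.LinkedHashMap;

/**
 * Builds the Shiro filter chain definition map that the Spring config injects
 * into ShiroFilterFactoryBean as "filterChainDefinitionMap".
 */
public class RolesMapFactory {

    /**
     * Initialises the URL-pattern to filter-chain mapping. In a real project
     * this data would be loaded from the database rather than hard-coded.
     *
     * The returned object is a LinkedHashMap on purpose: Shiro evaluates the
     * chain definitions in insertion order and the first matching pattern
     * wins, so the "/**" catch-all must be inserted last, after every more
     * specific path. A plain HashMap would not preserve that order.
     *
     * @return URL pattern to filter-chain string, in evaluation order
     */
    public HashMap<String, String> initRoleMap() {
        LinkedHashMap<String, String> map = new LinkedHashMap<>();
        // anon: reachable without login; authc: requires an authenticated login
        map.put("/login.jsp", "anon");
        map.put("/user/login.action", "anon");
        map.put("/success.jsp", "authc");
        // Was "/index .jsp" (stray space), a pattern that does not match
        // /index.jsp, so that page silently fell through to the catch-all.
        map.put("/index.jsp", "anon");
        map.put("/logout", "logout");
        map.put("/list.jsp", "roles[user]");
        map.put("/admin.jsp", "roles[admin]");
        // everything else requires authentication; keep this entry last
        map.put("/**", "authc");
        return map;
    }
}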
无论上述是哪种配置,web.xml中都需要配置shiroFilter,且要注意filter-name必须和spring中对应的org.apache.shiro.spring.web.ShiroFilterFactoryBean的id一致
web.xml:中这样配置shiroFilter:
<!-- web.xml registration of the Shiro filter. DelegatingFilterProxy delegates
     to the Spring bean whose name equals this filter-name, so "shiroFilter"
     must match the id of the ShiroFilterFactoryBean in applicationContext.xml
     regardless of which of the three layouts above is used. -->
<filter>
  <filter-name>shiroFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <!-- Forward the servlet container's init() and destroy() calls to the
         target Shiro filter bean. -->
    <param-name>targetFilterLifecycle</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<!-- Map the filter to every request so the filter chain definitions are
     applied to all paths, not only to the ones listed explicitly. -->
<filter-mapping>
  <filter-name>shiroFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>