在spring的整合xml配置信息
<!-- 配置自定义Realm -->
<bean id="userRealm" class="com.hisicompass.web.shiro.UserRealm" />
<!-- 用户授权信息Cache,缓存在本机内存,不支持集群 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:spring/shiroEhcache.xml"/>
</bean>
<bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.MemorySessionDAO" />
<bean id="sessionManager"
class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
<property name="sessionDAO" ref="sessionDAO" />
</bean>
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm" />
<property name="sessionManager" ref="sessionManager" />
<!-- 缓存管理器 -->
<!-- <property name="cacheManager" ref="cacheManager"/> -->
</bean>
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod"
value="org.apache.shiro.SecurityUtils.setSecurityManager" />
<property name="arguments" ref="securityManager" />
</bean>
<!-- 自定义shiro的fileter -->
<!-- <bean id="unifyShiroFilter" class="com.hisicompass.web.shiro.UnifyShiroFilter"
/> -->
<!-- Shiro过滤器 核心 -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<!-- Shiro的核心安全接口,这个属性是必须的 -->
<property name="securityManager" ref="securityManager" />
<!-- 权限认证失败时,则跳转到指定请求地址 -->
<property name="unauthorizedUrl" value="/401.jsp" />
<property name="loginUrl" value="/BTVhtml/page/login/login.html" />
<!-- <property name="filters"> -->
<!-- <util:map> -->
<!-- <entry key="unifyShiroFilter" value-ref="unifyShiroFilter" /> -->
<!-- </util:map> -->
<!-- </property> -->
<!-- Shiro连接约束配置,即过滤链的定义 -->
<property name="filterChainDefinitions">
<value>
<!--过滤器分为两组,一组是认证过滤器,一组是授权过滤器。其中anon,authcBasic,authc,user是第一组,perms,roles,ssl,rest,port是第二组 -->
<!--注意user和authc不同:当应用开启了rememberMe时,用户下次访问时可以是一个user,但绝不会是authc,因为authc是需要重新认证的; -->
<!--user表示用户不一定已通过认证,只要曾被Shiro记住过登录状态的用户就可以正常发起请求,比如rememberMe -->
<!--说白了,以前的一个用户登录时开启了rememberMe,然后他关闭浏览器,下次再访问时他就是一个user,而不会authc -->
<!--/index=user 表示用户不一定需要已经通过认证,只需要曾经被Shiro记住过登录状态就可以正常发起'/index'请求 -->
<!--anon表示可匿名使用,无需认证;authc表示需认证才能使用;authcBasic表示httpBasic认证;user表示必须Shiro记住用户,当登入操作时不做检查;ssl表示安全的URL请求,协议为https -->
<!--perms表示拥有某权限,参数可写多个,多参时必须加上引号,且参数之间用逗号分割,如/admins/user/**=perms["user:add:*,user:modify:*"],当有多个参数时必须每个参数都通过才算通过 -->
<!--roles表示拥有某角色,参数可写多个,多个时必须加上引号,且参数之间用逗号分割,如/admins/user/**=roles["admin,guest"],当有多个参数时必须每个参数都通过才算通过 -->
/b5e160ba-2132-494d-8c56-30029ea5ff0b=anon
/BTVhtml/css/**=anon
/BTVhtml/fonts/**=anon
/BTVhtml/images/**=anon
/BTVhtml/img/**=anon
/BTVhtml/js/**=anon
/BTVhtml/page/login/login.html=anon
/erro.jsp=anon
/user/login=anon
/system=anon
<!-- 首页 -->
/BTVhtml/index.html=perms[sys_survey]
/index=perms[sys_survey]
<!-- 首页-基础资源 -->
/BTVhtml/page/baseResource/**=perms[sys_survey]
/baseResource/**=perms[sys_survey]
</value>
</property>
</bean>
<!-- 保证实现了Shiro内部lifecycle函数的bean执行 -->
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<!-- AOP式方法级权限检查 这两个类主要用于注解 -->
<bean
class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor">
<!-- 必须改为true,即使用cglib方式为Action创建代理对象。默认值为false,使用JDK创建代理对象,会造成bean注入问题 -->
<property name="proxyTargetClass" value="true" />
</bean>
<!-- 使用shiro框架提供的切面类,用于创建代理对象 -->
<bean
class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
public class UserRealm extends AuthorizingRealm {
@Autowired
private DefaultWebSecurityManager securityManager;
@Autowired
private HisiUserMapper btvUserMapper;
@Autowired
private HisiUserPowerMapper btvUserPowerMapper;
/**
* 用户身份验证
*
* @param token
* @throws 匹配失败会抛出异常
* @return
*/
@Override
protected AuthenticationInfo
doGetAuthenticationInfo(
AuthenticationToken token) {
String userName = (String) token.getPrincipal();
Session sessionLocal = SecurityUtils.getSubject().getSession();
DefaultWebSessionManager sessionManager = (DefaultWebSessionManager) securityManager
.getSessionManager();
Collection<Session> sessions = sessionManager.getSessionDAO()
.getActiveSessions();
for (Session session : sessions) {
if (userName
.equals(String.valueOf(session
.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY)))) {
if (!sessionLocal.getId().equals(session.getId())) {
sessionManager.getSessionDAO().delete(session);
}
}
}
HisiUser btvUser = btvUserMapper.selectByUserName(userName);
if (btvUser !=
null) {
AuthenticationInfo authenticationInfo =
new SimpleAuthenticationInfo(
btvUser.getUserName(), btvUser.getUserPwd(), getClass()
.getName());
return authenticationInfo;
}
else {
throw new UnknownAccountException();
}
}
/**
* 用户权限认证
*/
@Override
protected AuthorizationInfo
doGetAuthorizationInfo(
PrincipalCollection principals) {
String userName = principals.getPrimaryPrincipal().toString();
String sysId = String.valueOf(SecurityUtils.getSubject().getSession()
.getAttribute(Constant.HTTP_SESSION_SYSTEM_ID));
HisiUser btvUser = btvUserMapper.selectByUserName(userName);
SimpleAuthorizationInfo simpleAuthorizationInfo =
new SimpleAuthorizationInfo();
List<HisiUserPower> powers = btvUserPowerMapper.listByUserIdAndSysId(
btvUser.getId(), Integer.parseInt(sysId));
Set<String> userPowerSet =
new HashSet<String>();
for (HisiUserPower e : powers) {
userPowerSet.add(e.getPowerVal());
}
simpleAuthorizationInfo.setStringPermissions(userPowerSet);
return simpleAuthorizationInfo;
}
}