shiro实现SSL登陆

个人主页，技术杂谈

原文链接

考虑项目安全需求，将http请求转为https，项目中已集成的shiro框架已实现SSL登陆，来看下具体实现吧。

tomcat的server.xml文件配置。将http的8080端口调转到https的8443端口

<Connector acceptCount="500" connectionTimeout="20000" enableLookups="false" maxThreads="400" port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8" redirectPort="8443"/><Connector SSLEnabled="true" acceptCount="500" clientAuth="false" keystoreFile="D:\localhost.keystore" keystorePass="aerors123" maxThreads="400" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>

applicationContext.xml中添加shiro相关配置

<bean id="sslFilter" class="org.apache.shiro.web.filter.authz.SslFilter">        <property name="port" value="8443" />    </bean><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">    <!-- securityManager -->    <property name="securityManager" ref="securityManager" />    <!-- 登录路径 -->    <property name="loginUrl" value="/login.jsp" />    <!-- 登录成功后跳转路径 -->    <property name="successUrl" value="/index.jsp" />    <!-- 授权失败跳转路径 -->    <property name="unauthorizedUrl" value="/login.jsp" />    <property name="filters">        <util:map>            <entry key="authc" value-ref="formAuthenticationFilter" />            <entry key="sysUser" value-ref="sysUserFilter" />            <entry key="kickout" value-ref="kickoutSessionControlFilter" />            <entry key="ssl" value-ref="sslFilter" />        </util:map>    </property>    <!-- 过滤链定义 -->    <property name="filterChainDefinitions">        <value>            /login.jsp = ssl,anon            /logout = logout            /*.js = anon            /*.css = anon            /error.jsp= anon            /mapdaohang.jsp= anon            /unauthor.jsp= anon            <!-- authc表示需要认证的链接 -->            /lost.jsp = kickout,authc,roles["lost"]            /*.jsp = kickout,authc        </value>    </property></bean>

在filters中添加<entry key="ssl" value-ref="sslFilter" />即可在filterChainDefinitions中直接引用.

推荐个详细教程：第十四章 SSL——《跟我学Shiro》